[cod] Game server whitelisting rules

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Tue Apr 17 14:35:07 EDT 2012


You need the --reap option of the recent module for this new set to 
work, and I don't believe that 1.3.5 has that option.

Can you check that out for me, Brandon?

Just do a

man iptables

and then

/--reap

and see if that search shows it to you.

Thanks,

/Boyd/


On 04/17/2012 01:09 PM, Brandon R. Miller wrote:
> Will it work on CentOS 5.x with iptables 1.3.5?
>
> - Brandon M.
>
> On 4/17/2012 10:12 AM, Boyd G. Gafford Ph.D. wrote:
>> Just wanted to let everyone know that I am making the dynamic 
>> whitelisting iptables rules I have been testing available to anyone 
>> who runs a Q3-protocol server under Linux and wants to try them out.  
>> These rules were designed for the most severe of all attacks, and 
>> that is attacks where the source IP is spoofed and is random.  It 
>> also works for attacks from a single IP, as well as indirect 
>> reflection attacks.
>>
>> We have 2 commercial server companies using these rules currently in 
>> their production environment, and I am currently working with two 
>> more.  I also have test servers running on several VPS's that I use 
>> for development.
>>
>> So what do the iptables do?  Here's the list:
>>
>> 1) Players have their IP saved automatically at the kernel level when 
>> they join a game server, and then those IPs are used as a filter for 
>> other rules.  When they leave the game server the IP is retired after 
>> 10 minutes.  (This is what we call a whitelisted player).  This is 
>> the main guts of the protection, as identifying valid players is 
>> important to mitigating attacks.
>>
>> 2) Server query packets like 'getstatus' and 'getinfo' are rate 
>> limited to 10/sec to prevent lag when they are used in a DOS attack.  
>> Players that are whitelisted have their packets allowed (so they can 
>> see server status while in game even during an attack).
>>
>> 3) 'getchallenge' packets (normally used by a player to join the 
>> game) are rate limited to 2/sec, to prevent lag when they are used in 
>> a DOS attack.  Players that are whitelisted always have their 
>> requests to join the server processed.  This allows a player who was 
>> recently playing the ability to join the server again, even when the 
>> DOSer is trying to lock down the population on the server by spamming 
>> fake players joining.
>>
>> 4) All other packets are rate limited per whitelisted player IP to no 
>> more than 100/second, to prevent lag when a DOSer has stolen a valid 
>> player IP address and is attacking with it in an attempt to break 
>> through the whitelist rules.
>>
>> 5) Attempts to use your game server as a reflector to attack other 
>> game servers are blocked (due to rate limiting in 1-4).
>>
>> 6) Reflection attack packets hitting your server are dropped (again 
>> due to rate limiting in 1-4).
>>
>> 7) A custom packet (not part of the Q3 protocol) can be sent by a 
>> player to break into and join a game that is under 24/7 
>> 'getchallenge' attack.  This is one of the slicker features of the 
>> iptables rules, as this 'server lockdown' DOS attack is now easily 
>> breached.
>>
>>
>> The iptables rules are added dynamically per server IP:PORT pair.  
>> That way the rules affect nothing but UDP packets to that game 
>> server.  No other types of packets are affected whatsoever.  To make 
>> it easy, the rules have been put into shell scripts.
>>
>> Example:  Protect the game running on 10.1.2.3 port 28000.
>>
>> # ./protectgame.sh 10.1.2.3 28000
>>
>> Example:  Show the iptables rules currently protecting the game 
>> running on 10.1.2.3 port 28000.
>>
>> # ./listgame.sh 10.1.2.3 28000
>>
>> Example:  Remove the iptables rules protecting the game running on 
>> 10.1.2.3 port 28000.
>>
>> # ./unprotectgame.sh 10.1.2.3 28000
>>
>> Rather than just send the scripts to the whole list here, I've 
>> decided to ask anyone interested to Email me personally and request 
>> it.  If you run a commercial gaming service (or even your own COD 
>> server and agree not to share it with anyone else), I will be happy 
>> to send it to you and help you understand how to use it in your 
>> environment.
>>
>> Thanks,
>>
>> /Boyd/
>>
>> __________________________________
>> Boyd G. Gafford Ph.D.
>> Manager of Software Development
>> Westport Research Associates Inc.
>> 7001 Blue Ridge Blvd
>> Raytown, MO 64133
>> (816) 358-8990
>> drboyd at westportresearch.com
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>
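The rule set the quoted announcement describes (whitelist via the recent module with --reap, per-command rate limits via hashlimit, rules scoped to one IP:PORT pair), written out as an added illustration for this archive page. It is not Boyd's protectgame.sh / listgame.sh / unprotectgame.sh, which were never posted to the list; it assumes an iptables with the recent, hashlimit and string modules, that Q3 out-of-band packets begin with four 0xff bytes followed by the command name, and that a player's "connect" packet is the join event that whitelists them. The bypass token in rule 7 is a placeholder, and the chain and list names are invented for the example.

```shell
#!/bin/sh
# Added illustration, not the author's scripts: a whitelist + rate-limit chain for
# a single UDP game port, following the numbered list in the announcement.
# Assumptions: iptables with recent (--reap), hashlimit and string modules; Q3
# out-of-band commands are prefixed with four 0xff bytes; "connect" marks a join.
# Dry-run by default (commands are printed). Set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# The "man iptables, then /--reap" check from the reply, scripted: true if the
# installed recent module advertises --reap (iptables 1.3.5 does not).
has_reap_support() {
    "${IPTABLES_BIN:-iptables}" -m recent --help 2>/dev/null | grep -q -- '--reap'
}

# Match fragment for one Q3 out-of-band command (assumed packet layout).
q3cmd() { printf '%s' "-m string --algo bm --hex-string |ffffffff|$1"; }

protect_game() {
    ip="$1"; port="$2"
    chain="GAME_${port}"   # invented chain name, one per protected port
    wl="wl_${port}"        # recent(8) list holding whitelisted player IPs
    $IPT -N "$chain"
    # Only UDP to this exact IP:PORT pair enters the chain; nothing else is touched.
    $IPT -A INPUT -p udp -d "$ip" --dport "$port" -j "$chain"

    # 1 + 4) Whitelisted players: every packet refreshes the entry, entries idle
    # for 600 s are purged by --reap, and each source is capped at 100 pkt/s.
    $IPT -A "$chain" -m recent --name "$wl" --update --seconds 600 --reap \
        -m hashlimit --hashlimit-name "$wl" --hashlimit-mode srcip \
        --hashlimit-upto 100/sec -j ACCEPT

    # 1) A join from an unlisted source adds it to the whitelist (assumed trigger).
    $IPT -A "$chain" $(q3cmd connect) -m recent --name "$wl" --set -j ACCEPT
    # 7) Non-protocol bypass packet (placeholder token): whitelist the sender so
    # their next getchallenge passes rule 1; the packet itself need not reach the game.
    $IPT -A "$chain" $(q3cmd BYPASS-TOKEN-PLACEHOLDER) -m recent --name "$wl" --set -j DROP

    # 3) getchallenge from non-whitelisted sources: at most 2/s in total.
    $IPT -A "$chain" $(q3cmd getchallenge) -m hashlimit --hashlimit-name "chal_${port}" \
        --hashlimit-above 2/sec -j DROP
    # 2) getstatus and getinfo: at most 10/s each.
    for q in getstatus getinfo; do
        $IPT -A "$chain" $(q3cmd "$q") -m hashlimit --hashlimit-name "${q}_${port}" \
            --hashlimit-above 10/sec -j DROP
    done
    # Under-limit queries pass; anything else from a non-player is dropped, which
    # is what stops the server answering reflected queries (5) and absorbing them (6).
    for q in getchallenge getstatus getinfo; do
        $IPT -A "$chain" $(q3cmd "$q") -j ACCEPT
    done
    $IPT -A "$chain" -j DROP
}

list_game() {
    port="$2"
    $IPT -L "GAME_${port}" -n -v
}

unprotect_game() {
    ip="$1"; port="$2"; chain="GAME_${port}"
    $IPT -D INPUT -p udp -d "$ip" --dport "$port" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}

# Usage (mirrors the announcement's examples):
#   protect_game 10.1.2.3 28000; list_game 10.1.2.3 28000; unprotect_game 10.1.2.3 28000
```

Run it once in dry-run to read the generated commands, and call has_reap_support before applying on an old distribution: without --reap the recent list never expires idle players, so the "retired after 10 minutes" behaviour is lost; --hashlimit-above is likewise absent from old iptables releases. Two caveats for anyone adapting this shape: xt_recent keeps a bounded number of entries per list (the ip_list_tot module parameter, 100 by default), so a spoofed-source flood of whatever packet triggers --set can evict real players from the whitelist, which is why the join trigger deserves more care than the single "connect" match used here; and the rules only rate-limit, they do not authenticate, so a whitelisted IP that is being spoofed still gets the 100/s budget of rule 4.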