[cod] Game server whitelisting rules
Boyd G. Gafford Ph.D.
drboyd at westportresearch.com
Tue Apr 17 14:35:07 EDT 2012
You need the --reap option of the recent module for this new set to
work, and I don't believe that 1.3.5 has that option.
Can you check that out for me Brandon?
Just do a
man iptables
and then
/--reap
and see if that search shows it to you.
Thanks,
/Boyd/
On 04/17/2012 01:09 PM, Brandon R. Miller wrote:
> Will it work on CentOS 5.x with iptables 1.3.5?
>
> - Brandon M.
>
> On 4/17/2012 10:12 AM, Boyd G. Gafford Ph.D. wrote:
>> Just wanted to let everyone know that I am making the dynamic
>> whitelisting iptables rules I have been testing available to anyone
>> who runs a Q3-protocol server under Linux and wants to try them out.
>> These rules were designed for the most severe of all attacks, and
>> that is attacks where the source IP is spoofed and is random. It
>> also works for attacks from a single IP, as well as indirect
>> reflection attacks.
>>
>> We have 2 commercial server companies using these rules currently in
>> their production environment, and I am currently working with two
>> more. I also have test servers running on several VPS's that I use
>> for development.
>>
>> So what do the iptables do? Here's the list:
>>
>> 1) Players have their IP saved automatically at the kernel level when
>> they join a game server, and then those IPs are used as a filter for
>> other rules. When they leave the game server the IP is retired after
>> 10 minutes. (This is what we call a whitelisted player). This is
>> the main guts of the protection, as identifying valid players is
>> important to mitigating attacks.
>>
>> 2) Server query packets like 'getstatus' and 'getinfo' are rate
>> limited to 10/sec to prevent lag when they are used in a DOS attack.
>> Players that are whitelisted have their packets allowed (so they can
>> see server status while in game even during an attack).
>>
>> 3) 'getchallenge' packets (normally used by a player to join the
>> game) are rate limited to 2/sec, to prevent lag when they are used in
>> a DOS attack. Players that are whitelisted always have their
>> requests to join the server processed. This allows a player who was
>> recently playing the ability to join the server again, even when the
>> DOSer is trying to lock down the population on the server by spamming
>> fake players joining.
>>
>> 4) All other packets are rate limited per whitelisted player IP to no
>> more than 100/second, to prevent lag when a DOSer has stolen a valid
>> player IP address and is attacking with it in an attempt to break
>> through the whitelist rules.
>>
>> 5) Attempts to use your game server as a reflector to attack other
>> game servers are blocked (due to rate limiting in 1-4).
>>
>> 6) Reflection attack packets hitting your server are dropped (again
>> due to rate limiting in 1-4).
>>
>> 7) A custom packet (not part of the Q3 protocol) can be sent by a
>> player to break into and join a game that is under 24/7
>> 'getchallenge' attack. This is one of the slicker features of the
>> iptables rules, as this 'server lockdown' DOS attack is now easily
>> breached.
>>
>>
>> The iptables rules are added dynamically per server IP:PORT pair.
>> That way the rules affect nothing but UDP packets to that game
>> server. No other types of packets are affected whatsoever. To make
>> it easy, the rules have been put into shell scripts.
>>
>> Example: Protect the game running on 10.1.2.3 port 28000.
>>
>> # ./protectgame.sh 10.1.2.3 28000
>>
>> Example: Show the iptables rules currently protecting the game
>> running on 10.1.2.3 port 28000.
>>
>> # ./listgame.sh 10.1.2.3 28000
>>
>> Example: Remove the iptables rules protecting the game running on
>> 10.1.2.3 port 28000.
>>
>> # ./unprotectgame.sh 10.1.2.3 28000
>>
>> Rather than just send the scripts to the whole list here, I've
>> decided to ask anyone interested to Email me personally and request
>> it. If you run a commercial gaming service (or even your own COD
>> server and agree not to share it with anyone else), I will be happy
>> to send it to you and help you understand how to use it in your
>> environment.
>>
>> Thanks,
>>
>> /Boyd/
>>
>> /__________________________________
>> Boyd G. Gafford Ph.D.
>> Manager of Software Development
>> Westport Research Associates Inc.
>> 7001 Blue Ridge Blvd
>> Raytown, MO 64133
>> (816) 358-8990
>> drboyd at westportresearch.com
>> /
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
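A constructed rule generator for the set Boyd describes above, written as an added example and not the scripts he offers on the list. It assumes the iptables recent, string and hashlimit modules, keys the whitelist on the Q3 connect packet (the post only says "when they join"), and takes its thresholds from the post; the chain and list names are made up.

```shell
#!/bin/sh
# Constructed example, not the scripts from the list: emit the iptables rules the post
# describes for one game server IP:PORT. Chain/list names and module choices are assumptions.
# Commands are printed for review by default; APPLY=1 runs them (root plus the xt_recent,
# xt_string and xt_hashlimit modules required).
IPT=${IPT:-iptables}

game_rules() {
    addr=$1; port=$2
    chain="GAME_$port"      # per-server chain, so only UDP to addr:port is inspected
    list="players_$port"    # kernel-side whitelist kept by the recent module
    q3='|ffffffff|'         # Q3 connectionless packets start with four 0xff bytes
    printf '%s\n' \
      "$IPT -N $chain" \
      "$IPT -A INPUT -p udp -d $addr --dport $port -j $chain" \
      "# 1+4) whitelisted player: refresh timestamp, reap entries idle >10 min, cap 100 pkt/s per IP" \
      "$IPT -A $chain -m recent --name $list --update --seconds 600 --reap -m hashlimit --hashlimit-name $list --hashlimit-mode srcip --hashlimit-upto 100/sec --hashlimit-burst 100 -j ACCEPT" \
      "$IPT -A $chain -m recent --name $list --rcheck --seconds 600 -j DROP" \
      "# 2) getstatus/getinfo from everyone else share 10/s; the excess is dropped" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getstatus' -m limit --limit 10/sec -j ACCEPT" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getstatus' -j DROP" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getinfo' -m limit --limit 10/sec -j ACCEPT" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getinfo' -j DROP" \
      "# 3) getchallenge (start of a join) from everyone else: 2/s, excess dropped" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getchallenge' -m limit --limit 2/sec -j ACCEPT" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}getchallenge' -j DROP" \
      "# 1) a connect packet completes the join: record the source IP in the whitelist" \
      "$IPT -A $chain -m string --algo bm --hex-string '${q3}connect' -m recent --name $list --set -j ACCEPT" \
      "# anything else falls through to the rest of INPUT" \
      "$IPT -A $chain -j RETURN"
}

# Reverse of game_rules: detach the chain from INPUT, then flush and delete it.
game_unrules() {
    addr=$1; port=$2; chain="GAME_$port"
    printf '%s\n' \
      "$IPT -D INPUT -p udp -d $addr --dport $port -j $chain" \
      "$IPT -F $chain" "$IPT -X $chain"
}

if [ "$APPLY" = 1 ]; then
    game_rules "$1" "$2" | sh -e
else
    game_rules "${1:-10.1.2.3}" "${2:-28000}"
fi
```

The string match cannot verify the challenge, so a connect with a spoofed source is whitelisted too; the per-IP cap in rule 4 is what bounds that.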