[cod] Game server whitelisting rules

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Tue Apr 17 16:01:40 EDT 2012


That one's easy: it takes work.

The old Q3 protocol was really designed for a different era, as it is 
what, over 10 years old now?  I have often thought it would be nice if 
they reworked the protocol to put some light encryption on the packets, 
or at least stiffen up the exchange with even some clever identification 
on each frame.

But yeah, some of the games that run this protocol are so old that the 
companies that sold them really don't care about fixing something that 
won't make them much money.

Sad really.

On 04/17/2012 02:48 PM, Bobby wrote:
>
> I have a dumb question: why won't the game company fix/patch the game 
> to prevent further attacks?
>
> -Bobby
>
> *From:*Boyd G. Gafford Ph.D. [mailto:drboyd at westportresearch.com]
> *Sent:* Tuesday, April 17, 2012 3:35 PM
> *To:* cod at icculus.org
> *Subject:* Re: [cod] Game server whitelisting rules
>
> Also, just a quick shout out to Escaped Turkey (escapedturkey.com), 
> who has been a big help in this whole development process.
>
> The rules have been a collaboration between us for several months now, 
> to get to the point where the rules are mature enough to withstand so 
> many different attacks.  Escaped Turkey was one of the first companies 
> to give ServerArk a try, which led to moving all the ServerArk logic 
> into the kernel with these custom iptables rules, and to eventually 
> getting the whitelisting working.
>
> Thanks ET!
>
> :)
>
> __________________________________
> Boyd G. Gafford Ph.D.
> Manager of Software Development
> Westport Research Associates Inc.
> 7001 Blue Ridge Blvd
> Raytown, MO 64133
> (816) 358-8990
> drboyd at westportresearch.com
>
>
> On 04/17/2012 10:58 AM, escapedturkey wrote:
>
> On top of that, using webmin and usermin, I have developed scripts (to 
> utilize Boyd's scripts) where the user simply clicks one of two 
> buttons, then within 30 minutes protection is enabled or disabled. 
> There is another script to display the protection status. This way 
> root runs a script every 30 minutes, searches to see who has enabled 
> or disabled protection, then adds or removes the rules to iptables.
>
> For more information on how the scripts work, please see the following:
>
> https://www.escapedturkey.com/links/serverprotection
>
> I will gladly share these scripts as well. Please drop me an e-mail if 
> you are interested. The more protection we have for everyone's game 
> servers, the better the community will be. =)
>
> On Tue, Apr 17, 2012 at 11:12 AM, Boyd G. Gafford Ph.D. 
> <drboyd at westportresearch.com> wrote:
>
> Just wanted to let everyone know that I am making the dynamic 
> whitelisting iptables rules I have been testing available to anyone 
> who runs a Q3-protocol server under Linux and wants to try them out.  
> These rules were designed for the most severe of all attacks, and that 
> is attacks where the source IP is spoofed and is random.  It also 
> works for attacks from a single IP, as well as indirect 
> reflection attacks.
>
> We have 2 commercial server companies using these rules currently in 
> their production environment, and I am currently working with two 
> more.  I also have test servers running on several VPSes that I use 
> for development.
>
> So what do the iptables do?  Here's the list:
>
> 1) Players have their IP saved automatically at the kernel level when 
> they join a game server, and then those IPs are used as a filter for 
> other rules.  When they leave the game server the IP is retired after 
> 10 minutes.  (This is what we call a whitelisted player).  This is the 
> main guts of the protection, as identifying valid players is important 
> to mitigating attacks.
>
> 2) Server query packets like 'getstatus' and 'getinfo' are rate 
> limited to 10/sec to prevent lag when they are used in a DoS attack.  
> Players that are whitelisted have their packets allowed (so they can 
> see server status while in game even during an attack).
>
> 3) 'getchallenge' packets (normally used by a player to join the game) 
> are rate limited to 2/sec, to prevent lag when they are used in a DoS 
> attack.  Players that are whitelisted always have their requests to 
> join the server processed.  This allows a player who was recently 
> playing the ability to join the server again, even when the DoSer is 
> trying to lock down the population on the server by spamming fake 
> players joining.
>
> 4) All other packets are rate limited per whitelisted player IP to no 
> more than 100/second, to prevent lag when a DoSer has stolen a valid 
> player IP address and is attacking with it in an attempt to break 
> through the whitelist rules.
>
> 5) Attempts to use your game server as a reflector to attack other 
> game servers are blocked (due to rate limiting in 1-4).
>
> 6) Reflection attack packets hitting your server are dropped (again 
> due to rate limiting in 1-4).
>
> 7) A custom packet (not part of the Q3 protocol) can be sent by a 
> player to break into and join a game that is under 24/7 'getchallenge' 
> attack.  This is one of the slicker features of the iptables rules, as 
> this 'server lockdown' DoS attack is now easily breached.
>
>
> The iptables rules are added dynamically per server IP:PORT pair.  
> That way the rules affect nothing but UDP packets to that game 
> server.  No other types of packets are affected whatsoever.  To make 
> it easy, the rules have been put into shell scripts.
>
> Example:  Protect the game running on 10.1.2.3 port 28000.
>
> # ./protectgame.sh 10.1.2.3 28000
>
> Example:  Show the iptables rules currently protecting the game 
> running on 10.1.2.3 port 28000.
>
> # ./listgame.sh 10.1.2.3 28000
>
> Example:  Remove the iptables rules protecting the game running on 
> 10.1.2.3 port 28000.
>
> # ./unprotectgame.sh 10.1.2.3 28000
>
> Rather than just send the scripts to the whole list here, I've decided 
> to ask anyone interested to Email me personally and request it.  If 
> you run a commercial gaming service (or even your own COD server and 
> agree not to share it with anyone else), I will be happy to send it to 
> you and help you understand how to use it in your environment.
>
> Thanks,
>
> Boyd
>
>
> __________________________________
> Boyd G. Gafford Ph.D.
> Manager of Software Development
> Westport Research Associates Inc.
> 7001 Blue Ridge Blvd
> Raytown, MO 64133
> (816) 358-8990
> drboyd at westportresearch.com
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>
>
>
> -- 
>
> EscapedTurkey.com Billing and Support
>
> https://www.escapedturkey.com/helpdesk
>
>
>
>
>
>
>
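The seven behaviours Boyd lists in his original post, sketched as iptables rules. This is an added example, not the ServerArk scripts from the thread (those were only sent on request), and it makes its own assumptions: the chain name `Q3_<port>`, the `xt_recent` list name, the use of the `connect` packet as the "join" trigger for rule 1, the `KNOCK` token standing in for the custom break-in packet of rule 7, and a small global budget for unclassified non-whitelisted traffic to cover rules 5 and 6. `IPT` defaults to `echo iptables`, so running the script only prints the rules; set `IPT=iptables` and run as root to install them.

```shell
#!/bin/sh
# Added example of Q3-style whitelisting in iptables. NOT the ServerArk
# scripts from the thread; chain names, the 'connect' trigger, the KNOCK
# token and the fallback limit are this example's own assumptions.
# IPT defaults to "echo iptables" so rules are printed, not applied.
IPT="${IPT:-echo iptables}"
# Assumed break-in token (rule 7). Not part of the Q3 protocol; pick your own.
KNOCK="${KNOCK:-q3knock-CHANGEME}"
Q3HDR="|ff ff ff ff|"   # connectionless Q3 packets start with four 0xff bytes

q3_rules() {
    ip="$1"; port="$2"
    chain="Q3_${port}"          # one chain per IP:PORT pair
    wl="q3wl_${port}"           # xt_recent list holding whitelisted player IPs
    sel="-p udp -d $ip --dport $port"   # only UDP to this game server enters the chain

    $IPT -N "$chain"
    $IPT -I INPUT $sel -j "$chain"

    # 7) Break-in packet: the sender gets whitelisted, the packet itself is dropped
    #    (the game server would not understand it anyway).
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}${KNOCK}" \
        -m recent --name "$wl" --set -j DROP

    # 1) A 'connect' (the join after the challenge) records the source IP.
    #    No target: the packet falls through and is accepted as whitelisted below.
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}connect" \
        -m recent --name "$wl" --set

    # 4) Whitelisted IP sending more than 100 pkt/s (stolen/spoofed player
    #    address): drop. --update refreshes the entry on every packet, so an
    #    IP not seen for 600 s (player left) expires, as in rule 1.
    $IPT -A "$chain" -m recent --name "$wl" --update --seconds 600 \
        -m hashlimit --hashlimit-mode srcip --hashlimit-above 100/second \
        --hashlimit-name "$wl" -j DROP
    # 1-3) Whitelisted IP under the cap: everything accepted, queries and joins included.
    $IPT -A "$chain" -m recent --name "$wl" --rcheck --seconds 600 -j ACCEPT

    # 2) getstatus/getinfo from everyone else: 10/s for the whole server.
    for q in getstatus getinfo; do
        $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}${q}" \
            -m limit --limit 10/second --limit-burst 10 -j ACCEPT
        $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}${q}" -j DROP
    done
    # 3) getchallenge from everyone else: 2/s.
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}getchallenge" \
        -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    $IPT -A "$chain" -m string --algo bm --hex-string "${Q3HDR}getchallenge" -j DROP
    # 5-6) Anything else from non-whitelisted sources (reflected replies, floods)
    #      gets a small global budget (assumed value; keeps e.g. rcon usable), then drop.
    $IPT -A "$chain" -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    $IPT -A "$chain" -j DROP
}

# Counterpart of listgame.sh: ip is accepted for symmetry, only the port names the chain.
q3_list() {
    $IPT -L "Q3_$2" -n -v
}

# Counterpart of unprotectgame.sh: unhook, flush and delete the chain.
q3_unrules() {
    ip="$1"; port="$2"; chain="Q3_${port}"
    $IPT -D INPUT -p udp -d "$ip" --dport "$port" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}

# Usage: IPT=iptables ./q3protect.sh protect|list|unprotect 10.1.2.3 28000
case "${1:-}" in
    protect)   q3_rules   "$2" "$3" ;;
    list)      q3_list    "$2" "$3" ;;
    unprotect) q3_unrules "$2" "$3" ;;
esac
```

Two caveats a practitioner should keep in mind with this sketch. The kernel cannot verify the challenge inside a `connect`, so an attacker spraying `connect` packets from spoofed sources can push junk into the `xt_recent` list; the list is bounded (default 100 entries per list, tunable via the `ip_list_tot` module parameter of `xt_recent`), which limits the damage but can also evict real players on a busy server. And `-m string` scans every packet to the port, which is noticeably more expensive than plain port matching, so keep the chain scoped to the game server's IP:PORT as done here.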