[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

John lists.cod at nuclearfallout.net
Wed Feb 22 13:29:12 EST 2012


The comments on the tool say this:

  * So how does it work?  Very simply, it captures one second of
  * UDP frames every minute directly from the kernel, via the pcap
  * interface (the same one tcpdump uses).  It then analyzes only those
  * UDP frames targeted to a port on which a game server is running.
  * It then tallies all the different IP addresses (one for each "player"),
  * and if there are "too many" packets for the IP, it uses iptables to
  * tell the kernel to drop those packets, so they never make it to the
  * game server itself. This effectively blocks the attack from affecting
  * the current players on the server.  See the serverark.conf file for
  * more information.

This will help with specific types of attacks, but if you are the target 
of a distributed flood, you could see quite a few iptables rules 
created. For performance reasons, the author should consider switching 
to the "ipset" module and tools, with a single iptables rule. (By 
default, I see that it limits the number of blocked IPs to 128, so it's 
meant for small attacks.)

The tool will also unfortunately not help against attacks involving 
randomized, spoofed IPs, which are a significant percentage of the ones 
we see. For that type of attack, traffic will need to be manually analyzed.

-John
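
An added example, not part of the original post and not ServerArk's code: a sketch of the ipset approach suggested above, doing the same per-source tally over one capture window but emitting `ipset restore` input so a single iptables rule covers every blocked address. The set name, threshold, timeout, capacity and the "src_ip dst_port" input format are assumptions, and the sample window is constructed.

```shell
#!/bin/sh
# Added example (not ServerArk code). Assumed names and values: SET_NAME,
# THRESHOLD, TIMEOUT, MAXELEM, and the "src_ip dst_port" input format.
SET_NAME="gs_flood_block"
THRESHOLD=200    # frames per source in one capture window treated as "too many"
TIMEOUT=600      # seconds until the kernel expires an entry on its own
MAXELEM=65536    # set capacity, far above a 128-rule ceiling

# build_restore PORT: reads one "src_ip dst_port" line per captured UDP frame
# on stdin and prints `ipset restore` input for sources over THRESHOLD.
build_restore() {
  printf 'create %s hash:ip timeout %d maxelem %d\n' \
    "$SET_NAME" "$TIMEOUT" "$MAXELEM"
  awk -v port="$1" -v thr="$THRESHOLD" -v name="$SET_NAME" '
    # Count only frames aimed at the game port, and only well-formed IPv4
    # sources, so nothing unexpected reaches the ipset command stream.
    $2 == port && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { count[$1]++ }
    END { for (ip in count) if (count[ip] > thr) print "add", name, ip }
  ' | sort
}

# Constructed sample window: one source floods the game port, two ordinary
# players send 30 frames each, and one source floods an unrelated port.
sample_window() {
  awk 'BEGIN {
    for (i = 0; i < 500; i++) print "203.0.113.7 28960"
    for (i = 0; i < 30; i++) { print "192.0.2.10 28960"; print "192.0.2.11 28960" }
    for (i = 0; i < 400; i++) print "198.51.100.9 27015"
  }'
}

# Applying the result needs root; the rule is inserted once, and later windows
# only add set entries:
#   build_restore 28960 < window.txt | ipset -exist restore
#   iptables -C INPUT -p udp -m set --match-set gs_flood_block src -j DROP \
#     2>/dev/null ||
#     iptables -I INPUT -p udp -m set --match-set gs_flood_block src -j DROP

# Prints the create line followed by: add gs_flood_block 203.0.113.7
sample_window | build_restore 28960
```

Because the set is created with a timeout, blocked entries expire without a cleanup pass. As the post notes for ServerArk itself, a per-source tally like this does not help when the sources are randomized and spoofed.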


On 2/22/2012 9:36 AM, Geoff Goas wrote:
> Has anyone tried this yet?
>
> I just got hit with a bandwidth overage fee on my dedi, further 
> investigation shows my CoD2 servers are being used for these 
> reflection attacks... sigh.
>
> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey 
> <escapedturkey at escapedturkey.com 
> <mailto:escapedturkey at escapedturkey.com>> wrote:
>
>     I was given permission by the developer to share this program that
>     he has been developing.
>
>     It supposedly stops spam kind of attacks against servers --
>     specifically for Jedi Academy. I am curious if it helps for other
>     games too.
>
>     # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>
>     "# A UDP flood attack analyzer and adaptive blocker for gaming
>     servers."
>
>     http://elitewarriors.net/serverark/serverark_0.93.zip
>
>
>
>     _______________________________________________
>     cod mailing list
>     cod at icculus.org <mailto:cod at icculus.org>
>     http://icculus.org/mailman/listinfo/cod
>
>
>
>
> -- 
> /*Geoff Goas
> Systems Engineer*/
