[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

Marco Padovan evcz at evcz.tk
Wed Feb 22 15:26:06 EST 2012


I still don't know why people do not use the rules you posted a few
weeks ago that should do everything by themselves :|

On 22/02/2012 19:29, John wrote:
> The comments on the tool say this:
>
>  * So how does it work?  Very simply, it captures one second of
>  * UDP frames every minute directly from the kernel, via the pcap
>  * interface (the same one tcpdump uses).  It then analyzes only those
>  * UDP frames targeted to a port on which a game server is running.
>  * It then tallies all the different IP addresses (one for each "player"),
>  * and if there are "too many" packets for the IP, it uses iptables to
>  * tell the kernel to drop those packets, so they never make it to the
>  * game server itself. This effectively blocks the attack from affecting
>  * the current players on the server.  See the serverark.conf file for
>  * more information.
>
> This will help with specific types of attacks, but if you are the
> target of a distributed flood, you could see quite a few iptables
> rules created. For performance reasons, the author should consider
> switching to the "ipset" module and tools, with a single iptables
> rule. (By default, I see that it limits the number of blocked IPs to
> 128, so it's meant for small attacks.)
>
> The tool will also unfortunately not help against attacks involving
> randomized, spoofed IPs, which are a significant percentage of the
> ones we see. For that type of attack, traffic will need to be manually
> analyzed.
>
> -John
>
>
> On 2/22/2012 9:36 AM, Geoff Goas wrote:
>> Has anyone tried this yet?
>>
>> I just got hit with a bandwidth overage fee on my dedi, further
>> investigation shows my CoD2 servers are being used for these
>> reflection attacks... sigh.
>>
>> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey
>> <escapedturkey at escapedturkey.com> wrote:
>>
>>     I was given permission by the developer to share this program
>>     that he has been developing.
>>
>>     It supposedly stops spam-type attacks against servers --
>>     specifically for Jedi Academy. I am curious if it helps for other
>>     games too.
>>
>>     # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>>
>>     "# A UDP flood attack analyzer and adaptive blocker for gaming
>>     servers."
>>
>>     http://elitewarriors.net/serverark/serverark_0.93.zip
>>
>>
>>
>>     _______________________________________________
>>     cod mailing list
>>     cod at icculus.org <mailto:cod at icculus.org>
>>     http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> -- 
>> /*Geoff Goas
>> Systems Engineer*/
>>
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
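
The per-source tally quoted above, combined with the ipset suggestion from the reply, as an added example that is not part of this thread or of ServerArk. The set name, port 28960, threshold, timeout and the "src_ip dst_port" input format are assumptions, and the commands are printed rather than run so it works without root.

```shell
#!/bin/sh
# Added example, not ServerArk's code. SET_NAME, BLOCK_TIMEOUT, the port
# and the threshold are assumptions chosen for illustration.
SET_NAME=game_flood
BLOCK_TIMEOUT=600   # seconds before a blocked source expires from the set

# One-time setup: a single iptables rule matches the whole set, so the
# rule count stays constant however many sources get blocked.
print_setup() {
    port=$1
    echo "ipset -exist create $SET_NAME hash:ip timeout $BLOCK_TIMEOUT"
    echo "iptables -I INPUT -p udp --dport $port -m set --match-set $SET_NAME src -j DROP"
}

# Reads "src_ip dst_port" lines (one per captured UDP frame) on stdin,
# tallies frames per source for the game port only, and prints one
# "ipset add" for each source whose count exceeds the threshold.
plan_blocks() {
    port=$1 threshold=$2
    awk -v port="$port" -v max="$threshold" '
        $2 == port { count[$1]++ }
        END { for (ip in count) if (count[ip] > max) print ip }
    ' | sort | while read -r ip; do
        echo "ipset -exist add $SET_NAME $ip timeout $BLOCK_TIMEOUT"
    done
}

# Constructed one-second sample: one heavy source, two ordinary players,
# and traffic to an unrelated port that must be ignored.
sample_capture() {
    awk 'BEGIN {
        for (i = 0; i < 500; i++) print "203.0.113.7 28960"
        for (i = 0; i < 30; i++)  print "198.51.100.10 28960"
        for (i = 0; i < 25; i++)  print "198.51.100.11 28960"
        for (i = 0; i < 900; i++) print "192.0.2.50 53"
    }'
}

# Constructed spoofed-source sample: 300 sources, 2 frames each. The total
# is a flood, but no single source crosses a per-IP threshold.
spoofed_capture() {
    awk 'BEGIN { for (i = 0; i < 300; i++) {
        ip = "198.18." int(i / 250) "." (i % 250)
        print ip, 28960; print ip, 28960 } }'
}

print_setup 28960
echo "# single-source flood:";  sample_capture  | plan_blocks 28960 100
echo "# spoofed-source flood:"; spoofed_capture | plan_blocks 28960 100
```

The second run prints no block commands, which is the limitation with randomized, spoofed sources described in the reply.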