[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

escaped turkey escapedturkey at escapedturkey.com
Wed Feb 22 15:34:19 EST 2012


Can you repost those rules please?

Thank you. :)

EscapedTurkey Billing and Support
https://escapedturkey.com/helpdesk

On Feb 22, 2012, at 3:26 PM, Marco Padovan <evcz at evcz.tk> wrote:

I still don't know why people do not use the rules you posted a few weeks
ago that should do everything by themselves :|

On 22/02/2012 19:29, John wrote:

 The comments on the tool say this:

 * So how does it work?  Very simply, it captures one second of
 * UDP frames every minute directly from the kernel, via the pcap
 * interface (the same one tcpdump uses).  It then analyzes only those
 * UDP frames targeted to a port on which a game server is running.
 * It then tallies all the different IP addresses (one for each "player"),
 * and if there are "too many" packets for the IP, it uses iptables to
 * tell the kernel to drop those packets, so they never make it to the
 * game server itself. This effectively blocks the attack from affecting
 * the current players on the server.  See the serverark.conf file for
 * more information.

This will help with specific types of attacks, but if you are the target of
a distributed flood, you could see quite a few iptables rules created. For
performance reasons, the author should consider switching to the "ipset"
module and tools, with a single iptables rule. (By default, I see that it
limits the number of blocked IPs to 128, so it's meant for small attacks.)

The tool will also unfortunately not help against attacks involving
randomized, spoofed IPs, which are a significant percentage of the ones we
see. For that type of attack, traffic will need to be manually analyzed.

-John


On 2/22/2012 9:36 AM, Geoff Goas wrote:

Has anyone tried this yet?

I just got hit with a bandwidth overage fee on my dedi, further
investigation shows my CoD2 servers are being used for these reflection
attacks... sigh.

On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey <escapedturkey at escapedturkey.com> wrote:

> I was given permission by the developer to share this program that he has
> been developing.
>
> It supposedly stops spam kind of attacks against servers -- specifically
> for Jedi Academy. I am curious if it helps for other games too.
>
> # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>
> "# A UDP flood attack analyzer and adaptive blocker for gaming servers."
>
> http://elitewarriors.net/serverark/serverark_0.93.zip
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>


-- 
*Geoff Goas
Systems Engineer*
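
The per-source tally quoted from the tool's comments, combined with John's suggestion of an ipset set behind a single iptables rule, as an added example that is not part of the thread and is not ServerArk's code. The port, threshold, set name and sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

GAME_PORTS = {28960}     # assumption: default CoD port; use your servers' ports
THRESHOLD = 100          # assumption: packets per source in a one-second sample
SET_NAME = "gameflood"   # hypothetical ipset name

def tally(packets, ports=GAME_PORTS):
    """Count UDP packets per source IP, only for game-server ports."""
    return Counter(src for src, dport in packets if dport in ports)

def offenders(counts, threshold=THRESHOLD):
    """Sources over the threshold; each is validated as an IPv4 address
    before it is ever placed into a command line."""
    bad = [ip for ip, n in counts.items() if n > threshold]
    return sorted(str(ipaddress.IPv4Address(ip)) for ip in bad)

def block_commands(ips, set_name=SET_NAME, timeout=600):
    """One set and one iptables rule; every offender is just a set entry
    that expires after `timeout` seconds."""
    rule = f"INPUT -p udp -m set --match-set {set_name} src -j DROP"
    cmds = [f"ipset create {set_name} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in ips]
    # -C checks for the rule first, so repeated runs do not stack duplicates.
    cmds.append(f"iptables -C {rule} || iptables -I {rule}")
    return cmds

# Constructed sample: (source IP, destination UDP port) seen in one second.
SAMPLE = ([("192.0.2.10", 28960)] * 20        # ordinary player
          + [("198.51.100.7", 28960)] * 500   # single-source flood
          + [("203.0.113.9", 27015)] * 300)   # not a game port here, ignored

if __name__ == "__main__":
    for cmd in block_commands(offenders(tally(SAMPLE))):
        print(cmd)
```

As John notes, a tally keyed on source address does nothing against randomized, spoofed sources, since no single address crosses the threshold.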


