[cod] CoD2 UDP flood

Håvard Pedersen fuzzy76 at fuzzy76.net
Fri Feb 24 07:12:36 EST 2012


This seemed to work great so far, also for Call of Duty 1! 95% of my
traffic dropped instantly. Be aware that the web-based mailing list
archive wraps the lines, so it won't work with a direct copy-paste
from there (all lines should start with "iptables" or a # character;
if one doesn't, it has been wrapped).

For people like me, who look at iptables as some kind of voodoo,
these articles helped:

https://help.ubuntu.com/community/IptablesHowTo (for actually setting the rules)
http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html
(for keeping them between reboots)


Håvard Pedersen
http://fuzzy76.net/




On Sat, Jan 21, 2012 at 01:51, John <lists.cod at nuclearfallout.net> wrote:
> On 1/20/2012 3:27 PM, Marco Padovan wrote:
>
> I was referring to dynamic filtering using -m recent
>
> [not] to manually adding IPs O.o
>
>
> Marco's right about this. The most effective way to prevent effects from
> these attacks on Linux is to use a combination of the "string", "hashlimit",
> and "recent" modules. Done right, the solution is mostly automatic, so you
> shouldn't need to manually add IPs.
>
> These commands, for instance, would block external IPs that send queries at
> a rate of 2/second or higher:
>
> # add a host to the banlist and then drop the packet.
> iptables -N QUERY-BLOCK
> iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
>
> # is this a query packet? if so, block commonly attacked ports outright,
> # then see if it's a known attacking IP, then see if it is sending at a high
> # rate and should be added to the list of known attacking IPs.
> iptables -N QUERY-CHECK
> iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
> iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
> iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
> # is it already blocked? continue blocking it and update the counter so it
> # gets blocked for at least another 30 seconds.
> iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
> # check to see if it exceeds our rate threshold,
> # and add it to the list if it does.
> iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
>
> # look at all the packets going to q3/cod*/et/etc servers
> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>
> The "recent" module makes it possible to block up to 100 IPs at once with
> this method (any attackers beyond this would only be rate-limited). That
> number can be raised when the module is loaded, but I haven't seen 100
> attacks happening at once yet (typically it's maybe 5-20 at once). You can
> see blocked hosts later by looking at /proc/net/xt_recent/blocked-hosts.
>
> (If you don't have "recent", you could get away without it -- just be aware
> that some of the packets will get through, increasing load on the game
> server. Without "hashlimit", you'd still see an advantage from the port
> checks, but you'd need to manually block IPs that are being hit on other
> ports. Without "string", you'd similarly be down to just port checks, and
> need to take out the other rules.)
>
> -John
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>

