[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers
Mavrick
mavrick.master at gmail.com
Mon Mar 12 23:50:40 EDT 2012
Bump on the rules, however I am trying to use serverark and I'm getting
this:
# ./serverark -d
./serverark: error while loading shared libraries: libpcap.so.0.8:
cannot open shared object file: No such file or directory
# locate libpcap
/usr/lib64/libpcap.so.1
/usr/lib64/libpcap.so.1.0.0
/usr/share/doc/libpcap-1.0.0
# uname -a
Linux game1.frag-live.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Tue Feb 14
04:00:16 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
Best Regards,
Daniel "mavrick" Lang
On 23/02/12 6:34 AM, escaped turkey wrote:
> Can you repost those rules please?
>
> Thank you. :)
>
> EscapedTurkey Billing and Support
> https://escapedturkey.com/helpdesk
>
> On Feb 22, 2012, at 3:26 PM, Marco Padovan <evcz at evcz.tk> wrote:
>
>> I still don't know why people do not use the rules you posted a few
>> weeks ago that should do everything by themselves :|
>>
>> On 22/02/2012 19:29, John wrote:
>>> The comments on the tool say this:
>>>
>>> * So how does it work? Very simply, it captures one second of
>>> * UDP frames every minute directly from the kernel, via the pcap
>>> * interface (the same one tcpdump uses). It then analyzes only those
>>> * UDP frames targeted to a port on which a game server is running.
>>> * It then tallies all the different IP addresses (one for each "player"),
>>> * and if there are "too many" packets for the IP, it uses iptables to
>>> * tell the kernel to drop those packets, so they never make it to the
>>> * game server itself. This effectively blocks the attack from affecting
>>> * the current players on the server. See the serverark.conf file for
>>> * more information.
>>>
>>> This will help with specific types of attacks, but if you are the
>>> target of a distributed flood, you could see quite a few iptables
>>> rules created. For performance reasons, the author should consider
>>> switching to the "ipset" module and tools, with a single iptables
>>> rule. (By default, I see that it limits the number of blocked IPs to
>>> 128, so it's meant for small attacks.)
>>>
>>> The tool will also unfortunately not help against attacks involving
>>> randomized, spoofed IPs, which are a significant percentage of the
>>> ones we see. For that type of attack, traffic will need to be
>>> manually analyzed.
>>>
>>> -John
>>>
>>>
>>> On 2/22/2012 9:36 AM, Geoff Goas wrote:
>>>> Has anyone tried this yet?
>>>>
>>>> I just got hit with a bandwidth overage fee on my dedi, further
>>>> investigation shows my CoD2 servers are being used for these
>>>> reflection attacks... sigh.
>>>>
>>>> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey
>>>> <escapedturkey at escapedturkey.com> wrote:
>>>>
>>>> I was given permission by the developer to share this program
>>>> that he has been developing.
>>>>
>>>> It supposedly stops spam kind of attacks against servers --
>>>> specifically for Jedi Academy. I am curious if it helps for
>>>> other games too.
>>>>
>>>> # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>>>>
>>>> "# A UDP flood attack analyzer and adaptive blocker for gaming
>>>> servers."
>>>>
>>>> http://elitewarriors.net/serverark/serverark_0.93.zip
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> /*Geoff Goas
>>>> Systems Engineer*/
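
The tally-and-block logic quoted from the tool's comments, combined with John's suggestion of one ipset behind a single iptables rule, as an added example that is not ServerArk's code and was not posted in this thread. The port, threshold, set name, timeout and sample traffic are assumptions constructed for illustration; the last sample shows the randomized spoofed-source case he describes, where no single address crosses the threshold.

```python
import ipaddress
from collections import Counter

GAME_PORTS = {28960}   # assumption: UDP port the game server listens on
MAX_PPS = 100          # assumption: packets/second from one IP that is "too many"
MAX_BLOCKED = 128      # the default block limit John mentions in the thread

def tally(sample, ports=GAME_PORTS):
    """Count packets per source IP, ignoring frames not aimed at a game port."""
    return Counter(src for src, dport in sample if dport in ports)

def offenders(counts, max_pps=MAX_PPS, cap=MAX_BLOCKED):
    """Sources over the threshold, busiest first, truncated at the block cap."""
    return [ip for ip, n in counts.most_common() if n > max_pps][:cap]

def ipset_restore(ips, setname="udpflood", timeout=3600):
    """Input for `ipset -exist restore`: one hash:ip set whose entries expire."""
    # setname and timeout are hypothetical values chosen for this example
    lines = [f"create {setname} hash:ip timeout {timeout}"]
    lines += [f"add {setname} {ip}" for ip in ips]
    return "\n".join(lines)

def iptables_rule(setname="udpflood"):
    """The single rule that replaces one DROP rule per blocked address."""
    return f"iptables -I INPUT -p udp -m set --match-set {setname} src -j DROP"

# Constructed one-second samples of (source IP, destination port).
PLAYERS = [(f"192.0.2.{i}", 28960) for i in range(1, 11) for _ in range(30)]
FLOODER = [("203.0.113.7", 28960)] * 500
OTHER = [("203.0.113.9", 53)] * 900            # busy, but not a game port
SAMPLE = PLAYERS + FLOODER + OTHER
# Randomized spoofed sources: 2000 packets, one per address, none over threshold.
SPOOFED = [(str(ipaddress.IPv4Address(0xC6120000 + i)), 28960)
           for i in range(2000)]

if __name__ == "__main__":
    print(ipset_restore(offenders(tally(SAMPLE))))
    print(iptables_rule())
    print("blocked under spoofed flood:", offenders(tally(SPOOFED)))
```
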