[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

Mark Grigsby tog at teamltk.com
Tue Mar 13 00:31:20 EDT 2012


You should be able to just link the files.

 ls -al `locate libpcap.so`
lrwxrwxrwx 1 root root     16 2012-03-07 18:45 /usr/lib/libpcap.so.0.8 -> libpcap.so.1.1.1
-rw-r--r-- 1 root root 206936 2010-05-09 08:44 /usr/lib/libpcap.so.1.1.1




On Mon, Mar 12, 2012 at 8:50 PM, Mavrick <mavrick.master at gmail.com> wrote:

>  Bump on the rules, however I am trying to use serverark and I'm getting
> this:
>
> # ./serverark -d
> ./serverark: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
>
> # locate libpcap
> /usr/lib64/libpcap.so.1
> /usr/lib64/libpcap.so.1.0.0
> /usr/share/doc/libpcap-1.0.0
>
> # uname -a
> Linux game1.frag-live.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Tue Feb 14 04:00:16 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Best Regards,
>
> Daniel "mavrick" Lang
>
>
>
> On 23/02/12 6:34 AM, escaped turkey wrote:
>
> Can you repost those rules please?
>
>  Thank you. :)
>
> EscapedTurkey Billing and Support
> https://escapedturkey.com/helpdesk
>
> On Feb 22, 2012, at 3:26 PM, Marco Padovan <evcz at evcz.tk> wrote:
>
>   I still don't know why people do not use the rules you posted a few
> weeks ago that should do everything by themselves :|
>
> On 22/02/2012 19:29, John wrote:
>
> The comments on the tool say this:
>
>  * So how does it work?  Very simply, it captures one second of
>  * UDP frames every minute directly from the kernel, via the pcap
>  * interface (the same one tcpdump uses).  It then analyzes only those
>  * UDP frames targeted to a port on which a game server is running.
>  * It then tallies all the different IP addresses (one for each "player"),
>  * and if there are "too many" packets for the IP, it uses iptables to
>  * tell the kernel to drop those packets, so they never make it to the
>  * game server itself. This effectively blocks the attack from affecting
>  * the current players on the server.  See the serverark.conf file for
>  * more information.
>
> This will help with specific types of attacks, but if you are the target
> of a distributed flood, you could see quite a few iptables rules created.
> For performance reasons, the author should consider switching to the
> "ipset" module and tools, with a single iptables rule. (By default, I see
> that it limits the number of blocked IPs to 128, so it's meant for small
> attacks.)
>
> The tool will also unfortunately not help against attacks involving
> randomized, spoofed IPs, which are a significant percentage of the ones we
> see. For that type of attack, traffic will need to be manually analyzed.
>
> -John
>
>
> On 2/22/2012 9:36 AM, Geoff Goas wrote:
>
> Has anyone tried this yet?
>
> I just got hit with a bandwidth overage fee on my dedi, further
> investigation shows my CoD2 servers are being used for these reflection
> attacks... sigh.
>
> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey <escapedturkey at escapedturkey.com> wrote:
>
>> I was given permission by the developer to share this program that he has
>> been developing.
>>
>> It supposedly stops spam kind of attacks against servers -- specifically
>> for Jedi Academy. I am curious if it helps for other games too.
>>
>> # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>>
>> "# A UDP flood attack analyzer and adaptive blocker for gaming servers."
>>
>> http://elitewarriors.net/serverark/serverark_0.93.zip
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>
>
> --
> *Geoff Goas
> Systems Engineer*
>


-- 
Mark Grigsby
63613 S. Barview Rd
Coos Bay, OR. 97420
DID: 541-762-1171
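
Added example (not ServerArk's code and not part of the original thread): the per-source tally described in the quoted tool comments, feeding an ipset behind a single iptables rule as John suggests. The game port, threshold, set name, timeout and the sample packets are assumptions constructed for illustration.

```python
from collections import Counter

GAME_PORTS = {28960}   # assumed UDP port of the game server
MAX_PER_WINDOW = 50    # assumed "too many" packets per source in one window
MAX_BLOCKED = 128      # block-list cap mentioned in the thread
SET_NAME = "udpflood"  # hypothetical ipset name

def offenders(packets, ports=GAME_PORTS, limit=MAX_PER_WINDOW, cap=MAX_BLOCKED):
    """Tally one capture window per source IP and return sources over the limit.

    packets: iterable of (src_ip, dst_port) for UDP frames seen in the window.
    Frames to ports without a game server are ignored; the result is sorted
    by packet count and truncated to the block-list cap.
    """
    tally = Counter(src for src, dport in packets if dport in ports)
    over = [(ip, n) for ip, n in tally.most_common() if n > limit]
    return over[:cap]

def setup_commands(set_name=SET_NAME, timeout=600):
    """Run once: one set and ONE iptables rule, however many IPs get blocked."""
    return [
        f"ipset create {set_name} hash:ip maxelem {MAX_BLOCKED} "
        f"timeout {timeout} -exist",
        f"iptables -I INPUT -p udp -m set --match-set {set_name} src -j DROP",
    ]

def block_commands(over, set_name=SET_NAME):
    """Run after each window: add offenders to the set (entries expire)."""
    return [f"ipset add {set_name} {ip} -exist" for ip, _ in over]

def sample_window():
    """Constructed one-second window, not real traffic."""
    pkts = [("203.0.113.7", 28960)] * 400   # single-source flood
    pkts += [("192.0.2.10", 28960)] * 30    # normal player
    pkts += [("192.0.2.11", 27015)] * 900   # busy, but not a watched port
    # Randomized spoofed sources: one packet each, so none crosses the limit.
    pkts += [(f"198.51.100.{i}", 28960) for i in range(1, 201)]
    return pkts

if __name__ == "__main__":
    for cmd in setup_commands() + block_commands(offenders(sample_window())):
        print(cmd)
```

In the sample, only the single-source flood is blocked; the 200 spoofed sources each stay under the threshold, which is the limitation John describes.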