[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers
Boyd G. Gafford Ph.D.
drboyd at westportresearch.com
Tue Mar 13 09:12:11 EDT 2012
Looks like the executable is older than your pcap library. Just type
the following to build the executable:
gcc -o serverark serverark.c -lpcap
It should compile and link successfully, and then use that executable.
/Boyd/
On 03/12/2012 10:50 PM, Mavrick wrote:
> Bump on the rules, however I am trying to use serverark and i'm
> getting this:
>
> # ./serverark -d
> ./serverark: error while loading shared libraries: libpcap.so.0.8:
> cannot open shared object file: No such file or directory
>
> # locate libpcap
> /usr/lib64/libpcap.so.1
> /usr/lib64/libpcap.so.1.0.0
> /usr/share/doc/libpcap-1.0.0
>
> # uname -a
> Linux game1.frag-live.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Tue Feb 14
> 04:00:16 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Best Regards,
>
> Daniel "mavrick" Lang
>
>
> On 23/02/12 6:34 AM, escaped turkey wrote:
>> Can you repost those rules please?
>>
>> Thank you. :)
>>
>> EscapedTurkey Billing and Support
>> https://escapedturkey.com/helpdesk
>>
>> On Feb 22, 2012, at 3:26 PM, Marco Padovan <evcz at evcz.tk
>> <mailto:evcz at evcz.tk>> wrote:
>>
>>> I still don't know why people do not use the rules you posted a few
>>> weeks ago that should do everything by themself :|
>>>
>>> Il 22/02/2012 19:29, John ha scritto:
>>>> The comments on the tool say this:
>>>>
>>>> * So how does it work? Very simply, it captures one second of
>>>> * UDP frames every minute directly from the kernel, via the pcap
>>>> * interface (the same one tcpdump uses). It then analyzes only those
>>>> * UDP frames targeted to a port on which a game server is running.
>>>> * It then tallies all the different IP addresses (one for each
>>>> "player"),
>>>> * and if there are "too many" packets for the IP, it uses iptables to
>>>> * tell the kernel to drop those packets, so they never make it to the
>>>> * game server itself. This effectively blocks the attack from
>>>> affecting
>>>> * the current players on the server. See the serverark.conf file for
>>>> * more information.
>>>>
>>>> This will help with specific types of attacks, but if you are the
>>>> target of a distributed flood, you could see quite a few iptables
>>>> rules created. For performance reasons, the author should consider
>>>> switching to the "ipset" module and tools, with a single iptables
>>>> rule. (By default, I see that it limits the number of blocked IPs
>>>> to 128, so it's meant for small attacks.)
>>>>
>>>> The tool will also unfortunately not help against attacks involving
>>>> randomized, spoofed IPs, which are a significant percentage of the
>>>> ones we see. For that type of attack, traffic will need to be
>>>> manually analyzed.
>>>>
>>>> -John
>>>>
>>>>
>>>> On 2/22/2012 9:36 AM, Geoff Goas wrote:
>>>>> Has anyone tried this yet?
>>>>>
>>>>> I just got hit with a bandwidth overage fee on my dedi, further
>>>>> investigation shows my CoD2 servers are being used for these
>>>>> reflection attacks... sigh.
>>>>>
>>>>> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey
>>>>> <escapedturkey at escapedturkey.com
>>>>> <mailto:escapedturkey at escapedturkey.com>> wrote:
>>>>>
>>>>> I was given permission by the developer to share this program
>>>>> that he has been developing.
>>>>>
>>>>> It supposedly stops spam kind of attacks against servers --
>>>>> specifically for Jedi Academy. I am curious if it helps for
>>>>> other games too.
>>>>>
>>>>> # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>>>>>
>>>>> "# A UDP flood attack analyzer and adaptive blocker for gaming
>>>>> servers."
>>>>>
>>>>> http://elitewarriors.net/serverark/serverark_0.93.zip
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cod mailing list
>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> /*Geoff Goas
>>>>> Systems Engineer*/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cod mailing list
>>>>> cod at icculus.org
>>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org
>>>> http://icculus.org/mailman/listinfo/cod
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org <mailto:cod at icculus.org>
>>> http://icculus.org/mailman/listinfo/cod
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120313/a3a430a6/attachment.htm>
More information about the cod
mailing list