<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
<font size="-1"><font face="Verdana">I've no clue about windows...
which kind of firewall are you using?<br>
Do you have any hardware firewall?<br>
<br>
On linux you can easily block all those packets (that affect
marginally also your gameservers) using iptables... I'm not sure
if windows "by default" is as flexible as iptables...<br>
</font></font><br>
Il 21/01/2011 23:36, STIPE Admin ha scritto:
<blockquote cite="mid:00e601cbb9bb$990510a0$cb0f31e0$@com.au"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
        {page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<div>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);">I am too experiencing a similar
issue. I’m unsure if this
is a reflection attack but all my COD servers are acting
like BOTNETs –
that is, it seems to be DOS attacking targets at high
speeds. So far I have
been banning multiple IP addresses a day manually but it’s
hard to keep
up as new IPs form up every hour. Has anyone found a
solution to this yet? I
use Windows to run my COD servers btw.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family: "Calibri","sans-serif";
color: rgb(31, 73, 125);"><o:p> </o:p></span></b></p>
</div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
"Calibri","sans-serif"; color: rgb(31,
73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-right: medium none; border-width: 1pt
medium medium; border-style: solid none none; border-color:
rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color;
padding: 3pt 0cm 0cm;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif"; color:
windowtext;" lang="EN-US">
Marco Padovan [<a class="moz-txt-link-freetext" href="mailto:evolutioncrazy@gmail.com">mailto:evolutioncrazy@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, 19 January 2011 12:51 AM<br>
<b>To:</b> Call of Duty server admin list.<br>
<b>Subject:</b> Re: [cod] "reflection attacks" ... cod
servers
exploited ?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family:
"Verdana","sans-serif";">We
are getting hit HARD (.eu)<br>
<br>
I dunno what's the tool you are referring to... could you
please mail me some
references privately so I can analyze it?<br>
<br>
Basically we are currently dealing on a daily basis with
this kind of attacks
since december ...<br>
<br>
We find ourself handling 10k incoming spoofed packets per
second during certain
times of the day...<br>
<br>
What are you referring to small flow? 1k/sec?
100packets/sec?<br>
Which kind of rate limiting figures did you all applied?<br>
We are trying to defend our self with very very strict
network filters... but
that's damaging also our services that certain times appear
unreachable (even
if they are not)<br>
<br>
In our case it looks like it's not just against other
gameservers... but also
against random hosts...<br>
Source packets sometimes are from port 80 udp and, if not
blocked, replies
would do an udp flood to the poor host if enough gameservers
were involved...
(even if no udp service was running on port 80) :(<br>
<br>
The worst thing is that the damage to us as "reflectors" is
very low
as we are used to handle a shitload of packets so it's
difficult to say if
there's an attack going on or not :/<br>
<br>
Additionally, as I'm providing services to different GSP
brands in different
countries, I found out that attacks are basically spread on
ALL the servers...
using all the servers available on the master list as
reflectors and targeting
only a little number of victims... they are not exploiting
just a single GSP /
gameserver :|<br>
<br>
<br>
</span>Il 18/01/2011 07:51, John ha scritto: <o:p></o:p></p>
<p class="MsoNormal">On 1/17/2011 10:44 PM, Geoff Goas wrote: <br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">John, you've seen an increase in attacks on
victims or you
are seeing your servers being used as reflection servers? <br>
<br>
How are you detecting either/or? <o:p></o:p></p>
<p class="MsoNormal"><br>
Both. As a victim, from traffic dumps made during large (D)DoS
attacks and from
received complaints by the IP owners at other GSPs that have
been concurrent
with the attacks on our clients. A a reflector is from a
complaint; it's more
difficult to detect those from the side of the server being
used as the
reflector because the flow is small. <br>
<br>
-John <br>
_______________________________________________ <br>
cod mailing list <br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a>
<br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
<o:p></o:p></p>
</div>
</blockquote>
</body>
</html>