<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes this is a big trouble.<br>
<br>
Upgrading network speed isn't a solution, due to the fact that this is
a very expensive solution for gameserver machines. We don't need
more than 100 MBPS.<br>
<br>
The only solution, as you mention, is a nullroute in front of our
router, so packets won't reach the router and no services are affected.<br>
<br>
Hardware firewall is Ok but the attack is going anyway to the
firewall so, line occupied. Damn zombie machines and botnets..<br>
<br>
Well we are a game server provider, so we have several different
servers. Most attacked ones nowadays are COD2, ET and some Cstrike
ones<br>
<br>
On 25/10/11 16:39, Marco Padovan wrote:
<blockquote
cite="mid:CAN1yXyG9-dwSL2obU-eExr165h7FMai4Gu32obqSd6F1HN4GEw@mail.gmail.com"
type="cite">
<p>Ouch :-\<br>
Once targeted I think there's nothing to do except to increase
the uplink speed :-( </p>
<p>Unluckily, in the case of cod4 servers, at certain times even 1gbit links
weren't enough... I think only 10ge can handle it based on the
number of cod4 servers online :-( <br>
At that point one would need some hardcore hardware firewall to
filter them out unless you just drop any udp packet bigger than
600bytes :-( </p>
<p>Only viable solution might be the usual one: nullroute :-/</p>
<p>(As targets I generally see garry's mods servers, what kind of
services are you currently being targeted? ) </p>
<div class="gmail_quote">On 25/Oct/2011 16:28, "NewLight
Systems" <<a moz-do-not-send="true"
href="mailto:nls@newlightsystems.com">nls@newlightsystems.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
the second one, we are the target of attacks. I have seen
COD2 and ET ports attacked.<br>
<br>
The problem is that there are UDP attacks, so the performance is
not affected but servers are connected to 100 MBPS and
attacks are distributed, so more than 90 MBPS inbound
traffic is affecting the network performance of that
concrete machine<br>
<br>
On 25/10/11 16:18, Marco Padovan wrote:
<blockquote type="cite"> <font size="-1"><font
face="Verdana">Are you talking about being exploited
as reflector or as being target of the attacks?<br>
<br>
If it's the first case one of our most exploited
machines is being targeted with something like 10k
pps: after filtering _ALL_ the malicious traffic the
machine performance is not affected... we have seen
way higher PPS rates against cod4 in the past...<br>
What PPS rate are you getting? </font></font><font
size="-1"><font face="Verdana">What are the machine
specs?</font></font><br>
<font size="-1"><font face="Verdana">Is it being affected
due to the iptables rules or are malicious packets
still leaking and reaching the gameservers ports?<br>
</font></font><br>
On 25/10/2011 15:49, NewLight Systems wrote:
<blockquote type="cite"> Same problems here, the problem
is that even with iptables the incoming traffic is
affecting the machine<br>
<br>
On 25/10/11 12:47, Marco Padovan wrote:
<blockquote type="cite"> <font size="-1"><font
face="Verdana">I can confirm that since the day
before yesterday I started to receive alerts from
the firewall about cod2 attacks too.<br>
<br>
In the past (up to 3months ago) enemy territory
was another heavily targeted game.<br>
</font></font><br>
On 25/10/2011 12:43, Luca Farflame Fabbro wrote:
<blockquote type="cite">
<pre>Hi Ryan
        in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
Now it seems that even if the servers are fewer in number they target the COD2 servers to do the DDOS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.
Just one simple question regarding the patch for the COD4 server.
If you leave the server up'n running for a certain period of time (no restart for 3 weeks let's say) it seems that when the
sv_queryIgnoreMegs
limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IP's. A restart of the server solves the problem.
I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IP's and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDOS attack.
Regards
        Luca
_______________________________________________
cod mailing list
<a moz-do-not-send="true" href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a moz-do-not-send="true" href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
<div>-- <br>
<p><br>
</p>
<p><b>David Aguilar Valero</b></p>
<p>Sales and Technical Support Dept.</p>
<p>NewLight Systems</p>
<p><b>Game servers, HW, Dedicated</b></p>
<p><br>
</p>
<p><span><a moz-do-not-send="true" href="mailto:c"
target="_blank"><b>crk01@nls.es</b></a></span></p>
<p><span><a moz-do-not-send="true"
href="mailto:crk01@newlightsystems.com"
target="_blank">crk01@newlightsystems.com</a></span></p>
<p><span><a moz-do-not-send="true"
href="mailto:tecnico@newlightsystems.com"
target="_blank">tecnico@newlightsystems.com</a></span></p>
<p>#NewLight_Systems @ <a moz-do-not-send="true"
href="http://irc-hispano.org" target="_blank">irc-hispano.org</a></p>
<p><span><a moz-do-not-send="true"
href="http://www.newlightsystems.com/"
target="_blank"><b>www.newlightsystems.com</b></a></span></p>
<p><span><a moz-do-not-send="true"
href="http://www.nls.es/" target="_blank"><b>www.nls.es</b></a></span></p>
<p>This email and any files or attachments transmitted
with it are intended solely for the use of the
intended recipient. This email is confidential and
may contain legally privileged information. If you
are not the intended recipient you should not read,
disseminate, distribute, or copy this email. If you
have received this email in error, please notify the
sender immediately and delete it from your system.</p>
</div>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<title></title>
<meta name="Generator" content="Cocoa HTML Writer">
<meta name="CocoaVersion" content="949.54">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times; min-height: 14.0px}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #2e3bfb}
p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier}
p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; min-height: 14.0px}
p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #0018ea}
p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times}
span.s1 {text-decoration: underline}
</style>
<p class="p1"><br>
</p>
<p class="p2"><b>David Aguilar Valero</b></p>
<p class="p3">Sales and Technical Support Dept.</p>
<p class="p3">NewLight Systems</p>
<p class="p2"><b>Game servers, HW, Dedicated</b></p>
<p class="p4"><br>
</p>
<p class="p5"><span class="s1"><a href="mailto:c"><b>crk01@nls.es</b></a></span></p>
<p class="p5"><span class="s1"><a
href="mailto:crk01@newlightsystems.com">crk01@newlightsystems.com</a></span></p>
<p class="p5"><span class="s1"><a
href="mailto:tecnico@newlightsystems.com">tecnico@newlightsystems.com</a></span></p>
<p class="p3">#NewLight_Systems @ irc-hispano.org</p>
<p class="p5"><span class="s1"><a
href="http://www.newlightsystems.com/"><b>www.newlightsystems.com</b></a></span></p>
<p class="p5"><span class="s1"><a href="http://www.nls.es/"><b>www.nls.es</b></a></span></p>
</div>
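<p>Luca's question quoted above describes the ignore list no longer filtering once the sv_queryIgnoreMegs limit is reached. As an added example (not code from the COD patch or from anyone on this thread), here is one way a fixed-size per-source table can expire idle sources and evict the least recently seen entry instead of filling up; every name and limit in it is hypothetical, and the addresses are constructed.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits, not values taken from the COD patch. */
#define SLOTS      4     /* tiny, so the full-table case is easy to reach */
#define MAX_QUERY  3     /* replies allowed per source per window */
#define WINDOW_SEC 10
#define TTL_SEC    3600  /* forget a source after an hour of silence */

struct slot { uint32_t ip, first, last; unsigned count; int used; };
static struct slot table[SLOTS];

void table_reset(void) { memset(table, 0, sizeof table); }

/* Return the slot for ip, or claim one: free first, else least recently seen.
   Claiming always succeeds, so a full table never switches the check off. */
static struct slot *claim(uint32_t ip, uint32_t now) {
    struct slot *victim = NULL;
    for (int i = 0; i < SLOTS; i++) {
        struct slot *s = &table[i];
        if (s->used && now - s->last > TTL_SEC)
            s->used = 0;                          /* flush a stale entry */
        if (s->used && s->ip == ip)
            return s;
        if (!victim || (victim->used && (!s->used || s->last < victim->last)))
            victim = s;
    }
    memset(victim, 0, sizeof *victim);
    victim->ip = ip; victim->used = 1;
    victim->first = victim->last = now;
    return victim;
}

/* Returns 1 if the query should be answered, 0 if it should be dropped. */
int allow_query(uint32_t ip, uint32_t now) {
    struct slot *s = claim(ip, now);
    if (now - s->first >= WINDOW_SEC) { s->first = now; s->count = 0; }
    s->last = now;                /* active sources stay "young" in the table */
    return ++s->count <= MAX_QUERY;
}

int main(void) {
    table_reset();
    for (uint32_t t = 0; t < 5; t++)   /* constructed source 10.0.0.1 */
        printf("t=%u answer=%d\n", (unsigned)t, allow_query(0x0A000001u, t));
    return 0;
}
```

<p>Because eviction picks the least recently seen entry, a source that is still being flooded keeps its slot while idle ones are recycled.</p>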
</body>
</html>