<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>Best way to block these attacks on Windows?<br>
<br>
</tt>
<div class="moz-signature">- Brandon M.</div>
<tt></tt><br>
On 10/27/2011 7:02 AM, Marco Padovan wrote:
<blockquote cite="mid:4EA94846.7050303@evcz.tk" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
enemy territory suffer (and has sufferend in the past) of the
exact same attack... I was having et servers targeted with 1k pps
alone....<br>
cod2 was abused in the past too... they just started hitting again
recently... it's nothing exceptionally new :(<br>
<br>
I think that for our own safety we should filters all the attacks
at network level... as even if cod2 was patched they would move to
cod2 1.0, then cod1 then et... it's like a never ending story :)<br>
(We are not only reflectors but one day we all could also became
targets... and maybe our own servers could be taking part to the
attack against themselfs) <br>
<br>
We all (as servers admins) could even consider in setting up
something like dshield for those who cannot dynamically filter the
incoming reflections requests...<br>
<br>
Our goal shouldn't be just to not avoid overloading our server
instances with unwanted queries request but also to protect
ourself.<br>
<br>
I do not know what is the current tech situation into the
gameserver market but in the past I heard many people running
linux boxes with the iptables modules blacklisted "because it
lower performance"<br>
Is this still the case? :|<br>
<br>
Additionally: can people with AS like you (i3d) or mpuk or other
big players track down these spoof sources?<br>
<br>
by the way:<br>
currently spoofed ip targeting cod2:<br>
184.154.231.14 (port 80) - attack detected at 13:50 CET<br>
spoofed packet TTL is 116<br>
pps decently high...<br>
<br>
Il 27/10/2011 13:29, i3D.net - Stefan Ideler ha scritto:
<blockquote cite="mid:20111027112939.2759ed73@mail.i3d.nl"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style>BODY{font:10pt Tahoma, Verdana, sans-serif}</style> Hi,<br>
<br>
I'm seeing the same, where cod2 servers are now being abused for
this purpose.<br>
As such a patch, even if untested/very much beta, would be
greatly appreciated.<br>
<br>
Best regards,<br>
<br>
Stefan Ideler<br>
<br>
<blockquote style="padding-left: 5px; margin-left: 5px;
border-left: #0000ff 2px solid; margin-right: 0px">
<hr><b>From:</b> Luca Farflame Fabbro [<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="mailto:farflame@cybergames.it">mailto:farflame@cybergames.it</a>]<br>
<b>To:</b> Call of Duty server admin list. [<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="mailto:cod@icculus.org">mailto:cod@icculus.org</a>]<br>
<b>Sent:</b> Tue, 25 Oct 2011 12:43:36 +0200<br>
<b>Subject:</b> Re: [cod] Query limiting...<br>
<br>
Hi Ryan<br>
in one of your previous messages you mentioned that this patch
can be "ported" also to the other COD servers. Is there any
plan to do this?<br>
Now it seems that even if the server are less in number they
target the COD2 servers to do the DDOS attacks. Don't have any
COD server running so I don't know if also those are used as
reflectors.<br>
<br>
Just one simple question regarding the patch fort the COD4
server.<br>
If you leave the server up'n running for a certain period of
time (no restart for 3 weeks let's say) it seems that when the
<br>
sv_queryIgnoreMegs<br>
limit is reached (our servers don't have a lot of players) the
server starts to reply to the query with the spoofed IP's. A
restart of the server solves the problem.<br>
I know that it will be better to restart the server before
that time but would it be a possible solution to flush the
stored bad IP's and restart the check on the new incoming
packets when the predefined memory is full or just before this
happens (% or minimum sv-ignore free memory)? Usually the
attackers use the server as a reflector only for a certain
amount of time (form 1 hour or less to a maximum of 2 - 3
days) then a lot of time will pass before having the same IP
used as destination of the DDOS attack. <br>
<br>
Regards<br>
Luca<br>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
</blockquote>
<style>
</style><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>