<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML - vooraf opgemaakt Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTML-voorafopgemaaktChar
        {mso-style-name:"HTML - vooraf opgemaakt Char";
        mso-style-priority:99;
        mso-style-link:"HTML - vooraf opgemaakt";
        font-family:Consolas;}
span.E-mailStijl19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=NL link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Can't we create a rule which completely blocks 'getstatus'? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If so; how? (at first just for testing purposes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Kind regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>With kind regards,<br>
<br>
Julian Maartens<br>
River Hosting<br>
<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:gray'><a href="mailto:info@riverhosting.nl"><span style='color:gray;
text-decoration:none'>info@riverhosting.nl</span></a></span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#A6A6A6'><br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:gray'><a href="http://www.riverhosting.nl/"><span style='color:gray;
text-decoration:none'>http://www.riverhosting.nl</span></a></span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#A6A6A6'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> escapedturkey
[mailto:escapedturkey@escapedturkey.com] <br>
<b>Sent:</b> Thursday, 23 February 2012 16:16<br>
<b>To:</b> Call of Duty server admin list.<br>
<b>Subject:</b> Re: [cod] CoD2 UDP flood<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Did the trick. Thanks! =)<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 10:14 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>iptables
--flush ; </span>iptables --delete-chain<br>
<br>
that will completely empty your firewall...<br>
<br>
then run your script<br>
<br>
On 23/02/2012 16:06, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal>iptables --flush<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>/sbin/iptables -N QUERY-BLOCK<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>iptables: Chain already exists.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>/sbin/iptables -N QUERY-CHECK<br>
iptables: Chain already exists.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Any help? =)<o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 10:03 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>The
</span>"Chain already exists." error should appear...<br>
<br>
iptables --flush<br>
<br>
then run the script...<br>
<br>
eventually run all the rules one by one and see which one is giving you the
error...<br>
<br>
you can monitor the number of blocked packets issuing:<br>
<br>
iptables -nvx -L QUERY-BLOCK<br>
<br>
and<br>
<br>
iptables -nvx -L QUERY-CHECK<br>
<br>
On 23/02/2012 15:53, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal># These commands, for instance, would block external IPs
that send queries <br>
# at a rate of 2/second or higher:<br>
# add a host to the banlist and then drop the packet.<br>
/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
# is this a query packet? if so, block commonly attacked ports outright,<br>
# then see if it's a known attacking IP, then see if it is sending at a high<br>
# rate and should be added to the list of known attacking IPs.<br>
/sbin/iptables -N QUERY-CHECK<br>
/sbin/iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus"
--algo bm --from 32 --to 41 -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
/sbin/iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the counter so it<br>
# gets blocked for at least another 30 seconds.<br>
/sbin/iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds
30 --hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
# /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
# CentOS 5 or CentOS 6 compatible<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
# look at all the packets going to q3/cod*/et/etc servers <br>
# /sbin/iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<o:p></o:p></p>
<div>
<p class=MsoNormal>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -j
QUERY-CHECK<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>./spamblock.bsh<br>
iptables: Chain already exists.<br>
iptables: Chain already exists.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>iptables -L -n<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source destination<br>
QUERY-CHECK udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpts:27000:30000<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain QUERY-BLOCK (1 references)<br>
target prot opt source destination<br>
DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> recent: SET name:
blocked-hosts side: source<br>
<br>
Chain QUERY-CHECK (1 references)<br>
target prot opt source destination<br>
RETURN udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> STRING match
!"getstatus" ALGO name bm FROM 32 TO 41<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spts:0:1025<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:3074<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:7777<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spts:27015:27100<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:25200<br>
DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:25565<br>
DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> recent: UPDATE seconds:
30 hit_count: 1 name: blocked-hosts side: source<br>
RETURN all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: up to 2/sec burst
5 mode srcip<br>
QUERY-BLOCK all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Should I be concerned with "iptables: Chain already
exists."? <o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 9:44 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>sure,
do it :)</span><br>
<br>
On 23/02/2012 15:44, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal>I support most Q3 engine games. Some go beyond the range
specified in the original post.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Can I change:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>To:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Or will that cause problems? <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Ex: JK2 = 28070, JA = 29070 <o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 9:30 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Let
us know if that works ;)</span><br>
<br>
On 23/02/2012 15:20, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal style='margin-bottom:12.0pt'>Thank you. Much appreciated. =)<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 7:33 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Ehm,<br>
nope :D<br>
<br>
You need all the lines John posted:<br>
<br>
</span><a href="http://icculus.org/pipermail/cod/2012-January/015861.html"
target="_blank">http://icculus.org/pipermail/cod/2012-January/015861.html</a><br>
<br>
To make it work in CentOS 5 / 6, change in that ruleset: <o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK</span><o:p></o:p></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>all
the other rules should be kept as they are :)<br>
</span><br>
On 23/02/2012 13:10, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal>Thank you. I missed those lines.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Here is what I have so far:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>/sbin/iptables -N QUERY-BLOCK<br>
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit 2/s -j RETURN<br>
/sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Is this correct? <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Thank you again. =)<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Thu, Feb 23, 2012 at 5:32 AM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'>did you issue all the other commands?<br>
<br>
like:</span><o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<o:p></o:p></p>
</div>
<p class=MsoNormal>?<br>
<br>
On 23/02/2012 03:54, escapedturkey wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal>iptables v1.4.7: Couldn't load target `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so:
cannot open shared object file: No such file or directory<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Any ideas?<o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Wed, Feb 22, 2012 at 4:51 PM, Marco Padovan <<a
href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>on
centos5 and centos6<br>
<br>
modifying this line:</span><o:p></o:p></p>
<div>
<p class=MsoNormal>iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
--hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK<o:p></o:p></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><br>
in this way (two different lines):<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit 2/s -j RETURN<br>
iptables -A QUERY-CHECK -j QUERY-BLOCK<br>
<br>
should mimic the same behaviour<br>
</span><br>
On 22/02/2012 18:43, Geoff Goas wrote: <o:p></o:p></p>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal style='margin-bottom:12.0pt'>Hi,<br>
<br>
On CentOS 5.5, <i><span style='font-family:"Courier New"'>--hashlimit-above</span></i>
is not a valid option for the "hashlimit" match. Which version of
iptables introduces this, and how can I mimic that same ruleset with the
options available to me in version 1.3.5 of iptables?<br>
<br>
Thanks,<o:p></o:p></p>
<div>
<p class=MsoNormal>On Fri, Jan 20, 2012 at 7:51 PM, John <<a
href="mailto:lists.cod@nuclearfallout.net" target="_blank">lists.cod@nuclearfallout.net</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>On 1/20/2012 3:27 PM, Marco Padovan wrote: <o:p></o:p></p>
</div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'>I was referring to dynamic filtering using
-m recent<o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>[not]
to manually adding IPs O.o</span><o:p></o:p></p>
</blockquote>
<p class=MsoNormal><br>
Marco's right about this. The most effective way to prevent effects from these
attacks on Linux is to use a combination of the "string",
"hashlimit", and "recent" modules. Done right, the solution
is mostly automatic, so you shouldn't need to manually add IPs.<br>
<br>
These commands, for instance, would block external IPs that send queries at a
rate of 2/second or higher:<br>
<br>
# add a host to the banlist and then drop the packet.<br>
iptables -N QUERY-BLOCK<br>
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP<br>
<br>
# is this a query packet? if so, block commonly attacked ports outright, <br>
# then see if it's a known attacking IP, then see if it is sending at a high<br>
# rate and should be added to the list of known attacking IPs.<br>
iptables -N QUERY-CHECK<br>
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus"
--algo bm --from 32 --to 41 -j RETURN<br>
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
# is it already blocked? continue blocking it and update the counter so it<br>
# gets blocked for at least another 30 seconds.<br>
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30
--hitcount 1 -j DROP<br>
# check to see if it exceeds our rate threshold,<br>
# and add it to the list if it does.<br>
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name
getstatus --hashlimit-above 2/second -j QUERY-BLOCK<br>
<br>
# look at all the packets going to q3/cod*/et/etc servers<br>
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
<br>
The "recent" module makes it possible to block up to 100 IPs at once
with this method (any attackers beyond this would only be rate-limited). That
number can be raised when the module is loaded, but I haven't seen 100 attacks
happening at once yet (typically it's maybe 5-20 at once). You can see blocked
hosts later by looking at /proc/net/xt_recent/blocked-hosts.<br>
<br>
(If you don't have "recent", you could get away without it -- just be
aware that some of the packets will get through, increasing load on the game
server. Without "hashlimit", you'd still see an advantage from the
port checks, but you'd need to manually block IPs that are being hit on other
ports. Without "string", you'd similarly be down to just port checks,
and need to take out the other rules.)<span style='color:#888888'><br>
<br>
-John</span><o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br clear=all>
<br>
-- <br>
<b><i><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif"'>Geoff
Goas<br>
Systems Engineer</span></i></b><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
-- <o:p></o:p></p>
<div>
<p class=MsoNormal>EscapedTurkey.com Billing and Support<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><a href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
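<p class=MsoNormal>An idempotent installer for the QUERY-CHECK / QUERY-BLOCK ruleset discussed in this thread, added here as an example and not code from any of the posts above: it creates or flushes both chains so that a re-run neither fails with "iptables: Chain already exists." nor appends every rule a second time, creates QUERY-BLOCK before QUERY-CHECK (the missing chain behind the "Couldn't load target `QUERY-BLOCK'" error), removes stale INPUT hooks without the -C option that CentOS 5/6 iptables lack, and uses the two-line CentOS 5/6 form of the hashlimit check. The IPT, PORTS, RATE and BANSECS variables and the apply/show/print subcommands are my own assumptions.</p>

```shell
#!/bin/sh
# Idempotent installer for the QUERY-CHECK / QUERY-BLOCK getstatus-flood ruleset.
# Assumed knobs (mine, not from the thread): all four may be overridden from the
# environment. PORTS defaults to the widened range used later in the thread.
IPT="${IPT:-/sbin/iptables}"
PORTS="${PORTS:-27000:30000}"
RATE="${RATE:-2/s}"
BANSECS="${BANSECS:-30}"

# Create the chain, or flush it if it is already there. Without this a second
# run prints "iptables: Chain already exists." and appends duplicate rules.
ensure_chain() {
    "$IPT" -N "$1" 2>/dev/null || "$IPT" -F "$1"
}

# iptables 1.3.5 / 1.4.7 (CentOS 5 / 6) have no -C, so remove stale
# INPUT -> QUERY-CHECK jumps by deleting until -D fails.
drop_input_jumps() {
    while "$IPT" -D INPUT -p udp --dport "$PORTS" -j QUERY-CHECK 2>/dev/null; do
        :
    done
}

# Emit the rules, one command per line, in an order that is safe on every run:
# QUERY-BLOCK first (QUERY-CHECK jumps to it), the INPUT hook last (so traffic
# never reaches a half-built chain). The rate check is the CentOS 5/6 form:
# "--hashlimit 2/s -j RETURN" followed by an unconditional jump to QUERY-BLOCK,
# which behaves like "--hashlimit-above 2/second -j QUERY-BLOCK".
build_rules() {
    cat <<EOF
$IPT -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
$IPT -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
$IPT -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
$IPT -A QUERY-CHECK -p udp --sport 3074 -j DROP
$IPT -A QUERY-CHECK -p udp --sport 7777 -j DROP
$IPT -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
$IPT -A QUERY-CHECK -p udp --sport 25200 -j DROP
$IPT -A QUERY-CHECK -p udp --sport 25565 -j DROP
$IPT -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds $BANSECS --hitcount 1 -j DROP
$IPT -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit $RATE -j RETURN
$IPT -A QUERY-CHECK -j QUERY-BLOCK
$IPT -A INPUT -p udp --dport $PORTS -j QUERY-CHECK
EOF
}

# Install: prepare both chains, clear old hooks, then execute the emitted rules.
apply_rules() {
    ensure_chain QUERY-BLOCK
    ensure_chain QUERY-CHECK
    drop_input_jumps
    build_rules | sh -e
}

# The monitoring commands suggested in the thread, plus the kernel's view of
# the "recent" list of currently banned sources.
show_counters() {
    "$IPT" -nvx -L QUERY-CHECK
    "$IPT" -nvx -L QUERY-BLOCK
    if [ -r /proc/net/xt_recent/blocked-hosts ]; then
        cat /proc/net/xt_recent/blocked-hosts
    fi
}

# Usage: ./script apply | show | print   (no argument: define functions only)
case "${1:-}" in
    apply) apply_rules ;;
    show)  show_counters ;;
    print) build_rules ;;
esac
```

Run it as root with `apply` after each reboot or rule change; `print` shows the exact commands it will execute, and `show` reports which rules are matching.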
</body>
</html>