<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes that's very annoying . The problem is that is very easy to do a
distributed attack with this gameserver's bugs.<br>
<br>
And of course, any gameserver is probably on a dedicated line with
100 or 1000 MBPS bandwidth, so 20 "zombie" gameservers throwing
reflection attacks = 50 MBPS = 1 GBPS of distributed attack.<br>
<br>
I don't mind our cpus, are fast, but we are real capped at the
bottleneck that represents 1 GBPS of fast ethernet<br>
<br>
El 24/02/12 00:15, Boyd G. Gafford Ph.D. escribió:
<blockquote cite="mid:4F46C888.7000104@westportresearch.com"
type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
Yep, thats getting towards the saturated side lol. It must be a
distributed DOS UDP flood, as I can't imagine many script kiddies
with that kind of bandwidth for a single attack spoofing 20 IPs.<br>
<br>
At that point, a lot of your CPU is just handling the incoming IP
packets. Not much to do in that situation. Even if you bonded
four GbE's together, you're still looking at needing quite a chunk
of CPU just to offload throwing away that 1Gbps.<br>
<br>
Even if you were to dynamically interact with your router to tell
it to drop the packets, your incoming bandwidth would still be
hammered. It almost has to happen at the carrier (preferably at
the carriers of the flooders) to do anything to help, and we all
know how likely that is to happen unfortunately.<br>
<br>
Good luck,<br>
<br>
<i>Boyd</i><br>
<div class="moz-signature"><br>
</div>
<br>
On 02/23/2012 04:46 PM, NewLight Systems wrote:
<blockquote cite="mid:4F46C1B5.2060601@newlightsystems.com"
type="cite">
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
The problem is that we are receiving for example 1 GBPS attacks
to one IP from serveral sources ( maybe 15 - 20 ips )<br>
<br>
That means that 1 GB of inbound is occupied. We have iptables
rules, of course, but is affecting all services on that
dedicated server<br>
<br>
El 23/02/12 23:42, Boyd G. Gafford Ph.D. escribió:
<blockquote cite="mid:4F46C0C1.60803@westportresearch.com"
type="cite">
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
Hey there, thanks for responding.<br>
<br>
I'm not sure I understand what you mean by "the line is
occupied anyway." If you mean the bandwidth to the server is
saturated by the flood, then yeah, its going to affect game
play. Fortunately most servers at data centers have high
enough bandwidth to them that a typical attack doesn't
saturate.<br>
<br>
If your game server port is the target of a single IP UDP
flood attack, then typically an iptables drop rule handled by
the kernel is more efficient than the game server itself,
especially if the flooded packets are server commands that are
being processed by the game server, which is sending out UDP
reply packets. That takes up much more CPU than a
kernel-level packet drop.<br>
<br>
Under those circumstances, the cheap VPS we use in Dallas has
endured 64Mbps attacks for hours and the game server is still
very playable. It would be nice if the flood was blocked at
the router or carrier level, but still iptables is pretty
amazing when the kernel drop is your last line of defense.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<br>
<br>
On 02/23/2012 04:22 PM, NewLight Systems wrote:
<blockquote cite="mid:4F46BC41.4010505@newlightsystems.com"
type="cite">
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
It's ok but this isn't working if the UDP floods to your
server because the line is occupied anyway.<br>
<br>
If you are the target, there's nothing you can do in a
dedicated server level.<br>
<br>
This type of attack ( allways if you are the target ) have
to be erradicated in a higher level ( router or carrier ) if
you want to preserve your connection<br>
<br>
El 23/02/12 23:12, Boyd G. Gafford Ph.D. escribió:
<blockquote cite="mid:4F46B9E7.2030501@westportresearch.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
Hey everyone, EscapedTurkey told me about this group, and
so I Just wanted to say a quick hello.<br>
<br>
I'm the guy who got frustrated enough with UDP flood
attacks that I wrote ServerArk to deal with the majority
of them. If anyone has any questions about the program,
or any ideas on what they would like to see in it in the
future, by all means let me know.<br>
<br>
Since I've been using it on our JA (Q3 protocol) servers (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://elitewarriors.net">http://elitewarriors.net</a>)
its blocked about 20 high volume attacks (one at 64Mbps)
successfully over the past few months. As long as the
source IP of the UDP flood is not random, it works really
well.<br>
<br>
I have a few new ideas on flood detection on random IP
attacks I will ping off your guys over the next few days
to see what you think.<br>
<br>
Also kudos to whoever did the "I don't want to participate
in reflection attacks" iptables rule that matches off of
the 'getstatus' UDP packet payload. If everyone who had a
Q3 protocol server (COD, JA, etc) had that rule running
reflection attacks would be a LOT less potent.<br>
<br>
:)<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<br>
<div class="moz-signature"><i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<title></title>
<meta name="Generator" content="Cocoa HTML Writer">
<meta name="CocoaVersion" content="949.54">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times; min-height: 14.0px}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #2e3bfb}
p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier}
p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; min-height: 14.0px}
p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #0018ea}
p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times}
span.s1 {text-decoration: underline}
</style>
<p class="p1"><br>
</p>
<p class="p2"><b>David Aguilar Valero</b></p>
<p class="p3">Dpto. Comercial y Soporte técnico</p>
<p class="p3">NewLight Systems</p>
<p class="p2"><b>Servidores de juegos, HW, Dedicados</b></p>
<p class="p4"><br>
</p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:c"><b>crk01@nls.es</b></a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:crk01@newlightsystems.com">crk01@newlightsystems.com</a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:tecnico@newlightsystems.com">tecnico@newlightsystems.com</a></span></p>
<p class="p3">#NewLight_Systems @ irc-hispano.org</p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="http://www.newlightsystems.com/"><b>www.newlightsystems.com</b></a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="http://www.nls.es/"><b>www.nls.es</b></a></span></p>
<p class="p6">This email and any files or attachments
transmitted with it are intended solely for the use of
the intended recipient. This email is confidential and
may contain legally privileged information. If you are
not the intended recipient you should not read,
disseminate, distribute, or copy this email. If you have
received this email in error, please notify the sender
immediately and delete it from your system.</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<title></title>
<meta name="Generator" content="Cocoa HTML Writer">
<meta name="CocoaVersion" content="949.54">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times; min-height: 14.0px}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #2e3bfb}
p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier}
p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; min-height: 14.0px}
p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #0018ea}
p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times}
span.s1 {text-decoration: underline}
</style>
<p class="p1"><br>
</p>
<p class="p2"><b>David Aguilar Valero</b></p>
<p class="p3">Dpto. Comercial y Soporte técnico</p>
<p class="p3">NewLight Systems</p>
<p class="p2"><b>Servidores de juegos, HW, Dedicados</b></p>
<p class="p4"><br>
</p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:c"><b>crk01@nls.es</b></a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:crk01@newlightsystems.com">crk01@newlightsystems.com</a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="mailto:tecnico@newlightsystems.com">tecnico@newlightsystems.com</a></span></p>
<p class="p3">#NewLight_Systems @ irc-hispano.org</p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="http://www.newlightsystems.com/"><b>www.newlightsystems.com</b></a></span></p>
<p class="p5"><span class="s1"><a moz-do-not-send="true"
href="http://www.nls.es/"><b>www.nls.es</b></a></span></p>
<p class="p6">This email and any files or attachments
transmitted with it are intended solely for the use of the
intended recipient. This email is confidential and may
contain legally privileged information. If you are not the
intended recipient you should not read, disseminate,
distribute, or copy this email. If you have received this
email in error, please notify the sender immediately and
delete it from your system.</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<title></title>
<meta name="Generator" content="Cocoa HTML Writer">
<meta name="CocoaVersion" content="949.54">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times; min-height: 14.0px}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #2e3bfb}
p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier}
p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; min-height: 14.0px}
p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #0018ea}
p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times}
span.s1 {text-decoration: underline}
</style>
<p class="p1"><br>
</p>
<p class="p2"><b>David Aguilar Valero</b></p>
<p class="p3">Dpto. Comercial y Soporte técnico</p>
<p class="p3">NewLight Systems</p>
<p class="p2"><b>Servidores de juegos, HW, Dedicados</b></p>
<p class="p4"><br>
</p>
<p class="p5"><span class="s1"><a href="mailto:c"><b>crk01@nls.es</b></a></span></p>
<p class="p5"><span class="s1"><a
href="mailto:crk01@newlightsystems.com">crk01@newlightsystems.com</a></span></p>
<p class="p5"><span class="s1"><a
href="mailto:tecnico@newlightsystems.com">tecnico@newlightsystems.com</a></span></p>
<p class="p3">#NewLight_Systems @ irc-hispano.org</p>
<p class="p5"><span class="s1"><a
href="http://www.newlightsystems.com/"><b>www.newlightsystems.com</b></a></span></p>
<p class="p5"><span class="s1"><a href="http://www.nls.es/"><b>www.nls.es</b></a></span></p>
<p class="p6">This email and any files or attachments transmitted
with it are intended solely for the use of the intended
recipient. This email is confidential and may contain legally
privileged information. If you are not the intended recipient
you should not read, disseminate, distribute, or copy this
email. If you have received this email in error, please notify
the sender immediately and delete it from your system.</p>
</div>
</body>
</html>