<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    That would be great if the actual flooder's IP was in the attack.&nbsp;
    Unfortunately they are nearly always spoofed and hence any report
    based on them would end up being inaccurate.&nbsp; Because UDP packets
    are one-way, spoofing the source IP still makes it through routers
    as most only go off the destination IP.<br>
    <br>
    If routers at the starting ISP were to check on the source IP of all
    packets, and not let any packets through that do not match the
    source IPs assigned (static or DHCP), then the ability to UDP flood
    with a spoofed IP would be impossible, and your idea would work.<br>
    <br>
    This may eventually happen some day, but don't expect it anytime
    soon.<br>
    <br>
    <i>Boyd</i><br>
    <br>
    <br>
    On 02/24/2012 10:29 AM, escapedturkey wrote:
    <blockquote
cite="mid:CALCvV0wynjW8JeO7G53GHsa-WiVXX6A_LULNq-f94MhN++id8A@mail.gmail.com"
      type="cite">Crazy idea and brainstorming: A way to validate the
      abusive IP, see who owns it (i.e. actual datacenter or ISP),
      checks the FQDN .. sends a formal complaint style email to abuse@
      admin@ with attached sample proofs.&nbsp;<br>
      <br>
      <div class="gmail_quote">On Fri, Feb 24, 2012 at 11:05 AM, Boyd G.
        Gafford Ph.D. <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> If every Linux server
            had the iptables getstatus reflection throttle rule, it
            would be harder to do massive reflection attacks like this.&nbsp;
            <br>
            <br>
            Unfortunately, even if every Linux admin did this, there
            would still be at least 20 servers that don't, and the
            attackers would just pick the ones that don't to do the
            attack.<br>
            <br>
            Such a pain.<br>
            <br>
            :(
            <div>
              <div class="h5"><br>
                <br>
                On 02/23/2012 06:15 PM, NewLight Systems wrote:
                <blockquote type="cite"> Yes that's very annoying . The
                  problem is that it is very easy to do a distributed
                  attack with this gameserver's bugs.<br>
                  <br>
                  And of course, any gameserver is probably on a
                  dedicated line with 100 or 1000 MBPS bandwidth, so 20
                  "zombie" gameservers throwing reflection attacks = 50
                  MBPS = 1 GBPS of distributed attack.<br>
                  <br>
                  I don't mind our CPUs, they are fast, but we are really
                  capped at the bottleneck that represents 1 GBPS of
                  fast ethernet<br>
                  <br>
                  On 24/02/12 00:15, Boyd G. Gafford Ph.D. wrote:
                  <blockquote type="cite"> Yep, that's getting towards
                    the saturated side lol.&nbsp; It must be a distributed
                    DOS UDP flood, as I can't imagine many script
                    kiddies with that kind of bandwidth for a single
                    attack spoofing 20 IPs.<br>
                    <br>
                    At that point, a lot of your CPU is just handling
                    the incoming IP packets.&nbsp; Not much to do in that
                    situation.&nbsp; Even if you bonded four GbE's together,
                    you're still looking at needing quite a chunk of CPU
                    just to offload throwing away that 1Gbps.<br>
                    <br>
                    Even if you were to dynamically interact with your
                    router to tell it to drop the packets, your incoming
                    bandwidth would still be hammered.&nbsp; It almost has to
                    happen at the carrier (preferably at the carriers of
                    the flooders) to do anything to help, and we all
                    know how likely that is to happen unfortunately.<br>
                    <br>
                    Good luck,<br>
                    <br>
                    &nbsp; <i>Boyd</i><br>
                    <div><br>
                    </div>
                    <br>
                    On 02/23/2012 04:46 PM, NewLight Systems wrote:
                    <blockquote type="cite"> The problem is that we are
                      receiving for example 1 GBPS attacks to one IP
                      from several sources ( maybe 15 - 20 ips )<br>
                      <br>
                      That means that 1 GB of inbound is occupied. We
                      have iptables rules, of course, but it is affecting
                      all services on that dedicated server<br>
                      <br>
                      On 23/02/12 23:42, Boyd G. Gafford Ph.D. wrote:
                      <blockquote type="cite"> Hey there, thanks for
                        responding.<br>
                        <br>
                        I'm not sure I understand what you mean by "the
                        line is occupied anyway."&nbsp; If you mean the
                        bandwidth to the server is saturated by the
                        flood, then yeah, it's going to affect game
                        play.&nbsp; Fortunately most servers at data centers
                        have high enough bandwidth to them that a
                        typical attack doesn't saturate.<br>
                        <br>
                        If your game server port is the target of a
                        single IP UDP flood attack, then typically an
                        iptables drop rule handled by the kernel is more
                        efficient than the game server itself,
                        especially if the flooded packets are server
                        commands that are being processed by the game
                        server, which is sending out UDP reply packets.&nbsp;
                        That takes up much more CPU than a kernel-level
                        packet drop.<br>
                        <br>
                        Under those circumstances, the cheap VPS we use
                        in Dallas has endured 64Mbps attacks for hours
                        and the game server is still very playable.&nbsp; It
                        would be nice if the flood was blocked at the
                        router or carrier level, but still iptables is
                        pretty amazing when the kernel drop is your last
                        line of defense.<br>
                        <br>
                        Thanks,<br>
                        <br>
                        &nbsp; <i>Boyd</i><br>
                        <br>
                        <br>
                        On 02/23/2012 04:22 PM, NewLight Systems wrote:
                        <blockquote type="cite"> It's ok but this isn't
                          working if the UDP floods to your server
                          because the line is occupied anyway.<br>
                          <br>
                          If you are the target, there's nothing you can
                          do at a dedicated server level.<br>
                          <br>
                          This type of attack ( always if you are the
                          target ) has to be eradicated at a higher
                          level ( router or carrier ) if you want to
                          preserve your connection<br>
                          <br>
                          On 23/02/12 23:12, Boyd G. Gafford Ph.D.
                          wrote:
                          <blockquote type="cite"> Hey everyone,
                            EscapedTurkey told me about this group, and
                            so I just wanted to say a quick hello.<br>
                            <br>
                            I'm the guy who got frustrated enough with
                            UDP flood attacks that I wrote ServerArk to
                            deal with the majority of them.&nbsp; If anyone
                            has any questions about the program, or any
                            ideas on what they would like to see in it
                            in the future, by all means let me know.<br>
                            <br>
                            Since I've been using it on our JA (Q3
                            protocol) servers (<a moz-do-not-send="true"
                              href="http://elitewarriors.net"
                              target="_blank">http://elitewarriors.net</a>)
                            it's blocked about 20 high volume attacks
                            (one at 64Mbps) successfully over the past
                            few months.&nbsp; As long as the source IP of the
                            UDP flood is not random, it works really
                            well.<br>
                            <br>
                            I have a few new ideas on flood detection on
                            random IP attacks I will ping off you guys
                            over the next few days to see what you
                            think.<br>
                            <br>
                            Also kudos to whoever did the "I don't want
                            to participate in reflection attacks"
                            iptables rule that matches off of the
                            'getstatus' UDP packet payload.&nbsp; If everyone
                            who had a Q3 protocol server (COD, JA, etc)
                            had that rule running reflection attacks
                            would be a LOT less potent.<br>
                            <br>
                            :)<br>
                            <br>
                            Thanks,<br>
                            <br>
                            &nbsp; <i>Boyd</i><br>
                            <br>
                            <div><i><font size="-1">__________________________________<br>
                                  Boyd G. Gafford Ph.D.<br>
                                  Manager of Software Development<br>
                                  Westport Research Associates Inc.<br>
                                  7001 Blue Ridge Blvd<br>
                                  Raytown, MO 64133<br>
                                  <a moz-do-not-send="true"
                                    href="tel:%28816%29%20358-8990"
                                    value="+18163588990" target="_blank">(816)
                                    358-8990</a><br>
                                  <a moz-do-not-send="true"
                                    href="mailto:drboyd@westportresearch.com"
                                    target="_blank">drboyd@westportresearch.com</a><br>
                                </font></i><br>
                            </div>
                            <br>
                            <br>
                            <pre>_______________________________________________
cod mailing list
<a moz-do-not-send="true" href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a moz-do-not-send="true" href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
                          </blockquote>
                          <br>
                          <div>-- <br>
                            <p><br>
                            </p>
                            <p><b>David Aguilar Valero</b></p>
                            <p>Sales and Technical Support Dept.</p>
                            <p>NewLight Systems</p>
                            <p><b>Game servers, hardware, dedicated servers</b></p>
                            <p><br>
                            </p>
                            <p><span><a moz-do-not-send="true"
                                  href="mailto:c" target="_blank"><b>crk01@nls.es</b></a></span></p>
                            <p><span><a moz-do-not-send="true"
                                  href="mailto:crk01@newlightsystems.com"
                                  target="_blank">crk01@newlightsystems.com</a></span></p>
                            <p><span><a moz-do-not-send="true"
                                  href="mailto:tecnico@newlightsystems.com"
                                  target="_blank">tecnico@newlightsystems.com</a></span></p>
                            <p>#NewLight_Systems @ <a
                                moz-do-not-send="true"
                                href="http://irc-hispano.org"
                                target="_blank">irc-hispano.org</a></p>
                            <p><span><a moz-do-not-send="true"
                                  href="http://www.newlightsystems.com/"
                                  target="_blank"><b>www.newlightsystems.com</b></a></span></p>
                            <p><span><a moz-do-not-send="true"
                                  href="http://www.nls.es/"
                                  target="_blank"><b>www.nls.es</b></a></span></p>
                            <p>This email and any files or attachments
                              transmitted with it are intended solely
                              for the use of the intended recipient.
                              This email is confidential and may contain
                              legally privileged information. If you are
                              not the intended recipient you should not
                              read, disseminate, distribute, or copy
                              this email. If you have received this
                              email in error, please notify the sender
                              immediately and delete it from your
                              system.</p>
                          </div>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                </blockquote>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a moz-do-not-send="true"
          href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
    </blockquote>
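    <br>
    Added example, not part of the thread and not the list's actual iptables rule: a Python model of the per-source "getstatus" throttle discussed above, showing how few replies a server reflects toward a forged source once the rule is in place. The rate, burst, class and function names, and the documentation-range addresses are assumptions made for illustration.

```python
# Added illustration: model of a per-source throttle on Q3 "getstatus" queries.
# Rate, burst and addresses are assumed values, not taken from the thread.

# Quake 3 protocol connectionless packets start with four 0xFF bytes.
GETSTATUS = b"\xff\xff\xff\xffgetstatus"


class GetstatusThrottle:
    """Token bucket per source IP, applied only to getstatus queries.

    Time is in integer milliseconds and tokens in thousandths of a token,
    so the arithmetic is exact.
    """

    def __init__(self, rate_per_s=2, burst=5):
        self.refill_per_ms = rate_per_s   # milli-tokens added per millisecond
        self.capacity = burst * 1000      # bucket size in milli-tokens
        self.buckets = {}                 # src_ip -> [milli_tokens, last_ms]

    def allow(self, src_ip, payload, now_ms):
        if not payload.startswith(GETSTATUS):
            return True                   # other traffic is outside this rule
        bucket = self.buckets.setdefault(src_ip, [self.capacity, now_ms])
        elapsed = now_ms - bucket[1]
        bucket[0] = min(self.capacity, bucket[0] + elapsed * self.refill_per_ms)
        bucket[1] = now_ms
        if bucket[0] >= 1000:
            bucket[0] -= 1000
            return True                   # the server would send a status reply
        return False                      # dropped, so nothing is reflected


def simulate(seconds=10):
    """Constructed traffic: 1000 getstatus/s carrying one forged source
    (the reflection target) plus a server browser polling once a second."""
    throttle = GetstatusThrottle()
    target, browser = "198.51.100.7", "203.0.113.20"  # documentation ranges
    replies = {target: 0, browser: 0}
    query = GETSTATUS + b"\n"
    for now_ms in range(seconds * 1000):
        if throttle.allow(target, query, now_ms):
            replies[target] += 1
        if now_ms % 1000 == 0 and throttle.allow(browser, query, now_ms):
            replies[browser] += 1
    return replies


if __name__ == "__main__":
    print(simulate())
```

    Of the 10,000 forged queries in the constructed run only 24 get a reply, while the once-per-second browser is never throttled.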
  </body>
</html>