<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Just wanted to share these with the COD group here. I've been
running these rules for about a week now, and they have been working
wonderfully. Let me know if you end up using them and how they work
for you.<br>
<br>
<font size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">#!/bin/bash<br>
# The main logic of ServerArk, all done with iptables!<br>
# Version 1.01<br>
# (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)<br>
# To contact me, simply post on the forum at elitewarriors.net.<br>
#<br>
# Please note these rules ONLY affect UDP packets to the game
servers, nothing else!<br>
# This script will protect all Q3-protocol servers on the port
28960. It protects<br>
# against both 'getstatus' and 'getinfo' attacks, as well as
'getchallenge' atttacks,<br>
# even from a UDP flood with random source IPs.<br>
<br>
# Add a limit/drop chain for "getstatus" packets that limits it
to 10 a second for all servers.<br>
# If you are only protecting one server, you can set the number
from 10 down to 4 (or 2 even).<br>
iptables -N LIMITSTAT<br>
iptables -A LIMITSTAT -p udp -m limit --limit 10/sec
--limit-burst 10 -j ACCEPT<br>
iptables -A LIMITSTAT -p udp -j DROP<br>
<br>
# Add a limit/drop chain for "getinfo" packets that limits it to
10 a second for all servers.<br>
# If you are only protecting one server, you can set the number
from 10 down to 4 (or 2 even).<br>
iptables -N LIMITINFO<br>
iptables -A LIMITINFO -p udp -m limit --limit 10/sec
--limit-burst 10 -j ACCEPT<br>
iptables -A LIMITINFO -p udp -j DROP<br>
<br>
# Add a limit/drop chain for "getchallenge" packets that limits
it to 5 a second for all servers.<br>
# If you are only protecting one server, you can set the number
from 5 down to 2. Setting it<br>
# at 2 means only 2 players could connect to the server per
second. Set LIMITCONN to the<br>
# same, as there is one getchallenge/connect packet sequence per
valid player connection.<br>
iptables -N LIMITCHLG<br>
iptables -A LIMITCHLG -p udp -m limit --limit 5/sec
--limit-burst 5 -j ACCEPT<br>
iptables -A LIMITCHLG -p udp -j DROP<br>
<br>
# Add a limit/drop chain for "connect" packets that limits it to
5 a second for all servers.<br>
# If you are only protecting one server, you can set the number
from 5 down to 2. Setting it<br>
# at 2 means only 2 players could connect to the server per
second. Set LIMITCHLG to the<br>
# same, as there is one getchallenge/connect packet sequence per
valid player connection.<br>
iptables -N LIMITCONN<br>
iptables -A LIMITCONN -p udp -m limit --limit 5/sec
--limit-burst 5 -j ACCEPT<br>
iptables -A LIMITCONN -p udp -j DROP<br>
<br>
# Add a limit chain that prevents more than 70 packets a second
per player.<br>
# This is the main logic of ServerArk, but just performed by an
iptable rule.<br>
# We allow up to 128 players which is enough for 4 servers full
(at 32 players each).<br>
# If you only have one server, you could the size and max to 32.<br>
# If you have players who have manually set their packet rate up
to 100, just change the 70 to 100.<br>
iptables -N LIMITPLRS<br>
iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name
PLAYERS --hashlimit-above 70/sec --hashlimit-burst 70
--hashlimit-mode srcip,srcport --hashlimit-htable-size 128
--hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000
--hashlimit-htable-expire 10000 -j DROP<br>
iptables -A LIMITPLRS -p udp -j ACCEPT<br>
<br>
# Add the rules to pick out the various special packets and send
them to appropriate limit chains.<br>
# To protect 5 ports, just specify a range like "--dport </span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">:</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28964</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">" below.<br>
iptables -A INPUT -p udp --dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> -m string --string
"getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT<br>
iptables -A INPUT -p udp --dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> -m string --string
"getinfo" --algo bm --from 32 --to 33 -j LIMITINFO<br>
iptables -A INPUT -p udp --dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> -m string --string
"getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG<br>
iptables -A INPUT -p udp --dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> -m string --string
"connect" --algo bm --from 32 --to 33 -j LIMITCONN<br>
<br>
# Send all other packets (normal player packets) to the limit
players chain.<br>
# A port range like "--dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">:</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28964</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">" could also be used
here as well.<br>
iptables -A INPUT -p udp --dport </span></font><font size="2"><span
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">28960</span></font><font
size="2"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> -j LIMITPLRS<br>
</span></font><em><br>
</em>Also, you can do an "iptables -L -v -n" to see what kind of
attacks these rules have blocked. Here's an example of this command
after a "getchallenge" flood attack from random IPs, on our Dallas
server running on port 29070.<br>
<br>
<font size="1"><span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">ew@server1:~$ sudo
iptables -L -v -n</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain INPUT (policy
ACCEPT 11368 packets, 1538K bytes)</span><br style="font-family:
Courier New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 3880 177K LIMITSTAT
udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:29070 STRING match "getstatus" ALGO name bm FROM 32 TO
33 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">14036 617K LIMITINFO
udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:29070 STRING match "getinfo" ALGO name bm FROM 32 TO 33
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 37M 1620M LIMITCHLG
udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:29070 STRING match "getchallenge" ALGO name bm FROM 32
TO 33 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 17 4989 LIMITCONN
udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:29070 STRING match "connect" ALGO name bm FROM 32 TO 33
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 237K 17M LIMITPLRS
udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:29070 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain FORWARD (policy
ACCEPT 0 packets, 0 bytes)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain OUTPUT (policy
ACCEPT 343K packets, 54M bytes)</span><br style="font-family:
Courier New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain LIMITCHLG (1
references)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">40025 1761K ACCEPT
udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 5/sec burst 5 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> <strong>37M 1618M
DROP</strong> udp -- * *
0.0.0.0/0 0.0.0.0/0 </span><br
style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain LIMITCONN (1
references)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 17 4989 ACCEPT
udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 5/sec burst 5 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 0 0 DROP
udp -- * * 0.0.0.0/0 0.0.0.0/0
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain LIMITINFO (1
references)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">14036 617K ACCEPT
udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 10/sec burst 10 </span><br style="font-family:
Courier New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 0 0 DROP
udp -- * * 0.0.0.0/0 0.0.0.0/0
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain LIMITPLRS (1
references)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 1642 104K DROP
udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 70/sec burst 70 mode srcip-srcport htable-size 128
htable-max 128 </span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 236K 17M ACCEPT
udp -- * * 0.0.0.0/0 0.0.0.0/0
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">Chain LIMITSTAT (1
references)</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> pkts bytes target
prot opt in out source destination
</span><br style="font-family: Courier
New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 3868 177K ACCEPT
udp -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 10/sec burst 10 </span><br style="font-family:
Courier New,courier,monaco,monospace,sans-serif;">
<span style="font-family: Courier
New,courier,monaco,monospace,sans-serif;"> 12 516 DROP
udp -- * * 0.0.0.0/0 0.0.0.0/0 </span></font>
<br>
<br>
Notice the bolded packet/byte statistics for the "getchallenge" drop
chain named LIMITCHLG. A total of 37 million packets dropped. I
was on the game during this attack, and although the server did lag
a bit from the sheer size of the flood (almost saturating the
bandwidth), nobody lagged out. Without this rule, the game server
deadlocked.<br>
<br>
Also notice you can tell how many players have connected to the
server, as the LIMITCONN status shows 17 packets accepted. So
during this time we had 17 players join the game.<br>
<br>
You can also see how many people requested the servers in game (as
well as other services like GameTracker getting info on you), as
that corresponds to the LIMITSTAT and LIMITINFO chains.<br>
<br>
Another cool thing you can do is "cat
/proc/srv/ipt_hashlimit/PLAYERS to see the IP addresses of all the
players currently connected to the server(s). Once a player quits
playing, he goes out of this file automatically after 10 seconds.<br>
<br>
I may refine these a bit further, but for now, these seem to be
working well on our VPS.<br>
<br>
Thanks,<br>
<br>
<em>Boyd</em><br>
<div class="moz-signature">-- <br>
<i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a class="moz-txt-link-abbreviated" href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
</body>
</html>