That wouldn't help in the long run. If I do that what about web sites, statistics, clients, and others who do status checks?<br><br><div class="gmail_quote">On Fri, Mar 9, 2012 at 1:46 PM, Christian Gerbrandt <span dir="ltr"><<a href="mailto:gerbra@gotadsl.co.uk">gerbra@gotadsl.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Then whitelist the IP the qstat request is coming from</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> escapedturkey [mailto:<a href="mailto:escapedturkey@escapedturkey.com" target="_blank">escapedturkey@escapedturkey.com</a>] <br>
<b>Sent:</b> 09 March 2012 18:09<br><b>To:</b> Call of Duty server admin list.<br><b>Subject:</b> Re: [cod] Some new cool iptables!</span></p><div><div class="h5"><p class="MsoNormal"> </p><p class="MsoNormal" style="margin-bottom:12.0pt">
Seems to have killed qstat status check. <br><br>Without ServerArk:<br><br>qstat -old -R -P -a2s <a href="http://208.43.15.2:27015" target="_blank">208.43.15.2:27015</a><br><a href="http://208.43.15.2:27015" target="_blank">208.43.15.2:27015</a> "EscapedTurkey.com Dallas, TX" map de_dust at (null) 0/32 players 1 ms<br>
<br>ServerArk running:<br><br>qstat -old -R -P -a2s <a href="http://208.43.15.2:27015" target="_blank">208.43.15.2:27015</a><br><a href="http://208.43.15.2:27015" target="_blank">208.43.15.2:27015</a> no response<br><br>This is what I am using:<br>
<br># The main logic of ServerArk, all done with /sbin/iptables!<br><br># Version 1.01<br># (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)<br># To contact me, simply post on the forum at <a href="http://elitewarriors.net" target="_blank">elitewarriors.net</a>.<br>
#<br># Please note these rules ONLY affect UDP packets to the game servers, nothing else!<br># This script will protect all Q3-protocol servers on the port 28960. It protects<br><br># against both 'getstatus' and 'getinfo' attacks, as well as 'getchallenge' atttacks,<br>
# even from a UDP flood with random source IPs.<br><br># Add a limit/drop chain for "getstatus" packets that limits it to 10 a second for all servers.<br># If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<br>
<br>/sbin/iptables -N LIMITSTAT<br>/sbin/iptables -A LIMITSTAT -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<br>/sbin/iptables -A LIMITSTAT -p udp -j DROP<br><br><br># Add a limit/drop chain for "getinfo" packets that limits it to 10 a second for all servers.<br>
# If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<br><br>/sbin/iptables -N LIMITINFO<br>/sbin/iptables -A LIMITINFO -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<br>
/sbin/iptables -A LIMITINFO -p udp -j DROP<br><br><br># Add a limit/drop chain for "getchallenge" packets that limits it to 5 a second for all servers.<br># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<br>
# at 2 means only 2 players could connect to the server per second. Set LIMITCONN to the<br># same, as there is one getchallenge/connect packet sequence per valid player connection.<br><br>/sbin/iptables -N LIMITCHLG<br>/sbin/iptables -A LIMITCHLG -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<br>
/sbin/iptables -A LIMITCHLG -p udp -j DROP<br><br><br># Add a limit/drop chain for "connect" packets that limits it to 5 a second for all servers.<br># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<br>
# at 2 means only 2 players could connect to the server per second. Set LIMITCHLG to the<br># same, as there is one getchallenge/connect packet sequence per valid player connection.<br><br>/sbin/iptables -N LIMITCONN<br>/sbin/iptables -A LIMITCONN -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<br>
/sbin/iptables -A LIMITCONN -p udp -j DROP<br><br><br># Add a limit chain that prevents more than 70 packets a second per player.<br># This is the main logic of ServerArk, but just performed by an iptable rule.<br># We allow up to 128 players which is enough for 4 servers full (at 32 players each).<br>
# If you only have one server, you could the size and max to 32.<br># If you have players who have manually set their packet rate up to 100, just change the 70 to 100.<br><br>/sbin/iptables -N LIMITPLRS<br>/sbin/iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP<br>
/sbin/iptables -A LIMITPLRS -p udp -j ACCEPT<br><br><br># Add the rules to pick out the various special packets and send them to appropriate limit chains.<br># To protect 5 ports, just specify a range like "--dport 28960:28964" below.<br>
<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getinfo" --algo bm --from 32 --to 33 -j LIMITINFO<br>
/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "connect" --algo bm --from 32 --to 33 -j LIMITCONN<br>
<br><br># Send all other packets (normal player packets) to the limit players chain.<br># A port range like "--dport 28960:28964" could also be used here as well.<br># /sbin/iptables -A INPUT -p udp --dport 28960 -j LIMITPLRS</p>
<div><p class="MsoNormal">/sbin/iptables -A INPUT -p udp --dport 27000:30000 -j LIMITPLRS</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">On Fri, Mar 9, 2012 at 11:41 AM, Boyd G. Gafford Ph.D. <<a href="mailto:drboyd@westportresearch.com" target="_blank">drboyd@westportresearch.com</a>> wrote:</p>
<div><p class="MsoNormal">Yeah, if they flood "getstatus" and "getinfo", during the attack your server will not be visible from the master list.<br><br>If they flood "getchallenge", during the attack nobody will be able to join your server.<br>
<br>Once the attack ends, then you'll be visible again and people can join normally.<br><br>Since most of these attacks are from spoofed random IP addresses (millions of them), you can't limit per IP, as no IP repeats.<br>
<br>This set of rules is about the best I've found short of doing a whitelisted server, where you only allow IP's of known good players, and block everything else, and then people have to join the server with "connect IP:PORT". That's fairly inconvenient for most players, so these rules are about as good as you can get and still allow usage from the master list.<br>
<br> Thanks,<br><span style="color:#888888"><br><i> Boyd</i></span></p><div><p class="MsoNormal"> </p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><i><span style="font-size:10.0pt">__________________________________<br>
Boyd G. Gafford Ph.D.<br>Manager of Software Development<br>Westport Research Associates Inc.<br>7001 Blue Ridge Blvd<br>Raytown, MO 64133<br><a href="tel:%28816%29%20358-8990" target="_blank">(816) 358-8990</a><br><a href="mailto:drboyd@westportresearch.com" target="_blank">drboyd@westportresearch.com</a></span></i></p>
</div><p class="MsoNormal"> </p></div><div><div><p class="MsoNormal">On 03/09/2012 10:00 AM, Ruediger Meier wrote: </p><pre>On Friday 09 March 2012, Boyd G. Gafford Ph.D. wrote:</pre><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Just wanted to share these with the COD group here. I've been</pre><pre>running these rules for about a week now, and they have been working</pre><pre>wonderfully. Let me know if you end up using them and how they work</pre>
<pre>for you.</pre></blockquote><pre>Be aware that now it's easy for a attacker to make your servers </pre><pre>invisible for others by flooding your limit rules.</pre><pre>Maybe you should rather limit per ip.</pre><pre>
</pre><pre>cu,</pre><pre>Rudi</pre><pre> </pre><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><pre>#!/bin/bash</pre><pre># The main logic of ServerArk, all done with iptables!</pre><pre># Version 1.01</pre><pre>
# (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)</pre><pre># To contact me, simply post on the forum at <a href="http://elitewarriors.net" target="_blank">elitewarriors.net</a>.</pre><pre>#</pre><pre># Please note these rules ONLY affect UDP packets to the game</pre>
<pre>servers, nothing else!</pre><pre># This script will protect all Q3-protocol servers on the port 28960.</pre><pre>It protects</pre><pre># against both 'getstatus' and 'getinfo' attacks, as well as</pre>
<pre>'getchallenge' atttacks,</pre><pre># even from a UDP flood with random source IPs.</pre><pre> </pre><pre># Add a limit/drop chain for "getstatus" packets that limits it to 10</pre><pre>a second for all servers.</pre>
<pre># If you are only protecting one server, you can set the number from</pre><pre>10 down to 4 (or 2 even).</pre><pre>iptables -N LIMITSTAT</pre><pre>iptables -A LIMITSTAT -p udp -m limit --limit 10/sec --limit-burst 10</pre>
<pre>-j ACCEPT</pre><pre>iptables -A LIMITSTAT -p udp -j DROP</pre><pre> </pre><pre># Add a limit/drop chain for "getinfo" packets that limits it to 10 a</pre><pre>second for all servers.</pre><pre># If you are only protecting one server, you can set the number from</pre>
<pre>10 down to 4 (or 2 even).</pre><pre>iptables -N LIMITINFO</pre><pre>iptables -A LIMITINFO -p udp -m limit --limit 10/sec --limit-burst 10</pre><pre>-j ACCEPT</pre><pre>iptables -A LIMITINFO -p udp -j DROP</pre><pre> </pre>
<pre># Add a limit/drop chain for "getchallenge" packets that limits it to</pre><pre>5 a second for all servers.</pre><pre># If you are only protecting one server, you can set the number from</pre><pre>5 down to 2. Setting it</pre>
<pre># at 2 means only 2 players could connect to the server per second. </pre><pre>Set LIMITCONN to the</pre><pre># same, as there is one getchallenge/connect packet sequence per</pre><pre>valid player connection.</pre><pre>
iptables -N LIMITCHLG</pre><pre>iptables -A LIMITCHLG -p udp -m limit --limit 5/sec --limit-burst 5</pre><pre>-j ACCEPT</pre><pre>iptables -A LIMITCHLG -p udp -j DROP</pre><pre> </pre><pre># Add a limit/drop chain for "connect" packets that limits it to 5 a</pre>
<pre>second for all servers.</pre><pre># If you are only protecting one server, you can set the number from</pre><pre>5 down to 2. Setting it</pre><pre># at 2 means only 2 players could connect to the server per second. </pre>
<pre>Set LIMITCHLG to the</pre><pre># same, as there is one getchallenge/connect packet sequence per</pre><pre>valid player connection.</pre><pre>iptables -N LIMITCONN</pre><pre>iptables -A LIMITCONN -p udp -m limit --limit 5/sec --limit-burst 5</pre>
<pre>-j ACCEPT</pre><pre>iptables -A LIMITCONN -p udp -j DROP</pre><pre> </pre><pre># Add a limit chain that prevents more than 70 packets a second per</pre><pre>player. # This is the main logic of ServerArk, but just performed by</pre>
<pre>an iptable rule.</pre><pre># We allow up to 128 players which is enough for 4 servers full (at</pre><pre>32 players each).</pre><pre># If you only have one server, you could the size and max to 32.</pre><pre># If you have players who have manually set their packet rate up to</pre>
<pre>100, just change the 70 to 100.</pre><pre>iptables -N LIMITPLRS</pre><pre>iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS</pre><pre>--hashlimit-above 70/sec --hashlimit-burst 70 --hashlimit-mode</pre>
<pre>srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128</pre><pre>--hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j</pre><pre>DROP iptables -A LIMITPLRS -p udp -j ACCEPT</pre><pre> </pre>
<pre># Add the rules to pick out the various special packets and send them</pre><pre>to appropriate limit chains.</pre><pre># To protect 5 ports, just specify a range like "--dport 28960:28964"</pre><pre>below. iptables -A INPUT -p udp --dport 28960-m string --string</pre>
<pre>"getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT</pre><pre>iptables -A INPUT -p udp --dport 28960-m string --string "getinfo"</pre><pre>--algo bm --from 32 --to 33 -j LIMITINFO</pre><pre>iptables -A INPUT -p udp --dport 28960-m string --string</pre>
<pre>"getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG</pre><pre>iptables -A INPUT -p udp --dport 28960-m string --string "connect"</pre><pre>--algo bm --from 32 --to 33 -j LIMITCONN</pre><pre> </pre>
<pre># Send all other packets (normal player packets) to the limit players</pre><pre>chain. # A port range like "--dport 28960:28964" could also be used</pre><pre>here as well. iptables -A INPUT -p udp --dport 28960-j LIMITPLRS</pre>
<pre>/</pre><pre>/Also, you can do an "iptables -L -v -n" to see what kind of attacks</pre><pre>these rules have blocked. Here's an example of this command after a</pre><pre>"getchallenge" flood attack from random IPs, on our Dallas server</pre>
<pre>running on port 29070.</pre><pre> </pre><pre>ew@server1:~$ sudo iptables -L -v -n</pre><pre>Chain INPUT (policy ACCEPT 11368 packets, 1538K bytes)</pre><pre> pkts bytes target prot opt in out source</pre>
<pre>destination</pre><pre> 3880 177K LIMITSTAT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getstatus" ALGO name</pre>
<pre>bm FROM 32 TO 33</pre><pre>14036 617K LIMITINFO udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getinfo" ALGO name bm</pre>
<pre>FROM 32 TO 33</pre><pre> 37M 1620M LIMITCHLG udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getchallenge" ALGO</pre>
<pre>name bm FROM 32 TO 33</pre><pre> 17 4989 LIMITCONN udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "connect" ALGO name bm</pre>
<pre>FROM 32 TO 33</pre><pre> 237K 17M LIMITPLRS udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070</pre>
<pre> </pre><pre>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</pre><pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre> </pre><pre>Chain OUTPUT (policy ACCEPT 343K packets, 54M bytes)</pre>
<pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre> </pre><pre>Chain LIMITCHLG (1 references)</pre><pre> pkts bytes target prot opt in out source</pre><pre>destination</pre>
<pre>40025 1761K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 5/sec burst 5</pre><pre>
*37M 1618M DROP* udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre> </pre><pre>Chain LIMITCONN (1 references)</pre>
<pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre> 17 4989 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 5/sec burst 5</pre>
<pre> 0 0 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre> </pre><pre>Chain LIMITINFO (1 references)</pre>
<pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre>14036 617K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 10/sec burst 10</pre>
<pre> 0 0 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre> </pre><pre>Chain LIMITPLRS (1 references)</pre>
<pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre> 1642 104K DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: above 70/sec burst 70 mode srcip-srcport</pre>
<pre>htable-size 128 htable-max 128</pre><pre> 236K 17M ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre>
<pre> </pre><pre>Chain LIMITSTAT (1 references)</pre><pre> pkts bytes target prot opt in out source</pre><pre>destination</pre><pre> 3868 177K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre>
<pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 10/sec burst 10</pre><pre> 12 516 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre>
<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></pre><pre> </pre><pre>Notice the bolded packet/byte statistics for the "getchallenge" drop</pre><pre>chain named LIMITCHLG. A total of 37 million packets dropped. I was</pre>
<pre>on the game during this attack, and although the server did lag a bit</pre><pre>from the sheer size of the flood (almost saturating the bandwidth),</pre><pre>nobody lagged out. Without this rule, the game server deadlocked.</pre>
<pre> </pre><pre>Also notice you can tell how many players have connected to the</pre><pre>server, as the LIMITCONN status shows 17 packets accepted. So during</pre><pre>this time we had 17 players join the game.</pre><pre>
</pre><pre>You can also see how many people requested the servers in game (as</pre><pre>well as other services like GameTracker getting info on you), as that</pre><pre>corresponds to the LIMITSTAT and LIMITINFO chains.</pre>
<pre> </pre><pre>Another cool thing you can do is "cat /proc/srv/ipt_hashlimit/PLAYERS</pre><pre>to see the IP addresses of all the players currently connected to the</pre><pre>server(s). Once a player quits playing, he goes out of this file</pre>
<pre>automatically after 10 seconds.</pre><pre> </pre><pre>I may refine these a bit further, but for now, these seem to be</pre><pre>working well on our VPS.</pre><pre> </pre><pre>Thanks,</pre><pre> </pre><pre>/Boyd/</pre>
</blockquote><pre>_______________________________________________</pre><pre>cod mailing list</pre><pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a></pre><pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></pre>
<pre> </pre></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>cod mailing list<br><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p></div><p class="MsoNormal"><br><br clear="all"><br>-- </p><div><p class="MsoNormal">EscapedTurkey.com Billing and Support</p>
</div><div><p class="MsoNormal"><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></p></div><p class="MsoNormal"> </p></div></div></div></div><br>_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>EscapedTurkey.com Billing and Support<br></div><div><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>