<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Consolas","serif";
        mso-fareast-language:EN-GB;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Then whitelist the IP the qstat request is coming from<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> escapedturkey [mailto:escapedturkey@escapedturkey.com] <br><b>Sent:</b> 09 March 2012 18:09<br><b>To:</b> Call of Duty server admin list.<br><b>Subject:</b> Re: [cod] Some new cool iptables!<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Seems to have killed qstat status check. <br><br>Without ServerArk:<br><br>qstat -old -R -P -a2s <a href="http://208.43.15.2:27015">208.43.15.2:27015</a><br><a href="http://208.43.15.2:27015">208.43.15.2:27015</a> "EscapedTurkey.com Dallas, TX" map de_dust at (null) 0/32 players 1 ms<br><br>ServerArk running:<br><br>qstat -old -R -P -a2s <a href="http://208.43.15.2:27015">208.43.15.2:27015</a><br><a href="http://208.43.15.2:27015">208.43.15.2:27015</a> no response<br><br>This is what I am using:<br><br># The main logic of ServerArk, all done with /sbin/iptables!<br><br># Version 1.01<br># (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)<br># To contact me, simply post on the forum at <a href="http://elitewarriors.net">elitewarriors.net</a>.<br>#<br># Please note these rules ONLY affect UDP packets to the game servers, nothing else!<br># This script will protect all Q3-protocol servers on the port 28960. 
It protects<br><br># against both 'getstatus' and 'getinfo' attacks, as well as 'getchallenge' attacks,<br># even from a UDP flood with random source IPs.<br><br># Add a limit/drop chain for "getstatus" packets that limits it to 10 a second for all servers.<br># If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<br><br>/sbin/iptables -N LIMITSTAT<br>/sbin/iptables -A LIMITSTAT -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<br>/sbin/iptables -A LIMITSTAT -p udp -j DROP<br><br><br># Add a limit/drop chain for "getinfo" packets that limits it to 10 a second for all servers.<br># If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<br><br>/sbin/iptables -N LIMITINFO<br>/sbin/iptables -A LIMITINFO -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<br>/sbin/iptables -A LIMITINFO -p udp -j DROP<br><br><br># Add a limit/drop chain for "getchallenge" packets that limits it to 5 a second for all servers.<br># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<br># at 2 means only 2 players could connect to the server per second. Set LIMITCONN to the<br># same, as there is one getchallenge/connect packet sequence per valid player connection.<br><br>/sbin/iptables -N LIMITCHLG<br>/sbin/iptables -A LIMITCHLG -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<br>/sbin/iptables -A LIMITCHLG -p udp -j DROP<br><br><br># Add a limit/drop chain for "connect" packets that limits it to 5 a second for all servers.<br># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<br># at 2 means only 2 players could connect to the server per second. 
Set LIMITCHLG to the<br># same, as there is one getchallenge/connect packet sequence per valid player connection.<br><br>/sbin/iptables -N LIMITCONN<br>/sbin/iptables -A LIMITCONN -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<br>/sbin/iptables -A LIMITCONN -p udp -j DROP<br><br><br># Add a limit chain that prevents more than 70 packets a second per player.<br># This is the main logic of ServerArk, but just performed by an iptable rule.<br># We allow up to 128 players which is enough for 4 servers full (at 32 players each).<br># If you only have one server, you could set the size and max to 32.<br># If you have players who have manually set their packet rate up to 100, just change the 70 to 100.<br><br>/sbin/iptables -N LIMITPLRS<br>/sbin/iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP<br>/sbin/iptables -A LIMITPLRS -p udp -j ACCEPT<br><br><br># Add the rules to pick out the various special packets and send them to appropriate limit chains.<br># To protect 5 ports, just specify a range like "--dport 28960:28964" below.<br><br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getinfo" --algo bm --from 32 --to 33 -j LIMITINFO<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG<br>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -m string --string "connect" --algo bm --from 32 --to 33 -j LIMITCONN<br><br><br># Send all other packets (normal player packets) to the limit players chain.<br># A port range like "--dport 28960:28964" could also be used here as well.<br># /sbin/iptables -A INPUT -p udp --dport 28960 -j 
LIMITPLRS<o:p></o:p></p><div><p class=MsoNormal>/sbin/iptables -A INPUT -p udp --dport 27000:30000 -j LIMITPLRS<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>On Fri, Mar 9, 2012 at 11:41 AM, Boyd G. Gafford Ph.D. <<a href="mailto:drboyd@westportresearch.com" target="_blank">drboyd@westportresearch.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>Yeah, if they flood "getstatus" and "getinfo", during the attack your server will not be visible from the master list.<br><br>If they flood "getchallenge", during the attack nobody will be able to join your server.<br><br>Once the attack ends, then you'll be visible again and people can join normally.<br><br>Since most of these attacks are from spoofed random IP addresses (millions of them), you can't limit per IP, as no IP repeats.<br><br>This set of rules is about the best I've found short of doing a whitelisted server, where you only allow IP's of known good players, and block everything else, and then people have to join the server with "connect IP:PORT". That's fairly inconvenient for most players, so these rules are about as good as you can get and still allow usage from the master list.<br><br> Thanks,<br><span style='color:#888888'><br><i> Boyd</i></span><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><i><span style='font-size:10.0pt'>__________________________________<br>Boyd G. Gafford Ph.D.<br>Manager of Software Development<br>Westport Research Associates Inc.<br>7001 Blue Ridge Blvd<br>Raytown, MO 64133<br><a href="tel:%28816%29%20358-8990" target="_blank">(816) 358-8990</a><br><a href="mailto:drboyd@westportresearch.com" target="_blank">drboyd@westportresearch.com</a></span></i><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>On 03/09/2012 10:00 AM, Ruediger Meier wrote: <o:p></o:p></p><pre>On Friday 09 March 2012, Boyd G. Gafford Ph.D. 
wrote:<o:p></o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Just wanted to share these with the COD group here. I've been<o:p></o:p></pre><pre>running these rules for about a week now, and they have been working<o:p></o:p></pre><pre>wonderfully. Let me know if you end up using them and how they work<o:p></o:p></pre><pre>for you.<o:p></o:p></pre></blockquote><pre>Be aware that now it's easy for an attacker to make your servers <o:p></o:p></pre><pre>invisible for others by flooding your limit rules.<o:p></o:p></pre><pre>Maybe you should rather limit per ip.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>cu,<o:p></o:p></pre><pre>Rudi<o:p></o:p></pre><pre><o:p> </o:p></pre><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>#!/bin/bash<o:p></o:p></pre><pre># The main logic of ServerArk, all done with iptables!<o:p></o:p></pre><pre># Version 1.01<o:p></o:p></pre><pre># (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)<o:p></o:p></pre><pre># To contact me, simply post on the forum at <a href="http://elitewarriors.net" target="_blank">elitewarriors.net</a>.<o:p></o:p></pre><pre>#<o:p></o:p></pre><pre># Please note these rules ONLY affect UDP packets to the game servers, nothing else!<o:p></o:p></pre><pre># This script will protect all Q3-protocol servers on the port 28960. It protects<o:p></o:p></pre><pre># against both 'getstatus' and 'getinfo' attacks, as well as 'getchallenge' attacks,<o:p></o:p></pre><pre># even from a UDP flood with random source IPs.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add a limit/drop chain for "getstatus" packets that limits it to 10 a second for all servers.<o:p></o:p></pre><pre># If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<o:p></o:p></pre><pre>iptables -N LIMITSTAT<o:p></o:p></pre><pre>iptables -A LIMITSTAT -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<o:p></o:p></pre><pre>iptables -A LIMITSTAT -p udp -j DROP<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add a limit/drop chain for "getinfo" packets that limits it to 10 a second for all servers.<o:p></o:p></pre><pre># If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).<o:p></o:p></pre><pre>iptables -N LIMITINFO<o:p></o:p></pre><pre>iptables -A LIMITINFO -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT<o:p></o:p></pre><pre>iptables -A LIMITINFO -p udp -j DROP<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add a limit/drop chain for "getchallenge" packets that limits it to 5 a second for all servers.<o:p></o:p></pre><pre># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<o:p></o:p></pre><pre># at 2 means only 2 players could connect to the server per second. Set LIMITCONN to the<o:p></o:p></pre><pre># same, as there is one getchallenge/connect packet sequence per valid player connection.<o:p></o:p></pre><pre>iptables -N LIMITCHLG<o:p></o:p></pre><pre>iptables -A LIMITCHLG -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<o:p></o:p></pre><pre>iptables -A LIMITCHLG -p udp -j DROP<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add a limit/drop chain for "connect" packets that limits it to 5 a second for all servers.<o:p></o:p></pre><pre># If you are only protecting one server, you can set the number from 5 down to 2. Setting it<o:p></o:p></pre><pre># at 2 means only 2 players could connect to the server per second. 
<o:p></o:p></pre><pre># Set LIMITCHLG to the same, as there is one getchallenge/connect packet sequence per valid player connection.<o:p></o:p></pre><pre>iptables -N LIMITCONN<o:p></o:p></pre><pre>iptables -A LIMITCONN -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT<o:p></o:p></pre><pre>iptables -A LIMITCONN -p udp -j DROP<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add a limit chain that prevents more than 70 packets a second per player.<o:p></o:p></pre><pre># This is the main logic of ServerArk, but just performed by an iptable rule.<o:p></o:p></pre><pre># We allow up to 128 players which is enough for 4 servers full (at 32 players each).<o:p></o:p></pre><pre># If you only have one server, you could set the size and max to 32.<o:p></o:p></pre><pre># If you have players who have manually set their packet rate up to 100, just change the 70 to 100.<o:p></o:p></pre><pre>iptables -N LIMITPLRS<o:p></o:p></pre><pre>iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS --hashlimit-above 70/sec --hashlimit-burst 70 --hashlimit-mode srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP<o:p></o:p></pre><pre>iptables -A LIMITPLRS -p udp -j ACCEPT<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Add the rules to pick out the various special packets and send them to appropriate limit chains.<o:p></o:p></pre><pre># To protect 5 ports, just specify a range like "--dport 28960:28964" below.<o:p></o:p></pre><pre>iptables -A INPUT -p udp --dport 28960 -m string --string "getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT<o:p></o:p></pre><pre>iptables -A INPUT -p udp --dport 28960 -m string --string "getinfo" --algo bm --from 32 --to 33 -j LIMITINFO<o:p></o:p></pre><pre>iptables -A INPUT -p udp --dport 28960 -m string --string "getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG<o:p></o:p></pre><pre>iptables -A INPUT -p udp --dport 28960 -m string --string "connect" --algo bm --from 32 --to 33 -j LIMITCONN<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># Send all other packets (normal player packets) to the limit players chain.<o:p></o:p></pre><pre># A port range like "--dport 28960:28964" could also be used here as well.<o:p></o:p></pre><pre>iptables -A INPUT -p udp --dport 28960 -j LIMITPLRS<o:p></o:p></pre><pre>/<o:p></o:p></pre><pre>/Also, you can do an "iptables -L -v -n" to see what kind of attacks<o:p></o:p></pre><pre>these rules have blocked. 
Here's an example of this command after a<o:p></o:p></pre><pre>"getchallenge" flood attack from random IPs, on our Dallas server<o:p></o:p></pre><pre>running on port 29070.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>ew@server1:~$ sudo iptables -L -v -n<o:p></o:p></pre><pre>Chain INPUT (policy ACCEPT 11368 packets, 1538K bytes)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre> 3880 177K LIMITSTAT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getstatus" ALGO name<o:p></o:p></pre><pre>bm FROM 32 TO 33<o:p></o:p></pre><pre>14036 617K LIMITINFO udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getinfo" ALGO name bm<o:p></o:p></pre><pre>FROM 32 TO 33<o:p></o:p></pre><pre> 37M 1620M LIMITCHLG udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "getchallenge" ALGO<o:p></o:p></pre><pre>name bm FROM 32 TO 33<o:p></o:p></pre><pre> 17 4989 LIMITCONN udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070 STRING match "connect" ALGO name bm<o:p></o:p></pre><pre>FROM 32 TO 33<o:p></o:p></pre><pre> 237K 17M LIMITPLRS udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:29070<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain OUTPUT (policy ACCEPT 343K packets, 
54M bytes)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain LIMITCHLG (1 references)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre>40025 1761K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 5/sec burst 5<o:p></o:p></pre><pre>*37M 1618M DROP* udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain LIMITCONN (1 references)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre> 17 4989 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 5/sec burst 5<o:p></o:p></pre><pre> 0 0 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain LIMITINFO (1 references)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre>14036 617K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 10/sec burst 10<o:p></o:p></pre><pre> 0 0 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain LIMITPLRS (1 references)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre> 1642 104K DROP 
udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: above 70/sec burst 70 mode srcip-srcport<o:p></o:p></pre><pre>htable-size 128 htable-max 128<o:p></o:p></pre><pre> 236K 17M ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Chain LIMITSTAT (1 references)<o:p></o:p></pre><pre> pkts bytes target prot opt in out source<o:p></o:p></pre><pre>destination<o:p></o:p></pre><pre> 3868 177K ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> limit: avg 10/sec burst 10<o:p></o:p></pre><pre> 12 516 DROP udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Notice the bolded packet/byte statistics for the "getchallenge" drop<o:p></o:p></pre><pre>chain named LIMITCHLG. A total of 37 million packets dropped. I was<o:p></o:p></pre><pre>on the game during this attack, and although the server did lag a bit<o:p></o:p></pre><pre>from the sheer size of the flood (almost saturating the bandwidth),<o:p></o:p></pre><pre>nobody lagged out. Without this rule, the game server deadlocked.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Also notice you can tell how many players have connected to the<o:p></o:p></pre><pre>server, as the LIMITCONN status shows 17 packets accepted. 
So during<o:p></o:p></pre><pre>this time we had 17 players join the game.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>You can also see how many people requested the servers in game (as<o:p></o:p></pre><pre>well as other services like GameTracker getting info on you), as that<o:p></o:p></pre><pre>corresponds to the LIMITSTAT and LIMITINFO chains.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Another cool thing you can do is "cat /proc/srv/ipt_hashlimit/PLAYERS<o:p></o:p></pre><pre>to see the IP addresses of all the players currently connected to the<o:p></o:p></pre><pre>server(s). Once a player quits playing, he goes out of this file<o:p></o:p></pre><pre>automatically after 10 seconds.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I may refine these a bit further, but for now, these seem to be<o:p></o:p></pre><pre>working well on our VPS.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Thanks,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>/Boyd/<o:p></o:p></pre></blockquote><pre>_______________________________________________<o:p></o:p></pre><pre>cod mailing list<o:p></o:p></pre><pre><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><o:p></o:p></pre><pre><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><o:p></o:p></pre><pre><o:p> </o:p></pre></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>cod mailing list<br><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br><a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><br>-- <o:p></o:p></p><div><p class=MsoNormal>EscapedTurkey.com Billing and Support<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a><o:p></o:p></p></div><p class=MsoNormal><o:p> 
</o:p></p></div></body></html>