<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
If the attacks are spoofed from just a few IPs (and not a random
spoofed IP, which could almost be a different IP for each packet)
then ServerArk will block the ones being used. ServerArk is only
good for a small number of spoofed IPs though; it doesn't work at
all for random ones.<br>
<br>
If you are getting random IP spammed (perhaps millions of spoofed
IPs), don't run ServerArk, just run these rate-limiting rules.<br>
<br>
<pre>#!/bin/bash
# The main logic of ServerArk, all done with iptables!
# Version 1.01
# (C) 2012 Boyd G. Gafford Ph.D. (Usage is under the LGPL)
# To contact me, simply post on the forum at elitewarriors.net.
#
# Please note these rules ONLY affect UDP packets to the game servers, nothing else!
# This script will protect all Q3-protocol servers on the port 28960. It protects
# against both 'getstatus' and 'getinfo' attacks, as well as 'getchallenge' attacks,
# even from a UDP flood with random source IPs.

# Add a limit/drop chain for "getstatus" packets that limits it to 10 a second for all servers.
# If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).
iptables -N LIMITSTAT
iptables -A LIMITSTAT -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
iptables -A LIMITSTAT -p udp -j DROP

# Add a limit/drop chain for "getinfo" packets that limits it to 10 a second for all servers.
# If you are only protecting one server, you can set the number from 10 down to 4 (or 2 even).
iptables -N LIMITINFO
iptables -A LIMITINFO -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
iptables -A LIMITINFO -p udp -j DROP

# Add a limit/drop chain for "getchallenge" packets that limits it to 5 a second for all servers.
# If you are only protecting one server, you can set the number from 5 down to 2. Setting it
# at 2 means only 2 players could connect to the server per second. Set LIMITCONN to the
# same, as there is one getchallenge/connect packet sequence per valid player connection.
iptables -N LIMITCHLG
iptables -A LIMITCHLG -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
iptables -A LIMITCHLG -p udp -j DROP

# Add a limit/drop chain for "connect" packets that limits it to 5 a second for all servers.
# If you are only protecting one server, you can set the number from 5 down to 2. Setting it
# at 2 means only 2 players could connect to the server per second. Set LIMITCHLG to the
# same, as there is one getchallenge/connect packet sequence per valid player connection.
iptables -N LIMITCONN
iptables -A LIMITCONN -p udp -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
iptables -A LIMITCONN -p udp -j DROP

# Add a limit chain that prevents more than 70 packets a second per player.
# This is the main logic of ServerArk, but just performed by an iptables rule.
# We allow up to 128 players which is enough for 4 servers full (at 32 players each).
# If you only have one server, you could set the size and max to 32.
# If you have players who have manually set their packet rate up to 100, just change the 70 to 100.
iptables -N LIMITPLRS
iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS \
    --hashlimit-above 70/sec --hashlimit-burst 70 --hashlimit-mode srcip,srcport \
    --hashlimit-htable-size 128 --hashlimit-htable-max 128 \
    --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP
iptables -A LIMITPLRS -p udp -j ACCEPT

# Add the rules to pick out the various special packets and send them to appropriate limit chains.
# To protect 5 ports, just specify a range like "--dport 28960:28964" below.
iptables -A INPUT -p udp --dport 28960 -m string --string "getstatus" --algo bm --from 32 --to 33 -j LIMITSTAT
iptables -A INPUT -p udp --dport 28960 -m string --string "getinfo" --algo bm --from 32 --to 33 -j LIMITINFO
iptables -A INPUT -p udp --dport 28960 -m string --string "getchallenge" --algo bm --from 32 --to 33 -j LIMITCHLG
iptables -A INPUT -p udp --dport 28960 -m string --string "connect" --algo bm --from 32 --to 33 -j LIMITCONN

# Send all other packets (normal player packets) to the limit players chain.
# A port range like "--dport 28960:28964" could also be used here as well.
iptables -A INPUT -p udp --dport 28960 -j LIMITPLRS</pre>
<br>
<br>
To see what kind of attacks you are getting, just do an "iptables -L
-v -n" and look at the statistics for the packets the iptables rules
are dropping to mitigate the flood. Mostly you'll probably see
'getstatus' attacks, although I've also seen quite a few
'getchallenge' attacks as well.<br>
<br>
To see a sample of the packets being flooded, wait until your server
has no players and you're under attack, then type:<br>
<br>
<tt>sudo tcpdump -c 4 -nnvvvXS -i eth0</tt><br>
<br>
which dumps the first 4 packets you get off eth0. For example, on
my server during one UDP flood attack I saw:<br>
<br>
<pre>21:09:28.368692 IP (tos 0x0, ttl 119, id 33063, offset 0, flags [DF], proto UDP (17), length 44)
    79.73.200.195.29070 > 199.193.250.166.29070: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 8127 4000 7711 a824 4f49 c8c3  E..,.'@.w..$OI..
        0x0010:  c7c1 faa6 718e 718e 0018 c4c1 ffff ffff  ....q.q.........
        0x0020:  6765 7463 6861 6c6c 656e 6765            <b>getchallenge</b>

21:09:28.368761 IP (tos 0x0, ttl 130, id 21166, offset 0, flags [DF], proto UDP (17), length 44)
    222.77.203.150.29070 > 199.193.250.166.29070: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 52ae 4000 8211 39c6 de4d cb96  E..,R.@...9..M..
        0x0010:  c7c1 faa6 718e 718e 0018 32ea ffff ffff  ....q.q...2.....
        0x0020:  6765 7463 6861 6c6c 656e 6765            <b>getchallenge</b>

21:09:28.368773 IP (tos 0x0, ttl 89, id 12853, offset 0, flags [DF], proto UDP (17), length 44)
    216.131.241.104.29070 > 199.193.250.166.29070: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 3235 4000 5911 6337 d883 f168  E..,25@.Y.c7...h
        0x0010:  c7c1 faa6 718e 718e 0018 12e2 ffff ffff  ....q.q.........
        0x0020:  6765 7463 6861 6c6c 656e 6765            <b>getchallenge</b>

21:09:28.368786 IP (tos 0x0, ttl 34, id 46417, offset 0, flags [DF], proto UDP (17), length 44)
    193.215.147.237.29070 > 199.193.250.166.29070: [udp sum ok] UDP, length 16
        0x0000:  4500 002c b551 4000 2211 8b42 c1d7 93ed  E..,.Q@."..B....
        0x0010:  c7c1 faa6 718e 718e 0018 8709 ffff ffff  ....q.q.........
        0x0020:  6765 7463 6861 6c6c 656e 6765            <b>getchallenge</b></pre>
<br>
which shows a getchallenge attack from random IP addresses (<tt>79.73.200.195,
</tt><tt>222.77.203.150</tt>, <tt>216.131.241.104</tt> and <tt>193.215.147.237</tt>).<br>
<br>
Good luck,<br>
<br>
<i>Boyd</i><br>
<br>
<div class="moz-signature"><i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a class="moz-txt-link-abbreviated" href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
<br>
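As an added illustration (my own code, not ServerArk's and not from the original mail), the following Python models the filtering the iptables script above performs: it dissects a raw IPv4/UDP packet like the ones in the tcpdump capture, classifies the Q3 out-of-band command (the four 0xff bytes followed by getstatus, getinfo, getchallenge or connect), and pushes each packet through a token bucket equivalent to the <tt>-m limit</tt> chains or to a per-(srcip, srcport) bucket standing in for the hashlimit chain. The hashlimit table size, expiry and garbage collection are not modelled, and the flood traffic in <tt>simulate_flood</tt> is constructed.

```python
import struct
from collections import Counter
OOB = b"\xff\xff\xff\xff"  # Q3 out-of-band marker that precedes every command name
COMMAND_LIMITS = {"getstatus": (10, 10), "getinfo": (10, 10),  # the -m limit chains:
                  "getchallenge": (5, 5), "connect": (5, 5)}   # (rate per sec, burst)
PLAYER_LIMIT = (70, 70)  # the hashlimit chain: 70/sec per (srcip, srcport)

def parse_ipv4_udp(pkt: bytes):
    """Split a raw IPv4/UDP packet into (src_ip, src_port, dst_port, udp_payload)."""
    ihl = (pkt[0] & 0x0F) * 4  # 20 bytes for the captures shown on this page
    src = ".".join(str(b) for b in pkt[12:16])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # With a 20-byte IP header the command name sits at packet byte 32, which is
    # the --from 32 offset the page's iptables string matches search from.
    return src, sport, dport, pkt[ihl + 8:]

def classify(payload: bytes) -> str:
    """Name the chain a payload is routed to: a special command or 'player'."""
    body = payload[4:] if payload.startswith(OOB) else b""
    return next((c for c in COMMAND_LIMITS if body.startswith(c.encode())), "player")

class TokenBucket:  # same behaviour as '-m limit --limit R/sec --limit-burst B'
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        ok = self.tokens >= 1
        self.tokens -= ok  # spend one token only when the packet is accepted
        return ok

def run_filter(packets) -> Counter:
    """packets: (src_ip, src_port, payload, time) tuples; returns (chain, verdict) counts."""
    command_buckets = {c: TokenBucket(*l) for c, l in COMMAND_LIMITS.items()}
    player_buckets = {}  # one bucket per (srcip, srcport), like --hashlimit-mode srcip,srcport
    stats = Counter()    # what 'iptables -L -v -n' would show per chain
    for src, sport, payload, now in packets:
        kind = classify(payload)
        bucket = (command_buckets[kind] if kind != "player" else
                  player_buckets.setdefault((src, sport), TokenBucket(*PLAYER_LIMIT)))
        stats[(kind, "ACCEPT" if bucket.allow(now) else "DROP")] += 1
    return stats

def simulate_flood() -> Counter:
    # Constructed traffic: 50 getchallenge packets from 50 spoofed sources in one
    # instant, followed by one client sending 100 ordinary packets in that instant.
    flood = [(f"10.0.{i}.1", 29070, OOB + b"getchallenge", 0.0) for i in range(50)]
    player = [("192.0.2.10", 27960, bytes([1, 2, i]), 0.0) for i in range(100)]
    return run_filter(flood + player)
```

Feeding the first packet of the tcpdump capture above (its hex bytes joined) through <tt>parse_ipv4_udp</tt> yields source 79.73.200.195:29070 and a payload that <tt>classify</tt> reports as getchallenge; <tt>simulate_flood</tt> accepts 5 of the 50 spoofed getchallenge packets and 70 of the 100 player packets, as the 5/sec and 70/sec bursts allow.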
On 03/13/2012 08:23 AM, Mavrick wrote:
<blockquote cite="mid:4F5F4A5C.7090106@gmail.com" type="cite">
Cheers,<br>
<br>
<b>Note</b>: if you get "error: pcap.h: No such file or directory"
run the following:<br>
<br>
#yum -y install libpcap-devel<br>
<br>
to get it to compile :)<br>
<br>
Had an attack today on 3 cod4 servers with up to data of 50GB of
traffic over the course of the day - I patched the cod4_lnxded-bin
files to slow it down so hopefully serverark can finish the rest
off :)<br>
<br>
Will let you know how it goes.<br>
<br>
<br>
Best Regards,<br>
<br>
Daniel "mavrick" Lang<br>
<br>
On 13/03/12 11:12 PM, Boyd G. Gafford Ph.D. wrote:
<blockquote cite="mid:4F5F47AB.2020807@westportresearch.com"
type="cite">gcc -o serverark serverark.c -lpcap</blockquote>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>