<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
I have followed your directions about the UDP flood on Call of Duty
servers and installed a blocking iptables script (you can check it
below), but I am still receiving a lot of UDP traffic on my server. <br>
Before, I had a lot of outgoing traffic; now I am having a lot of
incoming traffic. Any help?<br>
<br>
<table align="center">
<tbody>
<tr align="center">
<th bgcolor="#808080"><font size="-1">Date-from </font></th>
<th bgcolor="#808080"><font size="-1"> Date-to </font></th>
<th bgcolor="#ff0000"><font size="-1">GBBytes-IN </font></th>
<th bgcolor="#00ff00"><font size="-1">GBBytes-OUT </font></th>
<th bgcolor="#0000ff"><font size="-1">GBBytes-TOTAL </font></th>
</tr>
<tr align="right">
<td><font size="-1"><a
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.01.html">01.01.2012
00:00 </a></font></td>
<td><font size="-1">01.02.2012 00:00 </font></td>
<td> <font size="-1">1.181</font></td>
<td> <font size="-1">4.672</font></td>
<td> <font size="-1">5.853</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.02.html">01.02.2012
00:00 </a></font></td>
<td><font size="-1">01.03.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>1.688</big></big></font></b></big></big></td>
<td> <font size="-1">110</font></td>
<td> <font size="-1">1.797</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.03.html">01.03.2012
00:00 </a></font></td>
<td><font size="-1">01.04.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>2.551</big></big></font></b></big></big></td>
<td> <font size="-1">112</font></td>
<td> <font size="-1">2.663</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.04.html">01.04.2012
00:00 </a></font></td>
<td><font size="-1">01.05.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>4.763</big></big></font></b></big></big></td>
<td> <font size="-1">38</font></td>
<td> <font size="-1">4.801</font></td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<pre>
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0 │
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0 │
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0 │
│ UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
</pre>
<br>
<br>
Here is my iptables script:<br>
<br>
<pre>
# drop UDP packets between 1162 and 1168 bytes long in every direction
/sbin/iptables -A OUTPUT -p udp -m length --length 1162:1168 -j DROP
/sbin/iptables -A FORWARD -p udp -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p udp -m length --length 1162:1168 -j DROP
# remember the source of every 42-byte UDP packet in the getstatus_cod recent list
/sbin/iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
# drop "getstatus" packets from a source that has been seen 20 or more times in the last second
/sbin/iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

# add a host to the banlist and then drop the packet.
/sbin/iptables -N QUERY-BLOCK
/sbin/iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
/sbin/iptables -N QUERY-CHECK
# not a "getstatus" query (bytes 32-41 of the packet)? leave the chain
/sbin/iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
/sbin/iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
/sbin/iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
/sbin/iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold (more than 4 packets/second per source),
# and add it to the list if it does.
/sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
/sbin/iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
</pre>
<br>
<pre class="moz-signature" cols="72">--
Andrej
+386 31 247 707
<a class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
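<br>
Added example (an editor's addition, not part of the mail above nor of the quoted iptables script): a small shell/awk helper that parses "UDP (N bytes) from A:port to B:port on eth0" lines in the format of the monitor output shown above and lists the sources sending the most packets, so the hosts that the QUERY-CHECK chain's hashlimit rule ought to be catching can be checked against what actually arrives. The function name udp_sources_above and the threshold argument are my own choices; the sample lines are the ones from the mail. The monitor output carries no timestamps, so the helper reports packet counts and bytes per source, not a packets-per-second rate.<br>

```shell
#!/bin/sh
# Added example, not from the original mail or its iptables script: summarise
# per-source UDP packet counts from "UDP (N bytes) from A:port to B:port on eth0"
# log lines and list the sources at or above a packet-count threshold.
# There are no timestamps in this log format, so this measures volume, not rate.

# Sample lines copied from the mail's monitor output (leading bars removed).
SAMPLE_LOG='UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0'

# udp_sources_above THRESHOLD
#   Reads log lines on stdin and prints "source_ip packets bytes", one line per
#   source that sent at least THRESHOLD packets, busiest source first.
#   Lines without the "UDP (N bytes) ... from A:port" pattern are ignored, so the
#   bar-decorated lines straight from the monitor can be piped in unchanged.
udp_sources_above() {
  awk -v thr="$1" '
    /UDP \([0-9]+ bytes\)/ {
      match($0, /\([0-9]+ bytes\)/)
      bytes = substr($0, RSTART + 1, RLENGTH - 8)   # digits between "(" and " bytes)"
      src = ""
      for (i = 1; i < NF; i++) if ($i == "from") { src = $(i + 1); break }
      if (src == "") next
      sub(/:[0-9]+$/, "", src)                        # strip the source port
      pkts[src]++
      vol[src] += bytes
    }
    END {
      for (ip in pkts)
        if (pkts[ip] >= thr) printf "%s %d %d\n", ip, pkts[ip], vol[ip]
    }' | sort -k2,2nr -k1,1
}

# Usage: list every source that sent three or more packets in the sample.
printf '%s\n' "$SAMPLE_LOG" | udp_sources_above 3
```

On the eight sample lines this prints two sources, 96.31.79.153 (4 packets, 184 bytes) and 180.235.128.13 (3 packets, 138 bytes); 50.23.201.54 is below the threshold. Run against a longer capture it gives a quick per-source ranking to compare with what the blocked-hosts recent list contains.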
</body>
</html>