<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You can check my iptables hit count below. Is there any option to block
this inbound traffic? Because my ISP is getting angry about that. I
will try to block some IPs manually to decrease the traffic a bit,
because I see that they repeat, but I think they will restart with
other sources.<br>
<br>
<br>
<pre><small>Chain INPUT (policy ACCEPT 10M packets, 776M bytes)
 pkts bytes target      prot opt in  out source    destination
   85 99018 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168
9342M  392G             udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 42 recent: SET name: getstatus_cod side: source
9224M  387G DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
  58G 2895G QUERY-CHECK udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp dpts:27960:29000
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168
 6134  258K             udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 42 recent: SET name: getstatus_cod side: source
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
  10M  772M QUERY-CHECK udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp dpts:27960:29000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in  out source    destination
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168

Chain OUTPUT (policy ACCEPT 5172K packets, 729M bytes)
 pkts bytes target      prot opt in  out source    destination
 228K  265M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  length 1162:1168

Chain QUERY-BLOCK (2 references)
 pkts bytes target      prot opt in  out source    destination
36858 1540K DROP        all  --  *   *   0.0.0.0/0 0.0.0.0/0  recent: SET name: blocked-hosts side: source
    0     0 DROP        all  --  *   *   0.0.0.0/0 0.0.0.0/0  recent: SET name: blocked-hosts side: source

Chain QUERY-CHECK (2 references)
 pkts bytes target      prot opt in  out source    destination
  13G  955G RETURN      udp  --  *   *   0.0.0.0/0 0.0.0.0/0  STRING match !"getstatus" ALGO name bm FROM 32 TO 41
5973M  257G DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spts:0:1025
  13M  560M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:3074
 523K   22M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:7777
8626K  361M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spts:27015:27100
 428K   18M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:25200
2503K  105M DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:25565
  39G 1682G DROP        all  --  *   *   0.0.0.0/0 0.0.0.0/0  recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
34723 1449K QUERY-BLOCK all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: above 20/sec burst 5 mode srcip
    0     0 RETURN      udp  --  *   *   0.0.0.0/0 0.0.0.0/0  STRING match !"getstatus" ALGO name bm FROM 32 TO 41
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spts:0:1025
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:3074
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:7777
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spts:27015:27100
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:25200
    0     0 DROP        udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:25565
    0     0 DROP        all  --  *   *   0.0.0.0/0 0.0.0.0/0  recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
 2135 91496 QUERY-BLOCK all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: above 4/sec burst 5 mode srcip</small></pre>
<br>
<br>
<pre class="moz-signature" cols="72">Andrej
+386 31 247 707
<a class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
<br>
On 13.4.2012 21:00, John wrote:
<blockquote cite="mid:4F8877B7.3090707@nuclearfallout.net"
type="cite">
If you're running the iptables rules on the machine with the
servers, you will still see inbound traffic from the requests. The
advantage to the rules is that they'll prevent that traffic from
reaching the application layer and being processed by your
servers.<br>
<br>
You can see the hit count for the iptables rules to make sure that
they're working with this command (look for increasing numbers
next to statements with the "DROP" action):<br>
<br>
iptables -nv --list<br>
<br>
-John<br>
<br>
On 4/13/2012 11:09 AM, Andrej Parovel wrote:
<blockquote cite="mid:4F886BD9.5050406@gmail.com" type="cite">
Hello,<br>
<br>
I have followed your directions about UDP flood for Call of Duty
servers and installed a blocking iptables script (you can check
it below), but I am still receiving a lot of UDP traffic on my
server.<br>
Before, I had a lot of outgoing traffic; now I am having a lot of
incoming traffic. Any help?<br>
<br>
<table align="center">
<tbody>
<tr align="center">
<th bgcolor="#808080"><font size="-1">Date-from </font></th>
<th bgcolor="#808080"><font size="-1"> Date-to </font></th>
<th bgcolor="#ff0000"><font size="-1">GBBytes-IN </font></th>
<th bgcolor="#00ff00"><font size="-1">GBBytes-OUT </font></th>
<th bgcolor="#0000ff"><font size="-1">GBBytes-TOTAL </font></th>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.01.html">01.01.2012
00:00 </a></font></td>
<td><font size="-1">01.02.2012 00:00 </font></td>
<td> <font size="-1">1.181</font></td>
<td> <font size="-1">4.672</font></td>
<td> <font size="-1">5.853</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.02.html">01.02.2012
00:00 </a></font></td>
<td><font size="-1">01.03.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>1.688</big></big></font></b></big></big></td>
<td> <font size="-1">110</font></td>
<td> <font size="-1">1.797</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.03.html">01.03.2012
00:00 </a></font></td>
<td><font size="-1">01.04.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>2.551</big></big></font></b></big></big></td>
<td> <font size="-1">112</font></td>
<td> <font size="-1">2.663</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.04.html">01.04.2012
00:00 </a></font></td>
<td><font size="-1">01.05.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>4.763</big></big></font></b></big></big></td>
<td> <font size="-1">38</font></td>
<td> <font size="-1">4.801</font></td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<pre>UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0</pre>
<br>
<br>
Here is my iptables script:<br>
<pre>/sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
/sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK</pre>
<br>
<pre class="moz-signature" cols="72">--
Andrej
+386 31 247 707
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
<br>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
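John's check above (look for increasing numbers next to DROP) is easy to automate. The script below is an added example, not code from this thread or from the cod list: it parses two <tt>iptables -nvx --list</tt> snapshots taken a few seconds apart (the <tt>-x</tt> switch prints exact counters instead of the rounded 9224M/58G abbreviations in Andrej's listing) and reports which DROP rules are still counting, plus the bytes each chain has dropped so far. The two snapshots are constructed, modelled on the listing in this thread; the function names and the layout assumption that the opt column is always <tt>--</tt>, <tt>-f</tt> or <tt>!f</tt> are mine.<br>

```python
"""Which iptables DROP rules are still being hit?  Added example, not code
from the thread: parse two `iptables -nvx --list` snapshots taken a few
seconds apart, report the DROP rules whose counters grew in between, and
total the bytes each chain has dropped so far."""
import re
from dataclasses import dataclass

# Without -x, iptables abbreviates counters (85, 9224M, 58G), rounding to the
# nearest thousand at each step; these multipliers undo that approximately.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

@dataclass(frozen=True)
class Rule:
    chain: str
    index: int    # 1-based position in the chain, as with --line-numbers
    target: str   # "" for a rule with no -j, e.g. a bare `-m recent --set`
    pkts: int
    bytes: int
    spec: str     # match text printed after the destination column

def parse_count(token: str) -> int:
    """'85' -> 85, '9224M' -> 9224000000."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_listing(text: str) -> dict:
    """Map (chain, index) -> Rule for every rule line in the listing."""
    rules, chain, index = {}, None, 0
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "Chain":
            chain, index = t[1], 0
            continue
        if t[0] == "pkts" or chain is None:
            continue  # column header line
        # The opt column ("--", "-f" or "!f") anchors the layout: token 3 for
        # a target-less rule, token 4 when a target is present (assumption).
        opt = 3 if re.fullmatch(r"[-!][-f]", t[3]) else 4
        index += 1
        rules[(chain, index)] = Rule(chain, index, t[2] if opt == 4 else "",
                                     parse_count(t[0]), parse_count(t[1]),
                                     " ".join(t[opt + 5:]))
    return rules

def active_drops(before: dict, after: dict) -> list:
    """DROP rules whose packet counter rose: (chain, index, +pkts, +bytes, spec)."""
    hits = []
    for key, new in after.items():
        old = before.get(key)
        if (new.target == "DROP" and old is not None and old.target == "DROP"
                and new.pkts > old.pkts):
            hits.append((new.chain, new.index, new.pkts - old.pkts,
                         new.bytes - old.bytes, new.spec))
    return hits

def dropped_bytes_by_chain(rules: dict) -> dict:
    """Bytes absorbed by each chain's DROP rules (they still crossed the wire)."""
    totals = {}
    for r in rules.values():
        if r.target == "DROP":
            totals[r.chain] = totals.get(r.chain, 0) + r.bytes
    return totals

# Constructed snapshots in `iptables -nvx --list` layout, modelled on the
# listing in the thread (exact counters, so the deltas below are exact too).
SNAP_T0 = """\
Chain INPUT (policy ACCEPT 1000 packets, 80000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      85      99018 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
    6134     258000            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    2000      84000 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source

Chain QUERY-CHECK (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   30000    1260000 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   15000     630000 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
    4000     168000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
"""
# The same listing ten seconds later: the getstatus, low-source-port and
# blocked-hosts DROP rules kept counting; the length-1162:1168 rule did not.
SNAP_T1 = """\
Chain INPUT (policy ACCEPT 1010 packets, 80800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      85      99018 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
    6734     283200            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    2600     109200 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm TO 65535 recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source

Chain QUERY-CHECK (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   30100    1264200 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   15900     667800 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
    4100     172200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 30 hit_count: 1 name: blocked-hosts side: source
"""

if __name__ == "__main__":
    t0, t1 = parse_listing(SNAP_T0), parse_listing(SNAP_T1)
    for chain, idx, dp, db, spec in active_drops(t0, t1):
        print(f"{chain} rule {idx}: +{dp} pkts, +{db} bytes  [{spec}]")
    print("bytes dropped so far:", dropped_bytes_by_chain(t1))
```

The dropped-bytes total is traffic that still crossed the uplink, which is John's point: a host-side DROP spares the game server from parsing the packets but does nothing for the ISP's inbound counter. One caveat when reading Andrej's listing with this: every rule there appears twice and QUERY-CHECK has 2 references, which is what an append-only script produces when it is run a second time; the second copies only see what the first copies let through, so compare counters by chain and rule position, not by match text.<br>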
</body>
</html>