<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
If you're running the iptables rules on the machine with the
servers, you will still see inbound traffic from the requests. The
advantage to the rules is that they'll prevent that traffic from
reaching the application layer and being processed by your servers.<br>
<br>
You can see the hit count for the iptables rules to make sure that
they're working with this command (look for increasing numbers next
to statements with the "DROP" action):<br>
<br>
iptables -nv --list<br>
<br>
-John<br>
<br>
On 4/13/2012 11:09 AM, Andrej Parovel wrote:
<blockquote cite="mid:4F886BD9.5050406@gmail.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Hello,<br>
<br>
I have followed your directions about UDP flood for Call of Duty
servers and installed a blocking iptables script (you can check it
down) but I am still receiving a lot of UDP traffic on my server. <br>
Before I had a lot of outgoing traffic now I am having a lot of
incoming traffic. Any help?<br>
<br>
<table align="center">
<tbody>
<tr align="center">
<th bgcolor="#808080"><font size="-1">Date-from </font></th>
<th bgcolor="#808080"><font size="-1"> Date-to </font></th>
<th bgcolor="#ff0000"><font size="-1">GBBytes-IN </font></th>
<th bgcolor="#00ff00"><font size="-1">GBBytes-OUT </font></th>
<th bgcolor="#0000ff"><font size="-1">GBBytes-TOTAL </font></th>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.01.html">01.01.2012
00:00 </a></font></td>
<td><font size="-1">01.02.2012 00:00 </font></td>
<td> <font size="-1">1.181</font></td>
<td> <font size="-1">4.672</font></td>
<td> <font size="-1">5.853</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.02.html">01.02.2012
00:00 </a></font></td>
<td><font size="-1">01.03.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>1.688</big></big></font></b></big></big></td>
<td> <font size="-1">110</font></td>
<td> <font size="-1">1.797</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.03.html">01.03.2012
00:00 </a></font></td>
<td><font size="-1">01.04.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>2.551</big></big></font></b></big></big></td>
<td> <font size="-1">112</font></td>
<td> <font size="-1">2.663</font></td>
</tr>
<tr align="right">
<td><font size="-1"><a moz-do-not-send="true"
href="http://elite:Q7sXw8u5@traffic.probe-networks.de/elite7/82.96.89.3_1.total.2012.04.html">01.04.2012
00:00 </a></font></td>
<td><font size="-1">01.05.2012 00:00 </font></td>
<td><big><big> <b><font size="-1"><big><big>4.763</big></big></font></b></big></big></td>
<td> <font size="-1">38</font></td>
<td> <font size="-1">4.801</font></td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<pre>
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0 │
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0 │
│ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0 │
│ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0 │
│ UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0
</pre>
<br>
<br>
Here is my iptables script:<br>
<br>
<pre>
# drop UDP packets of 1162-1168 bytes in all three built-in chains
/sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j DROP
# record the source of every 42-byte UDP packet in the "getstatus_cod" recent list
/sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod
# drop a packet containing "getstatus" if its source was seen 20 or more times in the last second
/sbin/iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
</pre>
<br>
<pre class="moz-signature" cols="72">--
Andrej
+386 31 247 707
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
<br>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
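The check John describes above (watch the packet counters next to the DROP rules in <code>iptables -nv --list</code> and confirm they keep rising) can be automated. The script below is an added example written for this page; it is not code from either poster. It parses two snapshots of the listing, handles the counter suffixes iptables prints for large numbers (123K) and the empty target column of rules that have no <code>-j</code> (such as the <code>-m recent --set</code> rule in the script above), and reports every DROP rule whose counter grew between the two snapshots. The two sample listings are constructed for the example, and <code>live_snapshot()</code> assumes it is run as root on a host with iptables installed.<br>
<br>

```python
"""Verify that iptables DROP rules are matching traffic (added example, not from the thread)."""
import re
import subprocess

# Protocol names/numbers that can appear in the 'prot' column; used to detect
# rules whose 'target' column is empty (rules written without -j).
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp", "0", "6", "17"}
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

# Constructed sample output of `iptables -nv --list`, before and after some traffic.
SNAPSHOT_1 = """\
Chain INPUT (policy ACCEPT 1055 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   460 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
   57  2394            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
 1340 61640 QUERY-CHECK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:27960:29000

Chain QUERY-CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  900 41400 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   12   552 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
"""

SNAPSHOT_2 = """\
Chain INPUT (policy ACCEPT 1410 packets, 131K bytes)
 pkts bytes target     prot opt in     out     source               destination
 123K  143M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1162:1168
   61  2562            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 42 recent: SET name: getstatus_cod side: source
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "getstatus" ALGO name bm recent: UPDATE seconds: 1 hit_count: 20 name: getstatus_cod side: source
 1702 78292 QUERY-CHECK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:27960:29000

Chain QUERY-CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1200 55200 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match !"getstatus" ALGO name bm FROM 32 TO 41
   40  1840 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:0:1025
"""


def to_int(count):
    """Convert an iptables counter such as '123K' to an int (pass -x to iptables for exact counts)."""
    if count[-1] in SUFFIX:
        return int(count[:-1]) * SUFFIX[count[-1]]
    return int(count)


def parse_counters(listing):
    """Map (chain, rule_number) -> (target, packets, rule_text) from `iptables -nv --list` output."""
    rules = {}
    chain, rule_no = None, 0
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain, rule_no = m.group(1), 0
            continue
        fields = line.split()
        # Skip blank lines and the 'pkts bytes target ...' header: rule lines start with a counter.
        if chain is None or len(fields) < 3 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue
        rule_no += 1
        # A rule with no -j prints an empty target column, so the protocol is the third field.
        if fields[2] in PROTOCOLS:
            target, rest = "", fields[2:]
        else:
            target, rest = fields[2], fields[3:]
        rules[(chain, rule_no)] = (target, to_int(fields[0]), " ".join(rest))
    return rules


def drop_deltas(before, after):
    """Return (chain, rule_no, packets_added, rule_text) for DROP rules whose counter increased."""
    hits = []
    for key, (target, pkts_after, rule) in after.items():
        if target != "DROP":
            continue
        pkts_before = before.get(key, ("", 0, ""))[1]
        if pkts_after > pkts_before:
            hits.append((key[0], key[1], pkts_after - pkts_before, rule))
    return hits


def live_snapshot():
    """Read the real counters; needs root, and -x makes iptables print exact numbers."""
    return parse_counters(subprocess.check_output(["iptables", "-nvxL"], text=True))


if __name__ == "__main__":
    # Replace the two constants with live_snapshot() calls a few seconds apart on a real host.
    for chain, no, delta, rule in drop_deltas(parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)):
        print(f"{chain} rule {no}: +{delta} packets dropped  [{rule}]")
```

A DROP rule whose counter stays at zero while the flood continues (the third INPUT rule in the sample) is the sign to look at: either the traffic never matches it, or an earlier rule or chain consumes the packets first.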
</body>
</html>