<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
please be aware that you posted your username and password in
plaintext :|<br>
<br>
Btw, for 2 days I have had a box with constant 12mbit/sec incoming
(even when having 0kbit/sec outgoing) ... there's nothing you can do
about it... incoming traffic comes in even if you ban every single
ip....<br>
<br>
On 13/04/2012 20:09, Andrej Parovel wrote:
<blockquote cite="mid:4F886BD9.5050406@gmail.com" type="cite">
Hello,<br>
<br>
I have followed your directions about UDP flood for Call of Duty
servers and installed a blocking iptables script (you can check it
below) but I am still receiving a lot of UDP traffic on my server. <br>
Before I had a lot of outgoing traffic; now I am having a lot of
incoming traffic. Any help?<br>
<br>
<br>
<br>
<pre>UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0
UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0
UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0</pre>
<br>
<br>
Here is my iptables script:<br>
<br>
<pre>#!/bin/sh
# Drop UDP packets of 1162-1168 bytes in every direction.
/sbin/iptables -A OUTPUT  -p udp -m length --length 1162:1168 -j DROP
/sbin/iptables -A FORWARD -p udp -m length --length 1162:1168 -j DROP
/sbin/iptables -A INPUT   -p udp -m length --length 1162:1168 -j DROP

# A bare getstatus query is 42 bytes on the wire. Remember every sender of
# one, then drop senders that exceed 20 getstatus packets per second.
/sbin/iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
/sbin/iptables -A INPUT -p udp -m string --algo bm --string "getstatus" \
    -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP

# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" \
    --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts \
    --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip \
    --hashlimit-name getstatus --hashlimit-above 4/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK</pre>
<br>
<pre class="moz-signature" cols="72">--
Andrej
+386 31 247 707
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
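<br>
The following is an added Python model of what the quoted QUERY-CHECK / QUERY-BLOCK chains decide per packet; it is not code from the post, from Andrej, or from the cod list. It assumes (none of this is stated in the post) that iptables' hashlimit can be approximated by a per-source token bucket with a burst of 5 (iptables' default --hashlimit-burst), that time is integer milliseconds, and that a packet reaching the end of QUERY-CHECK is reported as "RETURN" (it goes back to INPUT). The traffic in <code>demo()</code> is constructed: a 10 packet/s getstatus burst from one address plus a few edge cases.<br>
<br>
```python
"""Model of the QUERY-CHECK / QUERY-BLOCK iptables chains quoted above.

Added example, not code from the post or the cod list. Assumptions: hashlimit
is approximated by a token bucket with burst 5 (iptables' default), time is
integer milliseconds, and fall-through at the end of QUERY-CHECK is "RETURN".
"""
from dataclasses import dataclass

QUERY_PORTS = range(27960, 29001)      # -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
DROP_SPORTS = (range(0, 1026), range(3074, 3075), range(7777, 7778),
               range(27015, 27101), range(25200, 25201), range(25565, 25566))
RATE_PER_SEC = 4                       # --hashlimit-above 4/second
BURST = 5                              # assumed: iptables' default --hashlimit-burst
BLOCK_MS = 30_000                      # -m recent --update --seconds 30
IP_UDP_HEADERS = 28                    # 20-byte IPv4 header + 8-byte UDP header


@dataclass
class Packet:
    t_ms: int        # arrival time in integer milliseconds (constructed)
    src: str
    sport: int
    dport: int
    payload: bytes


def is_getstatus(payload: bytes) -> bool:
    """Mirror `-m string --string "getstatus" --from 32 --to 41`.

    --from/--to count from the start of the IP header, so bytes 32..41 are
    payload offsets 4..13: right after the four 0xff bytes that open a
    Quake3-style out-of-band packet.
    """
    return payload[4:13] == b"getstatus"


class QueryFilter:
    def __init__(self) -> None:
        self.blocked: dict[str, int] = {}             # recent list blocked-hosts: src -> last seen
        self.bucket: dict[str, tuple[int, int]] = {}  # hashlimit state: src -> (credit/1000, last_ms)

    def _above_rate(self, src: str, t_ms: int) -> bool:
        """Token bucket standing in for hashlimit; credit is kept in 1/1000 tokens."""
        credit, last = self.bucket.get(src, (BURST * 1000, t_ms))
        credit = min(BURST * 1000, credit + (t_ms - last) * RATE_PER_SEC)
        if credit >= 1000:
            self.bucket[src] = (credit - 1000, t_ms)
            return False
        self.bucket[src] = (credit, t_ms)
        return True

    def verdict(self, p: Packet) -> str:
        if p.dport not in QUERY_PORTS:
            return "ACCEPT"        # never enters QUERY-CHECK; left to the rest of INPUT
        if not is_getstatus(p.payload):
            return "RETURN"        # ! --string "getstatus" -j RETURN
        if any(p.sport in r for r in DROP_SPORTS):
            return "DROP"          # --sport rules for ports that never send real queries
        last = self.blocked.get(p.src)
        if last is not None and p.t_ms - last <= BLOCK_MS:
            self.blocked[p.src] = p.t_ms   # --update refreshes the timestamp: 30 more seconds
            return "DROP"
        self.blocked.pop(p.src, None)      # an entry older than 30 s no longer matches
        if self._above_rate(p.src, p.t_ms):
            self.blocked[p.src] = p.t_ms   # QUERY-BLOCK: --set --name blocked-hosts, then DROP
            return "DROP"
        return "RETURN"                    # end of QUERY-CHECK


def run(packets: list[Packet]) -> tuple[list[str], int]:
    """Return one verdict per packet and the bytes that arrived on the wire regardless."""
    f = QueryFilter()
    verdicts = [f.verdict(p) for p in packets]
    inbound = sum(IP_UDP_HEADERS + len(p.payload) for p in packets)
    return verdicts, inbound


GETSTATUS = b"\xff\xff\xff\xffgetstatus\n"   # 14-byte payload -> 42 bytes on the wire


def demo() -> tuple[list[str], int]:
    """Constructed traffic: a 10 packet/s getstatus burst plus a few edge cases."""
    flood = [Packet(100 * i, "198.51.100.7", 28690, 28960, GETSTATUS) for i in range(10)]
    packets = flood + [
        Packet(29_900, "198.51.100.7", 28690, 28960, GETSTATUS),   # 29 s after last hit: refreshed
        Packet(60_900, "198.51.100.7", 28690, 28960, GETSTATUS),   # 31 s later: block expired
        Packet(61_000, "203.0.113.9", 27015, 28960, GETSTATUS),    # source port on the drop list
        Packet(61_100, "203.0.113.9", 28690, 28960, b"\xff\xff\xff\xffgetinfo xxx"),  # not getstatus
        Packet(61_200, "203.0.113.9", 28690, 27015, GETSTATUS),    # outside the watched dport range
    ]
    return run(packets)


if __name__ == "__main__":
    verdicts, inbound = demo()
    for v in verdicts:
        print(v)
    print(f"{inbound} bytes arrived on the interface whatever the verdicts were")
```
<br>
With the burst of 5 the first seven packets of the flood pass, the eighth trips the 4/second limit and lands the address in blocked-hosts, and every later packet from it is dropped while it keeps arriving within 30 seconds; the block only lapses after a 31 second gap. The inbound byte total is the same whichever verdict the chain returns, which is the point made above about incoming traffic: DROP stops the server from answering (and with it the outgoing traffic seen earlier), but only filtering upstream of the host can keep the packets off the link.<br>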
</body>
</html>