<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    The only way is for your ISP to blackhole this; there's nothing you can
    do on your end.<br>
    <br>
    On 13/04/12 22:17, Andrej Parovel wrote:
    <blockquote cite="mid:4F8889DA.5080409@gmail.com" type="cite">
      I didn't notice, thank you!<br>
      <br>
      Yes, I see I blocked some IPs, but in iptraf I still get the same
      IPs, and it is annoying me. I will try to send them to my ISP so he
      can block these IPs on the router.<br>
      <br>
      It is quite annoying, because I have never had so much traffic before.<br>
      <br>
      <pre class="moz-signature" cols="72">Andrej

+386 31 247 707
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
      <br>
      On 13.4.2012 21:53, Marco Padovan wrote:
      <blockquote cite="mid:4F88844C.2020004@evcz.tk" type="cite">
        Hi,<br>
        <br>
        please be aware that you posted your username and password in
        plaintext :|<br>
        <br>
        Btw, for 2 days I have had a box with a constant 12 Mbit/sec incoming
        (even when having 0 kbit/sec outgoing) ... there's nothing you
        can do about it... incoming traffic comes in even if you ban
        every single IP....<br>
        <br>
        On 13/04/2012 20:09, Andrej Parovel wrote:
        <blockquote cite="mid:4F886BD9.5050406@gmail.com" type="cite">
          Hello,<br>
          <br>
          I have followed your directions about UDP flood for Call of
          Duty servers and installed a blocking iptables script (you can
          check it below) but I am still receiving a lot of UDP traffic on
          my server. <br>
          Before, I had a lot of outgoing traffic; now I am having a lot
          of incoming traffic. Any help?<br>
          <br>
          │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28987 on eth0 │<br>
          │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28987 on eth0 │<br>
          │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28975 on eth0 │<br>
          │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28973 on eth0 │<br>
          │ UDP (46 bytes) from 180.235.128.13:28690 to 91.185.199.169:28977 on eth0 │<br>
          │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28977 on eth0 │<br>
          │ UDP (46 bytes) from 96.31.79.153:28690 to 91.185.199.169:28973 on eth0 │<br>
          │ UDP (46 bytes) from 50.23.201.54:28690 to 91.185.199.169:28987 on eth0<br>
          <br>
          <br>
          Here is my iptables script:<br>
          <br>
          /sbin/iptables -A OUTPUT -p UDP -m length --length 1162:1168
          -j DROP<br>
          /sbin/iptables -A FORWARD -p UDP -m length --length 1162:1168
          -j DROP<br>
          /sbin/iptables -A INPUT -p UDP -m length --length 1162:1168 -j
          DROP<br>
          /sbin/iptables -A INPUT -p UDP -m length --length 42 -m recent
          --set --name getstatus_cod<br>
          /sbin/iptables -A INPUT -p UDP -m string --algo bm --string
          "getstatus" -m recent --update --seconds 1 --hitcount 20
          --name getstatus_cod -j DROP<br>
          <br>
          # add a host to the banlist and then drop the packet.<br>
          iptables -N QUERY-BLOCK<br>
          iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts
          -j DROP<br>
          <br>
          # is this a query packet? if so, block commonly attacked ports
          outright,<br>
          # then see if it's a known attacking IP, then see if it is
          sending at a high<br>
          # rate and should be added to the list of known attacking IPs.<br>
          iptables -N QUERY-CHECK<br>
          iptables -A QUERY-CHECK -p udp -m string ! --string
          "getstatus" --algo bm --from 32 --to 41 -j RETURN<br>
          iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP<br>
          iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP<br>
          iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP<br>
          iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP<br>
          iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP<br>
          iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP<br>
          # is it already blocked? continue blocking it and update the
          counter so it<br>
          # gets blocked for at least another 30 seconds.<br>
          iptables -A QUERY-CHECK -m recent --update --name
          blocked-hosts --seconds 30 --hitcount 1 -j DROP<br>
          # check to see if it exceeds our rate threshold,<br>
          # and add it to the list if it does.<br>
          iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
          --hashlimit-name getstatus --hashlimit-above 4/second -j
          QUERY-BLOCK<br>
          <br>
          # look at all the packets going to q3/cod*/et/etc servers<br>
          iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK<br>
          <br>
          <pre class="moz-signature" cols="72">-- 
Andrej

+386 31 247 707
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:aparovel@gmail.com">aparovel@gmail.com</a></pre>
          <br>
          <fieldset class="mimeAttachmentHeader"></fieldset>
          <br>
          <pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <style type="text/css">
    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times; min-height: 14.0px}
    p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #2e3bfb}
    p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier}
    p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; min-height: 14.0px}
    p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Courier; color: #0018ea}
    p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times}
    span.s1 {text-decoration: underline}
  </style>
      <p class="p1"><br>
      </p>
      <p class="p2"><b>David Aguilar Valero</b></p>
      <p class="p3">Sales and Technical Support Dept.</p>
      <p class="p3">NewLight Systems</p>
      <p class="p2"><b>Game servers, HW, Dedicated</b></p>
      <p class="p4"><br>
      </p>
      <p class="p5"><span class="s1"><a href="mailto:c"><b>crk01@nls.es</b></a></span></p>
      <p class="p5"><span class="s1"><a
            href="mailto:crk01@newlightsystems.com">crk01@newlightsystems.com</a></span></p>
      <p class="p5"><span class="s1"><a
            href="mailto:tecnico@newlightsystems.com">tecnico@newlightsystems.com</a></span></p>
      <p class="p3">#NewLight_Systems @ irc-hispano.org</p>
      <p class="p5"><span class="s1"><a
            href="http://www.newlightsystems.com/"><b>www.newlightsystems.com</b></a></span></p>
      <p class="p5"><span class="s1"><a href="http://www.nls.es/"><b>www.nls.es</b></a></span></p>
    </div>
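    <p>Added example (not written by anyone in this thread): the port-based rules of the QUERY-CHECK chain quoted above, applied to iptraf-style log lines to show which rule each packet would reach. The addresses in the sample are constructed documentation addresses, the names <code>classify</code> and <code>summarize</code> are hypothetical, and the payload string match and the hashlimit/recent rate checks are not modelled because iptraf lines carry neither payload nor timing.</p>

```python
import re
from collections import Counter

# Port rules copied from the iptables script quoted in the thread.
WATCHED_DPORTS = range(27960, 29001)      # INPUT --dport 27960:29000
DROPPED_SPORTS = [                        # QUERY-CHECK --sport ... -j DROP
    range(0, 1026),                       # 0:1025
    range(3074, 3075),
    range(7777, 7778),
    range(27015, 27101),                  # 27015:27100
    range(25200, 25201),
    range(25565, 25566),
]

# Matches the iptraf line format shown in the thread.
LINE_RE = re.compile(
    r"UDP \((\d+) bytes\) from (\d+\.\d+\.\d+\.\d+):(\d+) "
    r"to (\d+\.\d+\.\d+\.\d+):(\d+) on (\S+)"
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE = """\
│ UDP (46 bytes) from 198.51.100.13:28690 to 192.0.2.169:28987 on eth0 │
│ UDP (46 bytes) from 203.0.113.153:28690 to 192.0.2.169:28975 on eth0 │
│ UDP (46 bytes) from 198.51.100.13:28690 to 192.0.2.169:28973 on eth0 │
│ UDP (46 bytes) from 203.0.113.54:27015 to 192.0.2.169:28960 on eth0 │
│ UDP (46 bytes) from 203.0.113.54:28690 to 192.0.2.169:27015 on eth0 │
"""

def classify(sport, dport):
    """Return which port-based outcome a UDP packet gets in the quoted script."""
    if dport not in WATCHED_DPORTS:
        return "not-checked"      # never jumps to QUERY-CHECK
    if any(sport in r for r in DROPPED_SPORTS):
        return "sport-drop"       # dropped outright by a --sport rule
    return "rate-limited"         # falls through to the recent/hashlimit rules

def summarize(log_text):
    """Count packets per (source IP, outcome) from iptraf-style lines."""
    tally = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # skip anything that is not a UDP packet line
        _size, src, sport, _dst, dport, _iface = m.groups()
        tally[(src, classify(int(sport), int(dport)))] += 1
    return tally

if __name__ == "__main__":
    for (src, outcome), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {outcome:12} {n}")
```
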
  </body>
</html>