<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
You need the --reap option of the recent module for this new set to
work, and I don't believe that 1.3.5 has that option.<br>
<br>
Can you check that out for me Brandon?<br>
<br>
Just do a <br>
<br>
<tt>man iptables</tt><br>
<br>
and then<br>
<br>
<tt>/--reap</tt><br>
<br>
and see if that search shows it to you.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<div class="moz-signature"><br>
</div>
<br>
On 04/17/2012 01:09 PM, Brandon R. Miller wrote:
<blockquote cite="mid:4F8DB1CA.4060405@branzone.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Will it work on CentOS 5.x with iptables 1.3.5?<br>
<br>
<div class="moz-signature">- Brandon M.<br>
<br>
</div>
On 4/17/2012 10:12 AM, Boyd G. Gafford Ph.D. wrote:
<blockquote cite="mid:4F8D8847.8090400@westportresearch.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Just wanted to let everyone know that I am making the dynamic
whitelisting iptables rules I have been testing available to
anyone who runs a Q3-protocol server under Linux and wants to
try them out. These rules were designed for the most severe of
all attacks, and that is attacks where the source IP is spoofed
and is random. It also works for attacks from a single IP as
well, as well as indirect reflection attacks.<br>
<br>
We have 2 commercial server companies using these rules
currently in their production environment, and I am currently
working with two more. I also have test servers running on
several VPS's that I use for development.<br>
<br>
So what do the iptables do? Here's the list:<br>
<br>
1) Players have their IP saved automatically at the kernel level
when they join a game server, and then those IPs are used as a
filter for other rules. When they leave the game server the IP
is retired after 10 minutes. (This is what we call a
whitelisted player). This is the main guts of the protection,
as identifying valid players is important to mitigating attacks.<br>
<br>
2) Server query packets like 'getstatus' and 'getinfo' are rate
limited to 10/sec to prevent lag when they are used in a DOS
attack. Players that are whitelisted have their packets allowed
(so they can see server status while in game even during an
attack).<br>
<br>
3) 'getchallenge' packets (normally used by a player to join the
game) are rate limited to 2/sec, to prevent lag when they are
used in a DOS attack. Players that are whitelisted always have
their requests to join the server processed. This allows a
player who was recently playing the ability to join the server
again, even when the DOSer is trying to lock down the population
on the server by spamming fake players joining.<br>
<br>
4) All other packets are rate limited per whitelisted player IP
to no more than 100/second, to prevent lag when a DOSer has
stolen a valid player IP address and is attacking with it in an
attempt to break through the whitelist rules.<br>
<br>
5) Attempts to use your game server as a reflector to attack
other game servers is blocked (due to rate limiting in 1-4).<br>
<br>
6) Reflection attack packets hitting your server are dropped
(again due to rate limiting in 1-4).<br>
<br>
7) A custom packet (not part of the Q3 protocol) can be sent by
a player to break into and join a game that is under 24/7
'getchallenge' attack. This is one of the slicker features of
the iptables rules, as this 'server lockdown' DOS attack is now
easily breached.<br>
<br>
<br>
The iptables rules are added dynamically per server IP:PORT
pair. That way the rules affect nothing but UDP packets to that
game server. No other types of packets are affected
whatsoever. To make it easy, the rules have been put into shell
scripts.<br>
<br>
Example: Protect the game running on 10.1.2.3 port 28000.<br>
<br>
<tt># ./protectgame.sh 10.1.2.3 28000</tt><br>
<br>
Example: Show the iptables rules currently protecting the game
running on 10.1.2.3 port 28000.<br>
<br>
<tt># ./listgame.sh 10.1.2.3 28000</tt><br>
<br>
Example: Remove the iptables rules protecting the game running
on 10.1.2.3 port 28000.<br>
<br>
<tt># ./unprotectgame.sh 10.1.2.3 28000</tt><br>
<br>
Rather than just send the scripts to the whole list here, I've
decided to ask anyone interested to Email me personally and
request it. If you run a commercial gaming service (or even
your own COD server and agree not to share it with anyone else),
I will be happy to send it to you and help you understand how to
use it in your environment.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<div class="moz-signature"> <br>
<i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>