<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
That one's easy, it takes work.<br>
<br>
The old Q3 protocol was really designed for a different era, as it
is what, over 10 years old now? I have often thought it would be
nice if they reworked the protocol to put some light encryption on
the packets, or at least stiffen up the exchange with even some
clever identification on each frame.<br>
<br>
But yeah, some of the games that run this protocol are so old that
the companies that sold them really don't care about fixing
something that won't make them hardly any money.<br>
<br>
Sad really.<br>
<div class="moz-signature"><i><font size="-1">
</font></i><br>
</div>
<br>
On 04/17/2012 02:48 PM, Bobby wrote:
<blockquote cite="mid:044e01cd1cd3$05265d90$0f7318b0$@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
have a dumb question, Why wont the game company fix/patch
the game to prevent further attacks?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Bobby<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Boyd G. Gafford Ph.D.
[<a class="moz-txt-link-freetext" href="mailto:drboyd@westportresearch.com">mailto:drboyd@westportresearch.com</a>] <br>
<b>Sent:</b> Tuesday, April 17, 2012 3:35 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<b>Subject:</b> Re: [cod] Game server whitelisting rules<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Also, just a
quick shout out to Escaped Turkey (escapedturkey.com), who has
been a big help in this whole development process.<br>
<br>
The rules have been a collaboration between us for several
months now, to get to the point where the rules are mature
enough to withstand so many different attacks. Escaped Turkey
was one of the first companies to give ServerArk a try, which
led to moving all the ServerArk logic into the kernel with
these custom iptables rules, and to eventually getting the
whitelisting working.<br>
<br>
Thanks ET!<br>
<br>
:)<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><i><span
style="font-size:10.0pt">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a moz-do-not-send="true"
href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a></span></i><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
On 04/17/2012 10:58 AM, escapedturkey wrote: <o:p></o:p></p>
<div>
<p class="MsoNormal">On top of that, using webmin and usermin,
I have developed scripts (to utilize Boyd's scripts) where
the user simply clicks on of two buttons, then within 30
minutes protection is enabled or disabled. There is another
script to display the protection status. This way root runs
a script, every 30 minutes, searches to see who has enabled
or disabled protection, then adds or removes the rules to
iptables. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For more information on how the scripts
work, please see the following:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://www.escapedturkey.com/links/serverprotection">https://www.escapedturkey.com/links/serverprotection</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I will gladly share these scripts as
well. Please drop me an e-mail if you are interested. The
more protection we have for everyone's game servers, the
better the community will be. =)<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Apr 17, 2012 at 11:12 AM, Boyd G.
Gafford Ph.D. <<a moz-do-not-send="true"
href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">Just wanted to let everyone know that I
am making the dynamic whitelisting iptables rules I have
been testing available to anyone who runs a Q3-protocol
server under Linux and wants to try them out. These rules
were designed for the most severe of all attacks, and that
is attacks where the source IP is spoofed and is random.
It also works for attacks from a single IP as well, as
well as indirect reflection attacks.<br>
<br>
We have 2 commercial server companies using these rules
currently in their production environment, and I am
currently working with two more. I also have test servers
running on several VPS's that I use for development.<br>
<br>
So what do the iptables do? Here's the list:<br>
<br>
1) Players have their IP saved automatically at the kernel
level when they join a game server, and then those IPs are
used as a filter for other rules. When they leave the
game server the IP is retired after 10 minutes. (This is
what we call a whitelisted player). This is the main guts
of the protection, as identifying valid players is
important to mitigating attacks.<br>
<br>
2) Server query packets like 'getstatus' and 'getinfo' are
rate limited to 10/sec to prevent lag when they are used
in a DOS attack. Players that are whitelisted have their
packets allowed (so they can see server status while in
game even during an attack).<br>
<br>
3) 'getchallenge' packets (normally used by a player to
join the game) are rate limited to 2/sec, to prevent lag
when they are used in a DOS attack. Players that are
whitelisted always have their requests to join the server
processed. This allows a player who was recently playing
the ability to join the server again, even when the DOSer
is trying to lock down the population on the server by
spamming fake players joining.<br>
<br>
4) All other packets are rate limited per whitelisted
player IP to no more than 100/second, to prevent lag when
a DOSer has stolen a valid player IP address and is
attacking with it in an attempt to break through the
whitelist rules.<br>
<br>
5) Attempts to use your game server as a reflector to
attack other game servers is blocked (due to rate limiting
in 1-4).<br>
<br>
6) Reflection attack packets hitting your server are
dropped (again due to rate limiting in 1-4).<br>
<br>
7) A custom packet (not part of the Q3 protocol) can be
sent by a player to break into and join a game that is
under 24/7 'getchallenge' attack. This is one of the
slicker features of the iptables rules, as this 'server
lockdown' DOS attack is now easily breached.<br>
<br>
<br>
The iptables rules are added dynamically per server
IP:PORT pair. That way the rules affect nothing but UDP
packets to that game server. No other types of packets
are affected whatsoever. To make it easy, the rules have
been put into shell scripts.<br>
<br>
Example: Protect the game running on 10.1.2.3 port 28000.<br>
<br>
<tt><span style="font-size:10.0pt"># ./protectgame.sh
10.1.2.3 28000</span></tt><br>
<br>
Example: Show the iptables rules currently protecting the
game running on 10.1.2.3 port 28000.<br>
<br>
<tt><span style="font-size:10.0pt"># ./listgame.sh
10.1.2.3 28000</span></tt><br>
<br>
Example: Remove the iptables rules protecting the game
running on 10.1.2.3 port 28000.<br>
<br>
<tt><span style="font-size:10.0pt"># ./unprotectgame.sh
10.1.2.3 28000</span></tt><br>
<br>
Rather than just send the scripts to the whole list here,
I've decided to ask anyone interested to Email me
personally and request it. If you run a commercial gaming
service (or even your own COD server and agree not to
share it with anyone else), I will be happy to send it to
you and help you understand how to use it in your
environment.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<i><span style="font-size:10.0pt">__________________________________<br>
</span></i><i><span
style="font-size:10.0pt;color:#888888">Boyd G.
Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
<a moz-do-not-send="true"
href="tel:%28816%29%20358-8990" target="_blank">(816)
358-8990</a><br>
<a moz-do-not-send="true"
href="mailto:drboyd@westportresearch.com"
target="_blank">drboyd@westportresearch.com</a></span></i><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <o:p></o:p></p>
<div>
<p class="MsoNormal">EscapedTurkey.com Billing and Support<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk"
target="_blank">https://www.escapedturkey.com/helpdesk</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>cod mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a><o:p></o:p></pre>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>