<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Also, just a quick shout out to Escaped Turkey (escapedturkey.com),
who has been a big help in this whole development process.<br>
<br>
The rules have been a collaboration between us for several months
now, to get to the point where the rules are mature enough to
withstand so many different attacks. Escaped Turkey was one of the
first companies to give ServerArk a try, which led to moving all the
ServerArk logic into the kernel with these custom iptables rules,
and to eventually getting the whitelisting working.<br>
<br>
Thanks ET!<br>
<br>
:)<br>
<br>
<div class="moz-signature"><i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a class="moz-txt-link-abbreviated" href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
<br>
On 04/17/2012 10:58 AM, escapedturkey wrote:
<blockquote
cite="mid:CALCvV0yOk8yjsnKuf36OpUZJoeUuMBSGXNd_UWVxZJ0tw+FoDA@mail.gmail.com"
type="cite">
<div>On top of that, using webmin and usermin, I have developed
scripts (to utilize Boyd's scripts) where the user simply clicks
on of two buttons, then within 30 minutes protection is enabled
or disabled. There is another script to display the protection
status. This way root runs a script, every 30 minutes, searches
to see who has enabled or disabled protection, then adds or
removes the rules to iptables. </div>
<div><br>
</div>
<div>For more information on how the scripts work, please see the
following:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/links/serverprotection">https://www.escapedturkey.com/links/serverprotection</a></div>
<div><br>
</div>
<div>I will gladly share these scripts as well. Please drop me an
e-mail if you are interested. The more protection we have for
everyone's game servers, the better the community will be. =)</div>
<br>
<div class="gmail_quote">
On Tue, Apr 17, 2012 at 11:12 AM, Boyd G. Gafford Ph.D. <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Just wanted to let
everyone know that I am making the dynamic whitelisting
iptables rules I have been testing available to anyone who
runs a Q3-protocol server under Linux and wants to try them
out. These rules were designed for the most severe of all
attacks, and that is attacks where the source IP is spoofed
and is random. It also works for attacks from a single IP
as well, as well as indirect reflection attacks.<br>
<br>
We have 2 commercial server companies using these rules
currently in their production environment, and I am
currently working with two more. I also have test servers
running on several VPS's that I use for development.<br>
<br>
So what do the iptables do? Here's the list:<br>
<br>
1) Players have their IP saved automatically at the kernel
level when they join a game server, and then those IPs are
used as a filter for other rules. When they leave the game
server the IP is retired after 10 minutes. (This is what we
call a whitelisted player). This is the main guts of the
protection, as identifying valid players is important to
mitigating attacks.<br>
<br>
2) Server query packets like 'getstatus' and 'getinfo' are
rate limited to 10/sec to prevent lag when they are used in
a DOS attack. Players that are whitelisted have their
packets allowed (so they can see server status while in game
even during an attack).<br>
<br>
3) 'getchallenge' packets (normally used by a player to join
the game) are rate limited to 2/sec, to prevent lag when
they are used in a DOS attack. Players that are whitelisted
always have their requests to join the server processed.
This allows a player who was recently playing the ability to
join the server again, even when the DOSer is trying to lock
down the population on the server by spamming fake players
joining.<br>
<br>
4) All other packets are rate limited per whitelisted player
IP to no more than 100/second, to prevent lag when a DOSer
has stolen a valid player IP address and is attacking with
it in an attempt to break through the whitelist rules.<br>
<br>
5) Attempts to use your game server as a reflector to attack
other game servers is blocked (due to rate limiting in 1-4).<br>
<br>
6) Reflection attack packets hitting your server are dropped
(again due to rate limiting in 1-4).<br>
<br>
7) A custom packet (not part of the Q3 protocol) can be sent
by a player to break into and join a game that is under 24/7
'getchallenge' attack. This is one of the slicker features
of the iptables rules, as this 'server lockdown' DOS attack
is now easily breached.<br>
<br>
<br>
The iptables rules are added dynamically per server IP:PORT
pair. That way the rules affect nothing but UDP packets to
that game server. No other types of packets are affected
whatsoever. To make it easy, the rules have been put into
shell scripts.<br>
<br>
Example: Protect the game running on 10.1.2.3 port 28000.<br>
<br>
<tt># ./protectgame.sh 10.1.2.3 28000</tt><br>
<br>
Example: Show the iptables rules currently protecting the
game running on 10.1.2.3 port 28000.<br>
<br>
<tt># ./listgame.sh 10.1.2.3 28000</tt><br>
<br>
Example: Remove the iptables rules protecting the game
running on 10.1.2.3 port 28000.<br>
<br>
<tt># ./unprotectgame.sh 10.1.2.3 28000</tt><br>
<br>
Rather than just send the scripts to the whole list here,
I've decided to ask anyone interested to Email me personally
and request it. If you run a commercial gaming service (or
even your own COD server and agree not to share it with
anyone else), I will be happy to send it to you and help you
understand how to use it in your environment.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<div> <br>
<i><font size="-1">__________________________________<br>
<font color="#888888"> Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
<a moz-do-not-send="true"
href="tel:%28816%29%20358-8990"
value="+18163588990" target="_blank">(816)
358-8990</a><br>
<a moz-do-not-send="true"
href="mailto:drboyd@westportresearch.com"
target="_blank">drboyd@westportresearch.com</a><br>
</font></font></i><br>
</div>
</div>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true" href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>EscapedTurkey.com Billing and Support<br>
</div>
<div><a moz-do-not-send="true"
href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>