<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Unfortunately OpenVZ does not have all the needed iptables modules
ported yet, so the new protection scheme won't work with OpenVZ. It
will work with Xen though (that's what I use on my VPS's) and of
course regular non-virtualized Linux servers.<br>
<br>
Hopefully OpenVZ will eventually get the needed modules implemented.<br>
<br>
Specifically, the protection scripts use the following iptables
modules:<br>
<br>
1) recent (with --reap option, for whitelisting)<br>
2) string (with |hexval| matching, for basic packet content
matching)<br>
3) limit (for general packet rate limiting)<br>
4) hashlimit (for player whitelisted packet rate limiting)<br>
<br>
Some older implementations of iptables do not have the --reap option
on the recent module, which is absolutely necessary to expire
whitelisted players after they have left the game server.<br>
<br>
To determine if your server supports --reap, just type<br>
<br>
<tt>man iptables</tt><br>
<br>
and then<br>
<br>
<tt>/--reap[enter]</tt><br>
<br>
If you find your cursor on the --reap option in the iptables manual,
you are good to go.<br>
<br>
Thanks,<br>
<br>
<i>Boyd</i><br>
<div class="moz-signature"><i><font size="-1">__________________________________<br>
Boyd G. Gafford Ph.D.<br>
Manager of Software Development<br>
Westport Research Associates Inc.<br>
7001 Blue Ridge Blvd<br>
Raytown, MO 64133<br>
(816) 358-8990<br>
<a class="moz-txt-link-abbreviated" href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a><br>
</font></i><br>
</div>
<br>
On 04/17/2012 01:29 PM, Robert Mount wrote:
<blockquote
cite="mid:CAEOFrae-=d83HYgtq88xEiAjV-OdjM-Wc8sUMNnm65rvWUmyjg@mail.gmail.com"
type="cite">
<pre wrap="">Would love to see this integrated with csf/lfd somehow.
<a class="moz-txt-link-freetext" href="http://www.configserver.com/cp/csf.html">http://www.configserver.com/cp/csf.html</a>
--Rob
On Tue, Apr 17, 2012 at 2:09 PM, Brandon R. Miller
<a class="moz-txt-link-rfc2396E" href="mailto:brandonm@branzone.com"><brandonm@branzone.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Will it work on CentOS 5.x with iptables 1.3.5?
- Brandon M.
On 4/17/2012 10:12 AM, Boyd G. Gafford Ph.D. wrote:
Just wanted to let everyone know that I am making the dynamic whitelisting
iptables rules I have been testing available to anyone who runs a
Q3-protocol server under Linux and wants to try them out. These rules were
designed for the most severe of all attacks, and that is attacks where the
source IP is spoofed and is random. It also works for attacks from a single
IP as well, as well as indirect reflection attacks.
We have 2 commercial server companies using these rules currently in their
production environment, and I am currently working with two more. I also
have test servers running on several VPS's that I use for development.
So what do the iptables do? Here's the list:
1) Players have their IP saved automatically at the kernel level when they
join a game server, and then those IPs are used as a filter for other
rules. When they leave the game server the IP is retired after 10 minutes.
(This is what we call a whitelisted player). This is the main guts of the
protection, as identifying valid players is important to mitigating attacks.
2) Server query packets like 'getstatus' and 'getinfo' are rate limited to
10/sec to prevent lag when they are used in a DOS attack. Players that are
whitelisted have their packets allowed (so they can see server status while
in game even during an attack).
3) 'getchallenge' packets (normally used by a player to join the game) are
rate limited to 2/sec, to prevent lag when they are used in a DOS attack.
Players that are whitelisted always have their requests to join the server
processed. This allows a player who was recently playing the ability to
join the server again, even when the DOSer is trying to lock down the
population on the server by spamming fake players joining.
4) All other packets are rate limited per whitelisted player IP to no more
than 100/second, to prevent lag when a DOSer has stolen a valid player IP
address and is attacking with it in an attempt to break through the
whitelist rules.
5) Attempts to use your game server as a reflector to attack other game
servers is blocked (due to rate limiting in 1-4).
6) Reflection attack packets hitting your server are dropped (again due to
rate limiting in 1-4).
7) A custom packet (not part of the Q3 protocol) can be sent by a player to
break into and join a game that is under 24/7 'getchallenge' attack. This
is one of the slicker features of the iptables rules, as this 'server
lockdown' DOS attack is now easily breached.
The iptables rules are added dynamically per server IP:PORT pair. That way
the rules affect nothing but UDP packets to that game server. No other
types of packets are affected whatsoever. To make it easy, the rules have
been put into shell scripts.
Example: Protect the game running on 10.1.2.3 port 28000.
# ./protectgame.sh 10.1.2.3 28000
Example: Show the iptables rules currently protecting the game running on
10.1.2.3 port 28000.
# ./listgame.sh 10.1.2.3 28000
Example: Remove the iptables rules protecting the game running on 10.1.2.3
port 28000.
# ./unprotectgame.sh 10.1.2.3 28000
Rather than just send the scripts to the whole list here, I've decided to
ask anyone interested to Email me personally and request it. If you run a
commercial gaming service (or even your own COD server and agree not to
share it with anyone else), I will be happy to send it to you and help you
understand how to use it in your environment.
Thanks,
Boyd
__________________________________
Boyd G. Gafford Ph.D.
Manager of Software Development
Westport Research Associates Inc.
7001 Blue Ridge Blvd
Raytown, MO 64133
(816) 358-8990
<a class="moz-txt-link-abbreviated" href="mailto:drboyd@westportresearch.com">drboyd@westportresearch.com</a>
_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>