[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Sat Aug 6 07:09:15 EDT 2011


Thanks :)

I've already been doing that for a long time (see previous list messages...), directly in the firewall...

On 01/08/2011 22:54, Ryan C. Gordon wrote:
>
> So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server
> replies with a larger packet to the faked address. Multiply this by
> however fast you can stuff UDP packets into the server's incoming
> packet buffer per frame, times 7500+ public COD4 servers, and you can
> really bring a victim to its knees with a serious flood of unwanted
> packets.
>
> I've got a patch for COD4 for this, and I need admins to test it
> before I make an official release.
>
>    http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
>
> You'll need a server updated to 1.7 before applying this, because this
> is only a replacement cod4_lnxded file. The defaults for the new cvars
> are probably fine, but you can tweak them as you like.
>
> If you want to see it in action, find your patched server in the
> in-game server browser, click "Server Info" and keep hitting refresh.
> If you're doing it faster than the limit, you'll see you don't get a
> response right away.
>
> All this info is in README.linux in that tarball, but I'll post it
> here, too:
>
> *******
>
> About query limits:
>
> There is a class of DDoS attack that can utilize COD4 servers to flood
> a third party, by spoofing UDP packets so that the game server sends
> its reply for information to an unsuspecting party, over and over, as
> fast as it can. Unlike most packets sent by the server, this reply
> packet does not require a player with a legitimate connection before
> sending.
>
> This patch sets up some reasonable defaults to limit the rate at which
> the server will send these reply packets to a given IP address. It
> does not throttle legitimate connections in the process.
>
> The gist is this: If someone sends a query packet, we note their IP
> address and ignore any further queries for X seconds. If they send a
> port-unreachable packet (person being spoofed isn't playing the game),
> we ignore their IP address for Y seconds. This will let normal people
> play, it prevents people that don't have a legitimate player
> connection from flooding the server with queries, and it'll stop DDoS
> attacks against third parties.
>
> If millions of computers try to wail on a single server, this patch
> should handle it gracefully (we don't allocate memory when adding IP
> addresses to the ignore list, we use a hashtable so we don't have to
> check millions of IP addresses for every query, and we clean out old
> addresses a little each frame).
>
> People that are connected to the server don't have their packets
> ignored; this only limits server responses to packets that don't need
> a valid player connection (like the infostring, etc). LAN addresses
> are never limited.
>
> Admins can tune it (and turn it off completely) with cvars.
>
> Note that a single IP address using different ports gets lumped into
> the same ignore list entry. This is to make life difficult for
> attackers and keep things efficient on the server. If 16 players are
> all behind the same NAT, they might notice it takes longer for the
> server to respond to each of them individually at the start. They
> should run a LAN server anyhow, but gameplay will still perform
> normally here.
>
> Server admins have 4 cvars to control this:
>
> sv_queryIgnoreDebug: set to 1 to log information about attacks. This
> will write out a lot of logging. Defaults to 0.
>
> sv_queryIgnoreMegs: Number of megabytes we should use to store the
> ignore list. Set to 0 to turn off the ignore list (basically disables
> this patch). 1 megabyte handles about 65000 IP addresses, each
> megabyte after the first adds about 87000 more. 1 is probably fine
> unless you're under serious attack, but maybe a server wants to spare
> 12 megs to block a million IP addresses simultaneously.  :)  Defaults
> to 1.
>
> sv_queryIgnoreTime: Number of milliseconds to ignore an IP address's
> info requests after responding to one of them. Set to 0 to not ignore
> at all. Defaults to 2000 (2 seconds).
>
> sv_queryBounceIgnoreTime: Number of milliseconds to ignore an IP
> address's info requests after a server packet bounced with an ICMP
> Port Unreachable notice. Set to 0 to not ignore at all. Defaults to
> 12000 (2 _minutes_).
>
> *******
>
>
> Please note that I haven't touched this code since 2008, so even
> though the changes are relatively localized, don't blast this out to
> all your servers until you feel it's stable.
>
> Please give me feedback!
>
> Thanks,
> --ryan.
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod