[cod] CoD2 UDP flood
Marco Padovan
evcz at evcz.tk
Thu Feb 23 10:14:21 EST 2012
iptables --flush ; iptables --delete-chain
that will completly empty your firewall...
then run your script
Il 23/02/2012 16:06, escapedturkey ha scritto:
> iptables --flush
>
> /sbin/iptables -N QUERY-BLOCK
> iptables: Chain already exists.
>
> /sbin/iptables -N QUERY-CHECK
> iptables: Chain already exists.
>
> Any help? =)
>
>
> On Thu, Feb 23, 2012 at 10:03 AM, Marco Padovan <evcz at evcz.tk
> <mailto:evcz at evcz.tk>> wrote:
>
> The
>
> "Chain already exists." error should appear...
>
> iptables --flush
>
> then run the script...
>
> eventually run all the rules one by one and see which one is
> giving you the error...
>
> you can monitor the number of blocked packets issuing:
>
> iptables -nvx -L QUERY-BLOCK
>
> and
>
> iptables -nvx -L QUERY-CHECK
>
> Il 23/02/2012 15:53, escapedturkey ha scritto:
>> # These commands, for instance, would block external IPs that
>> send queries
>> # at a rate of 2/second or higher:
>> # add a host to the banlist and then drop the packet.
>> /sbin/iptables -N QUERY-BLOCK
>> /sbin/iptables -A QUERY-BLOCK -m recent --set --name
>> blocked-hosts -j DROP
>> # is this a query packet? if so, block commonly attacked ports
>> outright,
>> # then see if it's a known attacking IP, then see if it is
>> sending at a high
>> # rate and should be added to the list of known attacking IPs.
>> /sbin/iptables -N QUERY-CHECK
>> /sbin/iptables -A QUERY-CHECK -p udp -m string ! --string
>> "getstatus" --algo bm --from 32 --to 41 -j RETURN
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
>> /sbin/iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
>> # is it already blocked? continue blocking it and update the
>> counter so it
>> # gets blocked for at least another 30 seconds.
>> /sbin/iptables -A QUERY-CHECK -m recent --update --name
>> blocked-hosts --seconds 30 --hitcount 1 -j DROP
>> # check to see if it exceeds our rate threshold,
>> # and add it to the list if it does.
>> # /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode
>> srcip --hashlimit-name getstatus --hashlimit-above 2/second -j
>> QUERY-BLOCK
>> # CentOS 5 or CentOS 6 compatible
>> /sbin/iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip
>> --hashlimit-name getstatus --hashlimit 2/s -j RETURN
>> /sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK
>> # look at all the packets going to q3/cod*/et/etc servers
>> # /sbin/iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>> /sbin/iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK
>>
>> ./spamblock.bsh
>> iptables: Chain already exists.
>> iptables: Chain already exists.
>>
>> iptables -L -n
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> QUERY-CHECK udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp dpts:27000:30000
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain QUERY-BLOCK (1 references)
>> target prot opt source destination
>> DROP all -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> recent: SET name: blocked-hosts side: source
>>
>> Chain QUERY-CHECK (1 references)
>> target prot opt source destination
>> RETURN udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> STRING match !"getstatus" ALGO name bm FROM 32
>> TO 41
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spts:0:1025
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spt:3074
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spt:7777
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spts:27015:27100
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spt:25200
>> DROP udp -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> udp spt:25565
>> DROP all -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> recent: UPDATE seconds: 30 hit_count: 1 name:
>> blocked-hosts side: source
>> RETURN all -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0> limit: up to 2/sec burst 5 mode srcip
>> QUERY-BLOCK all -- 0.0.0.0/0 <http://0.0.0.0/0> 0.0.0.0/0
>> <http://0.0.0.0/0>
>>
>> Should I be concerned with " iptables: Chain already exists."?
>>
>>
>> On Thu, Feb 23, 2012 at 9:44 AM, Marco Padovan <evcz at evcz.tk
>> <mailto:evcz at evcz.tk>> wrote:
>>
>> sure, do it :)
>>
>> Il 23/02/2012 15:44, escapedturkey ha scritto:
>>> I support most Q3 engine games. Some go beyond the range
>>> specified in the original post.
>>>
>>> Can I change:
>>>
>>> iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
>>>
>>> To:
>>>
>>> iptables -A INPUT -p udp --dport 27000:30000 -j QUERY-CHECK
>>>
>>> Or will that cause problems?
>>>
>>> Ex: JK2 =28070 JA = 29070
>>>
>>> On Thu, Feb 23, 2012 at 9:30 AM, Marco Padovan <evcz at evcz.tk
>>> <mailto:evcz at evcz.tk>> wrote:
>>>
>>> Let us know if that works ;)
>>>
>>> Il 23/02/2012 15:20, escapedturkey ha scritto:
>>>> Thank you. Much appreciated. =)
>>>>
>>>> On Thu, Feb 23, 2012 at 7:33 AM, Marco Padovan
>>>> <evcz at evcz.tk <mailto:evcz at evcz.tk>> wrote:
>>>>
>>>> Ehm,
>>>> nope :D
>>>>
>>>> You need all the lines John posted:
>>>>
>>>> http://icculus.org/pipermail/cod/2012-January/015861.html
>>>>
>>>> To make it works in centos5 / 6 change into that
>>>> ruleset:
>>>>
>>>> iptables -A QUERY-CHECK -m hashlimit
>>>> --hashlimit-mode srcip --hashlimit-name getstatus
>>>> --hashlimit-above 2/second -j QUERY-BLOCK
>>>>
>>>> in this way (two different lines):
>>>> iptables -A QUERY-CHECK -m hashlimit
>>>> --hashlimit-mode srcip --hashlimit-name getstatus
>>>> --hashlimit 2/s -j RETURN
>>>> iptables -A QUERY-CHECK -j QUERY-BLOCK
>>>>
>>>> all the other rules should be kept as they are :)
>>>>
>>>> Il 23/02/2012 13:10, escapedturkey ha scritto:
>>>>> Thank you. I missed those lines.
>>>>>
>>>>> Here is what I have so far:
>>>>>
>>>>> /sbin/iptables -N QUERY-BLOCK
>>>>> /sbin/iptables -A QUERY-BLOCK -m recent --set
>>>>> --name blocked-hosts -j DROP
>>>>> /sbin/iptables -A QUERY-CHECK -m hashlimit
>>>>> --hashlimit-mode srcip --hashlimit-name getstatus
>>>>> --hashlimit 2/s -j RETURN
>>>>> /sbin/iptables -A QUERY-CHECK -j QUERY-BLOCK
>>>>>
>>>>> Is this correct?
>>>>>
>>>>> Thank you again. =)
>>>>>
>>>>> On Thu, Feb 23, 2012 at 5:32 AM, Marco Padovan
>>>>> <evcz at evcz.tk <mailto:evcz at evcz.tk>> wrote:
>>>>>
>>>>> did you issued all the other commands?
>>>>>
>>>>> like:
>>>>>
>>>>> iptables -N QUERY-BLOCK
>>>>> iptables -A QUERY-BLOCK -m recent --set --name
>>>>> blocked-hosts -j DROP
>>>>>
>>>>> ?
>>>>>
>>>>> Il 23/02/2012 03:54, escapedturkey ha scritto:
>>>>>> iptables v1.4.7: Couldn't load target
>>>>>> `QUERY-BLOCK':/lib64/xtables/libipt_QUERY-BLOCK.so:
>>>>>> cannot open shared object file: No such file
>>>>>> or directory
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>>
>>>>>> On Wed, Feb 22, 2012 at 4:51 PM, Marco
>>>>>> Padovan <evcz at evcz.tk <mailto:evcz at evcz.tk>>
>>>>>> wrote:
>>>>>>
>>>>>> on centos5 and centos6
>>>>>>
>>>>>> modifying this line:
>>>>>> iptables -A QUERY-CHECK -m hashlimit
>>>>>> --hashlimit-mode srcip --hashlimit-name
>>>>>> getstatus --hashlimit-above 2/second -j
>>>>>> QUERY-BLOCK
>>>>>>
>>>>>> in this way (two different lines):
>>>>>> iptables -A QUERY-CHECK -m hashlimit
>>>>>> --hashlimit-mode srcip --hashlimit-name
>>>>>> getstatus --hashlimit 2/s -j RETURN
>>>>>> iptables -A QUERY-CHECK -j QUERY-BLOCK
>>>>>>
>>>>>> should mimic the same behaviour
>>>>>>
>>>>>> Il 22/02/2012 18:43, Geoff Goas ha scritto:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On CentOS 5.5, /--hashlimit-above/ is
>>>>>>> not a valid option for the "hashlimit"
>>>>>>> match. Which version of iptables
>>>>>>> introduces this, and how can I mimic
>>>>>>> that same ruleset with the options
>>>>>>> available to me in version 1.3.5 of
>>>>>>> iptables?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Fri, Jan 20, 2012 at 7:51 PM, John
>>>>>>> <lists.cod at nuclearfallout.net
>>>>>>> <mailto:lists.cod at nuclearfallout.net>>
>>>>>>> wrote:
>>>>>>>
>>>>>>> On 1/20/2012 3:27 PM, Marco Padovan
>>>>>>> wrote:
>>>>>>>> I was referring to dynamic
>>>>>>>> filtering using -m recent
>>>>>>>>
>>>>>>>> [not] to manually adding IPs O.o
>>>>>>>
>>>>>>> Marco's right about this. The most
>>>>>>> effective way to prevent effects
>>>>>>> from these attacks on Linux is to
>>>>>>> use a combination of the "string",
>>>>>>> "hashlimit", and "recent" modules.
>>>>>>> Done right, the solution is mostly
>>>>>>> automatic, so you shouldn't need to
>>>>>>> manually add IPs.
>>>>>>>
>>>>>>> These commands, for instance, would
>>>>>>> block external IPs that send queries
>>>>>>> at a rate of 2/second or higher:
>>>>>>>
>>>>>>> # add a host to the banlist and then
>>>>>>> drop the packet.
>>>>>>> iptables -N QUERY-BLOCK
>>>>>>> iptables -A QUERY-BLOCK -m recent
>>>>>>> --set --name blocked-hosts -j DROP
>>>>>>>
>>>>>>> # is this a query packet? if so,
>>>>>>> block commonly attacked ports outright,
>>>>>>> # then see if it's a known attacking
>>>>>>> IP, then see if it is sending at a high
>>>>>>> # rate and should be added to the
>>>>>>> list of known attacking IPs.
>>>>>>> iptables -N QUERY-CHECK
>>>>>>> iptables -A QUERY-CHECK -p udp -m
>>>>>>> string ! --string "getstatus" --algo
>>>>>>> bm --from 32 --to 41 -j RETURN
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 0:1025 -j DROP
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 3074 -j DROP
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 7777 -j DROP
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 27015:27100 -j DROP
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 25200 -j DROP
>>>>>>> iptables -A QUERY-CHECK -p udp
>>>>>>> --sport 25565 -j DROP
>>>>>>> # is it already blocked? continue
>>>>>>> blocking it and update the counter so it
>>>>>>> # gets blocked for at least another
>>>>>>> 30 seconds.
>>>>>>> iptables -A QUERY-CHECK -m recent
>>>>>>> --update --name blocked-hosts
>>>>>>> --seconds 30 --hitcount 1 -j DROP
>>>>>>> # check to see if it exceeds our
>>>>>>> rate threshold,
>>>>>>> # and add it to the list if it does.
>>>>>>> iptables -A QUERY-CHECK -m hashlimit
>>>>>>> --hashlimit-mode srcip
>>>>>>> --hashlimit-name getstatus
>>>>>>> --hashlimit-above 2/second -j
>>>>>>> QUERY-BLOCK
>>>>>>>
>>>>>>> # look at all the packets going to
>>>>>>> q3/cod*/et/etc servers
>>>>>>> iptables -A INPUT -p udp --dport
>>>>>>> 27960:29000 -j QUERY-CHECK
>>>>>>>
>>>>>>> The "recent" module makes it
>>>>>>> possible to block up to 100 IPs at
>>>>>>> once with this method (any attackers
>>>>>>> beyond this would only be
>>>>>>> rate-limited). That number can be
>>>>>>> raised when the module is loaded,
>>>>>>> but I haven't seen 100 attacks
>>>>>>> happening at once yet (typically
>>>>>>> it's maybe 5-20 at once). You can
>>>>>>> see blocked hosts later by looking
>>>>>>> at /proc/net/xt_recent/blocked-hosts.
>>>>>>>
>>>>>>> (If you don't have "recent", you
>>>>>>> could get away without it -- just be
>>>>>>> aware that some of the packets will
>>>>>>> get through, increasing load on the
>>>>>>> game server. Without "hashlimit",
>>>>>>> you'd still see an advantage from
>>>>>>> the port checks, but you'd need to
>>>>>>> manually block IPs that are being
>>>>>>> hit on other ports. Without
>>>>>>> "string", you'd similarly be down to
>>>>>>> just port checks, and need to take
>>>>>>> out the other rules.)
>>>>>>>
>>>>>>> -John
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cod mailing list
>>>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> /*Geoff Goas
>>>>>>> Systems Engineer*/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cod mailing list
>>>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>>
>>>>>> _______________________________________________
>>>>>> cod mailing list
>>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> EscapedTurkey.com Billing and Support
>>>>>> https://www.escapedturkey.com/helpdesk
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> cod mailing list
>>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>
>>>>> _______________________________________________
>>>>> cod mailing list
>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> EscapedTurkey.com Billing and Support
>>>>> https://www.escapedturkey.com/helpdesk
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cod mailing list
>>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>> http://icculus.org/mailman/listinfo/cod
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> EscapedTurkey.com Billing and Support
>>>> https://www.escapedturkey.com/helpdesk
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> cod mailing list
>>>> cod at icculus.org <mailto:cod at icculus.org>
>>>> http://icculus.org/mailman/listinfo/cod
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org <mailto:cod at icculus.org>
>>> http://icculus.org/mailman/listinfo/cod
>>>
>>>
>>>
>>>
>>> --
>>> EscapedTurkey.com Billing and Support
>>> https://www.escapedturkey.com/helpdesk
>>>
>>>
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org <mailto:cod at icculus.org>
>>> http://icculus.org/mailman/listinfo/cod
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org <mailto:cod at icculus.org>
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>> --
>> EscapedTurkey.com Billing and Support
>> https://www.escapedturkey.com/helpdesk
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org <mailto:cod at icculus.org>
>> http://icculus.org/mailman/listinfo/cod
>
> _______________________________________________
> cod mailing list
> cod at icculus.org <mailto:cod at icculus.org>
> http://icculus.org/mailman/listinfo/cod
>
>
>
>
> --
> EscapedTurkey.com Billing and Support
> https://www.escapedturkey.com/helpdesk
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120223/8503f4d6/attachment-0001.htm>
More information about the cod
mailing list