[cod] Hey everyone
NewLight Systems
nls at newlightsystems.com
Thu Feb 23 17:46:13 EST 2012
The problem is that we are receiving, for example, 1 GBPS attacks to one
IP from several sources (maybe 15 - 20 IPs).
That means that 1 GB of inbound is occupied. We have iptables rules, of
course, but it is affecting all services on that dedicated server.
On 23/02/12 23:42, Boyd G. Gafford Ph.D. wrote:
> Hey there, thanks for responding.
>
> I'm not sure I understand what you mean by "the line is occupied
> anyway." If you mean the bandwidth to the server is saturated by the
> flood, then yeah, it's going to affect game play. Fortunately most
> servers at data centers have high enough bandwidth to them that a
> typical attack doesn't saturate.
>
> If your game server port is the target of a single IP UDP flood
> attack, then typically an iptables drop rule handled by the kernel is
> more efficient than the game server itself, especially if the flooded
> packets are server commands that are being processed by the game
> server, which is sending out UDP reply packets. That takes up much
> more CPU than a kernel-level packet drop.
>
> Under those circumstances, the cheap VPS we use in Dallas has endured
> 64Mbps attacks for hours and the game server is still very playable.
> It would be nice if the flood was blocked at the router or carrier
> level, but still iptables is pretty amazing when the kernel drop is
> your last line of defense.
>
> Thanks,
>
> /Boyd/
>
>
> On 02/23/2012 04:22 PM, NewLight Systems wrote:
>> It's ok but this isn't working if the UDP floods to your server
>> because the line is occupied anyway.
>>
>> If you are the target, there's nothing you can do in a dedicated
>> server level.
>>
>> This type of attack (always, if you are the target) has to be
>> eradicated at a higher level (router or carrier) if you want to
>> preserve your connection.
>>
>> On 23/02/12 23:12, Boyd G. Gafford Ph.D. wrote:
>>> Hey everyone, EscapedTurkey told me about this group, and so I just
>>> wanted to say a quick hello.
>>>
>>> I'm the guy who got frustrated enough with UDP flood attacks that I
>>> wrote ServerArk to deal with the majority of them. If anyone has
>>> any questions about the program, or any ideas on what they would
>>> like to see in it in the future, by all means let me know.
>>>
>>> Since I've been using it on our JA (Q3 protocol) servers
>>> (http://elitewarriors.net) it's blocked about 20 high volume attacks
>>> (one at 64Mbps) successfully over the past few months. As long as
>>> the source IP of the UDP flood is not random, it works really well.
>>>
>>> I have a few new ideas on flood detection on random IP attacks I
>>> will ping off your guys over the next few days to see what you think.
>>>
>>> Also kudos to whoever did the "I don't want to participate in
>>> reflection attacks" iptables rule that matches off of the
>>> 'getstatus' UDP packet payload. If everyone who had a Q3 protocol
>>> server (COD, JA, etc) had that rule running reflection attacks would
>>> be a LOT less potent.
>>>
>>> :)
>>>
>>> Thanks,
>>>
>>> /Boyd/
>>>
>>> __________________________________
>>> Boyd G. Gafford Ph.D.
>>> Manager of Software Development
>>> Westport Research Associates Inc.
>>> 7001 Blue Ridge Blvd
>>> Raytown, MO 64133
>>> (816) 358-8990
>>> drboyd at westportresearch.com
>>>
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod
>>
>> --
>> David Aguilar Valero
>> Sales and Technical Support Dept.
>> NewLight Systems
>> Game servers, HW, Dedicated
>>
>> crk01 at nls.es
>> crk01 at newlightsystems.com
>> tecnico at newlightsystems.com
>> #NewLight_Systems @ irc-hispano.org
>> http://www.newlightsystems.com/
>> http://www.nls.es/
>>
>>
>> This email and any files or attachments transmitted with it are
>> intended solely for the use of the intended recipient. This email is
>> confidential and may contain legally privileged information. If you
>> are not the intended recipient you should not read, disseminate,
>> distribute, or copy this email. If you have received this email in
>> error, please notify the sender immediately and delete it from your
>> system.
--
David Aguilar Valero
Sales and Technical Support Dept.
NewLight Systems
Game servers, HW, Dedicated

crk01 at nls.es
crk01 at newlightsystems.com
tecnico at newlightsystems.com
#NewLight_Systems @ irc-hispano.org
http://www.newlightsystems.com/
http://www.nls.es/
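The distinction argued in this thread (a kernel-level drop copes with a 64 Mbps single-source flood, but not with roughly 1 Gbps from 15 to 20 sources that fills the link) can be turned into a triage check. This is an added example, not part of the original messages and not ServerArk code; the thresholds, the port number and the sample traffic windows are assumptions constructed for illustration.

```python
from collections import Counter

LINK_CAPACITY_BPS = 1_000_000_000  # assumed 1 Gbps uplink, per the message
SATURATION_RATIO = 0.9             # assumption: >= 90% of the link is "occupied"
PER_SOURCE_FLOOD_BPS = 10_000_000  # assumption: a source above 10 Mbps is flooding


def triage(samples, interval_s, capacity_bps=LINK_CAPACITY_BPS):
    """Classify one measurement window.

    samples: (src_ip, dst_port, byte_count) tuples counted on the inbound
    interface during interval_s seconds (e.g. from flow or pcap accounting).
    """
    per_source = Counter()
    for src, _port, nbytes in samples:
        per_source[src] += nbytes
    rates = {src: n * 8 / interval_s for src, n in per_source.items()}
    total_bps = sum(rates.values())
    heavy = sorted((s for s in rates if rates[s] >= PER_SOURCE_FLOOD_BPS),
                   key=rates.get, reverse=True)
    if total_bps >= SATURATION_RATIO * capacity_bps:
        # Packets have already consumed the link before the kernel sees them;
        # dropping locally saves CPU but not bandwidth.
        action = "escalate-upstream"
    elif heavy:
        # Link has headroom: a kernel-level drop per source is enough.
        action = "host-drop"
    else:
        action = "none"
    return {"total_bps": total_bps, "heavy_sources": heavy, "action": action}


# Constructed 10-second windows (documentation address ranges, made-up port).
PLAYERS = [("192.0.2.%d" % i, 28960, 20_000) for i in range(1, 5)]
SINGLE_SOURCE = PLAYERS + [("198.51.100.7", 28960, 80_000_000)]      # 64 Mbps
MULTI_SOURCE = PLAYERS + [("203.0.113.%d" % i, 28960, 78_125_000)    # 16 x 62.5 Mbps
                          for i in range(1, 17)]

if __name__ == "__main__":
    for name, window in (("single", SINGLE_SOURCE), ("multi", MULTI_SOURCE)):
        r = triage(window, interval_s=10)
        print(name, round(r["total_bps"] / 1e6, 1), "Mbps ->", r["action"],
              len(r["heavy_sources"]), "heavy source(s)")
```

In the "escalate-upstream" case the heavy-source list is what you hand to the carrier or data center for filtering at the router.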