[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Tue Mar 13 09:12:11 EDT 2012


Looks like the executable is older than your pcap library.  Just type 
the following to build the executable:

gcc -o serverark serverark.c -lpcap

It should compile and link successfully, and then use that executable.

/Boyd/


On 03/12/2012 10:50 PM, Mavrick wrote:
> Bump on the rules, however I am trying to use serverark and I'm 
> getting this:
>
> # ./serverark -d
> ./serverark: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
>
> # locate libpcap
> /usr/lib64/libpcap.so.1
> /usr/lib64/libpcap.so.1.0.0
> /usr/share/doc/libpcap-1.0.0
>
> # uname -a
> Linux game1.frag-live.com 2.6.32-220.4.2.el6.x86_64 #1 SMP Tue Feb 14 04:00:16 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Best Regards,
>
> Daniel "mavrick" Lang
>
>
> On 23/02/12 6:34 AM, escaped turkey wrote:
>> Can you repost those rules please?
>>
>> Thank you. :)
>>
>> EscapedTurkey Billing and Support
>> https://escapedturkey.com/helpdesk
>>
>> On Feb 22, 2012, at 3:26 PM, Marco Padovan <evcz at evcz.tk> wrote:
>>
>>> I still don't know why people do not use the rules you posted a few 
>>> weeks ago that should do everything by themselves :|
>>>
>>> On 22/02/2012 19:29, John wrote:
>>>> The comments on the tool say this:
>>>>
>>>>  * So how does it work?  Very simply, it captures one second of
>>>>  * UDP frames every minute directly from the kernel, via the pcap
>>>>  * interface (the same one tcpdump uses).  It then analyzes only those
>>>>  * UDP frames targeted to a port on which a game server is running.
>>>>  * It then tallies all the different IP addresses (one for each "player"),
>>>>  * and if there are "too many" packets for the IP, it uses iptables to
>>>>  * tell the kernel to drop those packets, so they never make it to the
>>>>  * game server itself. This effectively blocks the attack from affecting
>>>>  * the current players on the server.  See the serverark.conf file for
>>>>  * more information.
>>>>
>>>> This will help with specific types of attacks, but if you are the 
>>>> target of a distributed flood, you could see quite a few iptables 
>>>> rules created. For performance reasons, the author should consider 
>>>> switching to the "ipset" module and tools, with a single iptables 
>>>> rule. (By default, I see that it limits the number of blocked IPs 
>>>> to 128, so it's meant for small attacks.)
>>>>
>>>> The tool will also unfortunately not help against attacks involving 
>>>> randomized, spoofed IPs, which are a significant percentage of the 
>>>> ones we see. For that type of attack, traffic will need to be 
>>>> manually analyzed.
>>>>
>>>> -John
>>>>
>>>>
>>>> On 2/22/2012 9:36 AM, Geoff Goas wrote:
>>>>> Has anyone tried this yet?
>>>>>
>>>>> I just got hit with a bandwidth overage fee on my dedi, further 
>>>>> investigation shows my CoD2 servers are being used for these 
>>>>> reflection attacks... sigh.
>>>>>
>>>>> On Tue, Feb 21, 2012 at 1:25 PM, escapedturkey 
>>>>> <escapedturkey at escapedturkey.com> wrote:
>>>>>
>>>>>     I was given permission by the developer to share this program
>>>>>     that he has been developing.
>>>>>
>>>>>     It supposedly stops spam kind of attacks against servers --
>>>>>     specifically for Jedi Academy. I am curious if it helps for
>>>>>     other games too.
>>>>>
>>>>>     # ServerArk (C) 2011 Boyd G. Gafford Ph.D.
>>>>>
>>>>>     "# A UDP flood attack analyzer and adaptive blocker for gaming
>>>>>     servers."
>>>>>
>>>>>     http://elitewarriors.net/serverark/serverark_0.93.zip
>>>>>
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     cod mailing list
>>>>>     cod at icculus.org
>>>>>     http://icculus.org/mailman/listinfo/cod
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> /*Geoff Goas
>>>>> Systems Engineer*/
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>
>
>
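
The per-source tally described in the quoted ServerArk comments, together with John's two caveats, as an added example (not ServerArk's code and not written by anyone in this thread): it counts frames per source over a constructed one-second window, prints ipset commands for sources over the limit, and shows that a flood from randomized sources leaves every address under the limit. The threshold of 100, port 28960, the set name ark_block and all addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_SOURCES 1024  /* tally table size (assumed) */
#define MAX_BLOCKED 128   /* default block limit mentioned in the thread */
struct pkt   { uint32_t src; uint16_t dport; };  /* one captured UDP frame */
struct tally { uint32_t src; unsigned count; };

/* Count frames sent to game_port per source address; sources above
 * threshold go into out[] (at most MAX_BLOCKED). Returns how many. */
size_t pick_blocks(const struct pkt *p, size_t n, uint16_t game_port,
                   unsigned threshold, uint32_t *out) {
    static struct tally t[MAX_SOURCES];
    size_t used = 0, nblock = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].dport != game_port) continue;
        size_t j = 0;
        while (j < used && t[j].src != p[i].src) j++;
        if (j == used) {
            if (used == MAX_SOURCES) continue;  /* table full, not tallied */
            t[used].src = p[i].src; t[used].count = 0; used++;
        }
        t[j].count++;
    }
    for (size_t j = 0; j < used && nblock < MAX_BLOCKED; j++)
        if (t[j].count > threshold) out[nblock++] = t[j].src;
    return nblock;
}

/* Constructed one-second window: one normal player plus 500 flood frames,
 * all from one source (spoofed == 0) or each from a different source. */
size_t demo(int spoofed, uint32_t *out) {
    struct pkt w[540]; size_t n = 0;
    for (uint32_t i = 0; i < 40; i++)
        w[n++] = (struct pkt){ 0xC0000205u, 28960 };  /* 192.0.2.5 */
    for (uint32_t i = 0; i < 500; i++)
        w[n++] = (struct pkt){ spoofed ? 0x0A000000u + i : 0xCB007107u, 28960 };
    return pick_blocks(w, n, 28960, 100, out);  /* threshold 100 is assumed */
}

int main(void) {
    uint32_t ip[MAX_BLOCKED]; size_t n = demo(0, ip);
    /* One set plus one rule, instead of one iptables rule per address. */
    puts("ipset create ark_block hash:ip -exist");
    puts("iptables -I INPUT -p udp -m set --match-set ark_block src -j DROP");
    for (size_t i = 0; i < n; i++)
        printf("ipset add ark_block %u.%u.%u.%u -exist\n",
               (unsigned)(ip[i] >> 24), (unsigned)(ip[i] >> 16 & 255),
               (unsigned)(ip[i] >> 8 & 255), (unsigned)(ip[i] & 255));
    printf("spoofed-source window: %zu blocked\n", demo(1, ip));
    return 0;
}
```

The program only prints the commands; the single-source window yields one `ipset add` line and the randomized-source window yields none.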