[cod] ServerArk: A UDP flood attack analyzer and adaptive blocker for gaming servers

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Tue Mar 13 11:55:49 EDT 2012


I don't see any packets matching the new rules at all.  All the packets 
are 0 (and bytes 0).

That means one of your rules (probably the one with 40044 dropped 
packets, 1881K dropped bytes) is killing the traffic before it gets to 
the new rules. /Notice how in your listing below the protocol shows 
"all" for an early REJECT rule./

The UDP packets have to get down to the various "getstatus", "getinfo", 
etc. rules, and then finally to the rule that limits the player to 70 
packets a second.

None of your UDP packets are getting that far.

Once you adjust your rule stopping all UDP packets, you should start 
seeing packets in the various LIMITXXXX chains, and when people are 
playing you'll start seeing packets in the LIMITPLRS chain.


Also, if you are going to protect more than just a few game servers with 
the rules I sent, you'll need to eventually up the packets in the 
various LIMITXXX chains.  The rules I sent handle 3 servers just fine.  
If you are running 30 servers, you might want to up the 5/sec connection 
limit to maybe something around 20 or 30 per second, and the 10/sec 
"getstatus" and "getinfo" up to something around 50 per second.


Thanks,

/Boyd/
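
The ordering problem Boyd describes (a catch-all REJECT sitting above the UDP LIMIT rules, so their counters never move) can be spotted mechanically from the `iptables -L -v -n` listing. This is an added example, not code from ServerArk or from either poster: it parses a constructed excerpt of the listing quoted below and reports every rule that sits under the first unconditional terminal rule of the chain.

```python
import re

# Constructed excerpt of an `iptables -L -v -n` INPUT chain, modelled on the
# listing quoted in this thread (columns: pkts bytes target prot opt in out
# source destination [match/target options]).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  707 47868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
40044 1881K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 LIMITSTAT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:27960:28980 STRING match "getstatus" ALGO name bm FROM 32 TO 33
    0     0 LIMITPLRS  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:27960:28980
"""

FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
          "source", "destination", "extra")
RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # built-in targets that end traversal


def parse_chains(listing):
    """Map chain name -> list of rule dicts, in listing order."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            m = RULE_RE.match(line)
            if m:
                chains[current].append(dict(zip(FIELDS, m.groups())))
    return chains


def is_catch_all(rule):
    """Terminal target, protocol 'all', any interface/address, and no match
    criteria (a 'reject-with' option is a target option, not a match)."""
    return (rule["target"] in TERMINAL and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["source"] == "0.0.0.0/0" and rule["destination"] == "0.0.0.0/0"
            and (rule["extra"] == "" or rule["extra"].startswith("reject-with")))


def shadowed_rules(listing, chain="INPUT"):
    """Return (blocking rule, rules after it) or (None, []) if nothing shadows."""
    rules = parse_chains(listing).get(chain, [])
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return rule, rules[i + 1:]
    return None, []


if __name__ == "__main__":
    blocker, dead = shadowed_rules(SAMPLE_LISTING)
    if blocker:
        print(f"{blocker['target']} ({blocker['pkts']} pkts) shadows:",
              [r["target"] for r in dead])
```

On the sample it reports the REJECT rule with 40044 packets as the blocker and both LIMIT jumps as unreachable, which is exactly the zero-counter symptom described above.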


On 03/13/2012 09:50 AM, Mavrick wrote:
> This is the output:
>
> [root at game1 source]# iptables -L -v -n
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>   707 47868 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            
> 0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state NEW tcp dpt:22
> 40044 1881K REJECT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with icmp-host-prohibited
>     0     0 LIMITSTAT  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:27960:28980 STRING match "getstatus" ALGO 
> name bm FROM 32 TO 33
>     0     0 LIMITINFO  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:27960:28980 STRING match "getinfo" ALGO 
> name bm FROM 32 TO 33
>     0     0 LIMITCHLG  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:27960:28980 STRING match "getchallenge" 
> ALGO name bm FROM 32 TO 33
>     0     0 LIMITCONN  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:27960:28980 STRING match "connect" ALGO 
> name bm FROM 32 TO 33
>     0     0 LIMITPLRS  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:27960:28980
>     0     0 LIMITPLRS  udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:25565
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:25565
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT 332 packets, 72567 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>
> Chain LIMITCHLG (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           limit: avg 5/sec burst 5
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>
> Chain LIMITCONN (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           limit: avg 5/sec burst 5
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>
> Chain LIMITINFO (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           limit: avg 10/sec burst 10
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>
> Chain LIMITPLRS (2 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           limit: above 70/sec burst 70 mode srcip-srcport 
> htable-size 128 htable-max 128
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>
> Chain LIMITSTAT (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           limit: avg 10/sec burst 10
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> [root at game1 source]#
>
> Now that I have applied the rules, I am unable to get connections to 
> any of the game servers :( Any ideas?