While true, it is somewhat different in matters of actual possession of
resources to blow a connection out of the sky with 40x155mbit hacked boxes
and being able to take down 5-6 different gameservers with your crappy 512kbit
DSL line from home due to improper handling of packets.

-TheG

On Thu, Jan 6, 2011 at 10:37 PM, Kigen <theki...@gmail.com> wrote:

> Hello.
>
> Now one unfortunate fact about DoS attacks is that they are designed
> to interrupt service.  The main reason why they work so well is
> because UDP packets can be spoofed.  Thus you are unable to identify an
> IP to ban, as the IPs reported will not be the real source of the
> packet.  Almost a year ago I suffered a 30Mbit/sec DoS attack on a
> CS:S server.  (Everyone who knows my name can probably guess why
> someone would want to attack me.)  Given the nature of the attack and
> the fact that my game server was empty, I just firewalled off the port
> they were attacking (to save bandwidth).  While Query Cache can help your
> server show that it's up, in the end if someone has enough bandwidth
> they can take your server down.
>
> While VALVe can probably make a better query mechanism, they won't be
> able to fix this problem, since it is actually a problem
> with the way the internet is designed.
>
> The main problem lies in the UDP protocol.  Since no handshakes are
> required (since UDP is stateless), it's easy to spoof the source IP with
> just a Linux box (or a modded Windows).  The only true solution when
> you're getting DoS'd is for your ISP (host) to find the source of the
> attack through tickets to up-stream providers.  However, most ISPs
> will not bother to trace the origin of the attack (due to the fact
> that most come from zombie machines).
>
> On Thu, Jan 6, 2011 at 11:53 AM, Marco Padovan <evolutioncr...@gmail.com> wrote:
> > Nice! Will give it a try if it's already part of the kernel I use :)
> >
> > Thank you
> > On 06/Jan/2011 18:43, "frostschutz" <frostsch...@metamorpher.de> wrote:
> >> On Thu, Jan 06, 2011 at 05:28:43PM +0100, Marco Padovan wrote:
> >>> The single bucket is problematic due to how we manage the gameservers,
> >>> will update the status this evening :p
> >>
> >> So I came across this in the iptables man page...
> >>
> >> ----
> >> hashlimit
> >>
> >> This patch adds a new match called 'hashlimit'. The idea is to have
> >> something like 'limit', but either per destination-ip or per
> >> (destip,destport) tuple.
> >>
> >> It gives you the ability to express
> >> '1000 packets per second for every host in 192.168.0.0/16'
> >>
> >> '100 packets per second for every service of 192.168.1.1'
> >> with a single iptables rule.
> >> ----
> >>
> >> So you can use hashlimit for a 20 pps for each port solution,
> >> still with just a single rule.
> >>
> >> iptables -A INPUT -p udp -m hashlimit --hashlimit-name hlds --hashlimit-mode dstip,dstport --hashlimit-upto 20/s -j ACCEPT
> >> iptables -A INPUT -p udp -j DROP
> >>
> >> (might also need --hashlimit-htable-size/max/, not sure...)
> >>
> >> Regards
> >> frostschutz
> >>
> >> _______________________________________________
> >> To unsubscribe, edit your list preferences, or view the list archives,
> > please visit:
> >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> >
>
>
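As an added example (not code from anyone in the thread), here is a complete version of the hashlimit rule set frostschutz sketched. Two things the sketched rule needs before iptables will take it: `--hashlimit-name` is mandatory, and the mode tokens are `dstip,dstport` (the man page prose says "destip,destport", but that is not the flag syntax); older iptables spell `--hashlimit-upto` as plain `--hashlimit`. The rules below also key only on packets whose payload starts with the 0xFFFFFFFF "connectionless" header (A2S_INFO and friends), so in-game traffic, which a 20 pps per-port limit would otherwise throttle, is left alone. The port range 27015:27030, the chain name, the limits, the hash table sizes and the offset 28 (IPv4 header without options plus UDP header) are all assumptions. The script prints the commands by default and only applies them with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: per-(dstip,dstport) rate limit for Source/GoldSrc query traffic.
# Dry run by default: prints the iptables commands. APPLY=1 executes them (root).
# Port range, chain name, limits and table sizes are assumptions, not from the thread.
set -eu

IPT=${IPT:-iptables}
PORTS=${PORTS:-27015:27030}   # UDP ports the game servers listen on (assumed)
QPS=${QPS:-20}                # sustained packets/sec allowed per (server IP, port)
BURST=${BURST:-40}            # short spike tolerated before the limit bites

# Emits the rules. The string match keys on the 0xFFFFFFFF "connectionless"
# header at payload offset 0 (IPv4 header without options = 20 bytes + UDP
# header 8 bytes = offset 28), which is what A2S_INFO/A2S_PLAYER queries carry;
# regular in-game packets do not start that way, so players are not throttled.
hlds_query_limit_rules() {
    cat <<EOF
$IPT -N HLDS_QUERY
$IPT -A HLDS_QUERY -m hashlimit --hashlimit-name hlds_query --hashlimit-mode dstip,dstport --hashlimit-upto ${QPS}/sec --hashlimit-burst $BURST --hashlimit-htable-size 4096 --hashlimit-htable-max 16384 --hashlimit-htable-expire 10000 -j ACCEPT
$IPT -A HLDS_QUERY -j DROP
$IPT -I INPUT -p udp --dport $PORTS -m string --algo bm --from 28 --to 36 --hex-string "|ffffffff|" -j HLDS_QUERY
EOF
}

# Number of rule lines emitted; a quick sanity check of the generated set.
hlds_query_limit_rule_count() {
    hlds_query_limit_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    hlds_query_limit_rules | sh -e
else
    hlds_query_limit_rules
fi
```

Because the bucket key is (server IP, server port), a query flood aimed at one gameserver drains only that server's bucket and the others keep answering, which is the problem Marco had with a single bucket; the table also stays tiny, so the htable-max limit is never reached. What this does not do is free the pipe: a spoofed 30 Mbit/sec flood has already consumed the bandwidth by the time the kernel drops it, so the rule protects the server process from packet-handling cost, not the link, and only upstream filtering by the host helps with the latter.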
