On Fri, Jan 07, 2011 at 08:09:40PM +0100, Marco Padovan wrote:
> 20 minutes later:
>
> Chain QUERYLIMIT (4 references)
>  pkts bytes target prot opt in out source destination
> 396253 20611768 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 15/sec burst 5 mode dstport
> 50483 2675483 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

If the number of dropped packets keeps rising slowly here, you are probably dropping legitimate queries. Maybe the limit is a bit too low then. Also consider using a larger burst. The burst will allow short, random spikes, but under an actual and constant DoS the limit will still be respected, same as without burst. I'd try limit 20 burst 40 here and see how that goes. You can be generous with burst, as it will vanish completely during a DoS attack anyhow (and it will take 40 below-limit seconds to recharge).

> another box of ours that generally suffers a lot is now reporting:
>
> Chain QUERYLIMIT (4 references)
>  pkts bytes target prot opt in out source destination
> 333352 16966756 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 15/sec burst 5 mode dstport
> 563098 29844034 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

drop >> accept is to be expected during a DoS attack.

> nobody complained yet... so looks like it's holding :)

Test it yourself - see if you can get a complete server list using the standard Steam server browser. If half of your servers are missing there most of the time (while there is NO DoS going on), chances are your limit is too low.

Regards
frostschutz
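A token-bucket model of the limit/burst behaviour discussed in this thread, added here as an example (not code from the thread or from iptables itself): it runs the avg 15/sec burst 5 rule shown above and the suggested 20/40 against a constructed server-browser refresh spike and a constructed constant flood, so you can see the burst absorb the spike while the flood is still held to the average rate. It assumes a single dstport bucket, millisecond timestamps and no kernel credit quantisation.

```python
# Token-bucket model of the hashlimit match in the QUERYLIMIT chain: each
# matching packet spends one token, the bucket holds at most `burst` tokens
# and refills at `avg_per_sec` tokens per second.  Packets that find no token
# fail the match and fall through to the DROP rule.
# Simplified model (assumption): one bucket (one dstport), integer millisecond
# timestamps, no kernel credit quantisation.

def simulate(packet_times_ms, avg_per_sec, burst):
    """Return (accepted, dropped) for packets arriving at the given times (ms)."""
    capacity = burst * 1000          # tokens kept in thousandths to stay exact
    tokens = capacity                # bucket starts full
    last = packet_times_ms[0] if packet_times_ms else 0
    accepted = dropped = 0
    for t in packet_times_ms:
        # refill for the time elapsed since the previous packet, capped at burst
        tokens = min(capacity, tokens + (t - last) * avg_per_sec)
        last = t
        if tokens >= 1000:
            tokens -= 1000
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def browser_refresh(queries=30, spacing_ms=10):
    """Constructed legitimate traffic: one server-browser refresh, a short spike."""
    return [i * spacing_ms for i in range(queries)]


def query_flood(pps=1000, seconds=10):
    """Constructed DoS traffic: a constant flood of query packets."""
    return [i * (1000 // pps) for i in range(pps * seconds)]


def compare(avg_per_sec, burst):
    """Accepted/dropped counts for both traffic patterns under one limit."""
    return {
        "spike": simulate(browser_refresh(), avg_per_sec, burst),
        "flood": simulate(query_flood(), avg_per_sec, burst),
    }


if __name__ == "__main__":
    for rule in ((15, 5), (20, 40)):
        print("avg %d/sec burst %d:" % rule, compare(*rule))
```

With 15/5 the refresh spike loses 21 of 30 queries while 20/40 passes all of them; under the flood both rules accept roughly avg_per_sec times the duration plus the initial burst, so the larger burst costs nothing once the attack is sustained.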