This should do the trick:

iptables -N QUERYLIMIT
iptables -A QUERYLIMIT -m hashlimit --hashlimit-mode dstport --hashlimit-name srcdsquery --hashlimit 20/s --hashlimit-burst 10 -j ACCEPT
iptables -A QUERYLIMIT -j DROP
iptables -N QUERY
iptables -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff54|' -j QUERYLIMIT
iptables -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff55|' -j QUERYLIMIT
iptables -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff56|' -j QUERYLIMIT
iptables -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff57|' -j QUERYLIMIT
iptables -I INPUT 15 -p udp --dport 29000:30000 -j QUERY

On 08/01/2011 11:07, daniel jokiaho wrote:

How do your iptables rules look? Like.... ?
On 8 Jan 2011 03.56, "Marco Padovan" <evolutioncr...@gmail.com> wrote:
>
>
>
> On 08/01/2011 01:01, frostschutz wrote:
>
>> On Fri, Jan 07, 2011 at 11:50:56PM +0100, Marco Padovan wrote:
>>>
>>> I suppose those are all spoofed udp packets as they were the last time I
>>> checked them :(
>>
>> Only you can tell. (We can't look at the packets you're getting:)
>
> Didn't take the time because they were very short spikes... will arrange something in the next days if the thing continues with this frequency...
> The problem is that it will take days to analyze the output of half an hour worth of log :D
>
>
>>
>>> it's difficult to justify these spikes as legit traffic..
>>
>> 10k spikes are not legit, I was thinking more along the lines
>> of randomly getting 40 instead of just 10-20 packets in one
>> particular second. A spike of 40 could be allowed, a spike
>> of 10000 certainly not. ;)
>>
>>> check from 23:21 onward
>>> http://pastebin.com/jUjzyKY6
>>
>> Since the DROP stays at 0 for several minutes that looks fine.
>> If it increased like 1-5 packets every other second that would
>> point to a too low limit.
>>
>> You had 3 unlucky queries between 23:00 and 23:01 (legit spike
>> that got dropped), then again nothing for minutes, and then
>> comes the DoS that gets dropped correctly.
>
> yeah, I'm sorry for those 3... hope they got lucky retrying a second later ;)
>
>> I think that's okay.
>
>
> I hope that too...
>
> thanks for your precious suggestions :)
>
>> Regards
>> frostschutz
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>
>

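An added model of the QUERY -> QUERYLIMIT chains from the rules at the top of this mail (example code, not from the thread or from netfilter), so the 20/s rate and burst of 10 can be checked against constructed packets; the A2S_* names given to the four hex patterns are assumed from the Source query protocol, the thread itself does not name them.

```python
# Added model (not from the thread) of the QUERY -> QUERYLIMIT chains. The four patterns
# come from the --hex-string rules; the A2S_* names are assumed, the thread does not give them.
QUERY_SIGNATURES = {
    b"\xff\xff\xff\xffT": "A2S_INFO",
    b"\xff\xff\xff\xffU": "A2S_PLAYER",
    b"\xff\xff\xff\xffV": "A2S_RULES",
    b"\xff\xff\xff\xffW": "A2S_SERVERQUERY_GETCHALLENGE",
}
PORT_RANGE = range(29000, 30001)   # --dport 29000:30000

class HashLimit:
    """Per-key token bucket approximating -m hashlimit (times in microseconds)."""

    def __init__(self, rate_per_s, burst):
        self.cost = 1_000_000 // rate_per_s   # credit one matching packet consumes
        self.cap = burst * self.cost          # --hashlimit-burst: bucket size
        self.buckets = {}                     # key -> (credit, last_seen)

    def allow(self, key, now_us):
        credit, last = self.buckets.get(key, (self.cap, now_us))
        credit = min(self.cap, credit + (now_us - last))   # refill at the configured rate
        if credit >= self.cost:
            self.buckets[key] = (credit - self.cost, now_us)
            return True
        self.buckets[key] = (credit, now_us)
        return False

def classify(payload):
    # -m string matches the pattern anywhere in the packet, not only at offset 0
    return next((n for sig, n in QUERY_SIGNATURES.items() if sig in payload), None)

def run_query_chain(packets, rate=20, burst=10):
    """packets: (time_us, dst_port, payload); PASS = fell through to the rest of INPUT."""
    limiter = HashLimit(rate, burst)   # --hashlimit-mode dstport: one bucket per port
    verdicts = []
    for t, dport, payload in packets:
        if dport not in PORT_RANGE or classify(payload) is None:
            verdicts.append("PASS")
        else:
            verdicts.append("ACCEPT" if limiter.allow(dport, t) else "DROP")
    return verdicts

def demo():
    """Constructed traffic: 30 A2S_INFO queries at once, 12 more a second later."""
    info = b"\xff\xff\xff\xffTSource Engine Query\x00"
    flood = [(0, 29015, info)] * 30 + [(1_000_000, 29015, info)] * 12
    other = [(0, 29015, b"\x00\x01 game data"), (0, 80, info)]
    return run_query_chain(flood + other)
```

Because the key is the destination port only, a flood and legitimate clients share one bucket per port, which is why a few legitimate queries get dropped during a spike as noted earlier in the thread.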
