My iptables rules as of today: http://pastebin.com/HLucnkcU
Can someone help? How do I protect against that kind of attack?

31.10.2015, 18:03, "Левинчук Федор" <[email protected]>:
> Hi
>
> I caught a DDoS attack
> in Wireshark it looks like this, mass SSDP packets to the server
> http://imgur.com/EMrA7F4
>
> these are the dumps
> https://yadi.sk/d/E0PFxjEuk8vHM (~150mb)
> dump36 < it's ok, no packets other than steam/csgo
> dump37 < DDoS starts, SSDP packets
> dump38 < DDoS continues, all players timed out
> dump39 ...
>
> 07.10.2015, 13:16, "Ryan Bentley" <[email protected]>:
>> Using hashlimit will certainly cause UDP packets to be erroneously dropped.
>> UDP is stateless, however iptables counters this with the hashlimit module
>> to create a hash based on the header of the packet to try and match it to a
>> 'connection' or a sequence of UDP packets. srcds is UDP based, 130/s will
>> probably cause packets to be dropped.
>>
>> On Wed, Oct 7, 2015 at 3:49 AM, Левинчук Федор <[email protected]>
>> wrote:
>>> I'm reading the iptables man page
>>>
>>> hashlimit
>>>
>>> it's a limit like the -limit key but creates a different query for each host
>>> for SRCDS will it limit packets for one connection?
>>>
>>> for ex in
>>>
>>> net_channels
>>> - remote IP: 79.105.25.42:27005
>>> - online: 14:00
>>> - reliable: available
>>> - latency: 0.1, loss 0.00
>>> - packets: in 62.8/s, out 64.5/s
>>> - choke: in 0.52, out 0.00
>>> - flow: in 9.5, out 22.4 kB/s
>>> - total: in 7.7, out 19.8 MB
>>>
>>> NetChannel 'psch':
>>> - remote IP: 94.245.190.164:27005
>>> - online: 07:16
>>> - reliable: available
>>> - latency: 0.1, loss 0.00
>>> - packets: in 128.6/s, out 130.0/s
>>> - choke: in 0.00, out 0.00
>>> - flow: in 20.6, out 43.5 kB/s
>>> - total: in 8.2, out 19.4 MB
>>> my servers have 128 ticks
>>>
>>> and if I make
>>>
>>> IPTABLES -A INPUT -p udp --dport 27015:27540 -m state --state NEW -m
>>> hashlimit --hashlimit-mode srcip --hashlimit-upto 130/s -j ACCEPT
>>> IPTABLES -A INPUT -p udp --dport 27015:27540 -j DROP
>>>
>>> will it pass normal players' connections and drop if there are more than 130
>>> packets per second for each? or am I mistaken?
>>>
>>> 06.10.2015, 09:34, "Calvin J" <[email protected]>:
>>>> :\
>>>>
>>>> sv_max_queries_sec 15
>>>>
>>>> On 10/5/2015 7:26 PM, Левинчук Федор wrote:
>>>>> ok thx, I'll bring it to default
>>>>> description of this cvar is not clear
>>>>> I tested with sv_max_queries_sec "2.0", at the console saw lines of
>>>>> limitations for my HLSW queries, thought it was some kind of protection, and
>>>>> that a lower cvar is better
>>>>>
>>>>> Now I'm thinking maybe there are commands that increase IO operations?
>>>>> like it was with "sound_test" ?
>>>>
>>>> --
>>>> Calvin Judy
>>>> Founder & CEO
>>>> PH#: (843) 410-8486
>>>> Mail: [email protected]
>>>>
>>>> _______________________________________________
>>>> Csgo_servers mailing list
>>>> [email protected]
>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
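
Added example (not part of the thread and not any poster's configuration): a simplified Python model of a per-source token bucket, the mechanism behind `--hashlimit-mode srcip --hashlimit-upto 130/s`, run over constructed arrival times at the 128.6 packets/s rate shown in the quoted net_channels output. The class and function names, the 10-packet batching and the 5000 packets/s flood are assumptions for illustration; the burst of 5 is the hashlimit default.

```python
class HashLimit:
    """Simplified per-source token bucket (assumed model, not xt_hashlimit's code)."""

    def __init__(self, rate_per_s=130.0, burst=5):
        self.rate = rate_per_s
        self.burst = float(burst)
        self.state = {}  # source address -> (tokens, timestamp of last packet)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst, ts))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        ok = tokens >= 1.0
        self.state[src] = (tokens - 1.0 if ok else tokens, ts)
        return ok


def steady(pps, seconds):
    """Constructed arrivals: perfectly even spacing at `pps` packets/s."""
    return [i / pps for i in range(round(pps * seconds))]


def batched(pps, seconds, batch):
    """Constructed arrivals: same average rate, delivered `batch` packets at a time."""
    return [(i // batch) * (batch / pps) for i in range(round(pps * seconds))]


def run(src, arrivals, limiter=None):
    """Return (passed, dropped) for one source's arrival times."""
    limiter = limiter or HashLimit()
    passed = sum(limiter.allow(src, t) for t in arrivals)
    return passed, len(arrivals) - passed


if __name__ == "__main__":
    # 128-tick player, evenly spaced: fits under 130/s.
    print("steady 128.6/s :", run("player", steady(128.6, 10)))
    # Same player, packets arriving in groups of 10 (jitter): burst of 5 is exceeded.
    print("batched 128.6/s:", run("player", batched(128.6, 10, 10)))
    # One flooding source: capped near 130/s regardless of send rate.
    print("flood 5000/s   :", run("flood", steady(5000, 10)))
```

The model applies the limit to every packet and ignores the `-m state --state NEW` match in the quoted rule; a real hashlimit rule also requires `--hashlimit-name`.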
