Um... I'm going out on a limb here that no one has read the other topics
that have discussed this. Since it has yet to be posted here... has anyone
tried what Tony suggested by limiting the number of queries via iptables and
then logging the blocked IPs? This rule was made by Tony; as simple as it is,
I would still like to give him credit as I didn't think of it.

-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode dstip,dstport --hashlimit-name a2sspam -j ACCEPT
-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP

But yeah... Not sure if this did it or not but I haven't been "lagged out"
since. If this is something completely different, I'm sorry.
Kyle.
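Added example, not code from the thread or from Tony's rule: a Python model of the hashlimit rule above so its behaviour can be checked offline. As posted, the rule hashes on dstip,dstport, i.e. one shared 15/sec budget for the whole server port, so a flood exhausts it for legitimate clients too; keying the bucket on the source address (hashlimit-mode srcip) throttles only the flooder and yields the addresses to log, which the simulation below shows. The addresses, timings and the 15/sec, burst 30 figures are constructed or taken from the rule.

```python
from collections import defaultdict

# Constructed constants. An A2S_INFO query is the 0xFFFFFFFF header, 'T' and
# "Source Engine Query\0": 25 bytes of payload, which with 20 bytes of IPv4 and
# 8 bytes of UDP header is the 53-byte datagram "-m length --length 53" matches.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"
IPV4_UDP_HEADERS = 20 + 8

def is_a2s_info(payload):
    """Require both signatures used in the thread: the string and length 53."""
    return b"TSource Engine Query" in payload and len(payload) + IPV4_UDP_HEADERS == 53

class HashLimit:
    """Token-bucket model of -m hashlimit --hashlimit R/sec --hashlimit-burst B."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, now)
        return ok

class A2SInfoFilter:
    """per_source=False keys the bucket on the server port, like the posted
    --hashlimit-mode dstip,dstport (one budget shared by every client);
    per_source=True keys on the client address so only the flooder is cut."""
    def __init__(self, rate=15, burst=30, per_source=True):
        self.limit, self.per_source = HashLimit(rate, burst), per_source
        self.dropped = defaultdict(int)     # src ip -> dropped queries (the log)
    def handle(self, src_ip, dst_port, payload, now):
        if not is_a2s_info(payload):
            return "PASS"                   # not a query: neither rule matches
        key = src_ip if self.per_source else dst_port
        if self.limit.allow(key, now):
            return "ACCEPT"
        self.dropped[src_ip] += 1
        return "DROP"

def simulate(per_source):
    """Constructed traffic: 198.51.100.7 sends 1000 queries in one second and
    192.0.2.10 one query at t=0.5s. Returns verdict counts and the drop log."""
    f = A2SInfoFilter(per_source=per_source)
    events = [("198.51.100.7", i / 1000) for i in range(1000)]
    events.insert(501, ("192.0.2.10", 0.5))  # right after the t=0.5 flood packet
    verdicts = defaultdict(int)
    for src, t in events:
        verdicts[(src, f.handle(src, 27015, A2S_INFO_QUERY, t))] += 1
    return dict(verdicts), dict(f.dropped)
```

With the shared (dstip,dstport) key the legitimate client's single query is dropped during the flood; with a per-source key it is accepted and only the flooding address appears in the drop log.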

On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins <[email protected]> wrote:

> I have an open request on a fix for this problem. I'm willing to completely
> pay for a programmer's time and I'm willing to bet other people would also
> chip in on this. Anyone willing to work this, let me know.
>
> http://forums.alliedmods.net/showthread.php?t=102779
>
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Shizzle Nizzle
> Sent: Saturday, September 05, 2009 11:00 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> From what I know, IPsec does nothing to what iptables is capable of doing, so
> that's out of the picture completely. The sudpipe UDP proxy program requires,
> I suppose, a background knowledge of C; I only know PHP/SQL myself :) I see
> plenty of bright people around here that have solutions for Linux lol :)
> Wrong mailing list :P Maybe some for Windows? :)
>
> Anyways, I'm ready to put down $65 to any plugin/program for Windows that
> manages these UDP floods specifically for Source servers. I think a few
> others said they would be willing to put money in the pot too.
>
> On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins <[email protected]> wrote:
>
> > Anyone know of any hardware solutions to this problem?
> >
> > ClanAO.com
> >
> > On Sep 5, 2009, at 8:09 PM, Kaspars <[email protected]> wrote:
> >
> > > Actually I got inspired by the word "daemon" and I realized that the
> > > key to the problem is a daemon... a proxy daemon... a caching proxy
> > > daemon :) I didn't have much time to check the incoming packet
> > > pattern, however I'm not sure that they all were 53 bytes long;
> > > actually the number was something like 33 that showed up a LOT of
> > > times in iptables logs (but I might be wrong... and I'm sure the fault
> > > lies in drinking too much beer). Nevertheless I went for the 100% match
> > > with the -m string and it works really well. I'm having about 300r/s
> > > and I don't see any CPU usage with this method. Anyways, you are free
> > > to modify the source or iptables filter command :)
> > >
> > > 2009/9/6 Nephyrin Zey <[email protected]>
> > >
> > >> As an alternative to using -m string, you can just filter length 53
> > >> packets - no packets aside from the query packet end up being that
> > >> length. Not super elegant, but a lot less overhead.
> > >>
> > >> And, as I said, my daemon works differently and could be used to
> > >> easily start thousands of fake servers on a single box, which would
> > >> screw more things over than it would help.
> > >>
> > >> - Neph
> > >>
> > >> On 09/05/2009 05:20 PM, Kaspars wrote:
> > >>> God dammit... this is really fucked up... sorry for my language, I
> > >>> just got too many beers today...
> > >>> Anyways, I just wanted to give something to the community as Neph
> > >>> is not willing to do it. This will fix the ddos attack for *nix;
> > >>> however, if you are using it, I'm not giving any warranty :)
> > >>>
> > >>> Here goes:
> > >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> > >>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP YOUR_SERVER_PORT
> > >>> 21015 is some random port for the udp proxy :) it must be opened in
> > >>> the firewall
> > >>>
> > >>> then some iptables magic:
> > >>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j REDIRECT --to-port 21015
> > >>>
> > >>> that's about it...
> > >>>
> > >>> 2009/9/6 Nephyrin Zey <[email protected]>
> > >>>
> > >>>
> > >>>> The problem with my solution is the daemon would be really really
> > >>>> abusive in the wrong hands. We don't need someone using it to easily
> > >>>> start 100 fake servers at 255/255 slots and polluting the server
> > >>>> list. It's not some super complex feat, but releasing an easy
> > >>>> compiled prepackaged version is just asking for it - and the real
> > >>>> solution needs to be Valve. Plus, it's not very easy to configure and
> > >>>> I'm not even sure Windows IPsec is capable of that level of packet
> > >>>> interception.
> > >>>>
> > >>>> Something on the lines of Tony's plugin would be a much better
> > >>>> solution, but you'll have to hound him about that.
> > >>>>
> > >>>> - Neph
> > >>>>
> > >>>> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> > >>>>
> > >>>>> I don't think either you or Neph have released your plugins to the
> > >>>>> public, so this solution works great for you guys. Maybe we can
> > >>>>> have some info or direction from you so the general public can do
> > >>>>> something about this?
> > >>>>>
> > >>>>> As long as they get away with this it's going to keep happening. If
> > >>>>> a plugin was available to stop this, it is no longer "fun" or
> > >>>>> productive to DOS servers anymore.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
