Oh I'm sorry, I didn't realize this was the Win32 mailing list.

I'll make my mail sorting rules more specific, sorry guys >.<
Kyle.

On Sat, Sep 5, 2009 at 11:45 PM, Shizzle Nizzle <[email protected]> wrote:

> this is windows, iptables is nonexistent. i know people have suggested plenty
> of linux solutions for this problem in different ways to solve it :) but i
> don't think something that easy exists for windows. ipsec doesn't do anything
> like that nor does any normal software firewall for windows, seems the only
> thing that could help is a UDP proxy but requires c programming.
>
> On Sun, Sep 6, 2009 at 1:29 AM, Kyle Sanderson <[email protected]> wrote:
>
> > Um... I'm going out on a limb here that no one has read the other topics
> > that have discussed this. Since it has yet to be posted here... has anyone
> > tried what Tony suggested by limiting the amount of queries via iptables
> > then logging the blocked ips? This rule was made by Tony, as simple as it is
> > I would still like to give him credit as I didn't think of it.
> >
> > -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode dstip,dstport --hashlimit-name a2sspam -j ACCEPT
> > -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP
> >
> > But yeah... Not sure if this did it or not but I haven't been "lagged out"
> > since. If this is something completely different, I'm sorry.
> > Kyle.
> >
> > On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins <[email protected]> wrote:
> >
> > > I have an open request on a fix for this problem. I'm willing to
> > > completely pay for a programmer's time and I'm willing to bet other
> > > people would also chip in on this. Anyone willing to work this let me know
> > >
> > > http://forums.alliedmods.net/showthread.php?t=102779
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Shizzle Nizzle
> > > Sent: Saturday, September 05, 2009 11:00 PM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > >
> > > from what i know ipsec does nothing to what iptables is capable of doing
> > > so that's out of the picture completely. the sudpipe udp proxy program
> > > requires i suppose a background knowledge of C, only know php/sql myself
> > > :) i see plenty of bright people around here that have solutions for
> > > linux lol :) wrong mailing list :P maybe some for windows? :)
> > >
> > > anyways im ready to put down $65 to any plugin/program for windows that
> > > manages these UDP floods specifically for source servers. i think a few
> > > others said they would be willing to put money in the pot too.
> > >
> > > On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins <[email protected]> wrote:
> > >
> > > > Anyone know of any hardware solutions to this problem?
> > > >
> > > > ClanAO.com
> > > >
> > > > On Sep 5, 2009, at 8:09 PM, Kaspars <[email protected]> wrote:
> > > >
> > > > > Actually I got inspired by the word "daemon" and I realized that the
> > > > > key to the problem is a daemon... a proxy daemon... a caching proxy
> > > > > daemon :) I didn't have much time to check the incoming packet
> > > > > pattern, however I'm not sure that they all were 53 bytes long,
> > > > > actually the number was something like 33 that showed up a LOT of
> > > > > times in iptables logs (but I might be wrong... and I'm sure the
> > > > > fault lies in drinking too much beer).
> > > > > Nevertheless I went for the 100% match with the -m string and it
> > > > > works really good. I'm having about 300r/s and I don't see any CPU
> > > > > usage with this method. Anyways you are free to modify the source or
> > > > > iptables filter command :)
> > > > >
> > > > > 2009/9/6 Nephyrin Zey <[email protected]>
> > > > >
> > > > > >> As an alternative to using -m string, you can just filter length 53
> > > > > >> packets - no packets aside from the query packet end up being that
> > > > > >> length. Not super elegant, but a lot less overhead.
> > > > > >>
> > > > > >> And, as I said, my daemon works differently and could be used to
> > > > > >> easily start thousands of fake servers on a single box, which would
> > > > > >> screw more things over than it would help.
> > > > >>
> > > > >> - Neph
> > > > >>
> > > > >> On 09/05/2009 05:20 PM, Kaspars wrote:
> > > > > >>> God dammit... this is really fucked up... sorry for my language, I
> > > > > >>> just got too many beers today...
> > > > > >>> Anyways, I just wanted to give something to the community as Neph
> > > > > >>> is not willing to do it. This will fix the ddos attack for *nix
> > > > > >>> however if you are using it, I'm not giving any warranty :)
> > > > >>>
> > > > >>> Here goes:
> > > > > >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> > > > > >>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP YOUR_SERVER_PORT
> > > > > >>> 21015 is some random port for the udp proxy :) it must be opened in firewall
> > > > > >>>
> > > > > >>> then some iptables magic:
> > > > > >>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j REDIRECT --to-port 21015
> > > > >>>
> > > > >>> thats about it...
> > > > >>>
> > > > >>> 2009/9/6 Nephyrin Zey<[email protected]>
> > > > >>>
> > > > >>>
> > > > > >>>> The problem with my solution is the daemon would be really really
> > > > > >>>> abusive in the wrong hands. We don't need someone using it to
> > > > > >>>> easily start 100 fake servers at 255/255 slots and polluting the
> > > > > >>>> server list.
> > > > > >>>> It's not some super complex feat, but releasing an easy compiled
> > > > > >>>> prepackaged version is just asking for it - and the real solution
> > > > > >>>> needs to be valve. Plus, it's not very easy to configure and I'm
> > > > > >>>> not even sure windows ipsec is capable of that level of packet
> > > > > >>>> interception.
> > > > > >>>>
> > > > > >>>> Something on the lines of tony's plugin would be a much better
> > > > > >>>> solution, but you'll have to hound him about that
> > > > >>>>
> > > > >>>> - Neph
> > > > >>>>
> > > > >>>> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> > > > >>>>
> > > > > >>>>> I don't think either you or Neph have released your plugins to
> > > > > >>>>> the public so this solution works great for you guys. Maybe we
> > > > > >>>>> can have some into or direction from you so the general public
> > > > > >>>>> can do something about this?
> > > > > >>>>>
> > > > > >>>>> As long as they get away with this it's going to keep happening
> > > > > >>>>> if a plugin was available to stop this it is not long "fun" or
> > > > > >>>>> productive to DOS servers anymore.
> > > > >>>>>
> > > > >>>>>
> > > > >>>>
> > > > >>>> _______________________________________________
> > > > >>>> To unsubscribe, edit your list preferences, or view the list
> > > > >>>> archives,
> > > > >>>> please visit:
> > > > >>>> http://list.valvesoftware.com/mailman/listinfo/hlds
> > > > >>>>
> > > > >>>>
> > > > >>> _______________________________________________
> > > > >>> To unsubscribe, edit your list preferences, or view the list
> > > > >>> archives,
> > > > >> please visit:
> > > > >>> http://list.valvesoftware.com/mailman/listinfo/hlds
> > > > >>>
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> To unsubscribe, edit your list preferences, or view the list
> > > > >> archives,
> > > > >> please visit:
> > > > >> http://list.valvesoftware.com/mailman/listinfo/hlds
> > > > >>
> > > > > _______________________________________________
> > > > > To unsubscribe, edit your list preferences, or view the list
> > > > > archives, please visit:
> > > > > http://list.valvesoftware.com/mailman/listinfo/hlds
> > > >
> > > >
> > > > _______________________________________________
> > > > To unsubscribe, edit your list preferences, or view the list
> archives,
> > > > please visit:
> > > > http://list.valvesoftware.com/mailman/listinfo/hlds
> > > >
> > > _______________________________________________
> > > To unsubscribe, edit your list preferences, or view the list archives,
> > > please visit:
> > > http://list.valvesoftware.com/mailman/listinfo/hlds
> > >
> > >
> > >
> > > _______________________________________________
> > > To unsubscribe, edit your list preferences, or view the list archives,
> > > please visit:
> > > http://list.valvesoftware.com/mailman/listinfo/hlds
> > >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds
> >
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds
>
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
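
For readers without iptables, the filtering logic the quoted rules describe can be sketched in userspace C; this is an added example, not code from the thread and not the `test.c` proxy linked above. It shows why the length match is 53 (a 25-byte A2S_INFO payload plus UDP and IPv4 headers) and approximates `--hashlimit 15/sec --hashlimit-burst 30` with a simplified token bucket. Assumptions: IPv4 header without options, one shared bucket per server, and all function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A2S_INFO request payload: FF FF FF FF 'T' "Source Engine Query" NUL = 25 bytes.
 * 25 + 8 (UDP header) + 20 (IPv4 header, no options assumed) = 53. */
static const unsigned char A2S_INFO_REQ[] = "\xFF\xFF\xFF\xFF" "TSource Engine Query";

int is_a2s_info(const unsigned char *p, size_t len) {
    return len == sizeof(A2S_INFO_REQ) && memcmp(p, A2S_INFO_REQ, len) == 0;
}

typedef struct {             /* one shared bucket, like --hashlimit-mode dstip,dstport */
    uint32_t rate_per_sec;   /* --hashlimit 15/sec */
    uint32_t burst;          /* --hashlimit-burst 30 */
    uint64_t milli_tokens;   /* 1000 milli-tokens = one query */
    uint64_t last_ms;
} bucket_t;

void bucket_init(bucket_t *b, uint32_t rate, uint32_t burst, uint64_t now_ms) {
    b->rate_per_sec = rate; b->burst = burst;
    b->milli_tokens = (uint64_t)burst * 1000; b->last_ms = now_ms;
}

/* Returns 1 to forward the datagram, 0 to drop it. */
int filter_packet(bucket_t *b, const unsigned char *p, size_t len, uint64_t now_ms) {
    uint64_t cap = (uint64_t)b->burst * 1000;
    if (!is_a2s_info(p, len)) return 1;          /* game traffic is never limited */
    if (now_ms > b->last_ms) {                   /* refill: rate milli-tokens per ms */
        b->milli_tokens += (now_ms - b->last_ms) * b->rate_per_sec;
        if (b->milli_tokens > cap) b->milli_tokens = cap;
        b->last_ms = now_ms;
    }
    if (b->milli_tokens < 1000) return 0;
    b->milli_tokens -= 1000;
    return 1;
}

/* Constructed input: n identical queries spaced interval_ms apart. */
int simulate_flood(int n, uint64_t interval_ms) {
    bucket_t b; int passed = 0;
    bucket_init(&b, 15, 30, 0);
    for (int i = 0; i < n; i++)
        passed += filter_packet(&b, A2S_INFO_REQ, sizeof(A2S_INFO_REQ), (uint64_t)i * interval_ms);
    return passed;
}
int main(void) {
    printf("1000 queries in 1 s: %d forwarded\n", simulate_flood(1000, 1));
}
```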
