I think this is more easily handled on Linux than win32.  In fact, you may want
to look at this site:
http://www.netfilter.org/

At least, from what I've seen so far.  2 out of the 3 mirrors we have
running right now have a dynamic anti-DoS filter.  This means that they're
automatically adding blocks for sp00fed packets.  One mirror added this
after the first attack.  The other, already had these measures in place.

The SYN attacks typically come in blocks at a time.  See an example log
here:
http://grc.com/dos/drdos.htm

Ours was very similar.  Once one packet was detected as a SYN packet, the
filter would block the entire group and I think maybe an entire range.  What
this does is eliminate any response (ack) attempts by the server (that
webpage has some good illustrations on what is happening), therefore
eliminating resources used on the server.  To the SYN attacker, it would
appear that the IP was taken offline.

So far, it's been working like a charm.  In fact, the firewall guys at the
mirror sites are now laughing at the attack as their firewall is effectively
blocking it.  Well, at least until the attacker attempts a different attack,
which will be difficult for them to do across multiple mirrors and
especially across multiple countries, where the lag that bandwidth speed adds
to the connection effectively kills the SYN packets on its own.

I suppose Valve could build into HLDS something similar, but it's still
something better handled on the server side, IMO anyway.

Oh, and regarding flooding the router first, if this happens, it'll be up to
your upstream provider to implement this anti-SYN type of filtering.  I
believe some firewall routers have this built-in now, like this one from
NetGear:

http://www.netgear.com/products/prod_details.asp?prodID=155
HoundDawg

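As an added illustration of the dynamic filter described above (example code, not from the original thread, from netfilter or from any of the mirrors), here is a small detector that reads netfilter LOG-style lines, counts SYNs per /24 in a sliding window, and decides which ranges to drop. The log lines, the /24 grouping, the 5-SYNs-in-10-seconds threshold and the year used for the timestamps are all assumptions; the iptables rules are rendered as strings, not applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in netfilter LOG-target style (not a real capture): a SYN burst from one /24, a lone SYN elsewhere, one non-SYN packet.
SAMPLE_LOG = """\
Jan 23 23:40:01 mirror kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=203.0.113.5 PROTO=TCP SPT=1025 DPT=80 SYN URGP=0
Jan 23 23:40:01 mirror kernel: IN=eth0 OUT= SRC=198.51.100.18 DST=203.0.113.5 PROTO=TCP SPT=1026 DPT=80 SYN URGP=0
Jan 23 23:40:02 mirror kernel: IN=eth0 OUT= SRC=198.51.100.19 DST=203.0.113.5 PROTO=TCP SPT=1027 DPT=80 SYN URGP=0
Jan 23 23:40:02 mirror kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jan 23 23:40:03 mirror kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=1028 DPT=80 SYN URGP=0
Jan 23 23:40:03 mirror kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP SPT=1029 DPT=80 ACK URGP=0
Jan 23 23:40:04 mirror kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 PROTO=TCP SPT=1030 DPT=80 SYN URGP=0
Jan 23 23:40:30 mirror kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=1031 DPT=80 SYN URGP=0
"""
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?\bSYN\b")

def parse_line(line, year=2003):
    """Return (timestamp, source address) for a TCP SYN log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, ip_address(m.group("src"))

def syn_burst_blocks(lines, threshold=5, window_s=10, prefix=24):
    """Map each /prefix range sending >= threshold SYNs inside any window_s-second
    window to the time the burst was detected (the 'block the whole range' idea)."""
    recent = defaultdict(deque)   # range -> timestamps of recent SYNs
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # not a TCP SYN line; ignore it
            continue
        ts, src = parsed
        net = ip_network(f"{src}/{prefix}", strict=False)
        if net in blocked:        # already decided; nothing more to count
            continue
        q = recent[net]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            blocked[net] = ts
    return blocked

def drop_rules(blocked):
    """One DROP rule per range; DROP answers nothing, so no SYN-ACK is ever sent."""
    return [f"iptables -I INPUT -s {net} -p tcp --syn -j DROP" for net in sorted(blocked, key=str)]
```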

----- Original Message -----
From: "Florian Zschocke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 11:43 PM
Subject: Re: [hlds_apps] preventing DDoS (was: hlds_apps digest, Vol 1
#138 - 3 msgs)


> HoundDawg wrote:
>
> > In any event, I think
> > that the server or the firewall should already be configured for anti-dDoS
> > attacks rather than having every software, including HLDS, handle it
> > themselves.  Why add the fat?
>
> I don't see how this should work. The DDoS attack (we were talking
> about) will flood your connection. The router will already be
> choking, what good is it to have the server configured with
> anti-DDoS measures?
>
> Florian.
>
> --
> Want to produce professional emails and Usenet postings?
> http://www.netmeister.org/news/learn2quote.html
>
> _______________________________________________
> hlds_apps mailing list
> [EMAIL PROTECTED]
> http://list.valvesoftware.com/mailman/listinfo/hlds_apps
>
>
