You did not understand.  I only wanted to limit the packets that match the
DOS attack.  Only the DOS attacks that match the Query string and length
would be rate limited.  I think.  But maybe you are saying the server
browser uses the same string and length?  At least the server will not lag
for the players that find the server.

} -----Original Message-----
} From: [email protected] [mailto:hlds_linux-
} [email protected]] On Behalf Of Kaspars
} Sent: Sunday, September 06, 2009 11:58 AM
} To: Half-Life dedicated Linux server mailing list
} Subject: Re: [hlds_linux] A2S_INFO DDOS fix
} 
} As I said before, you could just set sv_max_queries_sec to a very small
} number, but that would lead to the server not showing up in the server browser
} list. The same goes for the limiting - it will just drop out of the list and
} that's why there is a proxy which takes off the load from the game server.
} 
} I can confirm what Ronny Schedel said that iptables does sometimes redirect
} wrong packets to the proxy, I'm investigating this now...
} 
} 2009/9/6 Guy Watkins <[email protected]>
} 
} > Could you use the firewall to rate limit using "-m limit --limit 1/s
} > --limit-burst 10" or similar?
} >
} > Maybe something like this?
} > iptables -t nat -A PREROUTING -p udp -d SERVER_IP --dport SERVER_PORT \
} >   -m string --algo kmp --string 'TSource Engine Query' -m length --length 53 \
} >   -m limit --limit 1/s --limit-burst 10 -j REDIRECT --to-port 21015
} >
} > Maybe won't even need the proxy if the firewall is limiting the DOS
} > packets?
} >
} > I have not tried the above.
} >
} > } -----Original Message-----
} > } From: [email protected] [mailto:hlds_linux-
} > } [email protected]] On Behalf Of Kaspars
} > } Sent: Sunday, September 06, 2009 9:43 AM
} > } To: Half-Life dedicated Linux server mailing list
} > } Subject: Re: [hlds_linux] A2S_INFO DDOS fix
} > }
} > } firewall rule could be adjusted to this:
} > } iptables -t nat -A PREROUTING -p udp -d SERVER_IP --dport SERVER_PORT \
} > }   -m string --algo kmp --string 'TSource Engine Query' -m length --length 53 \
} > }   -j REDIRECT --to-port 21015
} > }
} > } As for the rate limit... I don't think this is a good idea, because
} > } setting such a limit will make the server disappear from the browser list
} > } for legit clients. And if you have a good connection, you probably will
} > } not notice the traffic increase anyway.
} > }
} > }
} > } 2009/9/6 Ronny Schedel <[email protected]>
} > }
} > } >
} > } > I forgot an important part, your query proxy still has no rate
} > } > limit. It can be used to flood spoofed IPs.
} > } >
} > } >
} > } > > Hi,
} > } > >
} > } > > If you are on the hlds windows mailing list, then you probably
} > } > > already know about A2S_INFO DDOS attacks. I have mistakenly posted a
} > } > > *fix* on the list for *nix servers which I should have posted here.
} > } > >
} > } > > In short:
} > } > > If your server gets ddosed with A2S_INFO packets, it will get really
} > } > > laggy. Setting sv_max_queries_sec to a low value will make the server
} > } > > disappear from the server browser list. I'm providing you with a UDP
} > } > > Caching Proxy which will query the server with A2S_INFO requests not
} > } > > more than once in five seconds and respond to the client with the
} > } > > cached data.
} > } > >
} > } > > Setup:
} > } > > 1. Get the source from http://www.gign.lv/tmp/querycache.c
} > } > > 2. Compile with gcc querycache.c -o querycache
} > } > > 3. Open a UDP port in the firewall for the proxy server, let's say 21015
} > } > > 4. Make sure you have iptables NAT, REDIRECT and string match support
} > } > >    compiled into the kernel or as modules
} > } > > 5. execute: iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP \
} > } > >      --dport YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' \
} > } > >      -j REDIRECT --to-port 21015
} > } > > 6. Run querycache (probably under screen, so you can detach from it)
} > } > >
} > } > > I've been ddosed with about 300req/sec and it works well, however I
} > } > > don't give any warranty that it will work for you.
} > } > > _______________________________________________
} > } > > To unsubscribe, edit your list preferences, or view the list
} > archives,
} > } > > please visit:
} > } > > http://list.valvesoftware.com/mailman/listinfo/hlds_linux



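As an added example that is not part of this thread and not Kaspars's querycache.c: the core of such an A2S_INFO caching proxy in Python, with the per-source rate limit Ronny Schedel pointed out the posted proxy lacks. It is meant to sit behind the `-j REDIRECT --to-port 21015` rule, so it sees the original client addresses. The refill rate and burst size, the sample response bytes, the example addresses and the helper names (`QueryCache`, `serve`, `simulate`) are assumptions, not taken from the thread.

```python
# Added example (not the thread's querycache.c): A2S_INFO caching proxy core
# with a per-source token bucket. Assumed values: 1 token/s refill, burst 10.
import socket
import time
from collections import defaultdict

# A2S_INFO request as Source clients sent it in 2009: 0xFFFFFFFF header, 'T',
# "Source Engine Query" NUL-terminated = 25 bytes. With a 20-byte IPv4 header and
# 8-byte UDP header that is the 53 bytes matched by "-m length --length 53".
A2S_INFO_REQUEST = b"\xFF\xFF\xFF\xFFTSource Engine Query\x00"

CACHE_TTL = 5.0     # seconds: ask the real server at most once per five seconds
RATE_PER_SEC = 1.0  # assumed token-bucket refill per source address
BURST = 10          # assumed bucket size per source (like --limit-burst 10 above)


class QueryCache:
    """Answers A2S_INFO from a cache; anything else is dropped, never forwarded."""

    def __init__(self, upstream, now=time.monotonic):
        self.upstream = upstream      # callable(request) -> response bytes or None
        self.now = now                # injectable clock so behaviour can be simulated
        self.cached = None
        self.cached_at = float("-inf")
        self.buckets = {}             # src_ip -> (tokens, last_seen)
        self.stats = defaultdict(int)

    def _allow(self, src_ip):
        t = self.now()
        tokens, last = self.buckets.get(src_ip, (float(BURST), t))
        tokens = min(float(BURST), tokens + (t - last) * RATE_PER_SEC)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[src_ip] = (tokens, t)
        return allowed

    def handle(self, src_ip, data):
        """Return the bytes to send back to src_ip, or None to drop silently."""
        if data != A2S_INFO_REQUEST:
            self.stats["not_a2s_info"] += 1   # the firewall rule should only send us this
            return None
        if not self._allow(src_ip):
            self.stats["rate_limited"] += 1   # caps what a spoofed victim address receives
            return None
        t = self.now()
        if t - self.cached_at >= CACHE_TTL:
            self.cached = self.upstream(A2S_INFO_REQUEST)  # a timeout (None) is cached too
            self.cached_at = t
            self.stats["upstream_queries"] += 1
        else:
            self.stats["cache_hits"] += 1
        return self.cached


def serve(listen_port, server_ip, server_port):
    """Bind the REDIRECT target port and answer clients from the cache (runs forever)."""
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(1.0)

    def upstream(req):
        up.sendto(req, (server_ip, server_port))
        try:
            return up.recv(1400)
        except socket.timeout:
            return None

    qc = QueryCache(upstream)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    while True:
        data, addr = sock.recvfrom(1400)
        reply = qc.handle(addr[0], data)
        if reply:
            sock.sendto(reply, addr)


# Constructed sample reply (not captured from a real server): 0xFFFFFFFF 'I',
# protocol byte, then NUL-terminated name, map, folder and game strings.
SAMPLE_RESPONSE = b"\xFF\xFF\xFF\xFFI\x11Example Server\x00cp_dustbowl\x00tf\x00Team Fortress\x00"


def simulate():
    """Replay a 300 req/s flood from one address for two seconds, then legit queries."""
    clock = [0.0]
    upstream_calls = []

    def fake_upstream(req):
        upstream_calls.append(clock[0])
        return SAMPLE_RESPONSE

    qc = QueryCache(fake_upstream, now=lambda: clock[0])
    answered = 0
    for i in range(600):                       # 600 packets over t in [0, 2)
        clock[0] = i / 300.0
        if qc.handle("203.0.113.5", A2S_INFO_REQUEST) is not None:
            answered += 1
    clock[0] = 2.0
    legit1 = qc.handle("198.51.100.7", A2S_INFO_REQUEST)   # served from cache
    clock[0] = 6.0
    legit2 = qc.handle("198.51.100.7", A2S_INFO_REQUEST)   # cache expired: one more upstream query
    junk = qc.handle("198.51.100.7", A2S_INFO_REQUEST + b"extra")  # wrong length: dropped
    return {"flood_answered": answered, "upstream_queries": len(upstream_calls),
            "legit1": legit1, "legit2": legit2, "junk": junk, "stats": dict(qc.stats)}


if __name__ == "__main__":
    print(simulate())
```

Running the file prints the simulation: the flooding address gets its burst of 10 plus one refilled token answered out of 600 packets, the real server is queried twice in total, and the legitimate address is answered both times. For real use call `serve(21015, "SERVER_IP", 27015)` behind the REDIRECT rule; replies sent from port 21015 are mapped back to the game port by the conntrack entry the REDIRECT created. Two caveats a practitioner should keep in mind: every spoofed source in a flood also creates a conntrack entry, so watch nf_conntrack_max on the host, and the `-m limit ... -j REDIRECT` variant quoted above only redirects the packets within the limit, so the excess does not get dropped but continues to the game port. The exact-length check reflects the 2009-era request; later Source builds append a 4-byte challenge to A2S_INFO, so the 25/53-byte values would need updating there.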