Chain QUERYLIMIT (4 references)
 pkts bytes target     prot opt in     out     source               destination
 1809 90905 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 20/sec burst 5
  110  4974 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


As suspected, that appears to keep a single bucket and allow 20/sec on the whole server... not on every single port :(

On 06/01/2011 14:28, frostschutz wrote:
On Thu, Jan 06, 2011 at 01:58:13PM +0100, frostschutz wrote:
Can you post an (excerpt) of the rules you're using?
Noticed this was posted earlier.

Note: This is _untested_, it's been a while since I used iptables.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Rate limit chain: -m limit keeps one token bucket for everything that
# reaches this chain, so the 20/s applies to the server as a whole.
$IPTABLES -N QUERYLIMIT
$IPTABLES -A QUERYLIMIT -m limit --limit 20/s -j ACCEPT
$IPTABLES -A QUERYLIMIT -j DROP

# Query chain: UDP packets carrying ffffffff followed by 0x54..0x57 go to
# the rate limit chain (the pattern is searched anywhere in the packet).
$IPTABLES -N QUERY
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff54|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff55|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff56|' -j QUERYLIMIT
$IPTABLES -A QUERY -p udp -m udp -m string --algo bm --hex-string '|ffffffff57|' -j QUERYLIMIT

# Only UDP traffic to the affected port range goes through the QUERY chain.
$IPTABLES -A INPUT -p udp --dport 20000:30000 -j QUERY

Something like this should be sufficient to match and limit an entire port 
range.

Packets outside the port range traverse 1 rule,
Packets inside the port range traverse 5 rules,
Packets that actually match traverse 3-6 rules
and fall under a global 20 per second limit.
(maybe limit per client if it's DoS but not DDoS)

Depending on which of these 54 55 56 57 is the most frequent occurrence,
they could be reordered too. If there are lots of packets that don't
start with ffffffff, that could be matched first to further reduce
the number of rules that packets that won't match have to traverse.

However you really should use port ranges that have affected traffic
exclusively, no point in forcing other stuff through all that.

Just throwing ideas around
frostschutz

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
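The per-port variant of the ruleset above, as an added example that is not part of the original thread. The counters in the first post show that -m limit keeps one token bucket for everything entering QUERYLIMIT; xt_hashlimit keys a separate bucket per destination port (or per client and port) and otherwise keeps the same QUERY/QUERYLIMIT layout. The iptables path, the 27015:27030 port range, the bucket key and the --from/--to payload offsets are assumptions made for this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): same QUERY/QUERYLIMIT
# structure, but one token bucket per destination port via xt_hashlimit
# instead of the single global bucket that -m limit keeps.
# Assumptions (not from the page): iptables path, port range and bucket
# key; all can be overridden through the environment.
set -e

IPTABLES="${IPTABLES:-/sbin/iptables}"
QUERY_PORTS="${QUERY_PORTS:-27015:27030}"   # assumed range of game server ports
HL_MODE="${HL_MODE:-dstport}"               # dstport = one bucket per server port;
                                            # srcip,dstport = one per client per port
HL_RATE="${HL_RATE:-20/sec}"
HL_BURST="${HL_BURST:-5}"

# IPv4 header (20 bytes, assumes no IP options) + UDP header (8 bytes):
# the query header starts at offset 28, so restrict the string search to
# that region instead of scanning the whole packet for ffffffff5x.
PAYLOAD_FROM=28
PAYLOAD_TO=40

query_limit_rules() {
    # One bucket per key; idle buckets expire after 10 s.
    "$IPTABLES" -N QUERYLIMIT 2>/dev/null || "$IPTABLES" -F QUERYLIMIT
    "$IPTABLES" -A QUERYLIMIT -m hashlimit --hashlimit-name a2s \
        --hashlimit-mode "$HL_MODE" \
        --hashlimit-upto "$HL_RATE" --hashlimit-burst "$HL_BURST" \
        --hashlimit-htable-expire 10000 -j ACCEPT
    "$IPTABLES" -A QUERYLIMIT -j DROP

    "$IPTABLES" -N QUERY 2>/dev/null || "$IPTABLES" -F QUERY
    # ffffffff followed by 'T' (A2S_INFO), 'U' (A2S_PLAYER),
    # 'V' (A2S_RULES) or 'W' (challenge request)
    for q in 54 55 56 57; do
        "$IPTABLES" -A QUERY -p udp -m string --algo bm \
            --from "$PAYLOAD_FROM" --to "$PAYLOAD_TO" \
            --hex-string "|ffffffff${q}|" -j QUERYLIMIT
    done

    # Only the server port range goes through the query matching.
    "$IPTABLES" -A INPUT -p udp --dport "$QUERY_PORTS" -j QUERY
}

# Apply only when asked explicitly; otherwise the script just defines the function.
case "${1:-}" in
    --apply) query_limit_rules ;;
esac
```

Run it as root with --apply. To check that the buckets really are separate, read /proc/net/ipt_hashlimit/a2s after some queries have arrived: it lists one line per live key (one per port with dstport mode), instead of the single pkts/bytes counter pair that the -m limit rule shows in iptables -nvL. Setting IPTABLES=echo prints the rules instead of loading them, which is a convenient dry run.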