My guess is that the person doing the attack is on this list, reading the little discussion. :p
Sent from my iPhone 4

On Jan 6, 2011, at 7:47 AM, frostschutz <[email protected]> wrote:

> On Thu, Jan 06, 2011 at 04:16:23PM +0100, Marco Padovan wrote:
>> as suspected, that appears to keep a single bucket and allows 20/sec on
>> the whole server... not on every single port :(
>
> Yes, it's a single bucket. Does it really have to be per server?
> I'd just use a sane value for limit and a large burst here (1000),
> so short spikes will work but continuous DoS won't.
>
> After all, even if just one gameserver gets DoSed, in the end
> it's the whole server that has to cope with the network and CPU.
> And as long as there is no DoS it will work normally, even
> with just one bucket.
>
> Of course you could still add a separate bucket for each port
> in the querylimit chain (no need for a drop rule for each port,
> just put a single drop rule at the end). But if you do that
> you'll likely run into performance problems again.
>
> So I think a single bucket is preferable.
>
> Also consider combining this with fail2ban or similar,
> so you can block IPs that are spamming you completely.
> This will ease load both on your server and on the bucket.
>
> Regards
> frostschutz
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
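The bucket layouts discussed in the quoted reply, as an added example that is not part of the thread: a script that emits the iptables rule sets for a single server-wide bucket, for the per-port limit rules frostschutz warns about, and (an addition not proposed in the thread) a hashlimit match keyed on destination port, which gives per-port buckets without a rule per port. The port list, chain name and limits are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rule sets for
# rate-limiting UDP game-server queries. Port list, chain name and
# limits are constructed for illustration.
PORTS="27015 27016 27017"
RATE="20/sec"      # steady-state limit
BURST="1000"       # large burst so short spikes pass, sustained floods do not

# Every listed game port is diverted into the querylimit chain.
jump_rules() {
    echo "iptables -N querylimit"
    for p in $PORTS; do
        echo "iptables -A INPUT -p udp --dport $p -j querylimit"
    done
}

# Variant 1: one bucket for the whole server (what the thread settles on).
single_bucket_rules() {
    jump_rules
    echo "iptables -A querylimit -m limit --limit $RATE --limit-burst $BURST -j ACCEPT"
    echo "iptables -A querylimit -j DROP"
}

# Variant 2: one limit rule per port inside querylimit, single DROP at the end.
# Every packet walks the whole list, which is the cost the thread warns about.
per_port_limit_rules() {
    jump_rules
    for p in $PORTS; do
        echo "iptables -A querylimit -p udp --dport $p -m limit --limit $RATE --limit-burst $BURST -j ACCEPT"
    done
    echo "iptables -A querylimit -j DROP"
}

# Variant 3 (assumption, not in the thread): hashlimit keyed on dstport keeps
# a separate bucket per port with a single rule, so one flooded port does not
# starve the others and the rule count stays flat as ports are added.
hashlimit_rules() {
    jump_rules
    echo "iptables -A querylimit -m hashlimit --hashlimit-name gamequery --hashlimit-mode dstport --hashlimit-above $RATE --hashlimit-burst $BURST -j DROP"
    echo "iptables -A querylimit -j ACCEPT"
}

# Number of rules a packet may traverse inside querylimit for a variant.
count_rules() { "$1" | grep -c '^iptables -A querylimit'; }
```

Pipe any variant into `sh` on a host where these rules are wanted; the rule counts show why the single bucket stays cheap no matter how many ports the server runs.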

