Hello. Now one unfortunate fact about DoS attacks is that they are designed to interrupt service. The main reason why they work so well is because UDP packets can be spoofed. Thus you are unable to identify an IP to ban, as the IPs reported will not be the real source of the packet. Almost a year ago I suffered a 30Mbit/sec DoS attack on a CS:S server. (Everyone who knows my name can probably guess why someone would want to attack me.) Given the nature of the attack and the fact that my game server was empty, I just firewalled off the port they were attacking (save bandwidth). While Query Cache can help your server show that it's up, in the end if someone has enough bandwidth they can take your server down.
While VALVe can probably make a better query mechanism, they won't be able to fix this problem, since this problem is actually a problem with the way the internet is designed. The main problem lies in the UDP protocol. Since no handshakes are required (since UDP is stateless), it's easy to spoof the source IP with just a Linux box (or a modded Windows). The only true solution when you're getting DoS'd is for your ISP (host) to find the source of the attack through tickets to up-stream providers. However, most ISPs will not bother to trace the origin of the attack (due to the fact that most come from zombie machines).

On Thu, Jan 6, 2011 at 11:53 AM, Marco Padovan <[email protected]> wrote:
> Nice! Will give it a try if it's already part of the kernel I use :)
>
> Thank you
> On 06 Jan 2011 18:43, "frostschutz" <[email protected]> wrote:
>> On Thu, Jan 06, 2011 at 05:28:43PM +0100, Marco Padovan wrote:
>>> The single bucket is problematic due to how we manage the gameservers, will
>>> update the status this evening :p
>>
>> So I came across this in the iptables man page...
>>
>> ----
>> hashlimit
>>
>> This patch adds a new match called 'hashlimit'. The idea is to have
>> something like 'limit', but either per destination-ip or per
>> (destip,destport) tuple.
>>
>> It gives you the ability to express
>> '1000 packets per second for every host in 192.168.0.0/16'
>>
>> '100 packets per second for every service of 192.168.1.1'
>> with a single iptables rule.
>> ----
>>
>> So you can use hashlimit for a 20 pps for each port solution,
>> still with just a single rule.
>>
>> iptables -m hashlimit --hashlimit 20/s --hashlimit-mode destip-destport
>>
>> (might also need --hashlimit-htable-size/max/, not sure...)
>>
>> Regards
>> frostschutz
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux

