servers warp

80 replies
JADO
Joined: Sep 2010
Re: servers warp

Ok man thanks for your effort.

“Do or do not... there is no try.”-Yoda

easy
Developer
Joined: Sep 2003
Re: servers warp

Here are some more details as it seems all or most servers are affected at the moment. All this trouble lately is the result of a botnet utilizing your Quake 3 server to attack others. They do this by sending a tiny "getstatus" request with a spoofed/faked victim address (telling your server the request came from 123.123.123.123 or any other IP they need to attack) and your server replies with a much bigger message to that victim address. Now your server is not the only one sending trash to the victim address, many other servers are used to do the same at the very same time and as a result the victim denies service/is unavailable because of the huge load of traffic it receives.

Spoofed UDP packets can't be tracked from your end, you will have to get in touch with your provider/hoster but there isn't much hope to ever find the origin.

Well, now we identified the real targets of the attack but still your server is abused to harm others and at the same time it lags your server and generates high traffic. To get rid of this, here is the iptables solution for *nix based servers.

This will make your server not respond to the flood requests and thus prevents the attacks on other targets. It will also eliminate the lag, as your server will have to deal with incoming trash instead of both incoming (tiny) and outgoing (huge).

# create chain
iptables -N quake3_ddos
 
# accept real client/player traffic
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
 
# match "getstatus" queries and remember their address
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set
 
# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits
#       as otherwise you will block regular server queries, like Spider or QConnect
#       e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP
 
# accept otherwise
iptables -A quake3_ddos -j ACCEPT
 
#
#
# finally insert the chain as the top most input filter

# single server
# iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos

# multiple servers
# (--dports is provided by the multiport match, so -m multiport is required)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,27961,27962 -j quake3_ddos

This is the full automated version that will block anyone who sends too many "getstatus" requests but it requires iptables to have "u32" and "recent" modules.
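
The chain above, modelled in user space so the matching can be watched on sample packets. This is an added example, not easy's script or any ioquake3 code: it rebuilds the u32 byte comparisons and the recent --set / --update --hitcount 5 --seconds 2 logic in Python over constructed IPv4/UDP datagrams (the addresses, ports, payloads and timestamps are made up). Offsets are measured from the start of the IP header and assume a 20-byte header without options, exactly as the u32 expressions do.

```python
"""User-space model of the quake3_ddos iptables chain (added example).

Rebuilds the u32 byte matches and the xt_recent hit counting on constructed
IPv4/UDP datagrams. Offsets are measured from the start of the IP header and
assume a 20-byte header without options, as the u32 expressions do.
"""
import struct
from collections import defaultdict

ACCEPT, DROP = "ACCEPT", "DROP"


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed sample datagram: minimal IPv4 header + UDP header + payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 8 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 17 (UDP), checksum 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, src_b, dst_b)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def src_ip(pkt):
    """Source address from the IPv4 header (bytes 12..15)."""
    return ".".join(str(b) for b in pkt[12:16])


def u32(pkt, offset):
    """The u32 match's load: 4 bytes, big-endian, at *offset* from the IP header."""
    return struct.unpack_from("!I", pkt, offset)[0]


def is_out_of_band(pkt):
    # rule 1 (negated): "0x1c=0xffffffff" -> payload starts with the Q3 OOB marker
    return len(pkt) >= 0x20 and u32(pkt, 0x1c) == 0xFFFFFFFF


def is_getstatus(pkt):
    # rule 2: "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73"
    return (len(pkt) >= 0x29
            and u32(pkt, 0x20) == 0x67657473           # "gets"
            and u32(pkt, 0x24) == 0x74617475           # "tatu"
            and (u32(pkt, 0x25) & 0xFF) == 0x73)       # byte 40 == "s"


class RecentList:
    """Minimal model of xt_recent: per-source timestamps of --set hits."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, addr, now):
        """-m recent --set: record this packet for addr."""
        self.hits[addr].append(now)

    def update(self, addr, now, hitcount, seconds):
        """-m recent --update --hitcount N --seconds S: true when addr is listed
        and at least N hits fall inside the last S seconds."""
        if addr not in self.hits:
            return False
        self.hits[addr] = [t for t in self.hits[addr] if now - t <= seconds]
        return len(self.hits[addr]) >= hitcount


def quake3_ddos(pkt, now, recent, hitcount=5, seconds=2.0):
    """Walk the four rules of the chain and return the verdict for one datagram."""
    src = src_ip(pkt)
    if not is_out_of_band(pkt):          # rule 1: connected-client traffic
        return ACCEPT
    if is_getstatus(pkt):                # rule 2: remember the query (no target, fall through)
        recent.set(src, now)
    if recent.update(src, now, hitcount, seconds):   # rule 3: source over the limit
        return DROP
    return ACCEPT                        # rule 4


def run_demo():
    """Feed a constructed trace through the chain; returns (label, verdict) pairs."""
    server, victim, browser, player = "192.0.2.10", "123.123.123.123", "198.51.100.7", "10.0.0.5"
    getstatus = b"\xff\xff\xff\xffgetstatus\n"
    recent = RecentList()
    trace = [("player", 0.0,
              build_ipv4_udp(player, server, 27960, 27960, b"\x00\x00\x00\x01\x00\x02move"))]
    for i in range(7):   # 7 spoofed getstatus queries within 0.6 s
        trace.append((f"spoofed getstatus #{i + 1}", 0.1 * i,
                      build_ipv4_udp(victim, server, 27960, 27960, getstatus)))
    trace.append(("spoofed getinfo", 0.7,
                  build_ipv4_udp(victim, server, 27960, 27960, b"\xff\xff\xff\xffgetinfo xxx")))
    trace.append(("browser getstatus", 0.8,
                  build_ipv4_udp(browser, server, 27960, 27960, getstatus)))
    trace.append(("late spoofed getstatus", 3.0,
                  build_ipv4_udp(victim, server, 27960, 27960, getstatus)))
    return [(label, quake3_ddos(pkt, t, recent)) for label, t, pkt in trace]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:26s} {verdict}")
```

Two things the trace makes visible. The DROP rule carries no u32 match, so once a source has crossed five getstatus queries in two seconds every out-of-band packet from it is dropped for the rest of the window (the spoofed "getinfo" is refused too); with spoofed sources that address is the victim, which is the intended trade-off. And DROP only suppresses the large reply: the small requests still arrive and still consume inbound bandwidth, which the rule cannot change.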

rUnThEoN?!
Skullheadq3
Joined: Dec 2005
DE Germany
Re: servers warp

woa, so some mofo is sending netpackets with wrong shells? lame way of attacking, but who would do such a thing??

hurrenson: "This idiot is apparently not familiar with a rail/sniper style."

mow Q [EN]
Joined: Nov 2003
Re: servers warp

ligas or shadow? Nerd

FASTER OF BORG
Joined: Nov 2009
LY Libyan Arab Jamahiriya
Re: servers warp


# NOTE: if you run multiple servers on a single host, you will need to higher these limits
# as otherwise you will block regular server queries, like Spider or QConnect
# e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP

First of all, thank you easy for the iptables script. If a host has more than one server, let's say three servers, how much do I have to increase the limit?
My guess would be:
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 15 --seconds 2 -j DROP

Second, please easy change my country flag from green to our new lovely flag, the red black green flag; we have had victory in my country for more than two months now. We hate the green flag and we hate Gadaffi

easy
Developer
Joined: Sep 2003
Re: servers warp

Each of our servers got about 500 requests per second. 15 should be fine.

I will regenerate the flags, as soon as possible.

BOZO
Joined: Feb 2010
Re: servers warp
easy wrote:

Here are some more details

Thanks man for the explanation and the fix of course!

cml
Forum moderator
camel-xp
Joined: Mar 2006
PL Poland
Re: servers warp

Seems that your solution, easy, did not work, at least for us. I applied it on our one root machine but I still see the spam coming. By the way, is it a script or one-time commands to apply to iptables? I added them once, one by one. I have iptables v1.4.8, but on the other machine it's the older 1.4.2 and it doesn't work at all, and it's a pain in the ass to update iptables to a newer version on Debian.

I wrote an email to Aluigi Auriemma; he provides tools to patch well-known hacking tools and vulnerabilities on game servers and more. Maybe he might help us resolve this nasty problem.

oldskool'hammer
Joined: Jan 2008
Re: servers warp

Did you extend your iptables with a module, camel?
I heard from faster about it and he said that he had to install an extra module called "u32".

Then it should work.

Although that module gave some errors for faster, so maybe someone knows about that?

cml
Forum moderator
camel-xp
Joined: Mar 2006
PL Poland
Re: servers warp
oldskool'hammer wrote:

iptables 1.4.8 has everything, older versions not

Aluigi wrote:

the problem is that there is nothing you can do because it's just your connection that receives packets so you can block them at firewall level but the bandwidth gets consumed in any case.

it's a known old jurassic problem and it can't be easily fixed because all the game servers out there can act as amplifiers and even the master servers can amplify traffic. fixing the problem means creating patches that "limit" this effect for each existent game