servers warp

easy
Developer
Joined: Sep 2003
Re: servers warp

This is the minimal output iptables -L gives you to have it work.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:27960
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain quake3_ddos (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            u32 ! 0x1c=0xffffffff
           all  --  anywhere             anywhere            u32 0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73 recent: SET name: getstatus side: source
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 2 hit_count: 5 name: getstatus side: source
ACCEPT     all  --  anywhere             anywhere

If your output looks similar, it should be functional. Where do you measure the "trash"? tcpdump, ngrep and similar tools grab the packets right before they get filtered, but the Quake 3 console should not flood you with "getstatus" messages if you enable /developer 1.

Edit: It is true what Aluigi said. During the attacks your incoming traffic will multiply by a factor of 2 or 3, which is not high in any case, but the outgoing traffic will multiply by a factor of 60, getting close to 100 MBit/s (data based on our servers). The rules above cut this outgoing traffic, and eventually it comes to an end after a while, once they realize that your server is not amplifying the attacks.

cml
Forum moderator Rank moderator LIVING LEGEND
Joined: Mar 2006
PL Poland
Re: servers warp

OK, previously it was working:
iptables -I INPUT 1 -p udp --dports 27960 -j quake3_ddos

Now, after cleaning up the whole list, I get:
iptables v1.4.8: unknown option `--dports'

Who knows how to build custom iptables on Debian 6?
It was always a problem for me to do that =/

easy
Developer
Joined: Sep 2003
Re: servers warp

If you have "u32" and "recent" then just ignore "multiport". Set up one rule per server.

iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos
iptables -I INPUT 1 -p udp --dport 27961 -j quake3_ddos
iptables -I INPUT 1 -p udp --dport 27962 -j quake3_ddos

You can get a list of available modules with cat /proc/net/ip_tables_matches.

cml
Forum moderator Rank moderator LIVING LEGEND
Joined: Mar 2006
PL Poland
Re: servers warp
easy wrote:

If you have "u32" and "recent" then just ignore "multiport". Set up one rule per server.

iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos
iptables -I INPUT 1 -p udp --dport 27961 -j quake3_ddos
iptables -I INPUT 1 -p udp --dport 27962 -j quake3_ddos

You can get a list of available modules with cat /proc/net/ip_tables_matches.

u32
recent
udplite
udp
tcp
multiport
multiport
icmp

So I need to apply
iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos
for each port that runs on the dedicated server to get it secured?

cml
Forum moderator Rank moderator LIVING LEGEND
Joined: Mar 2006
PL Poland
Re: servers warp

OK, I don't know why, but adding the rules manually only displays an error, so I added them to a file and then forced the firewall to load it and put in all the rules, and it works. Here's the output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:27960
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:27202
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:22960
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:27300
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:21960
quake3_ddos  udp  --  anywhere             anywhere            udp dpt:21961
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5000:5100
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8821
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8891
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8890
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
 
Chain quake3_ddos (6 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            u32 ! 0x1c=0xffffffff
           all  --  anywhere             anywhere            u32 0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73 recent: SET name: getstatus side: source
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 2 hit_count: 15 name: getstatus side: source
ACCEPT     all  --  anywhere             anywhere

3M'darkangel
Joined: Feb 2010
ES Spain
Re: servers warp

Hope this will end soon...... 'cos playing with ping 200 and packet loss :F sax!!


FASTER OF BORG
Joined: Nov 2009
Re: servers warp

So I need to upgrade to the latest iptables, plus I have to put all the rules in one executable file. I will give it a try tonight. Thanks easy and cml for your feedback.
By the way, my iptables INPUT and FORWARD policy is DROP and I just open the ports that I need; it seems your iptables policy is ACCEPT..... This might be a bad idea. Can you edit your script based on an INPUT DROP policy?

easy
Developer
Joined: Sep 2003
Re: servers warp
FASTER OF BORG wrote:

By the way, my iptables INPUT and FORWARD policy is DROP and I just open the ports that I need; it seems your iptables policy is ACCEPT.....

No, it was an example; this will fit both policies. The chain's policy is ACCEPT, but you run the chain only for the specific UDP ports which you want to be open.

cml
Forum moderator Rank moderator LIVING LEGEND
Joined: Mar 2006
PL Poland
Re: servers warp

Anyway, the simplest method in this case, if you have problems adding them manually as I had:
first save your iptables rules to a file:
iptables-save > iptables.conf
then get my list from the attachment, open your saved rules iptables.conf, copy/paste from mine, change the server ports at the top to your needs, save and flush:
iptables -F
then restore by typing:
iptables-restore < iptables.conf
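
The chain easy listed earlier in the thread and the save/restore procedure cml describes just above can be combined into one script. The following is an added example, not code posted by anyone in this thread: it prints an iptables-restore fragment that rebuilds the quake3_ddos chain for every UDP port you pass on the command line, so you can read the rules as text (or paste them into a saved iptables.conf) before loading them. The u32 expressions, the chain layout and the default 2-second / 5-hit window are taken from easy's iptables -L listing; the function name gen_rules, the WINDOW_SECONDS and HITCOUNT variables and the file name quake3_rules.sh are my own choices. The loading step assumes iptables-restore with -n (noflush), which leaves the existing INPUT policy and rules in place whether the policy is ACCEPT or DROP, as FASTER OF BORG asked.

```shell
#!/bin/sh
# Added example for this thread (not code posted by easy or cml): generate an
# iptables-restore fragment that rebuilds the quake3_ddos chain for every UDP
# port given as an argument. The u32 expressions, chain layout and the default
# 2-second / 5-hit window are copied from easy's "iptables -L" listing.

# All u32 offsets count from the start of the IPv4 header, so they assume a
# 20-byte header without IP options. 0x1c (28) is the first UDP payload byte;
# four 0xff bytes there mark a Quake 3 connectionless packet. 0x20 and 0x24
# hold "gets" and "tatu", and "0x25&0xff" picks the single byte at 0x28, the
# final "s" of "getstatus".
OOB_MATCH='0x1c=0xffffffff'
GETSTATUS_MATCH='0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73'

# gen_rules PORT [PORT ...]  -> iptables-restore text on stdout.
# WINDOW_SECONDS and HITCOUNT (assumed names) override the recent-match window.
gen_rules() {
    window="${WINDOW_SECONDS:-2}"
    hits="${HITCOUNT:-5}"
    # No builtin chains are declared here, so loading with "iptables-restore -n"
    # keeps the existing INPUT policy (ACCEPT or DROP) and rules untouched.
    printf '%s\n' '*filter' ':quake3_ddos - [0:0]'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p udp -m udp --dport $port -j quake3_ddos"
    done
    # 1. Packets without the connectionless marker are ordinary game traffic.
    printf '%s\n' "-A quake3_ddos -m u32 ! --u32 \"$OOB_MATCH\" -j ACCEPT"
    # 2. Remember the source address of every getstatus query (rule has no target).
    printf '%s\n' "-A quake3_ddos -m u32 --u32 \"$GETSTATUS_MATCH\" -m recent --set --name getstatus --rsource"
    # 3. Drop further connectionless packets from a source that sent HITCOUNT or
    #    more queries within WINDOW_SECONDS; --update refreshes its timestamp.
    printf '%s\n' "-A quake3_ddos -m recent --update --seconds $window --hitcount $hits --name getstatus --rsource -j DROP"
    # 4. Everything else, including moderate getstatus traffic, is accepted.
    printf '%s\n' "-A quake3_ddos -j ACCEPT" "COMMIT"
}

# Usage: sh quake3_rules.sh 27960 27961 27962 | iptables-restore -n
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Running it a second time appends a second set of INPUT jumps, so delete the old ones first (or regenerate the whole table with cml's iptables-save / iptables.conf method). The u32 and recent matches must be available in the kernel, which is what cml checked in /proc/net/ip_tables_matches. xt_recent stores at most ip_pkt_list_tot timestamps per address (20 by default), so a --hitcount above that cannot work; the 5 and 15 used in this thread are within the limit.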

FASTER OF BORG
Joined: Nov 2009
Re: servers warp

I couldn't compile the latest version of iptables with the kernel-sources package. I am using CentOS 5.7. Does someone have any guideline or site related to this issue? This is bad, really bad.