RawShark wrote: There are additional rules, which you can add as well as the previous, which help decrease the attacks further:
iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_game
iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_game -j DROP
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP
RawShark wrote: This looks out for something slightly different, but combined with the previous should halt nearly ALL unwanted traffic. You'll still have incoming requests from the spoofed IPs, but no traffic will go back out to the real IPs, hence no more DOS attacks from your server.
Chain quake3_ddos (1 references)
 pkts bytes target prot opt in  out source   destination
23326 1571K ACCEPT all  --  any any anywhere anywhere  u32 ! "0x1c=0xffffffff"
  39M 1631M        all  --  any any anywhere anywhere  u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" recent: SET name: getstatus side: source
  39M 1626M DROP   all  --  any any anywhere anywhere  recent: UPDATE seconds: 2 hit_count: 5 name: getstatus side: source
 111K 4772K ACCEPT all  --  any any anywhere anywhere
RawShark wrote: iftop is a good tool to use to see the traffic flows before and after applying. We use iftop -P, which shows ports as well as hosts.
RawShark wrote: As regards combining it all into one chain? Not really my forte, I don't understand iptables enough (everything so far is cut/paste from various forums). I bow on this to the superior knowledge of others - anyone want to present an "ultimate" firewall script for Quake 3 servers?
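To make the quake3_ddos chain and the recent-module rules above easier to reason about, here is an added model of them in Python (not RawShark's code and not an iptables feature): it classifies a constructed IPv4/UDP packet the way the u32 matches do, mimics the xt_recent --set/--update pair (hitcount 5 in 2 s), and shows which packets of a getstatus burst from one source the chain would drop. Addresses, ports and timestamps are constructed for the demo.

```python
import struct
from collections import defaultdict, deque

def build_udp_packet(src: str, payload: bytes) -> bytes:
    """Constructed IPv4 (20-byte header, no options) + UDP packet for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), b"\xc0\xa8\x00\x01")
    udp = struct.pack("!HHHH", 27960, 27960, 8 + len(payload), 0)
    return ip + udp + payload

def is_getstatus(packet: bytes) -> bool:
    """u32 offsets count from the IP header, so 0x1c (20 IP + 8 UDP) is the first payload byte."""
    if len(packet) < 0x29 or packet[0] & 0x0f != 5 or packet[9] != 17:
        return False
    return packet[0x1c:0x20] == b"\xff\xff\xff\xff" and packet[0x20:0x29] == b"getstatus"

class RecentList:
    """Simplified xt_recent: a per-source ring of timestamps (ip_pkt_list_tot=20)."""
    def __init__(self, seconds: float, hitcount: int, list_tot: int = 20):
        assert hitcount <= list_tot, "--hitcount cannot exceed ip_pkt_list_tot"
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))
    def set(self, src: str, now: float) -> None:
        self.stamps[src].append(now)          # --set: record a stamp, always matches
    def update(self, src: str, now: float) -> bool:
        # --update --seconds S --hitcount N: match once the source has N stamps
        # inside the last S seconds; a match also records the current packet.
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        if sum(1 for t in stamps if now - t <= self.seconds) >= self.hitcount:
            stamps.append(now)
            return True
        return False

def quake3_ddos(packet: bytes, now: float, recent: RecentList) -> str:
    src = ".".join(str(b) for b in packet[12:16])
    if packet[0x1c:0x20] != b"\xff\xff\xff\xff":
        return "ACCEPT"                       # u32 ! "0x1c=0xffffffff"
    if is_getstatus(packet):
        recent.set(src, now)                  # recent: SET name: getstatus
    if recent.update(src, now):
        return "DROP"                         # recent: UPDATE seconds: 2 hit_count: 5
    return "ACCEPT"

def simulate_flood(count: int = 6, interval: float = 0.1) -> list:
    # Constructed burst: one source sends `count` getstatus packets `interval` s apart.
    recent = RecentList(seconds=2, hitcount=5)
    pkt = build_udp_packet("203.0.113.7", b"\xff\xff\xff\xffgetstatus\n")  # 42 bytes, as the --length 42 rule expects
    return [quake3_ddos(pkt, i * interval, recent) for i in range(count)]
```

The first four getstatus packets pass and the fifth within the 2 s window is dropped; note the DROP rule has no u32 match, so any packet from that source is dropped while it stays over the threshold.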