Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
All times are UTC [ DST ]
 Post subject: UDP amplification through W:ET servers
PostPosted: 03 Dec 2010 19:30 

Joined: 29 Aug 2009 16:44
Posts: 4
Hello,

I couldn't find the paper now, but I'm sure you once wrote a paper about UDP amplification through online game master servers.
Now the problem I have is that somebody seems to be trying to steal my bandwidth by sending a constant stream
of around 3 MB per second to my game servers, using a spoofed IP. I suppose he's sending getstatus requests, haven't checked though.
So he's using my game servers (and probably a lot more) to run a DoS attack on some other site. This is the third time now. I usually just block inbound traffic "from" the target site to stop the attack and to save bandwidth.

This is an excerpt of what iftop shows:
Code:
<my server ip>:29000                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    178Kb   177Kb   177Kb
<my server ip>:31100                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    177Kb   177Kb   177Kb
<my server ip>:23000                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    178Kb   177Kb   177Kb
<my server ip>:25000                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    177Kb   177Kb   177Kb
<my server ip>:32000                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    177Kb   177Kb   177Kb
<my server ip>:31000                   => root1.gmod.biz:51794                                 0b      0b      0b
                                                  <=                                                    178Kb   177Kb   177Kb


I'd like to know if there is some sort of automation I could apply to automatically detect and stop those kinds of attacks. Thanks in advance.


 Post subject: Re: UDP amplification through W:ET servers
PostPosted: 03 Dec 2010 22:17 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I think you can make a blocker using proxocket. It would automatically reject packets containing certain data.

proxocket is Luigi's tool, check on his site.


 Post subject: Re: UDP amplification through W:ET servers
PostPosted: 03 Dec 2010 22:38 

Joined: 29 Aug 2009 16:44
Posts: 4
But it's not about the type of the data, more about the amount of it.
It's sending around 3 MB in getstatus requests. If I am not mistaken
the response to a getstatus can be up to 50 times bigger than the request.
That's about the problem I'm dealing with here.


 Post subject: Re: UDP amplification through W:ET servers
PostPosted: 04 Dec 2010 01:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I noticed a post about this thing happening with ET servers... interesting :)

The solution is very obvious: filter that IP address so that your server will not act as an amplifier.

Automating the process is possible but I don't know how to do it with the pre-existing solutions like the Linux firewall and so on.
For example with proxocket it would be possible, just like I did it with the playerslimiter project, but I guess a deeper thing (like a firewall) is probably what you are looking for.


 Post subject: Re: UDP amplification through W:ET servers
PostPosted: 04 Dec 2010 10:49 

Joined: 29 Aug 2009 16:44
Posts: 4
A firewall (iptables) solution would be what I'd like to see most indeed.
I have played around a bit with string matching and the limits module
( similar to this post1502.html?hilit=iptables#p1502 ),
but haven't quite come to a good solution yet.
Maybe someone here is a little more experienced with iptables in general.
I'd greatly appreciate any help.

Edit:
A solution similar to this one would probably work fine, too.
http://www.ycn-hosting.com/downloads/no ... bnoquery.c
Unfortunately, I'm not very good with C programming and I don't
want to block legit queries either.


 Post subject: Re: UDP amplification through W:ET servers
PostPosted: 04 Dec 2010 12:01 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The fact is that the "condition" is not related to the content of the packet but to the "rate" of the packets, so bnoquery.c is of no help in your case.

I have no experience with iptables so I don't know if it is possible to put a control on the amount of identical packets from the same IP received in a certain range of time.


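The rate-based check discussed in the last two posts (count identical getstatus queries per source IP within a time window, and only then stop answering that address) can be written down directly. The following is an added example, not code from the thread, from proxocket or from any of the tools mentioned: a sliding-window detector over a constructed packet log, plus a helper that builds (but does not execute) the iptables DROP rules for a flagged source on the game-server ports. The traffic log, the addresses, the one-second window and the threshold of ten queries are all assumptions chosen for the demonstration; a real deployment would feed it from the server's socket or from a packet capture and tune the threshold to what legitimate server browsers actually send.

```python
from collections import defaultdict, deque

# Quake3-style out-of-band query prefix used by W:ET: four 0xff bytes then the command.
GETSTATUS = b"\xff\xff\xff\xffgetstatus"


class GetstatusRateDetector:
    """Flags a source IP once it sends more than `threshold` getstatus
    queries within any sliding window of `window_s` seconds.

    The condition is the packet rate, not the packet content: one getstatus
    is a normal server-browser query; dozens per second from a single
    (possibly spoofed) address is the amplification pattern."""

    def __init__(self, window_s=1.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)   # src_ip -> timestamps of its recent queries
        self.flagged = set()              # sources that crossed the threshold

    def observe(self, ts, src_ip, payload):
        """Record one inbound UDP datagram. Returns True if src_ip crosses the threshold."""
        if not payload.startswith(GETSTATUS):
            return False                  # game traffic, not a query: never counts
        q = self._seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                   # forget queries that fell out of the window
        if len(q) > self.threshold:
            self.flagged.add(src_ip)
            return True
        return False


def drop_rules(src_ip, ports):
    """Build (not run) iptables rules that discard further queries 'from' src_ip on
    each game-server port, so the server stops answering and stops amplifying.
    Returned as strings so an operator can review them before applying."""
    return [f"iptables -I INPUT -p udp -s {src_ip} --dport {p} -j DROP"
            for p in sorted(ports)]


def build_sample_log():
    """Constructed traffic (assumption, not captured data): one legitimate browser
    (10.0.0.5) sending two queries seconds apart, one player packet that is not a
    query, and one spoofed source (203.0.113.7) sending 40 queries in one second."""
    log = [(0.0, "10.0.0.5", GETSTATUS),
           (3.0, "10.0.0.5", GETSTATUS),
           (0.5, "10.0.0.9", b"\xff\xff\xff\xffconnect")]
    log += [(1.0 + i * 0.025, "203.0.113.7", GETSTATUS) for i in range(40)]
    return sorted(log)                    # replay in timestamp order


def detect(log, window_s=1.0, threshold=10):
    """Replay a (ts, src_ip, payload) log through the detector; return flagged sources."""
    det = GetstatusRateDetector(window_s, threshold)
    for ts, src, payload in log:
        det.observe(ts, src, payload)
    return det.flagged


if __name__ == "__main__":
    # Ports taken from the iftop excerpt in the first post.
    server_ports = {29000, 31100, 23000, 25000, 32000, 31000}
    for src in detect(build_sample_log()):
        print(f"{src}: getstatus rate exceeded, proposed rules:")
        for rule in drop_rules(src, server_ports):
            print("  " + rule)
```

With the sample log only 203.0.113.7 is reported; the browser at 10.0.0.5 never has more than one query inside a one-second window, and the connect packet is ignored because the check keys on the query prefix. The rules are printed rather than applied so the operator decides, which also avoids blocking legitimate queries on a false positive.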