Actually I got inspired by the word "daemon" and I realized that the key to
the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
didn't have much time to check the incoming packet pattern, however I'm not
sure that they all were 53 bytes long, actually the number was something
like 33 that showed up a LOT of times in iptables logs (but I might be
wrong... and I'm sure the fault lies in drinking too much beer).
Nevertheless I went for the 100% match with the -m string and it works
really well. I'm having about 300r/s and I don't see any CPU usage with this
method. Anyways you are free to modify the source or iptables filter command
:)

2009/9/6 Nephyrin Zey <nephy...@doublezen.net>

> As an alternative to using -m string, you can just filter length 53
> packets - no packets aside from the query packet end up being that
> length. Not super elegant, but a lot less overhead.
>
> And, as I said, my daemon works differently and could be used to easily
> start thousands of fake servers on a single box, which would screw more
> things over than it would help.
>
> - Neph
>
> On 09/05/2009 05:20 PM, Kaspars wrote:
> > God dammit... this is really fucked up... sorry for my language, I just
> > got too many beers today...
> > Anyways, I just wanted to give something to the community as Neph is not
> > willing to do it. This will fix the ddos attack for *nix however if you
> > are using it, I'm not giving any warranty :)
> >
> > Here goes:
> > first, get the source and compile: http://www.gign.lv/tmp/test.c
> > run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> > YOUR_SERVER_PORT
> > 21015 is some random port for the udp proxy :) it must be opened in the
> > firewall
> >
> > then some iptables magic:
> > iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> > YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> > REDIRECT --to-port 21015
> >
> > that's about it...
> >
> > 2009/9/6 Nephyrin Zey<nephy...@doublezen.net>
> >
> >
> >> The problem with my solution is the daemon would be really really
> >> abusive in the wrong hands. We don't need someone using it to easily
> >> start 100 fake servers at 255/255 slots and polluting the server list.
> >> It's not some super complex feat, but releasing an easy compiled
> >> prepackaged version is just asking for it - and the real solution needs
> >> to be Valve. Plus, it's not very easy to configure and I'm not even sure
> >> windows ipsec is capable of that level of packet interception.
> >>
> >> Something on the lines of tony's plugin would be a much better solution,
> >> but you'll have to hound him about that
> >>
> >> - Neph
> >>
> >> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> >>
> >>> I don't think either you or Neph have released your plugins to the
> >>> public, so this solution works great for you guys. Maybe we can have
> >>> some info or direction from you so the general public can do something
> >>> about this?
> >>>
> >>> As long as they get away with this it's going to keep happening; if a
> >>> plugin was available to stop this, it is no longer "fun" or productive
> >>> to DOS servers anymore.
> >>>
> >>>
> >>
> >> _______________________________________________
> >> To unsubscribe, edit your list preferences, or view the list archives,
> >> please visit:
> >> http://list.valvesoftware.com/mailman/listinfo/hlds
> >>
> >>
> >
>
>
>
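The caching proxy approach described in the thread (the iptables REDIRECT rule sends only 'TSource Engine Query' packets to a local daemon, which answers repeated queries from a short-lived cache instead of forwarding each one to the game server), written out as an added Python example. This is not the test.c from the thread or any Source engine code; the one-second cache TTL, the upstream timeout, the argument order and the file name are assumptions.

```python
import socket
import sys
import time
# A2S_INFO request payload: the 'TSource Engine Query' string the iptables rule matches on.
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

class CachingQueryProxy:
    """Answer repeated A2S_INFO queries from a short-lived cache, so the game server
    sees at most one query per TTL however fast they arrive."""
    def __init__(self, fetch_upstream, ttl=1.0):
        # fetch_upstream: callable(bytes) -> bytes, or None on timeout; ttl is assumed (seconds)
        self.fetch_upstream, self.ttl = fetch_upstream, ttl
        self.cached, self.cached_at = None, float("-inf")

    def handle(self, data, now=None):
        # Returns the reply to send back, or None to drop the packet.
        now = time.monotonic() if now is None else now
        if data != A2S_INFO:
            return None  # only the query packet is redirected here; drop anything else
        if self.cached is not None and now - self.cached_at < self.ttl:
            return self.cached
        reply = self.fetch_upstream(data)
        if reply is not None:
            self.cached, self.cached_at = reply, now
        return reply

def udp_upstream(server_ip, server_port, timeout=1.0):
    # Fetcher that forwards one query to the real server and returns its reply.
    def fetch(data):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(data, (server_ip, server_port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return fetch

def serve(listen_port, server_ip, server_port):
    # Queries arrive via the REDIRECT rule; conntrack maps replies back to the server port.
    proxy = CachingQueryProxy(udp_upstream(server_ip, server_port))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", listen_port))
        while True:
            data, client = sock.recvfrom(4096)
            reply = proxy.handle(data)
            if reply is not None:
                sock.sendto(reply, client)

if __name__ == "__main__":  # usage as in the thread: proxy.py 21015 SERVER_IP SERVER_PORT
    serve(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```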
