This is Windows, iptables is nonexistent. I know people have suggested plenty
of Linux solutions for this problem in different ways to solve it :) but I
don't think something that easy exists for Windows. IPsec doesn't do anything
like that, nor does any normal software firewall for Windows; seems the only
thing that could help is a UDP proxy, but that requires C programming.

On Sun, Sep 6, 2009 at 1:29 AM, Kyle Sanderson <kyle.l...@gmail.com> wrote:

> Um... I'm going out on a limb here that no one has read the other topics
> that have discussed this. Since it has yet to be posted here... has anyone
> tried what Tony suggested by limiting the amount of queries via iptables
> then logging the blocked IPs? This rule was made by Tony, as simple as it
> is I would still like to give him credit as I didn't think of it.
>
> -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode dstip,dstport --hashlimit-name a2sspam -j ACCEPT
> -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP
>
> But yeah... Not sure if this did it or not but I haven't been "lagged out"
> since. If this is something completely different, I'm sorry.
> Kyle.
>
> On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins <kenny.logg...@clanao.com> wrote:
>
> > I have an open request on a fix for this problem. I'm willing to
> completely
> > pay for a programmers time and I'm willing to bet other people would also
> > chip in on this. Anyone willing to work this let me know
> >
> > http://forums.alliedmods.net/showthread.php?t=102779
> >
> >
> >
> > -----Original Message-----
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shizzle Nizzle
> > Sent: Saturday, September 05, 2009 11:00 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > From what I know IPsec does nothing of what iptables is capable of doing, so
> > that's out of the picture completely. The sudpipe UDP proxy program requires,
> > I suppose, a background knowledge of C; I only know PHP/SQL myself :) I see
> > plenty of bright people around here that have solutions for Linux lol :)
> > wrong mailing list :P maybe some for Windows? :)
> >
> > Anyway, I'm ready to put down $65 for any plugin/program for Windows that
> > manages these UDP floods specifically for Source servers. I think a few
> > others said they would be willing to put money in the pot too.
> >
> > On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins <kenny.logg...@clanao.com> wrote:
> >
> > > Anyone know of any hardware solutions to this problem?
> > >
> > > ClanAO.com
> > >
> > > On Sep 5, 2009, at 8:09 PM, Kaspars <kasp...@micro.lv> wrote:
> > >
> > > > Actually I got inspired by the word "daemon" and I realized that the
> > > > key to the problem is a daemon... a proxy daemon... a caching proxy
> > > > daemon :) I didn't have much time to check the incoming packet pattern,
> > > > however I'm not sure that they all were 53 bytes long; actually the
> > > > number was something like 33 that showed up a LOT of times in iptables
> > > > logs (but I might be wrong... and I'm sure the fault lies in drinking
> > > > too much beer). Nevertheless I went for the 100% match with -m string
> > > > and it works really well. I'm having about 300 r/s and I don't see any
> > > > CPU usage with this method. Anyway, you are free to modify the source
> > > > or the iptables filter command :)
> > > >
> > > > 2009/9/6 Nephyrin Zey <nephy...@doublezen.net>
> > > >
> > > >> As an alternative to using -m string, you can just filter length 53
> > > >> packets - no packets aside from the query packet end up being that
> > > >> length. Not super elegant, but a lot less overhead.
> > > >>
> > > >> And, as I said, my daemon works differently and could be used to
> > > >> easily start thousands of fake servers on a single box, which would
> > > >> screw more things over than it would help.
> > > >>
> > > >> - Neph
> > > >>
> > > >> On 09/05/2009 05:20 PM, Kaspars wrote:
> > > >>> God dammit... this is really fucked up... sorry for my language, I
> > > >>> just got too many beers today...
> > > >>> Anyway, I just wanted to give something to the community as Neph
> > > >>> is not willing to do it. This will fix the DDoS attack for *nix;
> > > >>> however, if you are using it, I'm not giving any warranty :)
> > > >>>
> > > >>> Here goes:
> > > >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> > > >>> run it in screen like:
> > > >>> ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP YOUR_SERVER_PORT
> > > >>> 21015 is some random port for the UDP proxy :) it must be opened in
> > > >>> the firewall
> > > >>>
> > > >>> then some iptables magic:
> > > >>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j REDIRECT --to-port 21015
> > > >>>
> > > >>> that's about it...
> > > >>>
> > > >>> 2009/9/6 Nephyrin Zey<nephy...@doublezen.net>
> > > >>>
> > > >>>
> > > >>>> The problem with my solution is the daemon would be really, really
> > > >>>> abusive in the wrong hands. We don't need someone using it to easily
> > > >>>> start 100 fake servers at 255/255 slots and polluting the server
> > > >>>> list. It's not some super complex feat, but releasing an easy
> > > >>>> compiled prepackaged version is just asking for it - and the real
> > > >>>> solution needs to be Valve. Plus, it's not very easy to configure
> > > >>>> and I'm not even sure Windows IPsec is capable of that level of
> > > >>>> packet interception.
> > > >>>>
> > > >>>> Something on the lines of tony's plugin would be a much better
> > > >>>> solution,
> > > >>>> but you'll have to hound him about that
> > > >>>>
> > > >>>> - Neph
> > > >>>>
> > > >>>> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> > > >>>>
> > > >>>>> I don't think either you or Neph have released your plugins to
> > > >>>>> the public, so this solution works great for you guys. Maybe we can
> > > >>>>> have some info or direction from you so the general public can do
> > > >>>>> something about this?
> > > >>>>>
> > > >>>>> As long as they get away with this it's going to keep happening. If
> > > >>>>> a plugin was available to stop this, it is no longer "fun" or
> > > >>>>> productive to DoS servers anymore.
> > > >>>>>
> > > >>>>>
> > > >>>>
> > > >>>> _______________________________________________
> > > >>>> To unsubscribe, edit your list preferences, or view the list
> > > >>>> archives,
> > > >>>> please visit:
> > > >>>> http://list.valvesoftware.com/mailman/listinfo/hlds
> > > >>>>
> > > >>>>
> > > >>>
> > > >>
> > > >>
> > > >>
> > >
> > >
> > >
> >
> >
> >
> >
>
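The two Linux fixes in this thread are halves of one idea: Kaspars's test.c answers "TSource Engine Query" from a caching proxy that iptables REDIRECTs the queries to, and the hashlimit rule Kyle quotes caps how many such queries reach the server at all (note its --hashlimit-mode dstip,dstport: that is one budget per server port, not per attacker source). The code below is an added example and not test.c, not sudpipe, and not anything posted in the thread; it puts both halves in one Python daemon so the decision logic can be run and checked offline. It assumes the A2S_INFO query is exactly the 25-byte payload 0xFFFFFFFF 'T' "Source Engine Query\0" (20 bytes IPv4 + 8 UDP + 25 gives the 53-byte datagram the length rule matches, absent IP options), that the server's reply begins 0xFFFFFFFF 'I', and that the sample reply bytes, class names, port arguments and every rate number are constructed defaults of mine.

```python
"""A2S_INFO caching / rate-limiting UDP front-end (added example, not the thread's test.c).

Listens on a side port that iptables REDIRECTs "TSource Engine Query" datagrams
to (the thread uses 21015); all other traffic still reaches the game server
directly. The decision logic is kept free of sockets so it can be unit-tested.
"""
import socket
import sys
import time

A2S_HEADER = b"\xff\xff\xff\xff"
# 4-byte header + 'T' + "Source Engine Query\0" = 25 bytes of UDP payload.
# With a 20-byte IPv4 header and 8-byte UDP header that is the 53-byte
# datagram the "-m length --length 53" rule in the thread matches.
A2S_INFO_QUERY = A2S_HEADER + b"TSource Engine Query\x00"
A2S_INFO_REPLY = A2S_HEADER + b"I"          # S2A_INFO_SRC reply header

# Constructed sample reply for offline testing (not a real capture).
SAMPLE_INFO_REPLY = (A2S_INFO_REPLY + b"\x11" + b"Example Server\x00"
                     + b"cp_dustbowl\x00" + b"tf\x00" + b"Team Fortress\x00"
                     + (440).to_bytes(2, "little") + b"\x05\x18\x00dl\x00\x01")


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; one token per packet."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = self.burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class A2SInfoGuard:
    """Decides, per datagram, whether to drop it, answer from cache, or forward it."""

    def __init__(self, cache_ttl=5.0, per_src_rate=1.0, per_src_burst=5,
                 global_rate=15.0, global_burst=30, max_tracked=10000):
        self.cache_ttl = cache_ttl
        self.per_src_rate, self.per_src_burst = per_src_rate, per_src_burst
        self.max_tracked = max_tracked
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.sources = {}                   # source IP -> TokenBucket
        self.reply, self.reply_at = None, None

    def on_client(self, src_ip, payload, now):
        """Return ("drop", None), ("reply", bytes) or ("forward", bytes)."""
        if payload != A2S_INFO_QUERY:       # only queries are redirected here
            return ("drop", None)
        bucket = self.sources.get(src_ip)
        if bucket is None:
            if len(self.sources) >= self.max_tracked:
                self.sources.clear()        # crude memory bound under a flood
            bucket = self.sources[src_ip] = TokenBucket(self.per_src_rate, self.per_src_burst)
        # Per-source limit first, then the global cap. Spoofed sources each get a
        # fresh bucket, so only the global cap bounds what this box will emit.
        if not bucket.allow(now) or not self.global_bucket.allow(now):
            return ("drop", None)
        if self.reply is not None and now - self.reply_at < self.cache_ttl:
            return ("reply", self.reply)
        return ("forward", payload)         # cache miss: ask the real server

    def on_server(self, payload, now):
        """Cache an A2S_INFO reply from the game server and pass it through."""
        if payload.startswith(A2S_INFO_REPLY):
            self.reply, self.reply_at = payload, now
        return payload


def serve(listen_port, server_ip, server_port, guard=None):
    """Blocking proxy loop; cache misses are forwarded synchronously."""
    guard = guard or A2SInfoGuard()
    public = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    public.bind(("0.0.0.0", listen_port))
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.connect((server_ip, server_port))
    upstream.settimeout(0.2)
    while True:
        data, client = public.recvfrom(2048)
        action, payload = guard.on_client(client[0], data, time.monotonic())
        if action == "reply":
            public.sendto(payload, client)
        elif action == "forward":
            upstream.send(payload)
            try:
                answer = upstream.recv(2048)
            except socket.timeout:
                continue                    # server busy; the client may retry
            public.sendto(guard.on_server(answer, time.monotonic()), client)


if __name__ == "__main__":
    # Same argument order as the thread's ./test: <proxy port> <server ip> <server port>
    serve(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

Run it behind the REDIRECT rule from the thread, e.g. `python3 a2s_guard.py 21015 YOUR_EXTERNAL_TF2_SERVER_IP 27015` (file name assumed); because REDIRECT is a NAT, conntrack rewrites the proxy's replies so the client sees them arrive from the game port. What the guard cannot do is tell a spoofed source from a real one: in a flood with random source addresses every packet gets a fresh per-source bucket, so only the global cap limits the outbound replies, and you should size it the way the hashlimit rule sizes its 15/sec, burst 30, by what the link and the server can absorb. Without a REDIRECT equivalent (the Windows case the first message raises) the same logic would have to front the whole server port and relay non-query traffic in both directions, which this example deliberately does not attempt.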
