LinuxQuestions.org

Linux - Security: Filter UDP flood using iptables (http://www.linuxquestions.org/questions/linux-security-4/filter-udp-flood-using-iptables-592759/)

LandRover 10-18-2007 10:00 AM

Filter UDP flood using iptables
 
Hey,
As you probably know, most game servers use the UDP protocol for connecting clients.

Recently I've come across UDP floods on my GTA SA:MP server which choke it to death.
The attacks are usually on the game port itself, 7777/UDP, which is allowed in the firewall in order to allow clients to connect. Some sort of DDoS.

A typical attack looks like this in the logs:
Code:

Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5378 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5379 PROTO=UDP SPT=3633 DPT=7777 LEN=8
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5380 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5381 PROTO=UDP SPT=3633 DPT=7777 LEN=8
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5382 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5383 PROTO=UDP SPT=3633 DPT=7777 LEN=8

and a typical log of regular folks playing:
Code:

Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.70.86.59 DST=XXX.***.XXX.*** LEN=71 TOS=0x00 PREC=0x00 TTL=123 ID=7905 PROTO=UDP SPT=1042 DPT=7777 LEN=51
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.228.95.213 DST=XXX.***.XXX.*** LEN=113 TOS=0x00 PREC=0x00 TTL=125 ID=45218 PROTO=UDP SPT=1271 DPT=7777 LEN=93
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.1.179.182 DST=XXX.***.XXX.*** LEN=83 TOS=0x00 PREC=0x00 TTL=121 ID=23001 PROTO=UDP SPT=3786 DPT=7777 LEN=63
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.132.164.205 DST=XXX.***.XXX.*** LEN=90 TOS=0x00 PREC=0x00 TTL=122 ID=33570 PROTO=UDP SPT=3860 DPT=7777 LEN=70
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.228.1.224 DST=XXX.***.XXX.*** LEN=89 TOS=0x00 PREC=0x00 TTL=125 ID=36458 PROTO=UDP SPT=4846 DPT=7777 LEN=69
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.70.96.6 DST=XXX.***.XXX.*** LEN=83 TOS=0x00 PREC=0x00 TTL=122 ID=24530 PROTO=UDP SPT=1309 DPT=7777 LEN=63
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.110.112.54 DST=XXX.***.XXX.*** LEN=107 TOS=0x00 PREC=0x00 TTL=123 ID=57291 PROTO=UDP SPT=2307 DPT=7777 LEN=87

I'm trying to create an iptables rule to tell the flooders and the regular players apart, without any luck.
The packets in the flood are small and fast but the game's packets are larger; I just can't make the correct rule.

I've tried to limit iptables using this:
Code:

$IPTABLES -N SAMP
$IPTABLES -A SAMP -m limit --limit 1/s --limit-burst 2 -j DROP
$IPTABLES -A SAMP -j LOG --log-prefix "IPTABLES TOTAL LOG: "
$IPTABLES -A SAMP -j ACCEPT

This didn't work either, among other tries; I hope someone has a clue how to find the difference between regular packets and flood packets.

Any help/ideas are welcome!

Regards,
Oleg G.

win32sux 10-18-2007 05:18 PM

Quote:

Originally Posted by LandRover (Post 2928518)
The packets in the flood are small and fast but the game's packets are larger; I just can't make the correct rule.

Maybe use the length module?
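Following the length-module suggestion, here is an added example (not code from either poster) of a SAMP chain that treats small datagrams to 7777/UDP differently from full-size game traffic, plus a helper that applies the same length test to kernel log lines like the ones above. The 64-byte threshold, the per-source hashlimit rate and the INPUT wiring are assumptions drawn from the LEN values in the two logs (flood 28/46 bytes, players 71-113 bytes), not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Length-based filtering for an
# SA:MP server on 7777/UDP. "-m length" matches the total IP length,
# which is the first LEN= field in the kernel log lines.
IPTABLES=${IPTABLES:-/sbin/iptables}
GAME_PORT=7777
# Assumed threshold: flood datagrams in the thread are 28/46 bytes,
# legitimate game datagrams 71-113 bytes. Tune from your own logs.
MAX_FLOOD_LEN=64

# Dry run by default: print each command. Set RUN=1 to really apply.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

samp_rules() {
  run "$IPTABLES" -N SAMP
  # Small datagrams: allow a per-source trickle (keepalives, handshakes)
  # so genuine players are not cut off; the limit sits on ACCEPT.
  run "$IPTABLES" -A SAMP -m length --length 0:"$MAX_FLOOD_LEN" \
      -m hashlimit --hashlimit-name samp_small --hashlimit-mode srcip \
      --hashlimit-upto 5/s --hashlimit-burst 10 -j ACCEPT
  # Anything small beyond that budget is flood: log a sample, then drop.
  run "$IPTABLES" -A SAMP -m length --length 0:"$MAX_FLOOD_LEN" \
      -m limit --limit 1/s -j LOG --log-prefix "IPTABLES SAMP FLOOD: "
  run "$IPTABLES" -A SAMP -m length --length 0:"$MAX_FLOOD_LEN" -j DROP
  # Full-size game traffic passes untouched.
  run "$IPTABLES" -A SAMP -j ACCEPT
  run "$IPTABLES" -A INPUT -p udp --dport "$GAME_PORT" -j SAMP
}

# Apply the same length test to one kernel log line; prints drop/accept.
classify_log_line() {
  len=$(printf '%s\n' "$1" | sed -n 's/.* LEN=\([0-9]*\) TOS=.*/\1/p')
  [ -n "$len" ] || { echo unknown; return 1; }
  if [ "$len" -le "$MAX_FLOOD_LEN" ]; then echo drop; else echo accept; fi
}

samp_rules
```

Note that the attempt quoted earlier pairs `-m limit` with DROP, which drops only the packets inside the 1/s budget and accepts everything after it; the rate match belongs on the ACCEPT rule with DROP as the fall-through, as above. A per-source hashlimit only helps against floods from real addresses, so keep the plain length DROP as the backstop for spoofed sources.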

