LinuxQuestions.org

Forum: Linux - Server. Thread: IPTABLES to block sync flood over udp port (https://www.linuxquestions.org/questions/linux-server-73/iptables-to-block-sync-flood-over-udp-port-4175420549/)

farenheitcx 08-05-2012 09:11 PM

IPTABLES to block sync flood over udp port

I'm the victim of a sync flood attack over a UDP port, coming from a lot of different IPs. The machine, a dedicated server, is an HLDS game server, and the attacker overloads the UDP ports, which causes big trouble in-game, with packet loss and high ping for every user in the game.

The server runs Linux with iptables enabled, and for now has some rules to stop this attack, but nothing has happened, unluckily for me.

TCPDUMP LOG (not all):

22:04:48.662622 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662627 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662630 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662639 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662647 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662650 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5
22:04:48.662659 IP pool-96-238-164-34.rcmdva.east.verizon.net.http > MyIP.27018: UDP, length 5

22:04:50.740788 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740795 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740802 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740808 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740815 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740821 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740828 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740835 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740842 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740848 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740855 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740862 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5
22:04:50.740868 IP c-76-111-159-207.hsd1.md.comcast.net.25565 > MyIP.27015: UDP, length 5

IPTABLES:

# The length match compares the total IPv4 length (20-byte IP header + 8-byte UDP header + 5-byte payload = 33),
# not the UDP payload length that tcpdump prints, so "--length 5" never matches; 33 is the value that does.
iptables -A INPUT -p udp -m length --length 33 -j DROP
# A single port range does not need multiport; plain --dport accepts "low:high".
iptables -A INPUT -p udp --dport 20000:60000 -m state --state NEW -m recent --set --name HLDSFLOOD
iptables -A INPUT -p udp --dport 20000:60000 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 --name HLDSFLOOD -j DROP

Thanks in advance. Let me know if you need more info to solve this kind of attack.
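The two signals the rules above key on, a 5-byte UDP payload and a per-source packet rate within a one-second window, can be checked offline against a tcpdump capture before any rule is loaded. The script below is an added example written for this thread, not code from the original post or from the HLDS project: it parses lines in the same format as the capture above (the sample data is constructed, and the hostnames are placeholders, not the addresses in the real capture), buckets packets per source and second on the guarded 20000-60000 range, reports which sources would reach a given hitcount, and computes the layer-3 length that iptables' length match actually sees for a 5-byte payload (33 bytes for IPv4 without options), which is why a rule written as `--length 5` matches nothing. The 10-packets-per-second default mirrors the posted rule; game clients normally send far more than that, so the threshold should be validated against a capture of legitimate play before it is deployed.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the tcpdump output above; the
# hostnames are placeholders, not the addresses from the real capture.
SAMPLE_CAPTURE = """\
22:04:48.662622 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662627 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662630 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662639 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662647 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662650 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662659 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662670 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662680 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662690 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:48.662700 IP host-a.example.net.http > MyIP.27018: UDP, length 5
22:04:49.100000 IP player-b.example.net.27005 > MyIP.27015: UDP, length 48
22:04:49.150000 IP player-b.example.net.27005 > MyIP.27015: UDP, length 52
22:04:50.740788 IP host-c.example.net.25565 > MyIP.27015: UDP, length 5
"""

# One tcpdump UDP summary line: "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N".
# The source host itself contains dots, so the port is the last dotted component.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<usec>\d{6}) IP "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

IPV4_HEADER_LEN = 20  # IPv4 header without options
UDP_HEADER_LEN = 8


def parse_capture(text):
    """Turn tcpdump lines into records; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        records.append({
            "second": m["ts"],                 # one-second bucket, like --seconds 1
            "src": m["src"],
            "dport": int(m["dport"]),
            "payload_len": int(m["length"]),   # tcpdump prints the UDP payload length
        })
    return records


def layer3_length(udp_payload_len):
    """Length that iptables' length match compares against: the IPv4 total length,
    i.e. IP header + UDP header + payload, not the payload length tcpdump shows."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + udp_payload_len


def packets_per_second(records, dport_range=(20000, 60000)):
    """Packets per (source host, one-second bucket) on the guarded port range."""
    lo, hi = dport_range
    counts = defaultdict(int)
    for r in records:
        if lo <= r["dport"] <= hi:
            counts[(r["src"], r["second"])] += 1
    return dict(counts)


def flooding_sources(records, hitcount=10, dport_range=(20000, 60000)):
    """Sources that reach the rule's --hitcount within any one-second bucket,
    i.e. the sources the 'recent' rule above would start dropping."""
    counts = packets_per_second(records, dport_range)
    return sorted({src for (src, _sec), n in counts.items() if n >= hitcount})


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("parsed", len(recs), "packets")
    print("'-m length --length 5' looks for 5-byte IPv4 packets; a 5-byte UDP payload"
          " travels in a", layer3_length(5), "byte packet")
    for (src, sec), n in sorted(packets_per_second(recs).items()):
        print(f"{sec} {src}: {n} packet(s)")
    print("sources over the 10 packets/second threshold:", flooding_sources(recs))
```

Run it against a real capture by piping `tcpdump -n udp` output into `parse_capture`; lines that are not UDP summaries are ignored, and lowering `hitcount` shows how many legitimate players a tighter rule would catch.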

kbp 08-06-2012 06:59 AM

That rule sounds a little CPU-intensive... maybe increase --seconds to 60; also make sure your HLDS is up to date.
