LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-18-2007, 11:00 AM   #1
LandRover
LQ Newbie
 
Registered: Jul 2007
Posts: 9

Rep: Reputation: 0
Filter UDP flood using iptables


Hey,
As you probably know most of the game servers using UDP protocol for connecting clients.

Recently I've came across udp floods on my GTA SA:MP server which choke it to death.
The attacks usually on the game port it self 7777/UDP which is allowed in the firewall inorder to allow clients to connect. some sort of DDoS

A typical attack looks like this in the logs:
Code:
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5378 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5379 PROTO=UDP SPT=3633 DPT=7777 LEN=8
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5380 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5381 PROTO=UDP SPT=3633 DPT=7777 LEN=8
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=5382 PROTO=UDP SPT=3633 DPT=7777 LEN=26
Oct 18 13:23:25 beta kernel: IPTABLES TOTAL LOG: IN=eth0 OUT= MAC=00:16:3e:05:e4:fc:00:0c:ce:da:84:8a:08:00 SRC=***.XXX.***.XXX DST=XXX.***.XXX.*** LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=5383 PROTO=UDP SPT=3633 DPT=7777 LEN=8
and a typical log of a regular flocks playing:
Code:
aOct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.70.86.59 DST=XXX.***.XXX.*** LEN=71 TOS=0x00 PREC=0x00 TTL=123 ID=7905 PRO
TO=UDP SPT=1042 DPT=7777 LEN=51
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.228.95.213 DST=XXX.***.XXX.*** LEN=113 TOS=0x00 PREC=0x00 TTL=125 ID=45218
 PROTO=UDP SPT=1271 DPT=7777 LEN=93
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.1.179.182 DST=XXX.***.XXX.*** LEN=83 TOS=0x00 PREC=0x00 TTL=121 ID=23001 P
ROTO=UDP SPT=3786 DPT=7777 LEN=63
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.132.164.205 DST=XXX.***.XXX.*** LEN=90 TOS=0x00 PREC=0x00 TTL=122 ID=3357
0 PROTO=UDP SPT=3860 DPT=7777 LEN=70
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.228.1.224 DST=XXX.***.XXX.*** LEN=89 TOS=0x00 PREC=0x00 TTL=125 ID=36458 P
ROTO=UDP SPT=4846 DPT=7777 LEN=69
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.70.96.6 DST=XXX.***.XXX.*** LEN=83 TOS=0x00 PREC=0x00 TTL=122 ID=24530 PRO
TO=UDP SPT=1309 DPT=7777 LEN=63
Oct 18 12:46:23 igvg2 kernel: IPTABLES SAMP: IN=eth0 OUT= MAC=00:10:6f:02:1c:70:00:0c:ce:f6:d6:80:08:00 SRC=XXX.110.112.54 DST=XXX.***.XXX.*** LEN=107 TOS=0x00 PREC=0x00 TTL=123 ID=57291
 PROTO=UDP SPT=2307 DPT=7777 LEN=87
I'm trying to create an iptables rule to divide the flooders and the regular players without any luck.
The packets on the flood are small and fast but the game's packets are larger I just cant to make the correct rule.

I've tried to limit iptables using this:
Code:
$IPTABLES -N SAMP
$IPTABLES -A SNMP -m limit --limit 1/s --limit-burst 2 -j DROP
$IPTABLES -A SAMP -j LOG --log-prefix "IPTABLES TOTAL LOG: "
$IPTABLES -A SAMP -j ACCEPT
This didn't work either among other tries, hope anyone got a clue how to find the difference between regular packets and flood packets.

Any help/ideas are welcome!

Regards,
Oleg G.

Last edited by LandRover; 08-30-2008 at 11:43 AM.
 
Old 10-18-2007, 06:18 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by LandRover View Post
The packets on the flood are small and fast but the game's packets are larger I just cant to make the correct rule.
Maybe use the length module?
 
  


Reply

Tags
attack, ddos, iptables, udp


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables v1.3.8: can't initialize iptables table `filter' sebastien.lorandel Linux - Networking 11 09-22-2007 07:34 AM
Stopping UDP Packtet Flood on Port: 28960 murder Linux - Security 6 09-19-2005 10:42 PM
How To Stop a UDP Packet Flood ! murder Linux - Newbie 2 09-19-2005 11:14 AM
Stoping UDP Packtet Flood on Port: 28960 murder Linux - Networking 1 09-19-2005 09:43 AM
iptables FLOOD FLAGS and INVALID chains - need another module? MadCactus Linux - Security 3 11-19-2003 09:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration