Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-30-2012, 12:13 PM   #1
Darchi
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Rep: Reputation: Disabled

I decided to set up a game server a while back. It grew and we started renting a larger one. It is Debian 6.0 multiarch running on XenServer 6.0. Our server was used in a UDP flood attack.

Our Host contacted us and showed us the nastygram we received.

I am an administrator from ******** Hosting, and I am writing to report an attack incident that appears to have originated from an IP address belonging to your network. During the time frame listed below, one of our hosts, *********, received a sharp spike in UDP traffic over a variety of ports, which flooded our bandwidth links for a segment of our customer hosting servers. While there were multiple sources of the traffic, an IP from your network, ********, was one of the main contributors to the flood. Using a sample of all traffic recorded on the server between 16:31 and 16:35 UTC, we counted a large number of UDP packets directed at *********. It appears that the traffic is likely spoofed gameserver traffic. Please review your network and take all actions to prevent these attacks from continuing in the future. We appreciate your cooperation in resolving this issue.

So I was under the impression that ports were only active when they were being listened to by a service. There is not very much installed on the server: 2 game servers and a web console. We didn't have any problems before, as the server has been up for a few months. I did install Call of Duty 2 on it recently. Since the email references that the traffic was spoofed game traffic, I guess it probably is this. So my question is, how can I check which traffic it was? Should I just disable the game server that caused this? Are there any countermeasures I can set up to prevent this?

Just to point out that I started this as a hobby and I am a total noob at Linux. I did consider buying a server 2k3 x64 key and reinstalling but I won't learn anything by reverting to windows.

Last edited by unSpawn; 03-30-2012 at 01:39 PM. Reason: //Merged posts to retain 0-reply status
 
Old 03-30-2012, 03:13 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Darchi View Post
Our server was used in a UDP Flood attack.
We've seen more of those threads recently.


Quote:
Originally Posted by Darchi View Post
I was under the impression that Ports were only active when they were being listened to by a service.
They're talking outbound traffic from your server to their ports.


Quote:
Originally Posted by Darchi View Post
So my question is, how can I check which traffic it was?
You could capture traffic:
Code:
tcpdump -C 50 -W 3 -p -n -nn -s 0 -i eth -w /path/to/eth.pcap
where "eth" is your 'net-facing Ethernet device name (like "eth0") and "/path/to/eth.pcap" is the path and file name on a partition with enough space to support storing 3 packet captures of 50 megs each. Once you have got these packet captures feel free to send me an email so we can discuss where I can download the files for analysis. (See this post for what analysis might look like and this post for the rule set we came up with in his case.)


Quote:
Originally Posted by Darchi View Post
Are there any countermeasures I can set up to prevent this?
Ensure your server and services (whatever you provide next to the games) are properly hardened. Ensure the game admin console is only accessible by authorized admins. Ensure the game has seen all vendor patches and doesn't enable plugins, extensions, mods or whatever else is vulnerable to in-game trickery. Finally, you could run iptables with rate limiting and logging rules. For a rate-limiting example see this post.
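The rate-limiting post unSpawn links to is not reproduced on this page, so here is an added example of the kind of "rate limiting and logging" rule set he describes. It is not the thread's own code or the linked post's rules. Everything in it is an assumption to tune for your own box: the outside interface is eth0, the game servers send from UDP source ports 28960 and 27015, and 200 packets per second to any single destination IP is treated as the ceiling above which outbound traffic gets logged (with the log itself throttled so it cannot fill the disk) and dropped. Setting `IPT="echo iptables"` prints the rules instead of applying them, which is the way to review them before running as root.

```shell
#!/bin/sh
# Outbound UDP flood brake for a game server (added example, not from the thread).
# Assumed placeholders: interface, game ports and per-destination ceiling.
WAN_IF=${WAN_IF:-eth0}
GAME_PORTS=${GAME_PORTS:-28960,27015}   # UDP source ports the game servers answer from
PER_DST_LIMIT=${PER_DST_LIMIT:-200/sec} # per destination IP, above this we log + drop
PER_DST_BURST=${PER_DST_BURST:-400}

# Indirection so IPT="echo iptables" gives a dry run of the rule set.
ipt() { ${IPT:-iptables} "$@"; }

apply_udp_limits() {
    # Target chain: log at most 10 lines/minute (LOG is itself rate-limited), then drop.
    ipt -N UDP_OUT_DROP 2>/dev/null || ipt -F UDP_OUT_DROP
    ipt -A UDP_OUT_DROP -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "UDP_OUT_FLOOD: " --log-level 4
    ipt -A UDP_OUT_DROP -j DROP

    # One hashlimit bucket per destination IP: normal clients never exceed the
    # ceiling, a single host being flooded does, and only that traffic is cut.
    ipt -A OUTPUT -o "$WAN_IF" -p udp -m multiport --sports "$GAME_PORTS" \
        -m hashlimit --hashlimit-name udp_out --hashlimit-mode dstip \
        --hashlimit-above "$PER_DST_LIMIT" --hashlimit-burst "$PER_DST_BURST" \
        -j UDP_OUT_DROP
}

# Dry run:   IPT="echo iptables" sh thisfile.sh
# For real:  sh thisfile.sh   (as root), then watch: grep UDP_OUT_FLOOD /var/log/kern.log
apply_udp_limits
```

The log prefix is what turns the brake into a detector: a steady stream of `UDP_OUT_FLOOD` lines naming one destination tells you the problem is still there, which is exactly the point Noway2 raises later in the thread about rate limiting hiding the cause. Debian 6 uses the legacy iptables userland, so `iptables-save` the result once it behaves.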
 
Old 03-31-2012, 05:54 AM   #3
Darchi
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi Unspawn, thanks for the reply. The attack had stopped already but I will start collecting a dump once I bring the server online in case it happens again in the near future. In the mean time I will start going over the rate limiting post that you supplied. Thanks again.
 
Old 04-05-2012, 03:32 PM   #4
Darchi
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi Unspawn, I configured a firewall on the debian server and followed the instructions in the rate limiting guide you linked to. I have the server running online again for a week now. My host has contacted me and says that everything seems fine on their end. You can consider this issue resolved. Thank you for your assistance.
 
Old 04-05-2012, 06:31 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Rate limiting may be masking the symptoms of a problem. Have you identified the cause, i.e. the process responsible, or captured any traffic? Between words, are you sure that it has stopped and is not just being slowed down?
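Two questions in this thread stay unanswered on the page: Darchi's "how can I check which traffic it was?" (unSpawn's tcpdump capture) and Noway2's "have you identified the process responsible?". The script below is an added example of answering both from the command line; it is not code from the thread. Because it has to run offline, it embeds constructed `tcpdump -nn -tt` and `ss -uapn` output (RFC 5737 documentation addresses, made-up process names and PIDs, and a fictitious flood from source port 28960); on a real box you would pipe `tcpdump -nn -tt -r /path/to/eth.pcap udp` and `ss -uapn` into the same functions.

```shell
#!/bin/sh
# Triage of an outbound UDP flood from a pcap and a socket listing (added example).
# All sample data below is constructed so the script runs without root or a capture.

# Constructed `tcpdump -nn -tt udp` text: local 192.0.2.10, source port 28960 hammers
# 198.51.100.7 across many destination ports while a little normal traffic goes on.
SAMPLE_DUMP='1333125060.000000 IP 192.0.2.10.28960 > 198.51.100.7.53: UDP, length 1400
1333125060.005000 IP 192.0.2.10.28960 > 198.51.100.7.80: UDP, length 1400
1333125060.010000 IP 192.0.2.10.27015 > 203.0.113.9.51523: UDP, length 96
1333125060.015000 IP 192.0.2.10.28960 > 198.51.100.7.123: UDP, length 1400
1333125060.020000 IP 192.0.2.10.28960 > 198.51.100.7.443: UDP, length 1400
1333125060.025000 IP 192.0.2.10.28960 > 203.0.113.5.28960: UDP, length 64
1333125060.030000 IP 192.0.2.10.28960 > 198.51.100.7.3074: UDP, length 1400
1333125060.040000 IP 192.0.2.10.28960 > 198.51.100.7.27015: UDP, length 1400'

# Constructed `ss -uapn` output (modern iproute2 column layout; names/PIDs invented).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:28960      0.0.0.0:*         users:(("cod2_lnxded",pid=2201,fd=5))
UNCONN 0      0      0.0.0.0:27015      0.0.0.0:*         users:(("srcds_linux",pid=1877,fd=9))'

# Per (local source port -> destination IP): packet count and packets/second over
# the capture window. Reads tcpdump text lines on stdin; busiest pair first.
udp_talkers() {
    awk '
    $6 != "UDP," { next }                       # keep only UDP datagram lines
    {
        ts = $1 + 0
        if (first == "" || ts < first) first = ts
        if (ts > last) last = ts
        n = split($3, s, "."); sport = s[n]      # 192.0.2.10.28960 -> 28960
        dst = $5; sub(/:$/, "", dst)
        split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]
        count[sport " " dip]++
    }
    END {
        window = last - first
        if (window <= 0) window = 1
        for (k in count) printf "%s %d %.1f\n", k, count[k], count[k] / window
    }' | sort -k3,3nr
}

# Only pairs whose rate exceeds the packets/second threshold given as $1.
flood_candidates() {
    udp_talkers | awk -v t="$1" '$4 > t'
}

# Map a local UDP port to its owning process name from `ss -uapn` text on stdin.
owner_of_port() {
    awk -v p=":$1" '
        index($4, p) > 0 && index($4, p) == length($4) - length(p) + 1 &&
        match($0, /\(\("[^"]+"/) { print substr($0, RSTART + 3, RLENGTH - 4) }'
}

# Whole triage over the constructed samples; threshold defaults to 100 pps.
analyze_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | flood_candidates "${1:-100}"
}

# Real use:
#   tcpdump -nn -tt -r /path/to/eth.pcap udp | flood_candidates 500
#   ss -uapn | owner_of_port 28960
analyze_sample 100 | while read -r sport dip pkts pps; do
    echo "source port $sport -> $dip: $pkts packets, $pps pps," \
         "owned by: $(printf '%s\n' "$SAMPLE_SS" | owner_of_port "$sport")"
done
```

Reading the output top-down gives you the answer Noway2 is after: the source port with the abnormal per-destination rate names the game server binary, which is the thing to patch, reconfigure or shut down, rather than just throttle. Packet sizes (the `length` field) are worth a second look too; amplification-style floods tend to show large, uniform datagrams to one victim while legitimate game updates are small and varied.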
 