zombiebob, on 05 March 2012 - 07:02 PM, said:
The current iptables I use without problems is this (please test on your own server, as it may be different for you):
Note: I only use this for COD2, so you may need to change the port range "--dport 28000:29000".
iptables -I INPUT 1 -i eth1 -p udp -m udp --dport 28000:29000 -m string --algo bm --string "getstatus" -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 2 -i eth1 -p udp -m udp --dport 28000:29000 -m string --algo bm --string "getstatus" -j DROP
iptables -I INPUT 3 -i eth1 -p udp -m udp --dport 28000:29000 -m string --algo bm --string "getinfo" -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 4 -i eth1 -p udp -m udp --dport 28000:29000 -m string --algo bm --string "getinfo" -j DROP
I too got a notification today from a victim of the attack. Looking closely at their logs, I see they only receive a max of 3 packets every few seconds from me, so I believe the patch is still working (as by nature it has to respond to the first few packets before it determines a possible DDOS). Like I said before, a more advanced patch that added the source IP to a blacklist after it was blocked would mean that we only send 3-4 packets at first, then completely block responses AFTER we determine a possible DDOS. This way our servers are never constantly responding to the same IP all the time with even just low amounts of packets, and a whitelist to prevent bots from being blacklisted.
This is the log I received today:
Quote
============================================
2012-03-05 10:56:48.908447 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1007
2012-03-05 10:56:48.908795 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1007
2012-03-05 10:56:48.908997 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1007
2012-03-05 10:56:51.350766 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:51.351065 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:51.351517 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:53.793022 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:53.793300 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:53.793756 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:56.235553 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:56.235874 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:56.236115 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:58.676985 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:58.677281 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:56:58.677709 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:01.119265 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:01.119440 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:01.119816 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:03.560484 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:03.560827 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:03.561103 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 1006
2012-03-05 10:57:06.001469 IP 83.142.230.13.27960 > 50.23.212.166.8396: UDP, length 994
This post has been edited by Nitro: 05 March 2012 - 10:54 PM
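
A small model of the blacklist-plus-whitelist idea proposed in the post above, added here as an example; it is not code from the thread or a patch for the game server. The per-source bucket, the 60-second hold time and the documentation-range addresses are assumptions; the posted rules use "-m limit", which keeps one shared bucket per rule rather than one per source.

```python
class QueryGuard:
    """Per-source token bucket (5/s, burst 10) with an optional blacklist and whitelist."""
    COST = 1000  # credit units consumed by one answered query

    def __init__(self, rate=5, burst=10, hold_ms=60_000, whitelist=()):
        self.rate = rate                 # credit units regained per millisecond
        self.cap = burst * self.COST     # a full bucket answers `burst` queries
        self.hold_ms = hold_ms           # assumed block duration after a drop
        self.whitelist = set(whitelist)  # e.g. server-list bots that poll often
        self.credit = {}                 # src -> (credit, last_seen_ms)
        self.blocked_until = {}          # src -> expiry time in ms

    def accept(self, src, now_ms, blacklist=True):
        """Return True if a getstatus/getinfo query claiming `src` gets a reply."""
        if src in self.whitelist:
            return True
        if blacklist and self.blocked_until.get(src, 0) > now_ms:
            # Still being flooded: stay silent and extend the block.
            self.blocked_until[src] = now_ms + self.hold_ms
            return False
        credit, last = self.credit.get(src, (self.cap, now_ms))
        credit = min(self.cap, credit + (now_ms - last) * self.rate)
        ok = credit >= self.COST
        self.credit[src] = (credit - self.COST if ok else credit, now_ms)
        if not ok and blacklist:
            # First drop marks the source as a likely spoofed victim.
            self.blocked_until[src] = now_ms + self.hold_ms
        return ok


def replies_sent(guard, src, blacklist, pps=100, seconds=10):
    """Count replies sent toward `src` during a constructed steady query stream."""
    step = 1000 // pps
    return sum(guard.accept(src, t, blacklist) for t in range(0, seconds * 1000, step))


if __name__ == "__main__":
    victim, bot = "198.51.100.7", "192.0.2.10"  # constructed sample addresses
    print("rate limit only :", replies_sent(QueryGuard(), victim, blacklist=False))
    print("with blacklist  :", replies_sent(QueryGuard(), victim, blacklist=True))
    print("whitelisted bot :", replies_sent(QueryGuard(whitelist={bot}), bot, blacklist=True))
```

With the rate limit alone the claimed source keeps receiving about 5 replies per second for as long as the queries continue; with the blacklist it receives the initial burst and then nothing until the hold time passes without further queries.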