Urban Terror Forums: DRDoS - Urban Terror Forums

DRDoS

Server used as reflector for DRDoS

#51 ItsMe (Account: itsme, Main tag: bc`, Joined: 28-February 10, Posts: 76)

Posted 30 December 2011 - 01:36 PM

nitro, on 28 December 2011 - 10:43 PM, said:

iptables -I INPUT 1 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -m limit --limit 3/s --limit-burst 10 -j ACCEPT;
iptables -I INPUT 2 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -j DROP;
iptables -I INPUT 3 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -m limit --limit 3/s --limit-burst 10 -j ACCEPT;
iptables -I INPUT 4 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -j DROP;

I think these settings will be too rigorous, because the setting to _under_ 3/sec will cause the server to disappear from the master server list and from the Gametracker/qstat lists.

#52 Nitro, QA member (Account: nitro, Main tag: |P|, Joined: 15-March 10, Posts: 1,133)

Posted 30 December 2011 - 09:36 PM

ItsMe, on 30 December 2011 - 01:36 PM, said:

I think these settings will be too rigorous, because the setting to _under_ 3/sec will cause the server to disappear from the master server list and from the Gametracker/qstat lists.

No it doesn't, because prior to setting these rules I explicitly set the firewall to allow master servers + Gametracker IPs through without the need to pass through the next set of rules; the same goes for B3bot and/or admin tools that require status updates and can be trusted. A white-list, so to speak.

Second, I tested the settings above without the need of the IP whitelist and they worked fine for the in-game server list (unless you spam the "get new list" option); it worked perfectly fine.

In fact I am going to be running a test tonight with 2 per sec and 5 burst :)

This post has been edited by nitro: 30 December 2011 - 09:36 PM

Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#53 ItsMe (Account: itsme, Main tag: bc`, Joined: 28-February 10, Posts: 76)

Posted 01 January 2012 - 11:48 AM

nitro, on 30 December 2011 - 09:36 PM, said:

No it doesn't, because prior to setting these rules I explicitly set the firewall to allow master servers + Gametracker IPs through without the need to pass through the next set of rules; the same goes for B3bot and/or admin tools that require status updates and can be trusted. A white-list, so to speak.

That you should have written in your first posting, because less experienced users will take your settings and their servers will disappear from the server list.

Quote

Second, I tested the settings above without the need of the IP whitelist and they worked fine for the in-game server list (unless you spam the "get new list" option); it worked perfectly fine.

TBH, I doubt that those settings will work without heavy problems between the server and the server browser. But when it is working well for you - OK :)

I did/do the iptables stuff too, but my next thought is that this is tinkering with the symptoms. After a quick search I found out that the problem has been solved by the ioQuake team for more than 1 year:

Quote

Re: drDOS udp getstatus flood
by Cyrax » Tue Dec 27, 2011 12:48 pm

IIRC it was fixed in r1762 (4th-Jan-2010)

Link:
http://www.ioquake.o...lit=drdos#p4082 (drDOS udp getstatus flood)

As I mentioned earlier in this thread, fixing that issue is the job of the developers. How much effort is it to just compile the sources from trunk, adapt them to work with UrT, upload them and put a notice on urbanterror.info? 1 hour? 2 hours? But it seems more important to show some renderings of the upcoming game to jolly the community along than to fix serious problems.

Maybe the work on HD is so much that all resources are bound to the development of the new game?
Maybe the approach is: we do it in our free time and it does not cost anything, and we have not the time and/or are not in the mood to fix problems on the current release - you're free to use it, or not?

#54 Nitro, QA member (Account: nitro, Main tag: |P|, Joined: 15-March 10, Posts: 1,133)

Posted 01 January 2012 - 02:31 PM

@itsme

The server code has already been patched by both wizardofgore and rambetter; updating your server binary to the ones provided, or compiling your own from ram's source, will solve the problem.

I am merely continuing to help with the iptables because right now this is the only way to prevent other games such as CoD2 from being attacked, as it is no longer supported by Activision. I host a Call of Duty 2 server so I need these rules to protect it. Also I have a UDP flood tool that spams hundreds of packets with getstatus so I can test that these rules work, which they do.

P.S.

This is what my iptables looks like now.

# White list Trusted IP addresses.
iptables -I INPUT 1 -i eth1 -p udp -s 127.0.0.1 --dport 27000:29000 -j ACCEPT			# Local host
iptables -I INPUT 2 -i eth1 -p udp -s 83.142.230.13 --dport 27000:29000 -j ACCEPT		# My servers IP
iptables -I INPUT 3 -i eth1 -p udp -s 91.121.24.62 --dport 27000:29000 -j ACCEPT		# fs1.urbanterror.info
iptables -I INPUT 4 -i eth1 -p udp -s 91.121.30.80 --dport 27000:29000 -j ACCEPT		# fs2.urbanterror.info
iptables -I INPUT 5 -i eth1 -p udp -s 192.246.40.56 --dport 27000:29000 -j ACCEPT		# monster.idsoftware.com

# Prevent DRDoS Exploit in Q3 based games.
iptables -I INPUT 6 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -m limit --limit 3/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 7 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -j DROP 
iptables -I INPUT 8 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -m limit --limit 3/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 9 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -j DROP

P.P.S. If you don't like the 3 packets per second rules then edit them yourself. It will take you 20 seconds max to change it.

This post has been edited by nitro: 01 January 2012 - 02:34 PM


#55 ItsMe (Account: itsme, Main tag: bc`, Joined: 28-February 10, Posts: 76)

Posted 01 January 2012 - 05:43 PM

nitro, on 01 January 2012 - 02:31 PM, said:

@itsme

The server code has already been patched by both wizardofgore and rambetter; updating your server binary to the ones provided, or compiling your own from ram's source, will solve the problem.

Don't get me wrong, I appreciate the work of rambetter and wizardofgore. But that's not the thing I want to point to. IIRC they are not in the FS dev team, or am I wrong? I find it sad that FS just trusts the community to fix such a (imho _major_) problem.

Quote

I am merely continuing to help with the iptables because right now this is the only way to prevent other games such as CoD2 from being attacked, as it is no longer supported by Activision. I host a Call of Duty 2 server so I need these rules to protect it. Also I have a UDP flood tool that spams hundreds of packets with getstatus so I can test that these rules work, which they do.

I just flushed my iptables and tried yours. Without some accept rule(s) the server will not be seen in the server browser nor on Gametracker.
Exactly what you did in your code snippet below - that's what I wanted to say... :)


# White list Trusted IP addresses.
iptables -I INPUT 1 -i eth1 -p udp -s 127.0.0.1 --dport 27000:29000 -j ACCEPT                   # Local host
iptables -I INPUT 2 -i eth1 -p udp -s 83.142.230.13 --dport 27000:29000 -j ACCEPT               # My servers IP
iptables -I INPUT 3 -i eth1 -p udp -s 91.121.24.62 --dport 27000:29000 -j ACCEPT                # fs1.urbanterror.info
iptables -I INPUT 4 -i eth1 -p udp -s 91.121.30.80 --dport 27000:29000 -j ACCEPT                # fs2.urbanterror.info
iptables -I INPUT 5 -i eth1 -p udp -s 192.246.40.56 --dport 27000:29000 -j ACCEPT               # monster.idsoftware.com



Quote

P.P.S. If you don't like the 3 packets per second rules then edit them yourself. It will take you 20 seconds max to change it.

It's not a matter of what I like; your first posted iptables rules just make the server disappear from the server list. That's all I wanted to say.

PS.
I didn't write this to be a bad ass; I appreciate your help with this problem very much and just wanted to contribute a small piece of experience.

LJBF :)


#56 Nitro, QA member (Account: nitro, Main tag: |P|, Joined: 15-March 10, Posts: 1,133)

Posted 01 January 2012 - 06:28 PM

ItsMe, on 01 January 2012 - 05:43 PM, said:

I just flushed my iptables and tried yours. Without some accept rule(s) the server will not be seen in the server browser nor on Gametracker.

Make sure you're applying these rules correctly to your iptables and that you have all the specified modules.



# White list Trusted IP addresses.
iptables -I INPUT 1 -i eth1 -p udp -s 127.0.0.1 --dport 27000:29000 -j ACCEPT		# Local host
iptables -I INPUT 2 -i eth1 -p udp -s 83.142.230.13 --dport 27000:29000 -j ACCEPT	# My servers IP
iptables -I INPUT 3 -i eth1 -p udp -s 91.121.24.62 --dport 27000:29000 -j ACCEPT	# fs1.urbanterror.info
iptables -I INPUT 4 -i eth1 -p udp -s 91.121.30.80 --dport 27000:29000 -j ACCEPT	# fs2.urbanterror.info
iptables -I INPUT 5 -i eth1 -p udp -s 192.246.40.56 --dport 27000:29000 -j ACCEPT	# monster.idsoftware.com
iptables -I INPUT 6 -i eth1 -p udp -s 69.10.30.248 --dport 27000:29000 -j ACCEPT	# master0.gamespy.com:28900

# Prevent DRDoS Exploit in Q3 based games.
iptables -I INPUT 7 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 8 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -j DROP 
iptables -I INPUT 9 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 10 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -j DROP

Make sure you are applying this to the correct interface (mine is eth1 - yours could be something else); secondly, make sure your iptables has the string and limit modules.

I have relaxed the limits to 5/s, which is still fine to prevent the attack but allows the first couple of packets through.

I have also added the GameSpy master server to the whitelist; Gametracker doesn't query servers directly, instead it queries the master server, so it's not needed in the whitelist.

If you are setting this up correctly your server should appear on the master server list regardless of what limits you apply, since you are explicitly giving access to your server via the whitelist, so the master servers are not getting filtered through the rest of the iptables.

P.S. I noticed one of your servers in your signature runs on port 47960; this is outside of the set rules above, which only cover ports 27000 through 29000. You can change this to 27000:49000 if need be, but it would be cleaner to run your servers like 27960, 27961, 27962.

This post has been edited by nitro: 01 January 2012 - 06:33 PM


#57 ItsMe (Account: itsme, Main tag: bc`, Joined: 28-February 10, Posts: 76)

Posted 01 January 2012 - 08:25 PM

@ nitro
You've completely got me wrong.

I replied to this post of yours: http://www.urbanterr...post__p__322482

And using _these_ settings alone will surely cause the server to disappear from the server list, and Gametracker will see the server as dead.
That I do not have to test - I _know_ that for sure. I've tested it because you replied that it works well for your server(s)...

Quote

P.S. I noticed one of your servers in your signature runs on port 47960; this is outside of the set rules above, which only cover ports 27000 through 29000.

Thanks for the hint - but I can read and interpret your snippet the right way.

Quote

you can change this to 27000:49000

Why the heck should I do this O.o

Quote

if need be, but it would be cleaner to run your servers like 27960, 27961, 27962.

It wouldn't be. You don't know anything about the policy behind it...

To say it clearly, I replied _not_ because it does not work for me; I replied to your post because the iptables rules in it prevent the server from getting listed in the server list.
First, this post http://www.urbanterr...post__p__322608, which includes the allow rules for the master server/localhost/$OTHERS, will solve that. That was one of the primary intents of my post.
The second one was that it still does not fix the problem; it's just a quick and dirty solution.

EOD

#58 Nitro, QA member (Account: nitro, Main tag: |P|, Joined: 15-March 10, Posts: 1,133)

Posted 02 January 2012 - 12:34 AM

@itsme I said to you already that the rules in post http://www.urbanterr...post__p__322482 work fine without causing issues with master servers; the whitelist addition was only to make it more efficient.

If you had trouble using them alone without the whitelist then you did something different. I also said you could relax the settings if you wanted to, so I don't understand why you're saying this doesn't work when it clearly works right now (look at my signature, Gametracker is tracking my server fine).

Also this isn't a dirty hack; it's probably better than running it directly on the game server, that way all connections are dropped at the one source rather than on separate servers. It also protects all games running on ports 27000 - 29000 that support Q3 getstatus queries. What's even better is that those who have dedicated firewalls can run these rules so that the connection never reaches the server and wastes bandwidth.

#59 ItsMe (Account: itsme, Main tag: bc`, Joined: 28-February 10, Posts: 76)

Posted 02 January 2012 - 02:31 PM

snip - I do not want to discuss that any longer. You don't want to understand me - but it's OK :)

nitro, on 02 January 2012 - 12:34 AM, said:

Also this isn't a dirty hack; it's probably better than running it directly on the game server, that way all connections are dropped at the one source rather than on separate servers. It also protects all games running on ports 27000 - 29000 that support Q3 getstatus queries. What's even better is that those who have dedicated firewalls can run these rules so that the connection never reaches the server and wastes bandwidth.

It is a _quick_ and dirty solution because the best solution would be that the problem is solved by the -> blink -> _binary_ <- blink <-

I do _not_ say your solution will fail; the only issue with it is the demanding limit of 3 hits per second. 5 - 15 per second will be fine; less will cause some strange behaviour with the master list/Gametracker/$WHATEVER.

Furthermore I said nothing about protecting port ranges, but why add a rule for a range of 2000 ports when just 3 are used and the others are filtered/blocked anyway? -> useless use of grep... :)


# create chain
iptables -N urt_drdos

# accept legitimate players: anything that does not start with the four 0xff bytes of a
# Q3 out-of-band packet (offset 0x1c = first payload byte after the 20-byte IPv4 header
# and the 8-byte UDP header; assumes IPv4 without options)
iptables -A urt_drdos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember the corresponding address
# (0x20 = "gets", 0x24 = "tatu", and the 4 bytes loaded at 0x25 masked with 0xff = the "s" at 0x28)
iptables -A urt_drdos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
#       as otherwise you will block regular server queries, like Gametracker,
#       e.g. they will query all of your servers within a second to update their list.
#       IMHO a count of 15 per second will be fine.
iptables -A urt_drdos -m recent --update --name getstatus --hitcount 15 --seconds 2 -j DROP

# accept otherwise
iptables -A urt_drdos -j ACCEPT

# take one of the following lines that matches your setup
# the first for a single server
#
# iptables -I INPUT 1 -p udp --dport 27960 -j urt_drdos
#
# and this one for multiple servers (--dports is an option of the multiport match,
# so it needs -m multiport in front of it)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,47960,60000 -j urt_drdos

No whitelist needed - seems a bit more elegant, hmm?

Btw, I just filter _getstatus_ because _getinfo_ does not create as much traffic as _getstatus_, so I think the botnet will not use it.

A con for this one is that you need the modules _u32_ and _recent_ loaded in your iptables.

And now really EOD


PS. my d*ck is longer than yours and my kung-fu stronger :p

PPS. I forgot to say, last Saturday I played on your Lil PWNY CTF and it was laggy as hell - are you sure your iptables are working well? ;)
--
ItsMe

This post has been edited by ItsMe: 02 January 2012 - 02:34 PM
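The two designs argued over in this thread (nitro's whitelist plus `-m string`/`-m limit` rules in #54/#56, and ItsMe's `u32`/`recent` chain in #59) differ in one important way: `limit` is a single token bucket shared by every source, while `recent` keeps a hit list per source address. The Python below is an added example, not code from either poster or from the Urban Terror project; it models both rule sets and runs them over a constructed packet stream so the difference can be seen offline. Assumptions: packets are framed as a 20-byte IPv4 header without options plus an 8-byte UDP header, so the u32 offsets 0x1c/0x20/0x24/0x25 land where ItsMe's rule expects them; the `LimitMatch` and `RecentMatch` classes are approximations of the netfilter modules, not their implementations; source labels ("victim", "master", "gametracker", "player") and timestamps are constructed, and "gametracker" stands for any legitimate querier that is not on the whitelist.

```python
# Added example (not code from either poster): nitro's whitelist + string/limit rules and ItsMe's
# u32/recent chain modelled in Python and run over constructed traffic. Packets are (time_ms, label,
# raw_bytes), raw_bytes = 20-byte IPv4 header (no options assumed) + 8-byte UDP header + payload, so
# the u32 offsets 0x1c/0x20/0x24/0x25 match the wire. limit/recent are approximations of netfilter.
import struct
from collections import defaultdict, deque

OOB = b"\xff\xff\xff\xff"  # Quake 3 out-of-band (connectionless) packet marker

def build_packet(payload):
    """Constructed minimal IPv4 + UDP framing; addresses and checksums are zero, only layout matters."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0, b"\0" * 4, b"\0" * 4)
    udp_hdr = struct.pack("!HHHH", 27960, 27960, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload

def u32_word(pkt, offset):
    """Emulate the u32 match: 32-bit big-endian load at a byte offset from the start of the IP header."""
    if len(pkt) < offset + 4:
        return None  # u32 never matches a packet that is too short for the load
    return int.from_bytes(pkt[offset:offset + 4], "big")

def is_getstatus_u32(pkt):
    """'0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73': "gets", "tatu", then the final "s":
    loading 4 bytes at 0x25 and masking with 0xff keeps only the last byte, i.e. offset 0x28."""
    w25 = u32_word(pkt, 0x25)
    return (u32_word(pkt, 0x20) == 0x67657473 and u32_word(pkt, 0x24) == 0x74617475
            and w25 is not None and (w25 & 0xFF) == 0x73)

class LimitMatch:
    """Approximates '-m limit --limit R/s --limit-burst B': ONE token bucket shared by all sources.
    Integer milli-tokens keep the arithmetic exact (R tokens/s == R milli-tokens/ms)."""
    def __init__(self, rate_per_s, burst):
        self.per_ms, self.cap = rate_per_s, burst * 1000
        self.tokens, self.last_ms = self.cap, None
    def match(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

class RecentMatch:
    """Approximates '-m recent --set' / '--update --hitcount N --seconds S': per-source hit timestamps,
    so a spoofed flood from one address rate-limits only that address."""
    def __init__(self, hitcount, seconds):
        self.hitcount, self.window_ms = hitcount, seconds * 1000
        self.hits = defaultdict(deque)
    def set(self, src, now_ms):
        self.hits[src].append(now_ms)
    def over_limit(self, src, now_ms):
        q = self.hits[src]
        while q and now_ms - q[0] > self.window_ms:
            q.popleft()
        return len(q) >= self.hitcount

def nitro_chain(whitelist, rate_per_s=5, burst=10):
    """nitro's INPUT rules: whitelist by source, then 'getstatus' string match under a global limit."""
    limit = LimitMatch(rate_per_s, burst)
    def decide(now_ms, src, pkt):
        if src in whitelist:
            return "ACCEPT"
        if b"getstatus" in pkt:  # -m string --algo bm --string "getstatus"
            return "ACCEPT" if limit.match(now_ms) else "DROP"
        return "ACCEPT"  # everything else falls through the rest of INPUT
    return decide

def itsme_chain(hitcount=15, seconds=2):
    """ItsMe's urt_drdos chain: non-OOB traffic accepted, getstatus counted per source, busy sources dropped."""
    recent = RecentMatch(hitcount, seconds)
    def decide(now_ms, src, pkt):
        if u32_word(pkt, 0x1c) != 0xFFFFFFFF:  # -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
            return "ACCEPT"
        if is_getstatus_u32(pkt):  # -m recent --name getstatus --set
            recent.set(src, now_ms)
        if recent.over_limit(src, now_ms):  # --update --hitcount 15 --seconds 2 -j DROP
            return "DROP"
        return "ACCEPT"
    return decide

def constructed_traffic():
    """Constructed stream: a 2 s flood (400 getstatus with the spoofed 'victim' source), one query from a
    whitelisted master server, one in-game packet, and a Gametracker-style querier hitting three servers."""
    getstatus = build_packet(OOB + b"getstatus")
    ingame = build_packet(b"\x12\x34clientpacket")  # no OOB marker: ordinary game traffic
    traffic = [(5 * k, "victim", getstatus) for k in range(400)]
    traffic += [(500, "master", getstatus), (700, "player", ingame)]
    traffic += [(1001 + i, "gametracker", getstatus) for i in range(3)]
    return sorted(traffic, key=lambda p: p[0])

def run(decide, traffic):
    """Apply a chain to the stream; return how many packets per source were ACCEPTed."""
    accepted = {src: 0 for _, src, _ in traffic}
    for now_ms, src, pkt in traffic:
        if decide(now_ms, src, pkt) == "ACCEPT":
            accepted[src] += 1
    return accepted

def compare():
    t = constructed_traffic()
    return {"nitro_with_whitelist": run(nitro_chain({"master"}), t),
            "nitro_no_whitelist": run(nitro_chain(set()), t),
            "itsme_recent": run(itsme_chain(), t)}
```

Calling `compare()` shows the point both sides were circling: with a global `limit`, the flood drains the shared bucket, so a legitimate querier that is not whitelisted (here "gametracker", and even the master server when the whitelist is left out) is dropped alongside the reflected traffic, which is how a server vanishes from the lists. The per-source `recent` chain lets the master and the three Gametracker-style queries through while still capping the spoofed source at 14 accepted packets per window (the 15th hit within 2 s is dropped). In-game packets never touch either limiter because they lack the 0xffffffff marker.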



Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942