Urban Terror Forums: !Potential Botnet Threat! - Urban Terror Forums

Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

!Potential Botnet Threat!

#1 futurebreeze

Posted 13 January 2012 - 08:46 AM

Attention Server Hosters

As I run many games and applications from a server in Australia, in recent months (since December 2011) a botnet has attacked my Urban Terror server ports, causing it to use high bandwidth and send me over my monthly quota.

As URT runs off the Q3A ports, it has also attacked Q3A servers worldwide. A fix has been made, but it is only for Linux servers.

Quote

Here are some more details as it seems all or most servers are affected at the moment. All this trouble lately is the result of a botnet utilizing your Quake 3 server to attack others. They do this by sending a tiny "getstatus" request with a spoofed/faked victim address (telling your server the request came from 123.123.123.123 or any other IP they need to attack) and your server replies with a much bigger message to that victim address. Now your server is not the only one sending trash to the victim address; many other servers are used to do the same at the very same time, and as a result the victim denies service/is unavailable because of the huge load of traffic it receives.

Spoofed UDP packets can't be tracked from your end, you will have to get in touch with your provider/hoster but there isn't much hope to ever find the origin.

Well, now we identified the real targets of the attack but still your server is abused to harm others and at the same time it lags your server and generates high traffic. To get rid of this, here is the iptables solution for *nix based servers.

This will make your server not respond to the flood requests and thus prevents the attacks of other targets. It will also eliminate the lag, as your server will have to deal with incoming trash instead of both incoming (tiny) and outgoing (huge).


# create chain
iptables -N quake3_ddos
 
# accept real client/player traffic
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
 
# match "getstatus" queries and remember their address
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set
 
# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits
#       as otherwise you will block regular server queries, like Spider or QConnect
#       e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP
 
# accept otherwise
iptables -A quake3_ddos -j ACCEPT
 
#
#
# finally insert the chain as the top most input filter

# single server
# iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos

# multiple servers (a port list with --dports requires the multiport match)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,27961,27962 -j quake3_ddos


Quote

This is the fully automated version that will block anyone who sends too many "getstatus" requests, but it requires iptables to have the "u32" and "recent" modules.


So there you have it. If any programmers are able to make a Windows fix, that would be great for all the Windows-based servers out there.

SOURCE: http://www.excessive...ers-warp?page=3

This post has been edited by futurebreeze: 13 January 2012 - 08:47 AM
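
Added example (not part of the original post or of the quoted script): a Python model of the chain above, showing which packet bytes the u32 offsets read and how the hitcount/seconds limit treats a flood and a server browser. The names `Quake3Chain`, `build_packet` and `replay`, the sample addresses and the packets are constructed for illustration, and the rate logic is a simplified stand-in for the kernel's "recent" match.

```python
import struct
from collections import defaultdict, deque

def u32(pkt, off):
    """Big-endian 32-bit word at byte offset `off`, counted from the IP header."""
    return struct.unpack_from(">I", pkt, off)[0] if off + 4 <= len(pkt) else None

def is_connectionless(pkt):
    # 0x1c = 20-byte IPv4 header (no options) + 8-byte UDP header, i.e. the
    # first payload word; Quake 3 out-of-band packets start with ff ff ff ff
    return u32(pkt, 0x1C) == 0xFFFFFFFF

def is_getstatus(pkt):
    # 0x20 = "gets", 0x24 = "tatu"; word at 0x25 masked with 0xff is byte 0x28 = "s"
    last = u32(pkt, 0x25)
    return (u32(pkt, 0x20) == 0x67657473 and u32(pkt, 0x24) == 0x74617475
            and last is not None and last & 0xFF == 0x73)

class Quake3Chain:
    """Simplified model of the quake3_ddos chain (not the kernel's xt_recent code)."""
    def __init__(self, hitcount=5, seconds=2):
        self.hitcount, self.seconds = hitcount, seconds
        self.stamps = defaultdict(lambda: deque(maxlen=32))  # per source address

    def verdict(self, src, pkt, now):
        if not is_connectionless(pkt):
            return "ACCEPT"                      # rule 1: player traffic
        if is_getstatus(pkt):
            self.stamps[src].append(now)         # rule 2: --set
        seen = self.stamps.get(src, ())
        if sum(t >= now - self.seconds for t in seen) >= self.hitcount:
            self.stamps[src].append(now)         # --update refreshes on a match
            return "DROP"                        # rule 3
        return "ACCEPT"                          # rule 4

def build_packet(payload):
    """Constructed sample packet: minimal IPv4 header, zeroed UDP header, payload."""
    return bytes([0x45]) + bytes(19) + bytes(8) + payload

GETSTATUS = build_packet(b"\xff\xff\xff\xffgetstatus")
GAME_DATA = build_packet(struct.pack("<I", 1234) + b"usercmd")  # sequenced packet

def replay(chain, src, pkt, times):
    return [chain.verdict(src, pkt, t) for t in times]

if __name__ == "__main__":
    chain = Quake3Chain()
    # constructed sources from the documentation address ranges
    print(replay(chain, "203.0.113.7", GETSTATUS, [i / 10 for i in range(10)]))
    print(replay(chain, "198.51.100.9", GETSTATUS, [0.0, 0.01, 0.02, 0.03, 0.04, 0.05]))
```

The second replay is the situation the NOTE in the script warns about: one browser querying six servers on the same host within a second trips the default limit, because all ports share the same "getstatus" list.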


#2 Terrorist


Posted 13 January 2012 - 10:34 AM

That's great.

Easy from Excessiveplus is a good programmer.

Fest.

#3 Nexu


Posted 13 January 2012 - 03:34 PM

There is already a thread that discusses solutions for this urgent problem: http://www.urbanterr...ic/27825-drdos/

That script you posted is identical to a script posted earlier by ItsMe: http://www.urbanterr...post__p__322656

Topic closed, but feel free to continue discussion in the thread (first link) of this post.
