
I'm currently experiencing a massive UDP attack on my server. I host a couple of gameservers, mainly TF2, CS:GO, CS 1.6 and CS:Source, and my 1.6 server is being flooded. I tried different rules in iptables, but none of them seemed to work. I'm on a 100mbps bandwidth tariff, but the flood I receive is 500+mbps. This is the log of the latest tcpdump -> http://pastebin.com/HSgFVeBs Packet length varies throughout the day. Only my gameserver ports are being flooded - 27015, 27016, 27018 via UDP packets. Are there any iptables rules that might prevent this?

  • If your gameserver is also using UDP, you have to think about how you are going to distinguish genuine game packets vs. fake game-like packets that are sent by the attacker(s). Which of those lines in your tcpdump paste are genuine and which are attacks? – Skaperen Nov 11 '12 at 17:35
  • All of those in the log I gave are unwanted. The log was 2+gb big and I grepped only the ones with 1428 length. – Petar Simeonov Nov 11 '12 at 19:20
  • DDoS attacks tend to be effective because it is hard to set up a smart filter at the internet end of your link. While you might find an ISP that can handle this in their network and host the server there, it is still possible to saturate the server itself to take and ignore/reject all those UDP packets while the game server processes also run on it. A dedicated high power filter machine is needed that can figure out what each packet is. – Skaperen Nov 12 '12 at 05:42

2 Answers

The only iptables rules that would help you even remotely would be dropping all traffic coming in on those ports. The problem with that is that your service will go down as well. The only thing you can do is talk to your ISP and ask them to drop all incoming UDP traffic before it reaches you.

Lucas Kauffman

If you have a separate (or separated) means for game users to log in with (not by UDP), you can leave all UDP ports denied, and set up a means to dynamically allow the source addresses of logged-in users. As Lucas Kauffman said, you would need to do this upstream to avoid your link from being saturated. It would be even more complex to arrange for the upstream to let you do dynamic allows on the logged-in source hosts. You'd probably need to run your own router (that can handle 500mbps of attack) that you can engage dynamic filtering on.

Skaperen
  • So what you're saying is that a software firewall (iptables) won't do the trick? I'd need a router to filter the packets before they reach the server. But won't the router be useless once the bandwidth reaches 100mbps (channel gets filled)? If not, what router would you suggest (I'm on a budget...)? What rules should I add on it? – Petar Simeonov Nov 11 '12 at 18:52
  • If you are on a budget, you can forget it I'm afraid. DDoS mitigation at 500 mbps is neither easy nor cheap. – Lucas Kauffman Nov 11 '12 at 19:19
  • You could use a sufficiently powered server with a pair of gigabit ethernet cards to do that filtering at the location where your 100mbps comes from. The idea is to avoid saturating your link. But this is also new development to set up a means to automatically whitelist your known users in an efficient way. – Skaperen Nov 12 '12 at 05:38
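The following is an added example, not code from the question or either answer, of what the host-side part of Skaperen's scheme and the "drop by signature" idea from the comments look like as iptables/ipset rules. It assumes iptables with the `set`, `length`, `hashlimit` and `multiport` matches and the ipset tool are installed, that the game servers listen on the UDP ports named in the question (27015, 27016, 27018), and that the flood packets are the ones the asker grepped out with length 1428; the set name `game_players`, the chain name `GAMEGUARD`, the rate-limit figures and the function names are all made up for the example. The important caveat is the one both answers make: these rules only decide what the host accepts once a packet has already crossed the 100mbps link, so they protect the game server processes from the junk and make the allowlist concrete, but they cannot un-saturate the link; the filtering has to be applied upstream (at the ISP, or on your own filter box in front of the link) for the service to come back.

```shell
#!/bin/sh
# Added example (not from the thread): host-side UDP flood rules for a game
# server. Runs in dry-run mode by default (prints the commands); set
# DRY_RUN=0 to apply them for real, which needs root, iptables and ipset.
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = 1 ]; then IPT=echo; IPS=echo; else IPT=iptables; IPS=ipset; fi

GAME_PORTS="27015,27016,27018"   # UDP ports from the question
ALLOW_SET="game_players"         # hypothetical ipset name for logged-in players
ALLOW_TTL=3600                   # seconds a player's address stays allowed

# tcpdump reports the UDP payload length (1428 in the asker's grep); the
# iptables "length" match looks at the IP total length, so add the 20-byte
# IP and 8-byte UDP headers. Assumption: the flood packets have no IP options.
FLOOD_PAYLOAD="${FLOOD_PAYLOAD:-1428}"
FLOOD_LEN=$((FLOOD_PAYLOAD + 28))

# Create the allowlist set (hash:ip with per-entry timeout); -exist makes
# re-running harmless.
create_allowlist() {
    $IPS -exist create "$ALLOW_SET" hash:ip timeout "$ALLOW_TTL"
}

# Hook for the out-of-band login path in Skaperen's answer: once a user has
# logged in by some non-UDP means, allow their source address for ALLOW_TTL.
allow_player() {
    $IPS -exist add "$ALLOW_SET" "$1" timeout "$ALLOW_TTL"
}

# Build the GAMEGUARD chain and route all UDP to the game ports through it.
apply_rules() {
    $IPT -N GAMEGUARD 2>/dev/null    # fails harmlessly if the chain exists
    $IPT -F GAMEGUARD
    # 1. Known players bypass every other check.
    $IPT -A GAMEGUARD -m set --match-set "$ALLOW_SET" src -j ACCEPT
    # 2. Drop the observed flood signature outright. The asker notes the
    #    packet length varies over the day, so this rule alone is weak; it
    #    is the allowlist above that keeps the known players playing.
    $IPT -A GAMEGUARD -m length --length "$FLOOD_LEN" -j DROP
    # 3. Unknown sources (e.g. server-browser queries) get a per-source
    #    rate limit so one host cannot keep the server busy; the rest is dropped.
    $IPT -A GAMEGUARD -m hashlimit --hashlimit-name gameudp \
        --hashlimit-mode srcip --hashlimit-upto 50/second \
        --hashlimit-burst 100 -j ACCEPT
    $IPT -A GAMEGUARD -j DROP
    # Insert the jump at the top of INPUT; delete first so re-runs do not
    # stack duplicate jumps.
    $IPT -D INPUT -p udp -m multiport --dports "$GAME_PORTS" -j GAMEGUARD 2>/dev/null
    $IPT -I INPUT -p udp -m multiport --dports "$GAME_PORTS" -j GAMEGUARD
}

# Stand-alone run: show (or apply) the rule set and allow one constructed
# player address (203.0.113.7 is documentation space, not a real client).
create_allowlist
apply_rules
allow_player 203.0.113.7
```

Run it once without arguments to see the exact iptables and ipset commands it would issue, then with `DRY_RUN=0` on the server to apply them; the login path of the game (or whatever separate authentication you build) calls `allow_player <address>` for each authenticated user, and ipset expires the entry after the timeout so the set does not grow without bound.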