Uncategorized · October 30, 2011

Server DDOS workaround

We have come across a situation where our ioquake3 server was being used as a reflector in a Distributed Reflection Denial of Service (DRDoS) attack.

This happens when an attacker spoofs packets (with the target server's IP as the source address) and asks the gameserver to send all of its server information (about 2k of data). The gameserver replies with all of its server information (500k of data) to the spoofed address. The attacker repeats this against thousands of gameservers.

This exploit has been around for several years and raises its head now and then. One of these attacks is happening right now across thousands of Quake 3 servers, targeting several webservers. (Install and run iftop on your Linux server: if your server is being used in the attack, the amount of outgoing traffic on port 27960 is incredibly high.)

So how do you stop it? While information is scarce and there is no REAL way to block this kind of attack, you can handle it on your Linux server easily enough with some clever use of iptables. Here are the rules:

# create chain
iptables -N quake3_ddos

# accept real client/player traffic
# (u32 offsets count from the start of the IP header: 20-byte IPv4 header + 8-byte UDP
# header = 0x1c, so this tests whether the payload starts with the 0xffffffff
# out-of-band marker; anything that does not is in-game traffic and is accepted)
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
# (0x20 = "gets", 0x24 = "tatu", and the low byte of the 4-byte word read at 0x25
# is byte 0x28, which must be "s")
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Spider or QConnect,
# e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP

# accept otherwise
iptables -A quake3_ddos -j ACCEPT

# finally insert the chain as the top most input filter

# single server
# iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos

# multiple servers (--dports requires the multiport match)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,27961,27962 -j quake3_ddos

Ideally you should add this to your init scripts to make sure it survives a reboot of the server. Now, although requests will still come in from the spoofed IPs, no traffic will go back out to them and your game server won't get blacklisted.

Eventually, requests from the spoofed IPs will stop altogether (it took 60 mins on our server).
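The rules above express the packet layout and the rate limit only as hex offsets and module flags. The following Python is an added example, not code from the original post or from ioquake3: it builds constructed IPv4/UDP packets carrying Quake 3 out-of-band queries, evaluates the same byte tests the two u32 rules make, and walks the quake3_ddos chain with a per-source sliding window standing in for the `recent` list (`--hitcount 5 --seconds 2`). It assumes a 20-byte IPv4 header without options, which is also what the 0x1c offset in the rules relies on, and uses addresses from the RFC 5737 documentation ranges. The scenarios include the multiple-servers caveat from the rule comments: a server browser polling six servers on one host within a second is indistinguishable from a flood at hitcount 5.

```python
"""
Offline model of the iptables rules above: the u32 byte tests that pick out
ioquake3 "getstatus" queries, and the `recent --hitcount 5 --seconds 2`
counter that drops a source once it sends too many of them.

Added example, not code from the original post or from ioquake3. All
packets and addresses below are constructed (RFC 5737 documentation ranges).
"""
import struct
from collections import defaultdict, deque

IP_HDR_LEN = 20                          # IPv4 header without options (the u32 offsets assume this)
UDP_HDR_LEN = 8
PAYLOAD_OFF = IP_HDR_LEN + UDP_HDR_LEN   # 28 = 0x1c, first payload byte as seen by u32
OOB_MARKER = 0xFFFFFFFF                  # Quake 3 connectionless ("out-of-band") packet prefix


def build_udp_packet(src_ip_str, dst_ip_str, sport, dport, payload):
    """Constructed IPv4+UDP datagram; checksums are left zero, u32 never reads them."""
    total_len = PAYLOAD_OFF + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip_str.split(".")),
                         bytes(int(o) for o in dst_ip_str.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def u32(pkt, offset):
    """Big-endian 32-bit read at `offset`, as the u32 match does.
    Returns None when the packet is too short, which makes a u32 test fail to match."""
    if offset + 4 > len(pkt):
        return None
    return struct.unpack("!I", pkt[offset:offset + 4])[0]


def is_oob(pkt):
    """Rule 1: `0x1c=0xffffffff` means the payload starts with the OOB marker."""
    return u32(pkt, 0x1C) == OOB_MARKER


def is_getstatus(pkt):
    """Rule 2: `0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73`
    'gets' at 0x20, 'tatu' at 0x24, and the low byte of the word read at 0x25
    is byte 0x28, which must be 's'."""
    w25 = u32(pkt, 0x25)
    return (u32(pkt, 0x20) == 0x67657473                    # b"gets"
            and u32(pkt, 0x24) == 0x74617475                # b"tatu"
            and w25 is not None and (w25 & 0xFF) == 0x73)   # b"s"


def src_ip(pkt):
    """Source address field of the IPv4 header (bytes 12..15)."""
    return ".".join(str(b) for b in pkt[12:16])


class Quake3DdosChain:
    """Walks the quake3_ddos chain for one packet and returns its verdict.
    The `recent` list is modelled as a sliding window of timestamps per source
    (the real module also caps the timestamps kept per address via its
    ip_pkt_list_tot parameter, default 20; that bound is not modelled here)."""

    def __init__(self, hitcount=5, seconds=2.0):
        self.hitcount = hitcount
        self.seconds = seconds
        self.recent = defaultdict(deque)   # source IP -> timestamps of its getstatus packets

    def verdict(self, pkt, now):
        if not is_oob(pkt):
            return "ACCEPT"                # rule 1: real client/player traffic
        if is_getstatus(pkt):
            hits = self.recent[src_ip(pkt)]
            hits.append(now)               # rule 2: --set records this packet too
            while hits and now - hits[0] > self.seconds:
                hits.popleft()             # only hits inside --seconds count
            if len(hits) >= self.hitcount:
                return "DROP"              # rule 3: --update --hitcount reached
        return "ACCEPT"                    # rule 4: accept otherwise


def simulate():
    """Constructed traffic towards a host at 203.0.113.10 running game servers
    on 27960-27965. Returns the verdict(s) for each scenario."""
    chain = Quake3DdosChain()
    host = "203.0.113.10"
    getstatus = b"\xff\xff\xff\xffgetstatus xxx"
    results = {}

    # In-game traffic from a connected player: the payload starts with a sequence
    # number rather than the OOB marker, so rule 1 accepts it without any counting.
    player = build_udp_packet("192.0.2.20", host, 27960, 27960, b"\x00\x00\x01\x2acmd")
    results["player"] = chain.verdict(player, 0.0)

    # A different OOB query (getinfo) fails rule 2 and is therefore never counted.
    getinfo = build_udp_packet("192.0.2.21", host, 27960, 27960, b"\xff\xff\xff\xffgetinfo xxx")
    results["getinfo"] = chain.verdict(getinfo, 0.0)

    # Reflection attempt: six getstatus queries in half a second, all carrying the
    # victim's address as source. Replies to the 5th and 6th are suppressed.
    flood = build_udp_packet("198.51.100.7", host, 27960, 27960, getstatus)
    results["flood"] = [chain.verdict(flood, 0.1 * i) for i in range(6)]

    # The caveat from the rule comments: a server browser polling six servers on
    # this host within a second looks exactly like the flood at hitcount 5.
    results["browser_six_servers"] = [
        chain.verdict(build_udp_packet("192.0.2.50", host, 40000, 27960 + i, getstatus), 10.0 + 0.1 * i)
        for i in range(6)
    ]

    # The same browser once its own 2 s window has expired is accepted again.
    results["browser_after_window"] = chain.verdict(
        build_udp_packet("192.0.2.50", host, 40000, 27960, getstatus), 13.0)
    return results


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

Changing the `hitcount` and `seconds` arguments of `Quake3DdosChain` shows how many servers per host a legitimate browser can poll before it is treated like a reflector, which is the trade-off the NOTE in the rules asks you to tune.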