next »

[-:Uis:-:Dr. Box:-]

Hello people,

I seemed to get a few abuse reports saying my game servers were spamming random hosts.
After analysing the traffic I found out that it was something spoofing source addresses and then send a getstatus message to our server in which it responds with an answer, but only 30 times a second and with changing source IP's every now and then. So this when used with a lot of servers was basically DDoS-ing some sites.



I started using a script that is also used for Q3 based games, but it is not perfect as it needs to run every x minutes to update the ban list.

Instead I found this thread: http://icculus.org/pipermail/cod/2011-August/015397.html
Here they talk about this problem and already have a server patch to test out. So if you also have the same issue as I have with your linux CoD4 server follow that thread!

Just a heads up.

Greetings,
Box

[xlr8or]

Thanks for sharing this info.

This issue is also announced here: http://forum.bigbrotherbot.net/cod4/important-pactch-for-cod4-servers/

[Courgette]

[troll]Is that the replacement DDOS tools for LOIC that the Anonymous are trying out ?[/troll]

[-real-]

how can I know I need this patch or not?
What symptoms of DDoS cod4 server?
What can I check it?

[Freelander]

You better install the patch anyways I think.

[-:Uis:-:Dr. Box:-]

What i did to check out is run a tcpdump -i eth0 -nn "port 28960" in the SSH shell as root. Alternatively you could write to a pcap file and view in wireshark.
This is what I see now for ex.:

Code:

19:25:13.591194 IP 85.17.159.77.80 > 78.129.232.31.28960: UDP, length 14
19:25:13.596441 IP 85.17.159.77.80 > 78.129.232.21.28960: UDP, length 14
19:25:13.601938 IP 85.17.159.77.80 > 78.129.232.21.28960: UDP, length 14
19:25:13.626675 IP 85.17.159.77.80 > 78.129.232.31.28960: UDP, length 14
19:25:13.642666 IP 85.17.159.77.80 > 78.129.232.21.28960: UDP, length 14
19:25:13.642674 IP 85.17.159.77.80 > 78.129.232.21.28960: UDP, length 14
19:25:13.644415 IP 85.17.159.77.80 > 78.129.232.21.28960: UDP, length 14
19:25:13.649911 IP 85.17.159.77.80 > 78.129.232.22.28960: UDP, length 14
19:25:13.670399 IP 85.17.159.77.80 > 78.129.232.31.28960: UDP, length 14
19:25:13.670410 IP 85.17.159.77.80 > 78.129.232.31.28960: UDP, length 14
19:25:13.674647 IP 85.17.159.77.80 > 78.129.232.31.28960: UDP, length 14

But the best way is to patch it anyways. Better to be safe than sorry.

On my server it does not reply to requests made by IP's using a source port lower than 1024 anyways (in normal situations it should always be 1024+), set using IPTables (default DENY policy):

Code:

iptables -A INPUT -m state --state NEW -m udp -p udp --sport 1024: --dport 28960 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT