[KnoXviLLe]

Quote:

Originally Posted by nikooo777 you could try and detect an attack based on the packets per second you're receiving. Check your average and try to understand what number is considered not normal for you. then you can tweak this script that i made PHP Code: #!/bin/bash TOGGLE=0 while true do         R1=`cat /sys/class/net/eth0/statistics/rx_packets`         sleep 1         R2=`cat /sys/class/net/eth0/statistics/rx_packets`         RXPPS=`expr $R2 - $R1`         if [ "$RXPPS" -gt "28000" ]; then #UNUSUAL TRAFFIC DETECTED! LOG IT                 iptables-save > .current.bac                 iptables -t nat -F                 if [ "$RXPPS" -gt "70000" ]; then #VERY UNUSUAL TRAFFIC DETECTED, DROP ALL NEW CONNECTIONS BUT MAINTAIN THE OLD ONES                         iptables -A INPUT -p udp -m state --state NEW -j DROP                 fi                 echo "$(date) - Attack detected ($RXPPS pps)! Applying Security means!" >> /var/log/ids.log                 FILE=$(date +%d-%m-%Y_%Hh%Mm%Ss)                 timeout 0.8 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log                 SIZE=$(du -k "$FILE" | cut -f 1)                 if [ "$SIZE" -lt "1" ]; then                         timeout 1.2 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log                 fi                 sleep 60                 iptables-restore .current.bac                 rm .current.bac                 echo "$(date) - Back to normal" >> /var/log/ids.log         fi         sleep 5 done  up to you to understand it tho. I'm releasing it only because i don't use it anymore but could still help others. also perhaps consider OVH. I did some analysis over that specific source query attack and helped OVH out with it. never had a problem ever since.

iptables -A INPUT -p udp -m state --state NEW -j DROP

New connecting closed ? Attack or new connecting drop.Same sht

[nistnesus]

Quote:

Originally Posted by KnoXviLLe iptables -A INPUT -p udp -m state --state NEW -j DROP New connecting closed ? Attack or new connecting drop.Same sht

that script is just a basic automation that disables any new connections thru udp packets after you get 70k packets per second. just to let the server live and to not affect players that are already inside. the user who supplied the script didnt promise anything else anyway

[ish12321]

Quote:

Originally Posted by nikooo777 you could try and detect an attack based on the packets per second you're receiving. Check your average and try to understand what number is considered not normal for you. then you can tweak this script that i made PHP Code: #!/bin/bash TOGGLE=0 while true do         R1=`cat /sys/class/net/eth0/statistics/rx_packets`         sleep 1         R2=`cat /sys/class/net/eth0/statistics/rx_packets`         RXPPS=`expr $R2 - $R1`         if [ "$RXPPS" -gt "28000" ]; then #UNUSUAL TRAFFIC DETECTED! LOG IT                 iptables-save > .current.bac                 iptables -t nat -F                 if [ "$RXPPS" -gt "70000" ]; then #VERY UNUSUAL TRAFFIC DETECTED, DROP ALL NEW CONNECTIONS BUT MAINTAIN THE OLD ONES                         iptables -A INPUT -p udp -m state --state NEW -j DROP                 fi                 echo "$(date) - Attack detected ($RXPPS pps)! Applying Security means!" >> /var/log/ids.log                 FILE=$(date +%d-%m-%Y_%Hh%Mm%Ss)                 timeout 0.8 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log                 SIZE=$(du -k "$FILE" | cut -f 1)                 if [ "$SIZE" -lt "1" ]; then                         timeout 1.2 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log                 fi                 sleep 60                 iptables-restore .current.bac                 rm .current.bac                 echo "$(date) - Back to normal" >> /var/log/ids.log         fi         sleep 5 done  up to you to understand it tho. I'm releasing it only because i don't use it anymore but could still help others. also perhaps consider OVH. I did some analysis over that specific source query attack and helped OVH out with it. never had a problem ever since.

/sys/class/net/eth0/statistics/rx_packets: N
o such file or directory

[dedimark]

Quote:

GAMESERVERPORTS="27015:27050" iptables -A INPUT -p udp -m multiport --dports $GAMESERVERPORTS -d 108.61.111.111 -m string --string 'Source Engine' --algo bm -m limit --limit 20/s --limit-burst 1 -j ACCEPT iptables -A INPUT -p udp -m multiport --dports $GAMESERVERPORTS -d 108.61.111.111 -m string --string 'Source Engine' --algo bm -j DROP iptables -A INPUT -p udp -m multiport --dports $GAMESERVERPORTS -d 108.61.111.111 -m string --string 'qconnect' --algo bm -m limit --limit 20/s --limit-burst 1 -j ACCEPT iptables -A INPUT -p udp -m multiport --dports $GAMESERVERPORTS -d 108.61.111.111 -m string --string 'qconnect' --algo bm -j DROP