srcds DOS attack?
#46
Thanks. Like this:

Code:
iptables -N logattacker
$IPT -A INPUT -p udp -m udp --dport 27015 -m length --length 0:32 -j logattacker
$IPT -A INPUT -p udp -m udp --dport 27035 -m length --length 0:32 -j logattacker
$IPT -A logattacker -j LOG --log-prefix "SRCDS:ATTACK: " --log-ip-options -m limit --limit 2/sec
$IPT -A logattacker -j DROP

$IPT -A INPUT -p udp --destination-port 1200 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -p udp --sport 1200 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 27015:27035 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -p udp --sport 27015:27035 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --destination-port 27000:27050 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -p udp --sport 27000:27050 -m state --state ESTABLISHED,RELATED -j ACCEPT

Do I need to alter anything else? I have noticed that my SSH login is very slow. When I used a very basic deny-all INPUT/OUTPUT policy, except for DNS/SSH and the stuff I really need, my SSH login was instant. Feels strange.
#47
You've apparently inadvertently blocked port 53, which is used for domain name server queries. That's why SSH logins take long: sshd can't look up the hostname. Usually it's quite safe to make the default OUTPUT policy ACCEPT. If you don't want to do that, then just add an ACCEPT rule for destination port 53 on UDP.
#48
DNS queries rule:
Code:
$IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT


Strange part. If I run this:

Code:
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

SSH login is still slow. And after quitting and restarting PuTTY, if I run iptables -L I have no rules applied. SSH is still slow.

But if I run this below, login is instant:

Code:
#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface.
INT="eth0"

# Clear out old rules.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# My system IP/set ip address of server
SERVER_IP="xx.xxx.xxx.xxx"

#Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Allow unlimited traffic on loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only
$IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 2222 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow mumble - tcp
$IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 64738 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 64738 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow mumble - udp
$IPT -A INPUT -p udp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 64738 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -s $SERVER_IP -d 0/0 --sport 64738 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Apache.
$IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j DROP
#49
(12-30-2009, 11:32 AM) lhffan Wrote: DNS queries rule:
Code:
$IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

You have source port and destination port mixed up (or from other perspective you have INPUT and OUTPUT chains mixed up).

Your queries to DNS servers are targeted to port 53 and thus they're matched using the OUTPUT chain. That's why you need to have "-A OUTPUT --dport 53". The same thing in INPUT chain would mean that you'd be expecting the answer from the DNS server to port 53 (which is not happening).

Also you can match almost every "legal" incoming connection with these:

Code:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

It might be even possible to write it in one line without the specific protocol definition:

Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It's a safe rule because the state must be either ESTABLISHED (you've initiated the connection) or RELATED (e.g. passive FTP or some UDP connection which you've started). Then you don't have to specify all the incoming ports separately.

Then practically everywhere you now have "-m state --state NEW,ESTABLISHED,RELATED" you can remove all the options. The state is always one of the three, so if you specify them all, it's the same as not having them specified at all. It makes the rules easier to read and understand.
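As an added example (not code from the thread), a small Python model of stateful rule evaluation showing why the posted "INPUT --dport 53" / "OUTPUT --sport 53" pair drops the server's own DNS queries, while "OUTPUT --dport 53" plus a single "INPUT -m state --state ESTABLISHED,RELATED" rule lets the query out and only the reply back in. The "me"/"peer" flow tuples, the ephemeral port 41234 and the function names are assumptions of the model, not netfilter internals.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Rule:
    chain: str                         # "INPUT" or "OUTPUT"
    dport: Optional[int] = None        # --dport, None means any
    sport: Optional[int] = None        # --sport, None means any
    states: Optional[Set[str]] = None  # -m state --state ..., None means no state match
    target: str = "ACCEPT"

@dataclass
class Firewall:
    """Toy model: first matching rule wins, default policy DROP, and a flow
    becomes ESTABLISHED once one of its packets was accepted in either direction."""
    rules: List[Rule]
    policy: str = "DROP"
    conntrack: set = field(default_factory=set)  # accepted flows (src, sport, dst, dport)

    def _state(self, flow):
        reverse = (flow[2], flow[3], flow[0], flow[1])
        return "ESTABLISHED" if flow in self.conntrack or reverse in self.conntrack else "NEW"

    def packet(self, chain, sport, dport):
        """Verdict for one UDP packet; OUTPUT = sent by this host, INPUT = received.
        RELATED (e.g. ICMP errors belonging to a flow) is not modelled."""
        flow = ("me", sport, "peer", dport) if chain == "OUTPUT" else ("peer", sport, "me", dport)
        state = self._state(flow)
        for r in self.rules:
            if r.chain != chain or (r.dport is not None and r.dport != dport):
                continue
            if (r.sport is not None and r.sport != sport) or (r.states is not None and state not in r.states):
                continue
            if r.target == "ACCEPT":
                self.conntrack.add(flow)
            return r.target
        return self.policy

def dns_lookup_works(rules):
    """The resolver sends a query from an ephemeral port to 53 and needs the reply back."""
    fw = Firewall(list(rules))
    query_ok = fw.packet("OUTPUT", sport=41234, dport=53) == "ACCEPT"
    reply_ok = fw.packet("INPUT", sport=53, dport=41234) == "ACCEPT"
    return query_ok and reply_ok

# As posted: the ports fit a DNS *server* (queries arriving on 53), not a client.
POSTED_DNS_RULES = [Rule("INPUT", dport=53, states={"NEW", "ESTABLISHED", "RELATED"}),
                    Rule("OUTPUT", sport=53, states={"ESTABLISHED", "RELATED"})]
# The correction from the reply: let our queries out, accept only replies back in.
CORRECTED_DNS_RULES = [Rule("OUTPUT", dport=53), Rule("INPUT", states={"ESTABLISHED", "RELATED"})]
```

With the corrected rules an unsolicited packet to 27015 is still NEW and falls through to the DROP policy, which is what makes the ESTABLISHED,RELATED rule safe.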
#50
Thanks for the tips, will edit some now. :)
#51
iptables -A INPUT -p udp --dport 27015 -m length --length 0:28 -j DROP

I tried it, but the result was > iptables: no match/chain

What did I do wrong? Or do I need something more?

-p
#52
Make sure you write "INPUT" with capitals. Copy & paste the commands.
#53
iptables -A "INPUT" -p udp --dport 27015 -m length --length 0:28 -j DROP

Why did they all write it without?
#54
iptables: No chain/target/match by that name


It does not work. :(
#55
CAPITALS means the BIG LETTERS. I thought you had written "iptables -a input ..."

If you have a normal Linux installation you should have iptables installed, and with it also the three basic chains: INPUT, OUTPUT and FORWARD.

Copy & paste the output of the following command:

Code:
iptables -L -v -n
#56
I have one problem. My home network is set up like this:
internet-------(Linux router with iptables (NAT+port forwarding))--------CSS_Server
If I do this on CSS_Server then everything works like a charm:

Code:
iptables -N logattacker
$IPT -A INPUT -p udp -m udp --dport 27015 -m length --length 0:32 -j logattacker
$IPT -A INPUT -p udp -m udp --dport 27035 -m length --length 0:32 -j logattacker
$IPT -A logattacker -j LOG --log-prefix "SRCDS:ATTACK: " --log-ip-options -m limit --limit 2/sec
$IPT -A logattacker -j DROP

But I want to use the rules on my router machine. What should I change? Should I change INPUT to POSTROUTING, or do something else?
Just using those rules without any changes on the router machine does not work.
#57
Prerouting comes before Input, which comes before Postrouting, IIRC.

You could hook onto the prerouting chain (change INPUT to PREROUTING) instead of the input chain, but that isn't really what the prerouting chain is for.

Depending on how your Linux router is configured to forward packets, I think either changing to the forward chain (change INPUT to FORWARD) or leaving it on the input chain (change nothing) should work.

The first thing I'd do is try the forward chain, then I'd try leaving it as the input chain, then if that fails, the prerouting chain should work in any case, but isn't really what the prerouting chain is for.
#58
Also might want to take a look at this to make life easier. Set up the firewall to output to its own log.
#59
I've found a solution to protect my CSS server with my Linux router (not the Linux box where the server is installed). The router also forwards the game ports (UDP 27015).
Here is the solution:

Code:
iptables -N logattacker
iptables -I FORWARD -p udp -m udp -d 192.168.1.4 --dport 27015 -m length --length 0:32 -j logattacker
iptables -A logattacker -j LOG --log-prefix "SRCDS:ATTACK: " --log-ip-options -m limit --limit 2/sec
iptables -A logattacker -j DROP

where 192.168.1.4 is the box with the SRCDS server.
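An added example, not code from the thread: a Python parser for the lines the LOG rule above writes to the kernel log with the prefix "SRCDS:ATTACK: ", tallying matched packets per source address and destination port so the log can actually be reviewed. The sample log lines, their addresses and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of what the thread's LOG rule produces in the kernel log;
# addresses are from documentation ranges, one unrelated sshd line is mixed in.
SAMPLE_LOG = """\
Dec 30 11:32:01 router kernel: SRCDS:ATTACK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.4 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=40000 DPT=27015 LEN=8
Dec 30 11:32:01 router kernel: SRCDS:ATTACK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.4 LEN=29 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=40001 DPT=27015 LEN=9
Dec 30 11:32:02 router sshd[812]: Accepted publickey for admin from 198.51.100.9 port 51022 ssh2
Dec 30 11:32:02 router kernel: SRCDS:ATTACK: IN=eth0 OUT=eth1 SRC=198.51.100.25 DST=192.168.1.4 LEN=32 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53000 DPT=27035 LEN=12
Dec 30 11:32:03 router kernel: SRCDS:ATTACK: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.4 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=40002 DPT=27015 LEN=8
"""

PREFIX = "SRCDS:ATTACK: "
KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None for other lines.
    The kernel prints LEN twice (IP total length, then UDP length); -m length
    matched on the first one, so the first occurrence is the one kept."""
    if PREFIX not in line:
        return None
    fields = {}
    for key, value in KV.findall(line.split(PREFIX, 1)[1]):
        fields.setdefault(key, value)
    return fields

def summarize(log_text):
    """Count logged UDP packets per source address and per destination port."""
    per_src, per_dport = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "UDP":
            continue
        if int(f["LEN"]) > 32:          # sanity check against the rule's --length 0:32
            continue
        per_src[f["SRC"]] += 1
        per_dport[f["DPT"]] += 1
    return per_src, per_dport

def noisy_sources(log_text, threshold):
    """Sources with at least `threshold` logged packets, busiest first.
    The rule logs at most 2/sec (-m limit), so real packet counts are higher."""
    per_src, _ = summarize(log_text)
    return [src for src, n in per_src.most_common() if n >= threshold]
```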