DDOS attack
4.213248 91.204.63.5 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.213252 194.146.132.110 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.213257 217.65.3.29 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.213261 208.167.240.68 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.213266 94.141.160.17 -> 176.58.101.xx QUAKE3 Connectionless Server to Client
4.213270 83.217.192.242 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.213275 188.134.31.51 -> 176.58.101.xx UDP Source port: 28967 Destination port: 28915
4.216109 208.167.24.111 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.216125 66.55.149.202 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.216133 208.167.24.27 -> 176.58.101.xx UDP Source port: 28960 Destination port
4.216176 85.21.79.25 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.216183 208.167.24.127 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.216190 94.229.34.11 -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915
4.216197 91.203.178.84 -> 176.58.101.xx QUAKE3 Connectionless Server to Client
I just figured out that some packets have a Quake3 protocol, or something like it, which is strange since I'm not hosting any Quake server.
My question is, can I use iptables to filter the incoming packets that have that Quake3 connectionless protocol? If so, how?
Help is very much appreciated.
12 Replies
I'd try and find a way to report that; it could be a well-funded hacker group using its resources for fun DDoS'ing, and the authorities might like to catch them.
@vonskippy:
Why would you not already have IPTABLES dropping ALL TRAFFIC that you don't specifically allow?
Please describe how you propose to use IPTABLES to determine which UDP traffic to specifically allow or deny. Having IPTABLES tell good traffic from bad traffic on the same port using the same protocol is rather difficult.
@jebblue:
On the Quake thing, this is from memory so I could be wrong, but I think Valve's Half-Life used the Quake II engine. It could be that when they wrote their Source engine the packet formats were kept similar for code re-use.
I'd try and find a way to report that; it could be a well-funded hacker group using its resources for fun DDoS'ing, and the authorities might like to catch them.
Normal packets sent by players don't have that Quake thing; it only shows up when they are making a DDoS. They have done 4 so far.
I think that the Quake thing is because they are using some kind of tool for making DDoS attacks. Still, is there any way to deny the packets with that header, or whatever that Quake thing is?
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915
Blocking ports won't do jack squat. Why do people keep suggesting port blocking? Get with the program.
agrs700: You can't really do what you want without custom-written deep packet inspection rules, and considering how similar these quake-based games are going to be, that's going to be very difficult, if not impossible. You might be better off coming up with some sort of solution that gets data (such as aborted connection attempts) from HLDS and blocks those IPs if they pass a certain threshold of aborted attempts. What impact is this having on your linode? Is it causing a system-wide impact, or is it just breaking HLDS itself?
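A worked illustration of the threshold approach Guspaz describes, added here as an example and not code from this thread, from HLDS or from Linode. The thread does not show the HLDS log format, so instead of aborted-connection records this script parses lines in the capture layout of the original post (sample lines constructed with RFC 5737 documentation addresses, not the ones seen above), counts packets per source inside a sliding time window, and renders the iptables DROP commands an operator would review before applying. The threshold, window size and function names are assumptions.

```python
"""Per-source thresholding of flood traffic (added example, not code from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the capture from the original post.
# Addresses are RFC 5737 documentation ranges, not the ones seen in the thread.
SAMPLE_CAPTURE = """\
4.213248 203.0.113.5 -> 198.51.100.7 UDP Source port: 28960 Destination port: 28915
4.213252 203.0.113.5 -> 198.51.100.7 UDP Source port: 28960 Destination port: 28915
4.213257 203.0.113.5 -> 198.51.100.7 UDP Source port: 28960 Destination port: 28915
4.213261 203.0.113.5 -> 198.51.100.7 UDP Source port: 28960 Destination port: 28915
4.213266 203.0.113.5 -> 198.51.100.7 UDP Source port: 28960 Destination port: 28915
4.213270 203.0.113.9 -> 198.51.100.7 QUAKE3 Connectionless Server to Client
4.213275 203.0.113.9 -> 198.51.100.7 QUAKE3 Connectionless Server to Client
4.213280 203.0.113.9 -> 198.51.100.7 QUAKE3 Connectionless Server to Client
4.213285 203.0.113.9 -> 198.51.100.7 QUAKE3 Connectionless Server to Client
4.500000 203.0.113.42 -> 198.51.100.7 UDP Source port: 27005 Destination port: 28915
9.700000 203.0.113.42 -> 198.51.100.7 UDP Source port: 27005 Destination port: 28915
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn capture lines into (timestamp, source_ip, kind) tuples.

    kind is 'quake3' for lines the dissector labelled QUAKE3 and 'udp' otherwise;
    lines that do not match the layout are skipped rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = "quake3" if m.group("rest").startswith("QUAKE3") else "udp"
        events.append((float(m.group("ts")), m.group("src"), kind))
    return events


def kind_summary(events):
    """Count how many events carried each label (the split the poster noticed)."""
    return Counter(kind for _, _, kind in events)


def offenders(events, threshold, window):
    """Return {source_ip: peak_count} for sources that sent at least `threshold`
    packets inside any sliding window of `window` seconds.

    A legitimate player sends a trickle; a flooder fills the window. The threshold
    and window are assumed values to tune against real traffic, not measured ones.
    """
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the left edge of the window forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def iptables_rules(blocked, port=28915):
    """Render DROP rules for review; nothing here executes them."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(blocked)]


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    print(dict(kind_summary(evs)))
    bad = offenders(evs, threshold=4, window=1.0)
    print(bad)
    print("\n".join(iptables_rules(bad)))
```

To follow Guspaz's actual suggestion, replace `parse_capture` with a reader for whatever aborted-connection data HLDS exposes and keep `offenders` as the decision step. Two caveats apply to any host-level version of this: a DROP rule in iptables discards packets only after they have already crossed the link, so it will not restore connectivity when the inbound side is saturated the way the poster describes, and per-source rules do nothing against spoofed or rotating sources, so the same thresholds are more useful when applied upstream or reported to the provider.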
@Guspaz:
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915
Ah! I get it now.
@Guspaz:
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915
Blocking ports won't do jack squat. Why do people keep suggesting port blocking? Get with the program.
agrs700: You can't really do what you want without custom-written deep packet inspection rules, and considering how similar these quake-based games are going to be, that's going to be very difficult, if not impossible. You might be better off coming up with some sort of solution that gets data (such as aborted connection attempts) from HLDS and blocks those IPs if they pass a certain threshold of aborted attempts. What impact is this having on your linode? Is it causing a system-wide impact, or is it just breaking HLDS itself?
Thanks for the tip. During the attacks the linode has about 100 mb/s download usage. All connectivity to my linode is lost; I can't even log in with ssh.
@agrs700:
Thanks for the tip. During the attacks the linode has about 100 mb/s download usage. All connectivity to my linode is lost; I can't even log in with ssh.
When you can't get in, use Lish.