Notice to all users

We are migrating towards a new forum system located at community.teamspeak.com, as such this forum will become read-only on January 29, 2020

  1. #1
    Join Date
    November 2012
    Posts
    1

    block DDoS Attack with IPTables

    Hello Community,

    Maybe my Thread isn't the first one in this direction.. But I really have a problem with DDoS attacks.

    I don't know where the attacks come from. But I think it's the normal TS3 protocol. The problem is, I can't block the whole protocol. Does anyone know how I can configure my IPTables so that this will never happen?

    greez.

  2. #2
    Join Date
    May 2006
    Location
    Europe/Czech Rep.
    Posts
    1,616
    No, it is not that simple kiddo.

    It is hardly doable, and mainly it is not efficient in the end because you believe it is more simple than that (DDoS) situation actually is.

  3. #3
    Join Date
    July 2005
    Location
    SK
    Posts
    44
    Quote Originally Posted by Tomas View Post
    It is hardly doable, and mainly it is not efficient in the end because you believe it is more simple than that (DDoS) situation actually is.
    I do not agree. IPtables is a mighty tool if you know how to use it properly. As for OP: you could use connection-rate limiting for incoming connections, i.e.:

    iptables -I INPUT -p tcp --dport $your_ts_port -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport $your_ts_port -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

    This way you drop every connection which is coming faster than 3 times per minute per each source IP (IIRC, there is also an option to increase the threshold progressively). This protects your TS-server from overloading. Of course, a DDoS attack might still saturate your incoming network capacity. If this happens, ask your ISP to use similar filtering on his perimeter...

    Of course, the above mentioned iptables-rules should not affect normal users, because they should not try to connect to your TS-server more often than 3 times per minute...

  4. #4
    Join Date
    May 2006
    Location
    Europe/Czech Rep.
    Posts
    1,616
    Quote Originally Posted by Teddy View Post
    I do not agree. IPtables is a mighty tool if you know how to use it properly. As for OP: you could use connection-rate limiting for incoming connections, i.e.:

    iptables -I INPUT -p tcp --dport $your_ts_port -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport $your_ts_port -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

    This way you drop every connection which is coming faster than 3 times per minute per each source IP (IIRC, there is also an option to increase the threshold progressively). This protects your TS-server from overloading. Of course, a DDoS attack might still saturate your incoming network capacity. If this happens, ask your ISP to use similar filtering on his perimeter...

    Of course, the above mentioned iptables-rules should not affect normal users, because they should not try to connect to your TS-server more often than 3 times per minute...
    I believe you think the situation is more simple than it is.

    First, TeamSpeak uses UDP not TCP, you can't use -m state on that obviously.
    Checking TCP connections to filetransfer or serverquery isn't gonna help you.
    You could use hashtable for UDP and that might work but still, you would have to test the amount of packets at highest codec highest quality, and that my dear could be big enough compared to idle connection. There is also the detail that somewhere on the way packets could rarely but could be duplicated, delayed, lagged, bursted (interface queue) etc.
    Besides, there are users using NAT, some of them layers of multiple NATs and they can't fix that since their ISP is doing that. Then there could be more users from same IP. Now you would DROP them from reaching your service.

    ......

    I am mainly saying that if you gonna go and play with this, be sure to listen to everything more, connection drops, people disconnecting and connecting next second, packet loss rising.... problem is it could be cuz your setup, and it could be their ISP/connectivity, oh yes, or anything in between.
    Last edited by Tomas; November 30th, 2012 at 01:13 AM. Reason: interface queue, truncated
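
Added example, not part of any post in this thread: a simplified Python model of the two "recent" rules quoted in post #3, run over constructed traffic to show the shared-IP (NAT) effect raised in post #4. The addresses, timings and function names are made up for illustration, and the model ignores the module's cap on stored timestamps per source.

```python
from collections import defaultdict

WINDOW = 60    # --seconds 60
HITCOUNT = 3   # --hitcount 3


def simulate(events, window=WINDOW, hitcount=HITCOUNT):
    """Model the two quoted rules for NEW connections to the TS port.

    Both rules use -I, so the --update/DROP rule sits above the --set rule.
    events: iterable of (time_in_seconds, source_ip).
    Returns a list of (time, source_ip, verdict).
    """
    stamps = defaultdict(list)   # per-source timestamps, like the 'recent' list
    verdicts = []
    for t, ip in sorted(events):
        in_window = [s for s in stamps[ip] if t - s <= window]
        # --update --seconds 60 --hitcount 3: match when the source already
        # has 3 entries inside the window; a match also records this packet.
        verdict = "DROP" if len(in_window) >= hitcount else "ACCEPT"
        # Not dropped: the packet falls through to --set, which records it too.
        stamps[ip] = in_window + [t]
        verdicts.append((t, ip, verdict))
    return verdicts


def summarize(verdicts):
    """Return {source_ip: (accepted, dropped)}."""
    totals = defaultdict(lambda: [0, 0])
    for _, ip, verdict in verdicts:
        totals[ip][verdict == "DROP"] += 1
    return {ip: tuple(counts) for ip, counts in totals.items()}


# Constructed sample traffic (documentation address ranges, not real hosts).
FLOOD = [(t, "203.0.113.10") for t in range(10)]              # 1 attempt/second
ONE_USER = [(0, "198.51.100.7"), (30, "198.51.100.7")]        # a single reconnect
NAT_USERS = [(t, "192.0.2.50") for t in (5, 12, 20, 31, 70)]  # 5 people, 1 IP

RESULT = summarize(simulate(FLOOD + ONE_USER + NAT_USERS))

if __name__ == "__main__":
    for ip, (accepted, dropped) in sorted(RESULT.items()):
        print(f"{ip:15} accepted={accepted} dropped={dropped}")
```

The fifth person behind the shared address is still dropped at t=70 because the dropped attempt at t=31 was recorded as well, so the block rolls forward for as long as anyone behind that address keeps trying.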

  5. #5
    Join Date
    July 2005
    Location
    SK
    Posts
    44
    Quote Originally Posted by Tomas View Post
    I believe you think the situation is more simple than it is...
    I'm aware of how complex the problem of traffic filtering is, but I do not think this forum is appropriate to discuss this topic in full depth. That is why I did not provide solution, but rather just hint about one possible direction in which OP could go (but there are many more ways). I also touched the problem of down/up-link saturation, and offered one of many ways where he could start looking for solution (honestly, if ISP does not have hw or will to fight ddos-attacks, he should do some other business). No filtering is bullet-proof, but if set up properly, he can filter 90% of all ddos attacks out. And that might be just enough, depending on how much effort the "bad guy" is willing to invest in causing him harm...

    (BTW, you *can* use -m state with udp. It just works differently than for tcp, of course)

  6. #6
    Join Date
    September 2013
    Posts
    3
    tcpdump -nXvvvc 100

    screen please.

  7. #7
    Join Date
    September 2013
    Posts
    4
    DDoS attacks can't be blocked. There's a few hosting companies that offer limited protection from DDoS attacks like NFOServers. You can use IPTables to slow the attack but if the attack itself is at a higher speed than you get from the hosting company the server will go down.
