IPFW - advanced UDP dynamic rules

Hello,

I'm posting here since I failed to configure advanced dynamic rules on IPFW. I run an application on my server that uses only UDP (a single port, 31578). I have been suffering from various attacks for a few days from kids flooding my app's application port with malformed UDP packets or random UDP packet sizes. Those attacks are not very powerful since they seem to come from a single connection with limited upload bandwidth (< 100 KB/s). Banning their IP is not the solution since they have dynamic IPs but also use a third-party service to hide their IP.

So it makes me think that IPFW with dynamic rules would be the best way to keep valid data packets and drop the others by doing the following:
  1. Pass UDP packets to a pipe with very limited bandwidth if they match port 31578.
  2. If a UDP packet comes from the inside (meaning my application answered valid data), it will install a dynamic rule to lift the restrictions for this particular IP only.
Does it make sense? Here is what I tried:

Code:
# Per-source-IP queues: the mask gives every source address its own bandwidth budget
ipfw pipe 1 config mask src-ip 0xffffffff bw 3Kbit/s
ipfw pipe 2 config mask src-ip 0xffffffff bw 100Kbit/s

ipfw add check-state
# With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted once it leaves
# this pipe, so the pipe 1 rule at the end is never reached for the same packets
ipfw add pipe 2 udp from any to me in dst-port 31578
# The server's answer leaves the host, so the rule has to match "from me to any out"
# with 31578 as source port; "from any to me out" can never match (the direction was
# reversed in the original)
ipfw add allow udp from me to any out src-port 31578 keep-state
ipfw add pipe 1 udp from any to me in dst-port 31578

This configuration doesn't work as expected since, when my application is under attack, my clients' pings have high values. I believe the dynamic rules and pipe were used for the entire traffic while I was expecting to use one pipe per IP.
 
IMHO, you don't need pipes. A dynamic stateful ruleset would simply block unsolicited connections from any location, and allow responses to outgoing connections from your site.

Code:
ipfw add 100 check-state                                    # existing flows are matched here first
ipfw add 200 deny udp from any to me 31578 in               # unsolicited packets to the game port
ipfw add 300 allow udp from me to any 31578 out keep-state  # our own outgoing flows create the state

# add some more rules here, that allow other traffic that you need
# for example dns, ssh, smtp, web, etc., and finally block all the rest.
ipfw add 400 allow udp from me to any 53 out keep-state
ipfw add 500 allow tcp from me to any 22,25,80 out setup keep-state

ipfw add 65534 deny ip from any to any

Note that I put the specific deny rule right after the check-state, so the infringing packets get blocked early in the ruleset; they have to pass a few dynamic rules though, and it is not guaranteed that the overall response delay of your machine improves when it is being attacked.

I assume that all this is about online gaming. So wouldn't it be a better choice to find gamers who are honest enough not to gain advantages over their colleagues by cheating and using dirty tricks?

Doesn't DoS in online gaming have quite the same attitude as cheating in poker? In the Wild West, the rule was, shoot the cheater and continue playing with the others. Nowadays we omit the shooting, though.
 
Thank you for your time and your help. Yeah, you are right, it's all about that :-)

Please correct me if I am wrong, but I believe your current code cannot work: if I want my application to answer the client, it first needs to know that someone wants to establish a new connection to it, so I have to first allow an incoming packet from the client through the firewall, am I wrong?
 
Yes, you are right. I suggested a firewall model for a game client, not for a game server.

Which game server are we talking about?
 
Pipes could be created in such a way that a single pipe or a pair of pipes handles only gaming traffic. And those pipes can be configured to consume only a subset of your total up/down bandwidth as given by your ISP, the idea being that traffic to/from the server application does not consume 100% of your bandwidth.

Code:
# $ipfw holds the path to the ipfw binary, e.g. ipfw=/sbin/ipfw
# Configure the pipes (the overall bandwidth caps) and the queues that feed them
# before adding the rules that send traffic into them
$ipfw -q pipe 3 config bw 200Kbits/s queue 10Kbytes  ## whatever rate is relevant for you
$ipfw -q pipe 4 config bw 450Kbits/s queue 10Kbytes
$ipfw -q queue 3 config pipe 3 weight 30 queue 5Kbytes
$ipfw -q queue 4 config pipe 4 weight 30 queue 5Kbytes

# Inbound to our services and outbound from them; send the traffic to the queues only
# (an earlier rule sending the same packets straight to pipe 3/4 would accept them
# after the pipe and these queue rules would never be reached). The backslash keeps
# ftp-data from being parsed as a port range.
$ipfw -q add queue 3 tcp from any to me ftp,http,https in
$ipfw -q add queue 4 tcp from me 51151-51201,ftp\\-data,ftp,http,https to any out

Also, ipfw has an option for
Code:
limit src-addr
that might also be worth checking into.
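The thread leaves the server-side ruleset open: the stateful ruleset above is for a game client, the original poster's server must accept an unsolicited first packet, and the last reply points at `limit`. The script below is an added example, not code from the thread or from the FreeBSD project, that puts the two together for a UDP game server: the first post's plan (a small per-source pipe for packets the server has not answered yet, and a dynamic rule created by the server's own reply that lifts the limit for that client) plus `limit dst-addr` to cap the dynamic entries per client. The port 31578 is taken from the thread; the rule numbers, bandwidth figures, flow cap, and the assumption that `net.inet.ip.fw.one_pass` is at its default of 1 are mine.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset for a UDP game server.
# Assumptions: service port 31578; rule numbers, NEW_BW and MAX_FLOWS are illustrative;
# net.inet.ip.fw.one_pass=1 (default), so a packet that went through a pipe is
# accepted after the pipe and is not re-evaluated against the later rules.

GAME_PORT="${GAME_PORT:-31578}"   # UDP service port (from the thread)
NEW_BW="${NEW_BW:-16Kbit/s}"      # assumed per-source budget before the server has answered
MAX_FLOWS="${MAX_FLOWS:-2}"       # assumed cap on dynamic entries per client address

# game_server_rules CMD
# Every ipfw invocation goes through CMD: `game_server_rules /sbin/ipfw` installs
# the rules, `game_server_rules echo` prints the commands as a dry run.
game_server_rules() {
    fw="$1"

    # mask src-ip 0xffffffff gives each source address its own queue, so a single
    # flooder exhausts only his own budget instead of the whole pipe.
    "$fw" -q pipe 1 config bw "$NEW_BW" queue 5Kbytes mask src-ip 0xffffffff

    # Flows with state are matched first; the dynamic rule covers both directions,
    # so packets of a client the server has answered never reach the pipe.
    "$fw" -q add 100 check-state

    # Unsolicited inbound packets (first contact, or noise): rate limited per source.
    # Malformed packets the server never answers stay in this trickle forever.
    "$fw" -q add 200 pipe 1 udp from any to me "$GAME_PORT" in

    # The server's answer creates the state for that client. `limit dst-addr N`
    # implies keep-state and allows at most N entries per client address, which
    # bounds the size of the dynamic table. Answers inside an existing flow already
    # matched rule 100 and never get here.
    "$fw" -q add 300 allow udp from me "$GAME_PORT" to any out limit dst-addr "$MAX_FLOWS"

    # Add rules for the other services this host needs here, then drop the rest.
    "$fw" -q add 65000 deny ip from any to any
}

# game_server_flush CMD: remove the rules and the pipe again.
game_server_flush() {
    fw="$1"
    "$fw" -q delete 100 200 300 65000
    "$fw" -q pipe 1 delete
}

# Only touch the firewall when explicitly asked:
#   sh game-fw.sh apply   # needs root and the ipfw kernel module
#   sh game-fw.sh flush   # remove the rules again
#   sh game-fw.sh         # print the commands without running them
case "${1:-show}" in
    apply) game_server_rules /sbin/ipfw ;;
    flush) game_server_flush /sbin/ipfw ;;
    *)     game_server_rules echo ;;
esac
```

Two caveats from the thread carry over. A client the server has already answered is no longer limited, so a "valid" client who starts flooding is not stopped by this ruleset; and the dynamic entry is refreshed by every matching packet and expires after `net.inet.ip.fw.dyn_udp_lifetime` seconds of silence (10 by default), so a client that goes quiet for longer falls back into the pipe for its next packet. If you run with `net.inet.ip.fw.one_pass=0`, the packet leaving pipe 1 continues down the ruleset and hits the final deny, so rule 200 would then need to be followed by an explicit allow for the same traffic.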
 