[MUST SEE] Anti Ddos

Aggro
Posts: 17
Joined: Sun Oct 24, 2010 3:34 pm

Post by Aggro »

L2J Revision: latest
L2JDP Revision: latest

Hi everyone. I am trying to insert DDoS protection (iptables) for the login server, but I need some help. Help me to make it work :)

anti_ddos.sh

Code:

#!/bin/sh
IPT=/sbin/iptables
UNPRIPORTS="1024:65535"
INET_IFACE="eth0"

# Loopback and all outbound traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o eth0 -j ACCEPT

# Open services; port 7777 is dropped unless an ACCEPT rule is added for the source IP
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -m tcp --dport 2106 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 7000 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT -s 127.0.0.1
$IPT -A INPUT -i eth0 -p tcp -m tcp --dport 7777 -j DROP

# Per-source connection limits; -I places these at the top of INPUT
$IPT -I INPUT -i eth0 -p tcp --dport 2106 -m connlimit --connlimit-above 2 -j DROP
$IPT -I INPUT -i eth0 -p tcp --dport 7777 -m connlimit --connlimit-above 5 -j DROP

$IPT -A INPUT -p icmp -i eth0 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
# Reject every other new TCP connection
$IPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-port-unreachable
# No -j target: this rule only counts echo requests
$IPT -A INPUT -p icmp --icmp-type 8 -s 0/0

# Replies to outbound DNS, FTP, HTTP(S) and SMTP connections
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport $UNPRIPORTS --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1024:65353 --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 21 -j ACCEPT ! --syn
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE --dport $UNPRIPORTS -j ACCEPT --sports 80,443 ! --syn
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 25 -j ACCEPT

# Default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

loginserver.properties

Code:

@@ -94,2 +94,10 @@ Assert = False Developer = False++# ---------------------------------------------------------------------------+# Anti Ddos+# ---------------------------------------------------------------------------++# EnableDdosProSystem = True+# Deny_noallow_ip_ddos = /sbin/iptables -I INPUT 13 -p tcp --dport 7777 -s $IP -j ACCEPT+# Fulllog_mode_print = false
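
Review bot: the rule index in the commented `Deny_noallow_ip_ddos` example (`-I INPUT 13`) depends on the exact rule count of anti_ddos.sh, and with that script on an empty INPUT chain the `--dport 7777 -j DROP` rule ends up at position 9 (the two `-I` connlimit rules go above the seven earlier `-A` rules), so an ACCEPT inserted at 13 sits below the DROP and is never reached. Have anti_ddos.sh create a dedicated chain that INPUT jumps to ahead of the port 7777 DROP and add the per-IP rules there instead of using a numeric index. The key name also reads as a deny action while the command is `-j ACCEPT`, and all three keys ship commented out, so the comment block should say that the feature stays off until `EnableDdosProSystem` is uncommented.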
Config.java

Code:

 +        public static boolean ENABLE_DDOS_PROTECTION_SYSTEM;+        public static boolean ENABLE_DEBUG_DDOS_PROTECTION_SYSTEM;+        public static String DDOS_COMMAND_BLOCK;         // --------------------------------------------------         // MMO Settings@@ -3548,5 +3553,9 @@                          LOGIN_ATTEMPT_CHECK_ENABLE = getBoolean(properties, override, "EnableLoginAttemptInfo", false);-                        ++                        ENABLE_DDOS_PROTECTION_SYSTEM = getBoolean(properties, override,"EnableDdosProSystem", false);+                        DDOS_COMMAND_BLOCK = getString(properties, override, "Deny_noallow_ip_ddos", "/sbin/iptables -I INPUT -p tcp --dport 7777 -s $IP -j ACCEPT");+                        ENABLE_DEBUG_DDOS_PROTECTION_SYSTEM = getBoolean(properties, override, "Fulllog_mode_print", false);
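
Review bot: the fallback string for `Deny_noallow_ip_ddos` in the second hunk is `-I INPUT ...` with no rule number, while the loginserver.properties example uses `-I INPUT 13`; without a number iptables inserts at position 1, so the two variants behave differently and the default puts the per-IP ACCEPT above the connlimit rules from anti_ddos.sh. Keep one form in both places. Holding a whole command line in `DDOS_COMMAND_BLOCK` also means that whoever can edit the properties file decides what the login server executes; consider making only the port configurable and building the argument list in code. The property names (`Deny_noallow_ip_ddos`, `Fulllog_mode_print`) do not match the field names they load into, which makes the setting hard to find later.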
RequestAuthLogin.java

Code:

@@ -112,4 +112,15 @@                 LoginController lc = LoginController.getInstance();                 L2LoginClient client = getClient();+                +                InetAddress address = getClient().getConnection().getInetAddress();+                if(address == null) +                {+                        _log.warning("Socket is not connected: " + client.getAccount());+                        client.close();+                        return;+                }+                String addhost = address.getHostAddress();                 try                 {@@ -129,4 +140,20 @@                                                 getClient().sendPacket(new ServerList(getClient()));                                         }+                                        if(Config.ENABLE_DDOS_PROTECTION_SYSTEM) {+                                        String deny_comms = Config.DDOS_COMMAND_BLOCK;+                                        deny_comms = deny_comms.replace("$IP", addhost);+                                                try {+                                                Runtime.getRuntime().exec(deny_comms);+                                                        if(Config.ENABLE_DEBUG_DDOS_PROTECTION_SYSTEM) {+                                                System.out.println("Accepted IP access GS by "+addhost);+                                                System.out.println("Command is"+deny_comms);+                                                        }+                                                } catch(Exception e) {+                                                System.out.println("Accepts by ip "+addhost+" no allowed");+                                                System.out.println("Command is"+deny_comms);                                            +                                                }+                                        }                                         break;                                 case 
INVALID_PASSWORD:
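
Review bot: in the second hunk `Runtime.getRuntime().exec(deny_comms)` is started and never checked: the returned Process is not waited on, so a non-zero exit from iptables still prints "Accepted IP access GS by", and the catch block only covers failure to start the process. Nothing tests whether a rule for `addhost` already exists and nothing removes rules, so the chain gains one entry for every login that reaches this branch. Use the `exec(String[])` form with arguments built in code, call `waitFor()` and check the exit value, skip the insert when the address is already allowed, and log through `_log` as the first hunk does instead of `System.out`. The first hunk can also use the existing `client` variable rather than calling `getClient()` again.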
qwerty13
Posts: 640
Joined: Mon Feb 02, 2009 9:57 am
Location: Europe

Post by qwerty13 »

This is useless for a real DDoS. :P
Aggro
Posts: 17
Joined: Sun Oct 24, 2010 3:34 pm


Post by Aggro »

Maybe I can see an alternative to this?
qwerty13
Posts: 640
Joined: Mon Feb 02, 2009 9:57 am
Location: Europe

Post by qwerty13 »

Backbone\cisco
kama3a
Posts: 125
Joined: Mon Jul 07, 2008 4:01 pm


Post by kama3a »

If you ask me ... $$$$ = Cisco/etc :D
Aggro
Posts: 17
Joined: Sun Oct 24, 2010 3:34 pm


Post by Aggro »

Other alternatives?
kama3a
Posts: 125
Joined: Mon Jul 07, 2008 4:01 pm


Post by kama3a »

Aggro wrote: Other alternatives?
filter packets
firewall
2nd side scripts on Linux.
ISP protection
order protection from a professional website .. but they are kinda expensive.
Cisco router - the best way to stop an attack, but it is also expensive.
Aggro
Posts: 17
Joined: Sun Oct 24, 2010 3:34 pm


Post by Aggro »

Why is iptables a bad choice?
qwerty13
Posts: 640
Joined: Mon Feb 02, 2009 9:57 am
Location: Europe

Post by qwerty13 »

Iptables is not a bad solution. But it does not protect you from DDoS. To avoid a flood - probably.
lion
L2j Veteran
Posts: 967
Joined: Sun Mar 11, 2007 7:49 pm
Location: Ukraine


Post by lion »

Aggro wrote: Why is iptables a bad choice?
Because the server has already received all the packets on the network card, and only then drops them.
n0name12
Posts: 38
Joined: Tue Sep 29, 2009 2:29 pm


Post by n0name12 »

I'll have to say those were the lamest iptables rules I have seen.
Keep in mind that in order to protect from something you have to know what that is.
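
The order iptables ends up with for the anti_ddos.sh rules at the top of the thread differs from the order in the file, because `-I` puts a rule at the top of the chain and `-A` at the bottom. The sketch below is an added example, not code from the thread or from L2J: it rebuilds that order in plain shell without touching iptables and evaluates a new connection to port 7777 from a constructed client address after the login server's insert at position 13 and at the default position; `place`, `matches`, `verdict` and `after_login` are names made up here, and the INPUT chain is assumed empty before the script runs.

```shell
# Added illustration: INPUT rules of anti_ddos.sh in script order (chain assumed empty first).
# Helper names are made up here; the six later -A rules are omitted (they sit below position 13).
SCRIPT_RULES='-A -i lo -j ACCEPT
-A -i eth0 -p tcp --dport 22 -j ACCEPT
-A -i eth0 -p tcp -m tcp --dport 2106 -j ACCEPT
-A -i eth0 -p tcp --dport 7000 -j ACCEPT
-A -i eth0 -p tcp --dport 80 -j ACCEPT
-A -i eth0 -p tcp --dport 3306 -j ACCEPT -s 127.0.0.1
-A -i eth0 -p tcp -m tcp --dport 7777 -j DROP
-I -i eth0 -p tcp --dport 2106 -m connlimit --connlimit-above 2 -j DROP
-I -i eth0 -p tcp --dport 7777 -m connlimit --connlimit-above 5 -j DROP
-A -p icmp -i eth0 -j ACCEPT
-A -i eth0 -p tcp --dport 25 -j ACCEPT
-A -i eth0 -p tcp --dport 110 -j ACCEPT
-A -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-port-unreachable'
# Place a rule as iptables does: -A appends, -I inserts before POS (1 when omitted).
place() {  # place OP POS RULE
  n=$(printf '%s\n' "$CHAIN" | awk 'NF { c++ } END { print c + 0 }')
  p=$2; if [ "$1" = "-A" ]; then p=$((n + 1)); fi
  [ "$p" -le $((n + 1)) ] || return 1   # iptables rejects an index past the end
  CHAIN=$(printf '%s\n' "$CHAIN" | awk -v p="$p" -v r="$3" \
    'NR == p { print r } NF { print } END { if (p > NR) print r }')
}
# Does RULE match a new TCP connection from SRC to port 7777 on eth0, below the connlimit?
matches() {  # matches RULE SRC
  case " $1 " in *" -i lo "*|*" -p icmp "*|*" -m connlimit "*) return 1;; esac
  case " $1 " in *" --dport 7777 "*) ;; *" --dport "*) return 1;; esac
  case " $1 " in *" -s $2 "*) ;; *" -s "*) return 1;; esac
}
# First match wins: print "<position> <target>" of the rule that decides the packet.
verdict() {  # verdict SRC
  i=0
  while IFS= read -r rule; do
    i=$((i + 1))
    if matches "$rule" "$1"; then t=${rule##*-j }; echo "$i ${t%% *}"; return; fi
  done <<EOF
$CHAIN
EOF
  echo "policy DROP"
}
# Verdict for SRC once the login server has inserted its per-IP ACCEPT rule at POS.
after_login() {  # after_login SRC [POS]
  CHAIN=
  while read -r op rule; do place "$op" 1 "$rule"; done <<EOF
$SCRIPT_RULES
EOF
  place -I "${2:-1}" "-p tcp --dport 7777 -s $1 -j ACCEPT" && verdict "$1"
}
echo "-I INPUT 13: $(after_login 203.0.113.10 13)"  # 203.0.113.10: constructed client address
echo "-I INPUT:    $(after_login 203.0.113.10)"
```

It prints `9 DROP` for `-I INPUT 13` and `1 ACCEPT` for plain `-I INPUT`: at position 13 the per-IP ACCEPT sits below the port 7777 DROP, while at position 1 it sits above the connlimit rules as well.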