Quote, originally posted by DaWe:
> He is sending it from like 40k IP addresses in a few seconds and the addresses are changing all the time. Also all the IP addresses are spoofed (faked).
Rate limiting via iptables might work better with that amount of traffic, e.g.:

```sh
# QUERY-BLOCK: remember the offending source in the 'blocked-hosts' list, then drop the packet
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
iptables -N QUERY-CHECK
# only inspect packets whose payload starts with "getstatus" (offset 32 = 20-byte IP header
# + 8-byte UDP header + the 4-byte 0xff prefix); anything else goes back to INPUT untouched
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
# source already in blocked-hosts within the last 30 s: refresh its timer and drop
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# more than 15 getstatus/second from a single source address: send it to QUERY-BLOCK
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 15/second -j QUERY-BLOCK
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
```
You could also try to only allow valid traffic, e.g.:

```sh
# default policies: drop everything that is not explicitly accepted below
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP # syn flood: NEW TCP must be a plain SYN
iptables -A INPUT -m state --state INVALID -j DROP # packets conntrack cannot associate with any connection
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP # bogus TCP flags (all set)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 28960 -j ACCEPT # the game server's UDP port
# ACCEPT all ports (+ used protocol) you are using for incoming traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accepts traffic requested by your server
```
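To see what the QUERY-CHECK / QUERY-BLOCK chains above actually do to a stream of queries, here is an added Python model of them (not code from the post): it builds constructed IPv4+UDP packets, checks the "getstatus" string at the same byte window as the `--from 32 --to 41` rule, and applies the 15/second-per-source limit with a 30-second block. The payload, addresses and a sliding-window stand-in for hashlimit's token bucket are assumptions.

```python
import socket
import struct

GETSTATUS = b"\xff\xff\xff\xffgetstatus\n"   # constructed Quake3-style query payload

def build_packet(src_ip, payload, dport=27960):
    """Constructed IPv4 + UDP datagram: 20-byte IP header, 8-byte UDP header, payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("192.0.2.10"))
    udp = struct.pack("!HHHH", 27960, dport, 8 + len(payload), 0)
    return ip + udp + payload

def is_getstatus(pkt):
    """Mirror of '-m string --string "getstatus" --from 32 --to 41': the 4-byte 0xff
    prefix puts the keyword at payload offset 4, i.e. packet offset 28 + 4 = 32."""
    return b"getstatus" in pkt[32:41]

class QueryFilter:
    """Approximation of the QUERY-CHECK / QUERY-BLOCK chains. The kernel's hashlimit is
    a token bucket; a 1-second sliding window is used here for readability."""
    def __init__(self, rate=15, block_seconds=30):
        self.rate, self.block_seconds = rate, block_seconds
        self.blocked = {}   # src -> last hit time (the xt_recent list 'blocked-hosts')
        self.hits = {}      # src -> timestamps of getstatus packets in the last second

    def handle(self, pkt, now):
        src = socket.inet_ntoa(pkt[12:16])
        if not is_getstatus(pkt):
            return "RETURN"            # not a query: the rest of INPUT decides
        last = self.blocked.get(src)
        if last is not None and now - last <= self.block_seconds:
            self.blocked[src] = now    # --update refreshes the entry, then DROP
            return "DROP"
        window = [t for t in self.hits.get(src, []) if now - t < 1.0] + [now]
        self.hits[src] = window
        if len(window) > self.rate:    # --hashlimit-above 15/second -> QUERY-BLOCK
            self.blocked[src] = now    # --set, then DROP
            return "DROP"
        return "RETURN"

def simulate():
    """Packets passed per sender: a modest client, one flooding address, and a spoofed
    flood where every packet carries a different (constructed) source address."""
    f = QueryFilter()
    q = lambda ip, t: f.handle(build_packet(ip, GETSTATUS), t) == "RETURN"
    client = sum(q("198.51.100.7", i * 0.2) for i in range(5))
    flood = sum(q("203.0.113.9", i * 0.02) for i in range(40))
    later, released = q("203.0.113.9", 20.0), q("203.0.113.9", 60.0)
    spoofed = sum(q("10.0.%d.%d" % (i // 256, i % 256), 0.5) for i in range(1000))
    return {"client": client, "flood": flood, "later": later, "released": released, "spoofed": spoofed}
```

The last case is the one the quoted post describes: with every packet from a fresh spoofed address, the per-source counter never exceeds 15, so none of them are dropped.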