Hello, I have had these attacks as well; I made a firewall script which stopped them for me.
Make sure you configure this firewall script properly with your UDP and TCP ports; also add to the RCON whitelist any IPs that need RCON access (e.g. GameMe stats), and remove any TCP/UDP ports you don't need.
After you are done, save this file as firewall.sh and run chmod 777 to make it executable. Once that is done, run ./firewall.sh — it will install the firewall rules and automatically save them so they are restored on reboot.
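#!/bin/bash
# firewall.sh - iptables rule set for a Source game-server host.
#
# Installs rules that rate-limit A2S query floods on the UDP game ports, open
# the listed TCP service ports, drop malformed/spoofed traffic, and persist the
# result so it is restored on boot (Debian/Ubuntu ifupdown hook layout).
#
# Usage (as root):  ./firewall.sh
# Edit the CONFIGURATION block before running.  Keep this file root-owned and
# not world-writable: it runs as root and writes into /etc.
#
# Rule order matters in iptables.  The per-port query-limit rules are appended
# BEFORE the generic ESTABLISHED/NEW accepts; if they came after them every
# packet to a game port would already be accepted and the limits would never
# be evaluated.  The remaining sections keep their original relative order.
set -uo pipefail
LANG=C; LC_ALL=C; export LANG LC_ALL

################################################
#################CONFIGURATION##################
# Path to iptables
readonly IPTABLES='/sbin/iptables'
# Where the active rule set is saved, and the boot hook that restores it.
readonly SAVE_FILE='/etc/firewall.conf'
readonly RESTORE_HOOK='/etc/network/if-up.d/iptables'
# Server Ports (UDP) - single ports or low:high ranges, one per line.
GS_PORTS=(
  27015:27020
  1337
  9987
  42020
  28015
)
# Services ports (TCP)
SRV_PORTS=(
  21
  22
  80
  3306
  12679
  10011
  30033
  10044:10045
  29799:29899
  27015:27020
  28015
  1337
  2044:2050
  17017:17022
  42020
)
# RCON Whitelist
RCON_IPS=(
  127.0.0.1
)
# A2S query signatures (0xffffffff header + request byte) whose arrival rate is
# capped per game port; anything over the cap is dropped.
A2S_SIGNATURES=(
  '|ffffffff54|'
  '|ffffffff55|'
  '|ffffffff56|'
  '|ffffffff57|'
)
################################################
#################CONFIGURATION##################

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print a highlighted (green) status line to stdout.
# Arguments: message words
#######################################
info() { printf '\e[92m%s\e[0m\n' "$*"; }

#######################################
# Run iptables with the given arguments.  Aborts the whole install on the
# first failure so a half-applied rule set is never saved as the boot config.
# Globals:   IPTABLES (read)
# Arguments: iptables arguments
#######################################
fw() { "$IPTABLES" "$@" || die "iptables failed: $IPTABLES $*"; }

#######################################
# Sanity checks before touching the rule set.
# Globals:   IPTABLES, RESTORE_HOOK (read)
#######################################
preflight() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"
  command -v iptables-save >/dev/null || die "iptables-save not found in PATH"
  command -v iptables-restore >/dev/null || die "iptables-restore not found in PATH"
  [[ -d "${RESTORE_HOOK%/*}" ]] || die "hook directory ${RESTORE_HOOK%/*} does not exist"
}

#######################################
# Flush all rules and delete user-defined chains (filter table).
#######################################
reset_tables() {
  fw -F
  fw -X
}

#######################################
# Loopback: always accept on lo; never accept a 127/8 source arriving on any
# other interface (such a packet can only be spoofed).
#######################################
allow_loopback() {
  fw -A INPUT -i lo -j ACCEPT
  fw -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
}

#######################################
# Per game port: accept each A2S query type at 1/s (burst 1), drop the excess.
# Appended before the ESTABLISHED/NEW accepts so it sees every query packet.
# Globals:   GS_PORTS, A2S_SIGNATURES (read)
#######################################
limit_game_queries() {
  local port sig
  for port in "${GS_PORTS[@]}"; do
    for sig in "${A2S_SIGNATURES[@]}"; do
      fw -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "$sig" \
        -m limit --limit 1/s --limit-burst 1 -j ACCEPT
      fw -A INPUT -p udp -m udp --dport "$port" -m string --algo bm --hex-string "$sig" -j DROP
    done
    # Records 60-byte datagrams in the "GameSynF" recent list.  No rule in this
    # script consults that list (no --rcheck/--update); remove if not needed.
    fw -A INPUT -p udp -m udp --dport "$port" -m length --length 60 -m recent --set --name GameSynF
  done
}

#######################################
# Keep existing flows alive, then set default-deny policies.  The accepts go in
# first so an active admin session is not cut while the policy flips to DROP.
#######################################
base_policy() {
  fw -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw -P INPUT DROP
  fw -P FORWARD DROP
  fw -P OUTPUT ACCEPT
}

#######################################
# Accept new UDP flows to every configured game port.
# Globals:   GS_PORTS (read)
#######################################
allow_game_ports() {
  local port
  info "Allowing server ports (UDP) "
  for port in "${GS_PORTS[@]}"; do
    fw -A INPUT -m state --state NEW -m udp -p udp --dport "$port" -j ACCEPT
    printf 'Port: %s\n' "$port"
  done
}

#######################################
# Accept new TCP connections to every configured service port.
# Globals:   SRV_PORTS (read)
#######################################
allow_service_ports() {
  local port
  printf '\n'
  info "Allowing service ports (TCP) "
  for port in "${SRV_PORTS[@]}"; do
    fw -A INPUT -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT
    printf 'Port: %s\n' "$port"
  done
}

#######################################
# Accept RCON (tcp 27015:27019) only from whitelisted sources.
# NOTE: this only restricts RCON if those ports are NOT also listed in
# SRV_PORTS; as shipped, SRV_PORTS opens 27015:27020/tcp to everyone.
# Globals:   RCON_IPS (read)
#######################################
allow_rcon() {
  local ip
  printf '\n'
  info "Allowing RCON IPS "
  for ip in "${RCON_IPS[@]}"; do
    fw -A INPUT -m state --state NEW -m tcp -p tcp -s "$ip" --dport 27015:27019 -j ACCEPT
    printf 'IP: %s\n' "$ip"
  done
}

#######################################
# Rate-limit large UDP datagrams via the CHECK1 chain.  Only datagrams of
# exactly 829 bytes are sent to the chain, so the 829:65535 range inside it
# is effectively an exact-length match; kept as in the original rule set.
#######################################
drop_query_spam() {
  fw -N CHECK1
  fw -A INPUT -p udp -m length --length 829 -j CHECK1
  fw -A CHECK1 -p udp -m length --length 829:65535 -m limit --limit 128/second -j ACCEPT
  fw -A CHECK1 -j DROP
}

#######################################
# Drop fragments, bogus TCP flag combinations and conntrack-INVALID packets.
# These sit after the accept rules, so they only see traffic not matched above.
#######################################
drop_malformed() {
  # Fragmented packets
  fw -A INPUT -f -j DROP
  # All flags set / no flags set
  fw -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  fw -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # Invalid packets
  fw -A INPUT -m state --state INVALID -j DROP
  fw -A FORWARD -m state --state INVALID -j DROP
  fw -A OUTPUT -m state --state INVALID -j DROP
  # Impossible flag combinations
  fw -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  fw -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  fw -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  fw -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  fw -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  fw -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  fw -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
}

#######################################
# Drop packets with reserved, multicast or private (RFC 1918 / link-local)
# addresses.  Caveat: if this host itself has a private address (NAT, cloud
# VPC), the private-range drops will block traffic that the accept rules above
# did not already match.
#######################################
drop_spoofed() {
  fw -A INPUT -s 0.0.0.0/8 -j DROP
  fw -A INPUT -d 0.0.0.0/8 -j DROP
  fw -A INPUT -d 239.255.255.0/24 -j DROP
  fw -A INPUT -d 255.255.255.255 -j DROP
  fw -A INPUT -s 224.0.0.0/4 -j DROP
  fw -A INPUT -d 224.0.0.0/4 -j DROP
  fw -A INPUT -s 240.0.0.0/5 -j DROP
  fw -A INPUT -d 240.0.0.0/5 -j DROP
  fw -A INPUT -s 10.0.0.0/8 -j DROP
  fw -A INPUT -s 169.254.0.0/16 -j DROP
  fw -A INPUT -s 172.16.0.0/12 -j DROP
  # The RFC 1918 block is 192.168.0.0/16 (the original /24 covered only 192.168.0.x).
  fw -A INPUT -s 192.168.0.0/16 -j DROP
}

#######################################
# Misc: rate-limit RST floods; drop NEW TCP flows that do not start with SYN.
#######################################
misc_rules() {
  fw -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  fw -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

#######################################
# Save the active rule set and install the if-up hook that restores it.
# Globals:   SAVE_FILE, RESTORE_HOOK (read)
#######################################
persist() {
  iptables-save > "$SAVE_FILE" || die "could not write $SAVE_FILE"
  printf '#!/bin/sh\niptables-restore < %s\n' "$SAVE_FILE" > "$RESTORE_HOOK" \
    || die "could not write $RESTORE_HOOK"
  chmod +x "$RESTORE_HOOK" || die "could not chmod $RESTORE_HOOK"
}

main() {
  clear
  preflight
  reset_tables
  allow_loopback
  limit_game_queries
  base_policy
  allow_game_ports
  allow_service_ports
  allow_rcon
  drop_query_spam
  drop_malformed
  drop_spoofed
  misc_rules
  persist
  printf '\n'
  info "Firewall Installed & Active! "
  printf '\n\n'
  info "Firewall script written by SM9 "
}
main "$@"
# End script
exit 0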
Also inside sourcemod.cfg add these lines:
sm_cvar net_maxroutable 768
sm_cvar net_minroutable 768
sm_cvar sv_max_queries_sec_global 10
sm_cvar sv_max_queries_sec 5
sm_cvar sv_max_queries_window 10
And finally install this:
https://forums.alliedmods.net/attach...1&d=1404744439
Hope this helps.