
How to restrict client connect?


8 replies to this topic

#1 勉Post   Members   -  Reputation: 100


Posted 14 March 2011 - 02:28 AM

Hi everyone.
As a server, I only want to accept some clients (I know their IP addresses) connecting; is there any idea for restricting the others?
I know I can use an array to cache them, get the client's IP after the function Accept(), and close it if I want. Or maybe I can do it by setting the firewall.
Any better idea?


#2 rip-off   Moderators   -  Reputation: 7641


Posted 14 March 2011 - 02:45 AM

Having a firewall is the way to preemptively drop such connections. Otherwise you'll have to adopt the other approach of closing the connections after they've been accepted.

#3 ramdy   Members   -  Reputation: 139


Posted 14 March 2011 - 04:31 AM

If you are using Winsock you can use WSAAccept, which conditionally accepts a connection based on the return value of a condition function. However, it is still accepting the connection (and automatically closing it based on your condition function's return value).

#4 hplus0603   Moderators   -  Reputation: 4955


Posted 14 March 2011 - 01:00 PM

Hi everyone.
As a server, I only want to accept some clients (I know their IP addresses) connecting; is there any idea for restricting the others?
I know I can use an array to cache them, get the client's IP after the function Accept(), and close it if I want. Or maybe I can do it by setting the firewall.
Any better idea?


accept() will give you the IP address of the remote peer. You can then choose to close() the connection or keep it open. Beware if you're using reverse proxies for load balancing, though: The IP address that accept() sees is the proxy address.
If you want to reject connections before they even get to the server, you need a firewall, or a kernel-level rule such as "iptables" on Linux or ipfw on Windows.
enum Bool { True, False, FileNotFound };

#5 勉Post   Members   -  Reputation: 100


Posted 15 March 2011 - 03:35 AM

OK, thank you all. I think the firewall is the easy way :rolleyes:

#6 Essentric   Members   -  Reputation: 122


Posted 17 March 2011 - 05:24 AM

I have a problem similar to this. Let's say that someone writes a program that makes many connections to my server over and over again. This can stop my server from accepting new clients; this attack also works on commercial games and VoIP Ventrilo servers. Is there any way to protect against this?

#7 Antheus   Members   -  Reputation: 2393


Posted 17 March 2011 - 10:50 AM

I have a problem similar to this. Let's say that someone writes a program that makes many connections to my server over and over again. This can stop my server from accepting new clients; this attack also works on commercial games and VoIP Ventrilo servers. Is there any way to protect against this?


Yes, at your carrier/ISP/network provider. Have multiple independent connections; when a DoS occurs, they are the ones who can filter.

If the attack is distributed, then blocking doesn't really work, and adding more servers to handle the extra load until it exceeds the attacker's bandwidth is about the only way.

Of course, one should be at least smart enough to design the server in such a way as to add only minimal load before the client properly establishes a connection. This does not prevent unidirectional attacks (just flooding the ports with SYN packets or similar), but it prevents attackers from exerting load on back-end infrastructure, so they'll only exhaust the bandwidth. If attacks are smart and establish a full connection, they can be blocked at that point, and the scale will be much larger, since the attacker will need considerable computing and network resources.

But in general, anyone on the internet can send a packet to any IP:port, so bandwidth exhaustion is always a potential threat, especially with commodity servers, where a simple Slashdot effect is enough.

#8 hplus0603   Moderators   -  Reputation: 4955


Posted 18 March 2011 - 12:43 PM

I have a problem similar to this. Let's say that someone writes a program that makes many connections to my server over and over again. This can stop my server from accepting new clients; this attack also works on commercial games and VoIP Ventrilo servers. Is there any way to protect against this?


When your game is small, you have to go through the abuse channels of your upstream ISP. When the attacker has a DDoS network handy, this can be quite challenging. Also, you need to be running this on a hosting center that cares about you, which means that you're probably paying real money each month for real hosting.

As you grow in size, you start getting pipes that are bigger, and thus much harder to saturate, unless your attacker has real resources, at which point ISPs are really going to be interested, and it may even come to federal law enforcement levels, depending on what's going on.

For small games, about the best you can do is to detect if the same IP connects more than two times during any one minute, and add a firewall rule for that IP source. This means that the SYN packets will still be coming in, but at least your CPU won't be overwhelmed. In this case, though, beware ISPs that run proxies for all their users -- cell phones, AOL, etc.
enum Bool { True, False, FileNotFound };
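The per-IP rate rule from the reply above (more than two connects from one source within a minute gets that source firewalled), as an added example that is not code from the thread or any poster. It keeps a small in-memory table of recent connect timestamps per IPv4 address, prunes entries older than the window on each lookup, and produces the iptables command that would block the offender; actually executing that command, and the 60-second window and limit of two, are assumptions for the example. The proxy caveat in the reply applies unchanged: every user behind a carrier or ISP proxy shares one source address, so a ban here hits all of them.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define WINDOW_SECS   60     /* assumed window from the reply: "any one minute" */
#define MAX_CONNECTS  2      /* a third connect inside the window triggers a ban */
#define TABLE_SIZE    1024   /* assumed size; open addressing, linear probing */

struct conn_entry {
    uint32_t ip;                       /* network byte order; 0 means unused */
    time_t   stamps[MAX_CONNECTS + 1]; /* newest connects inside the window */
    int      count;
};

static struct conn_entry table[TABLE_SIZE];

/* Parse a dotted quad into network-order form; 0 on failure. */
uint32_t ip_from_str(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

static struct conn_entry *lookup(uint32_t ip)
{
    size_t start = (ip * 2654435761u) % TABLE_SIZE;
    for (size_t n = 0; n < TABLE_SIZE; n++) {
        struct conn_entry *e = &table[(start + n) % TABLE_SIZE];
        if (e->ip == ip)
            return e;
        if (e->ip == 0) {
            e->ip = ip;
            return e;
        }
    }
    return NULL;   /* table full: fail open rather than lock out new clients */
}

/* Record one connect from ip at time now. Returns 1 when ip has exceeded
   MAX_CONNECTS within WINDOW_SECS and should be firewalled, else 0. */
int note_connect(uint32_t ip, time_t now)
{
    struct conn_entry *e;
    int kept = 0, i;

    if (ip == 0 || (e = lookup(ip)) == NULL)
        return 0;
    /* drop timestamps that have fallen out of the sliding window */
    for (i = 0; i < e->count; i++)
        if (now - e->stamps[i] < WINDOW_SECS)
            e->stamps[kept++] = e->stamps[i];
    e->count = kept;
    if (e->count < MAX_CONNECTS + 1)
        e->stamps[e->count++] = now;
    return e->count > MAX_CONNECTS;
}

/* The firewall rule the reply suggests adding for an offending source.
   Running it (e.g. via system()) is left to the caller. */
const char *ban_rule(uint32_t ip)
{
    static char rule[128];
    char addr[INET_ADDRSTRLEN];
    struct in_addr a;

    a.s_addr = ip;
    inet_ntop(AF_INET, &a, addr, sizeof addr);
    snprintf(rule, sizeof rule, "iptables -I INPUT -s %s -j DROP", addr);
    return rule;
}

int main(void)
{
    /* Constructed burst: three connects from one address in 20 seconds. */
    uint32_t ip = ip_from_str("192.0.2.1");
    time_t t0 = 1000;
    for (int i = 0; i < 3; i++)
        if (note_connect(ip, t0 + 10 * i))
            printf("ban after connect %d: %s\n", i + 1, ban_rule(ip));
    return 0;
}
```

Because only the pruned-and-refilled timestamps are kept, memory per source is fixed; a real deployment would also expire idle entries and, as the next reply describes, can hand this whole job to fail2ban watching the server log instead of carrying it in the game process.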

#9 evillive2   Members   -  Reputation: 689


Posted 20 March 2011 - 10:55 PM

I use fail2ban to automate this at the load balancer/proxy level (Linux and iptables). I work for an ITSP and we get hammered on our public session border controllers all the time from all over the world. Not too many DDoS attacks but SIP REGISTER and ssh dictionary attacks are common in short bursts. Not much we can do about it except mitigate the load it puts on our systems as the source generally comes from countries where there is no recourse.
Evillive2
