how to restrict client connect?
#1 Members - Reputation: 100
Posted 14 March 2011 - 02:28 AM
As a server, I only want to accept some clients (I know their IP addresses) to connect. Is there any idea for restricting the others?
I know I can use an array to cache them, and after the function Accept() gets the client's IP, close it if I want. Or maybe I can do it by setting the firewall.
Any better idea?
#3 Members - Reputation: 133
Posted 14 March 2011 - 04:31 AM
#4 Moderators - Reputation: 3375
Posted 14 March 2011 - 01:00 PM
Hi everyone.
As a server, I only want to accept some clients (I know their IP addresses) to connect. Is there any idea for restricting the others?
I know I can use an array to cache them, and after the function Accept() gets the client's IP, close it if I want. Or maybe I can do it by setting the firewall.
Any better idea?
accept() will give you the IP address of the remote peer. You can then choose to close() the connection or keep it open. Beware if you're using reverse proxies for load balancing, though: The IP address that accept() sees is the proxy address.
If you want to reject connections before they even get to the server, you need a firewall, or a kernel-level rule such as "iptables" on Linux or ipfw on Windows.
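The accept()-then-close() approach from the reply above, as an added example that is not code from the thread: a small IPv4 TCP server that keeps a fixed allowlist and drops every other peer right after accept(), before any application data is read. The listen port and the three allowlisted addresses are assumptions chosen for illustration.

```c
/* Added example (not from the thread): accept only known IPv4 peers.
 * The allowlist entries and the port are assumptions for illustration. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed allowlist: the clients whose addresses the server owner knows. */
static const char *ALLOWED[] = { "192.0.2.10", "192.0.2.11", "198.51.100.7" };

/* Return 1 if the peer address is on the allowlist, 0 otherwise.
 * The comparison is on the binary address, so odd spellings of the
 * same address cannot slip past a plain string compare. */
int peer_allowed(const struct sockaddr_in *peer)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, ALLOWED[i], &a) == 1 &&
            a.s_addr == peer->sin_addr.s_addr)
            return 1;
    }
    return 0;
}

/* Same check for a dotted-quad string; unparsable input is never allowed. */
int ip_allowed(const char *dotted)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, dotted, &sa.sin_addr) != 1)
        return 0;
    return peer_allowed(&sa);
}

/* Accept loop. accept() fills in the peer address, so the decision is
 * made before a single byte of application data is read. */
int serve(int port)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { perror("socket"); return -1; }
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lfd, 16) < 0) {
        perror("bind/listen");
        close(lfd);
        return -1;
    }

    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) { perror("accept"); continue; }

        char buf[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &peer.sin_addr, buf, sizeof buf);
        if (!peer_allowed(&peer)) {
            fprintf(stderr, "rejecting %s\n", buf);
            close(cfd);     /* TCP handshake already completed; we just drop it */
            continue;
        }
        fprintf(stderr, "accepted %s\n", buf);
        /* ... handle the client on cfd ... */
        close(cfd);
    }
}

int main(void)
{
    return serve(5555) < 0 ? 1 : 0;   /* port 5555 is an assumption */
}
```

Two caveats follow directly from the reply: the rejected peer has still completed the TCP handshake and consumed a backlog slot before close() runs, which is why a firewall rule is the only way to refuse the connection earlier; and behind a reverse proxy the address in `peer` is the proxy's, so an allowlist keyed on it would admit everyone the proxy forwards.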
#6 Members - Reputation: 122
Posted 17 March 2011 - 05:24 AM
#7 Members - Reputation: 2369
Posted 17 March 2011 - 10:50 AM
I have a problem similar to this. Let's say that someone writes a program that makes many connections to my server over and over again. This can stop my server from accepting new clients; this attack also works on commercial games and VoIP Ventrilo servers. Is there any way to protect against this?
Yes, at your carrier/ISP/network provider. Have multiple independent connections; when a DoS occurs, they are the ones who can filter.
If the attack is distributed, then blocking doesn't really work, and adding more servers to handle the extra load until it exceeds the attacker's bandwidth is about the only way.
Of course, one should be at least smart enough to design the server in such a way as to add only minimal load before the client properly establishes a connection. This does not prevent unidirectional attacks (just flooding the ports with SYN packets or similar), but it prevents attackers from exerting load on back-end infrastructure, so they'll only exhaust the bandwidth. If attacks are smart and establish a full connection, they can be blocked at that point, and the scale will be much larger, since the attacker will need considerable computing and network resources.
But in general, anyone on the Internet can send a packet to any IP:port, so bandwidth exhaustion is always a potential threat, especially with commodity servers, where a simple Slashdot effect is enough.
#8 Moderators - Reputation: 3375
Posted 18 March 2011 - 12:43 PM
I have a problem similar to this. Let's say that someone writes a program that makes many connections to my server over and over again. This can stop my server from accepting new clients; this attack also works on commercial games and VoIP Ventrilo servers. Is there any way to protect against this?
When your game is small, you have to go through the abuse channels of your upstream ISP. When the attacker has a DDoS network handy, this can be quite challenging. Also, you need to be running this on a hosting center that cares about you, which means that you're probably paying real money each month for real hosting.
As you grow in size, you start getting pipes that are bigger, and thus much harder to saturate, unless your attacker has real resources, at which point ISPs are really going to be interested, and it may even come to federal law enforcement levels, depending on what's going on.
For small games, about the best you can do is to detect if the same IP connects more than two times during any one minute, and add a firewall rule for that IP source. This means that the SYN packets will still be coming in, but at least your CPU won't be overwhelmed. In this case, though, beware ISPs that run proxies for all their users -- cell phones, AOL, etc.
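The detection rule in the reply above ("the same IP connects more than two times during any one minute, add a firewall rule for that IP") as an added example, not code from the thread: a userspace tracker that keeps the last two connection times per address and, on a third hit inside the window, formats the iptables DROP rule. The window, threshold, table size and the sample timeline are assumptions; the rule is only formatted, never executed, so the block can be dry-run without root.

```c
/* Added example (not from the thread): per-IP connection-rate tracking.
 * WINDOW_SECS, MAX_HITS, MAX_TRACKED and the sample timeline are assumptions. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define WINDOW_SECS 60
#define MAX_HITS    2        /* a third connection inside the window trips the ban */
#define MAX_TRACKED 1024

struct entry {
    char   ip[16];           /* dotted-quad IPv4, e.g. "203.0.113.5" */
    time_t hits[MAX_HITS];   /* most recent connection times, oldest first */
    int    n;
};

static struct entry table[MAX_TRACKED];
static int ntable;

/* Find or create the entry for ip; NULL when the table is full. */
static struct entry *lookup(const char *ip)
{
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (ntable == MAX_TRACKED) return NULL;
    struct entry *e = &table[ntable++];
    memset(e, 0, sizeof *e);
    snprintf(e->ip, sizeof e->ip, "%s", ip);
    return e;
}

/* Record a connection from ip at time now. Returns 1 if this is the
 * (MAX_HITS+1)th connection within WINDOW_SECS, i.e. ip should be banned;
 * a full table is treated as "don't know" and returns 0. */
int note_connection(const char *ip, time_t now)
{
    struct entry *e = lookup(ip);
    if (!e) return 0;
    if (e->n == MAX_HITS && now - e->hits[0] < WINDOW_SECS)
        return 1;
    if (e->n == MAX_HITS) {                       /* slide the window */
        memmove(e->hits, e->hits + 1, sizeof e->hits[0] * (MAX_HITS - 1));
        e->n--;
    }
    e->hits[e->n++] = now;
    return 0;
}

/* Format the rule that drops further packets from ip. SYNs still reach the
 * NIC, but they never get as far as accept(). Returns 0 on success. */
int ban_rule(const char *ip, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "iptables -I INPUT -s %s -j DROP", ip);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

void reset_tracker(void) { ntable = 0; }

int main(void)
{
    /* Constructed timeline: 203.0.113.5 hammers the port; 192.0.2.10 is a
     * normal client reconnecting a few minutes apart. */
    const time_t t0 = 1000000;
    struct { const char *ip; time_t at; } ev[] = {
        { "192.0.2.10",  t0 },       { "203.0.113.5", t0 + 1 },
        { "203.0.113.5", t0 + 5 },   { "203.0.113.5", t0 + 9 },
        { "192.0.2.10",  t0 + 200 }, { "192.0.2.10",  t0 + 400 },
    };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++) {
        char cmd[128];
        if (note_connection(ev[i].ip, ev[i].at) &&
            ban_rule(ev[i].ip, cmd, sizeof cmd) == 0)
            printf("would run: %s\n", cmd);
    }
    return 0;
}
```

The proxy warning in the reply applies here with force: a carrier or ISP that puts all its users behind one address will trip the threshold with three unrelated players, and the DROP rule then bans all of them, so the rule should be applied with an expiry rather than permanently.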
#9 Members - Reputation: 584
Posted 20 March 2011 - 10:55 PM