Linode Community Forums

Post subject: DDOS attack
PostPosted: Mon Jun 18, 2012 3:25 pm
Author: agrs700
I'm running a 512 Linode with a Garry's Mod server. Today I received a DDoS attack, and using tshark I could log the following:

4.213248 91.204.63.5 -> 176.58.101.xx UDP Source port: 28960 Destination pot: 28915
4.213252 194.146.132.110 -> 176.58.101.xx UDP Source port: 28960 Destinationport: 28915
4.213257 217.65.3.29 -> 176.58.101.xx UDP Source port: 28960 Destination pot: 28915
4.213261 208.167.240.68 -> 176.58.101.xx UDP Source port: 28960 Destination ort: 28915
4.213266 94.141.160.17 -> 176.58.101.xx QUAKE3 Connectionless Server to Clien
4.213270 83.217.192.242 -> 176.58.101.xx UDP Source port: 28960 Destination ort: 28915
4.213275 188.134.31.51 -> 176.58.101.xx UDP Source port: 28967 Destination prt: 28915
4.216109 208.167.24.111 -> 176.58.101.xx UDP Source port: 28960 Destinationport: 28915
4.216125 66.55.149.202 -> 176.58.101.xx UDP Source port: 28960 Destination prt: 28915
4.216133 208.167.24.27 -> 176.58.101.xx UDP Source port: 28960 Destination ort
4.216176 85.21.79.25 -> 176.58.101.xx UDP Source port: 28960 Destination pot: 28915
4.216183 208.167.24.127 -> 176.58.101.xx UDP Source port: 28960 Destinationport: 28915
4.216190 94.229.34.11 -> 176.58.101.xx UDP Source port: 28960 Destination pot: 28915
4.216197 91.203.178.84 -> 176.58.101.xx QUAKE3 Connectionless Server to Client

I just figured out that some packets have the Quake3 protocol, or something like it, which is strange since I'm not hosting any Quake server.
My question is: can I use iptables to filter the incoming packets that have that Quake3 connectionless protocol? If so, how?
Help is very much appreciated.
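Added example, not code from the post, from Garry's Mod or from any engine: it shows what the "QUAKE3 Connectionless" label in the tshark output above keys on, and what a byte-matching iptables rule on that header would and would not catch. It relies on two facts: Quake 3 and Valve's Source engine both prefix their out-of-band ("connectionless") UDP packets with 0xFFFFFFFF, which is the prefix Wireshark's Quake 3 dissector reports as "Connectionless", and Source's A2S_INFO query (what the Steam server browser sends to a listed server) is FF FF FF FF 54 "Source Engine Query\0". The iptables rule quoted in the docstring is a hypothetical one written for this example; the payloads and addresses are constructed.

```python
"""Added example (not code from the forum post, Garry's Mod, or any engine):
what the "QUAKE3 Connectionless" label in the tshark output keys on, and why a
byte-match iptables rule on that header would also hit legitimate traffic.

Facts relied on: Quake 3 and Valve's Source engine both prefix their
out-of-band ("connectionless") UDP packets with 0xFFFFFFFF, and Wireshark's
Quake 3 dissector reports a packet as "Connectionless" when it sees that
prefix. Source's A2S_INFO query, which the Steam server browser sends to a
listed server, is FF FF FF FF 54 "Source Engine Query\0".
All payloads and addresses below are constructed for the example.
"""
import socket
import struct

OOB_PREFIX = b"\xff\xff\xff\xff"

# Constructed payloads.
A2S_INFO = OOB_PREFIX + b"\x54Source Engine Query\x00"  # legitimate Source query
Q3_GETSTATUS = OOB_PREFIX + b"getstatus\n"              # Quake 3 style OOB probe
INBAND = struct.pack("<II", 0x17, 0x42) + b"\x00" * 28  # sequence-numbered game data


def classify(payload: bytes) -> str:
    """'oob' if the payload carries the connectionless prefix, else 'inband'.
    This is all a header-only rule can see: it cannot tell a flood probe from
    a server-browser query, because both are 'oob'."""
    if payload.startswith(OOB_PREFIX):
        return "oob"
    return "inband" if len(payload) >= 4 else "short"


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP frame; checksums are left zero, which is enough for
    the offset arithmetic the u32 match performs."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def u32_oob_match(ip_packet: bytes) -> bool:
    """Evaluate by hand what this iptables rule (hypothetical, written for the
    example, not from the thread) would test on each packet:

        iptables -A INPUT -p udp --dport 28915 \
            -m u32 --u32 '0>>22&0x3C@8=0xffffffff' -j DROP

    0>>22&0x3C  -> IHL * 4, i.e. the IPv4 header length in bytes
    @8          -> move past the IP header, then skip the 8-byte UDP header
    =0xffffffff -> the first payload word is the connectionless prefix
    """
    if len(ip_packet) < 4:
        return False
    first_word = struct.unpack("!I", ip_packet[:4])[0]
    ip_hdr_len = (first_word >> 22) & 0x3C
    off = ip_hdr_len + 8
    if len(ip_packet) < off + 4:
        return False
    return struct.unpack("!I", ip_packet[off:off + 4])[0] == 0xFFFFFFFF


def demo() -> dict:
    """Run the rule over a flood probe, a legitimate server-browser query and
    in-band play, all aimed at the game port from the post (28915)."""
    server = "176.58.101.1"  # stand-in for the masked 176.58.101.xx in the post
    results = {}
    for name, src, sport, payload in [
        ("flood_oob", "203.0.113.9", 28960, Q3_GETSTATUS),
        ("legit_a2s_info", "198.51.100.20", 27005, A2S_INFO),
        ("legit_inband", "198.51.100.20", 27005, INBAND),
    ]:
        frame = build_ipv4_udp(src, server, sport, 28915, payload)
        results[name] = (classify(payload), u32_oob_match(frame))
    return results


if __name__ == "__main__":
    for name, (kind, dropped) in demo().items():
        print(f"{name:16s} {kind:7s} dropped_by_u32_rule={dropped}")
```

The result is that the rule drops the flood probe and the server browser's A2S_INFO query alike, and passes in-band play, so on its own it trades the flood for an unlisted server. The u32 match also needs the xt_u32 module and is evaluated on every packet that reaches the host, which matters once the inbound rate is large.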

Post subject: Re: DDOS attack
PostPosted: Mon Jun 18, 2012 3:36 pm
Author: vonskippy
Why would you not already have IPTABLES dropping ALL TRAFFIC that you don't specifically allow?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

Post subject: Re: DDOS attack
PostPosted: Mon Jun 18, 2012 8:20 pm
Author: jebblue
Website: http://www.jebblue.net
On the Quake thing, this is from memory so I could be wrong, but I think Valve's Half-Life used the Quake II engine. It could be that when they wrote their Source engine the packet formats were kept similar for code re-use.

I'd try and find a way to report that; it could be a well-funded hacker group using its resources for fun DDoSing, and the authorities might like to catch them.

Post subject: Re: DDOS attack
PostPosted: Tue Jun 19, 2012 9:47 am
Author: Guspaz
vonskippy wrote:
Why would you not already have IPTABLES dropping ALL TRAFFIC that you don't specifically allow?


Please describe how you propose to use IPTABLES to determine which UDP traffic to specifically allow or deny. Having IPTABLES tell good traffic from bad traffic on the same port using the same protocol is rather difficult.

Post subject: Re: DDOS attack
PostPosted: Wed Jun 20, 2012 9:07 am
Author: agrs700
jebblue wrote:
On the Quake thing, this is from memory so I could be wrong, but I think Valve's Half-Life used the Quake II engine. It could be that when they wrote their Source engine the packet formats were kept similar for code re-use.

I'd try and find a way to report that; it could be a well-funded hacker group using its resources for fun DDoSing, and the authorities might like to catch them.


Normal packets sent by players don't have that Quake thing; it only shows up when they are running a DDoS. They have done 4 so far.

I think that the Quake thing is because they are using some kind of tool for making DDoS attacks. Still, is there any way to deny the packets with that header, or whatever that Quake thing is?

Post subject: Re: DDOS attack
PostPosted: Wed Jun 20, 2012 9:22 am
Like vonskippy suggested, you can configure iptables to block all traffic by default and allow only the ports you need open, like what seems to be UDP 28915, and whatever other services (web, ssh, ...). Also, what's with the typos? port, prt, ort, pot, ... Is that an automated log, or did you write it by hand?

Post subject: Re: DDOS attack
PostPosted: Wed Jun 20, 2012 9:41 am
Author: Guspaz
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915

Blocking ports won't do jack squat. Why do people keep suggesting port blocking? Get with the program.

agrs700: You can't really do what you want without custom-written deep packet inspection rules, and considering how similar these quake-based games are going to be, that's going to be very difficult, if not impossible. You might be better off coming up with some sort of solution that gets data (such as aborted connection attempts) from HLDS and blocks those IPs if they pass a certain threshold of aborted attempts. What impact is this having on your linode? Is it causing a system-wide impact, or is it just breaking HLDS itself?

Post subject: Re: DDOS attack
PostPosted: Wed Jun 20, 2012 12:47 pm
Author: vonskippy
Guspaz wrote:
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915

Ah! I get it now.

Post subject: Re: DDOS attack
PostPosted: Wed Jun 20, 2012 6:00 pm
Author: agrs700
Guspaz wrote:
Malicious traffic: Quake-like UDP packets coming in on port 28915
Legitimate traffic: Quake-like UDP packets coming in on port 28915

Blocking ports won't do jack squat. Why do people keep suggesting port blocking? Get with the program.

agrs700: You can't really do what you want without custom-written deep packet inspection rules, and considering how similar these quake-based games are going to be, that's going to be very difficult, if not impossible. You might be better off coming up with some sort of solution that gets data (such as aborted connection attempts) from HLDS and blocks those IPs if they pass a certain threshold of aborted attempts. What impact is this having on your linode? Is it causing a system-wide impact, or is it just breaking HLDS itself?


Thanks for the tip. During the attacks the Linode has about 100 Mb/s download usage. All connectivity to my Linode is lost; I can't even log in with SSH.

Post subject: Re: DDOS attack
PostPosted: Thu Jun 21, 2012 3:31 am
Website: http://www.rwky.net
agrs700 wrote:
Thanks for the tip. During the attacks the Linode has about 100 Mb/s download usage. All connectivity to my Linode is lost; I can't even log in with SSH.


When you can't get in, use Lish :) https://library.linode.com/troubleshoot ... node-shell

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

Post subject: Re: DDOS attack
PostPosted: Thu Jun 21, 2012 11:34 am
Author: Guspaz
Doing deep-packet inspection on 100+ Mbps of traffic is going to take a toll on your CPU; as a cure, I'm not sure it would be all that much better than the symptom, but I'm not an expert on this.

Post subject: Re: DDOS attack
PostPosted: Tue Jun 26, 2012 4:16 pm
Author: agrs700
Yeah Guspaz, you are right. I have also discovered that these IPs are spoofed; sadly there is no way to stop it.
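Added example, not code from the thread: it implements the per-source threshold Guspaz proposed earlier (block an address once it exceeds some number of attempts) over tshark summary lines in the format the opening post shows, and then shows what happens to that approach once the source addresses are spoofed, as agrs700 reports in this post. The sample lines are constructed and use documentation address ranges; the line format, the masked destination 176.58.101.xx and the 28960 -> 28915 ports are taken from the post, and the threshold values are assumptions.

```python
"""Added example, not code from the thread: the per-source threshold Guspaz
suggests (block an address once it exceeds N attempts), run over tshark
summary lines in the format the opening post shows, and why it stops working
once the sources are spoofed, as agrs700 reports later.

The sample lines are constructed and use documentation address ranges; the
line format, the masked destination 176.58.101.xx and ports 28960 -> 28915
are copied from the post. The threshold values are assumptions.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>\S+)\s+(?P<rest>.*)$")
PORT_RE = re.compile(r"Source port:\s*(\d+)")


def parse_line(line: str):
    """Parse one tshark summary line; tolerant of the mangled
    'Destination pot/ort/prt' column seen in the post."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pm = PORT_RE.search(m["rest"])
    return {
        "t": float(m["t"]),
        "src": m["src"],
        "dst": m["dst"],
        "sport": int(pm.group(1)) if pm else None,
        "oob": "Connectionless" in m["rest"],  # tshark's Quake 3 label
    }


class SourceThreshold:
    """Guspaz's idea in its simplest form: count packets per source address in
    a sliding window and block the address once it crosses `limit`."""

    def __init__(self, limit: int = 20, window: float = 1.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)
        self.blocked = set()

    def observe(self, pkt: dict) -> bool:
        """Return True if this packet should be dropped."""
        src, t = pkt["src"], pkt["t"]
        if src in self.blocked:
            return True
        q = self.hits[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(src)
            return True
        return False


def run(lines, limit: int = 20, window: float = 1.0) -> dict:
    """Feed the lines through the threshold and summarise what it achieved."""
    thr = SourceThreshold(limit, window)
    total = dropped = 0
    sources = set()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        total += 1
        sources.add(pkt["src"])
        if thr.observe(pkt):
            dropped += 1
    return {
        "total": total,
        "dropped": dropped,
        "distinct_sources": len(sources),
        # near 1.0 means almost every packet has a fresh source (spoofing or a
        # very large botnet); per-address blocking cannot keep up with that
        "sources_per_packet": round(len(sources) / total, 3) if total else 0.0,
        "blocked": sorted(thr.blocked),
    }


def make_lines(sources, n: int, t0: float = 4.213248, gap: float = 0.0005):
    """Constructed tshark-style lines: packet i comes from sources[i % len]."""
    lines = []
    for i in range(n):
        src = sources[i % len(sources)]
        t = t0 + i * gap
        if i % 7 == 0:  # a few lines carry the connectionless label, as in the post
            lines.append(f"{t:.6f} {src} -> 176.58.101.xx QUAKE3 Connectionless Server to Client")
        else:
            lines.append(f"{t:.6f} {src} -> 176.58.101.xx UDP Source port: 28960 Destination port: 28915")
    return lines


# One real (unspoofed) flooder versus 200 packets from 200 different spoofed sources.
SINGLE_FLOODER = make_lines(["203.0.113.5"], 200)
SPOOFED_FLOOD = make_lines([f"198.51.100.{i}" for i in range(1, 201)], 200)

if __name__ == "__main__":
    print("single source :", run(SINGLE_FLOODER))
    print("spoofed flood :", run(SPOOFED_FLOOD))
```

Against the single unspoofed flooder the threshold blocks the address after 20 packets and drops the remaining 180; against the spoofed flood every packet arrives from a source that has never been seen before, so nothing ever crosses the threshold and the blocked list stays empty. The sources_per_packet figure (1.0 for the spoofed run) is a quick way to spot that situation in a capture. Separately, at the 100 Mb/s inbound rate reported earlier in the thread the packets have already consumed the Linode's link by the time any host-side rule sees them, so even a rule that matched perfectly would not restore SSH access; dropping at that volume has to happen upstream of the host.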

Post subject: Re: DDOS attack
PostPosted: Mon Jul 09, 2012 3:00 pm
It appears that no one has recommended OSSEC. OSSEC is well-tailored for these kinds of situations and can be configured fairly easily. I'd give it a look-over: http://www.ossec.net/
Powered by phpBB® Forum Software © phpBB Group