servers warp
Ok man thanks for your effort.
Here are some more details, as it seems all or most servers are affected at the moment. All this trouble lately is the result of a botnet utilizing your Quake 3 server to attack others. They do this by sending a tiny "getstatus" request with a spoofed/faked victim address (telling your server the request came from 123.123.123.123 or any other IP they need to attack) and your server replies with a much bigger message to that victim address. Now your server is not the only one sending trash to the victim address; many other servers are used to do the same at the very same time, and as a result the victim is denied service/is unavailable because of the huge load of traffic it receives.
Spoofed UDP packets can't be tracked from your end, you will have to get in touch with your provider/hoster but there isn't much hope to ever find the origin.
Well, now we have identified the real targets of the attack, but still your server is abused to harm others, and at the same time it lags your server and generates high traffic. To get rid of this, here is the iptables solution for *nix-based servers.
This will make your server not respond to the flood requests and thus prevents the attacks of other targets. It will also eliminate the lag, as your server will have to deal with incoming trash instead of both incoming (tiny) and outgoing (huge).
# create chain
iptables -N quake3_ddos

# accept real client/player traffic
# (u32 offsets assume a 20-byte IP header: UDP payload starts at 0x1c,
#  and Quake 3 out-of-band packets begin with the 0xffffffff marker)
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
# ("gets" at 0x20, "tatu" at 0x24, the final "s" at 0x28 read via 0x25&0xff)
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Spider or QConnect,
# e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP

# accept otherwise
iptables -A quake3_ddos -j ACCEPT

#
#
# finally insert the chain as the top most input filter
# single server
# iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos
# multiple servers (--dports needs the multiport match)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,27961,27962 -j quake3_ddos
This is the fully automated version that will block anyone who sends too many "getstatus" requests, but it requires iptables to have the "u32" and "recent" modules.
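As an added example (not code from the post above), here is a Python model of that chain: u32_match() rebuilds the post's hex expression from the payload offset and the query string, and Quake3DdosChain replays the four rules with the recent list's hitcount/seconds semantics on constructed packets. The 20-stamp cap per source is an assumption taken from xt_recent's default list size.

```python
from collections import defaultdict, deque

OOB = b"\xff\xff\xff\xff"      # Quake 3 out-of-band marker; sits at packet offset 0x1c
QUERY = b"getstatus"           # the command the u32 rule at 0x20/0x24/0x25&0xff matches
HITCOUNT, SECONDS = 5, 2       # --hitcount / --seconds from the post's DROP rule

def u32_match(offset, needle):
    """Build the u32 expression that tests `needle` at IP-packet `offset`.
    Whole 4-byte words become 'off=0xXXXXXXXX'; a trailing partial word is
    read from a few bytes back and masked, which is why the post reads the
    final 's' at 0x28 as '0x25&0xff=0x73'."""
    parts = []
    for i in range(0, len(needle), 4):
        chunk = needle[i:i + 4]
        if len(chunk) == 4:
            parts.append("0x%x=0x%s" % (offset + i, chunk.hex()))
        else:
            back = 4 - len(chunk)
            mask = (1 << (8 * len(chunk))) - 1
            parts.append("0x%x&0x%x=0x%s" % (offset + i - back, mask, chunk.hex()))
    return "&&".join(parts)

class Quake3DdosChain:
    """Packet-by-packet model of the quake3_ddos chain (returns ACCEPT or DROP)."""
    def __init__(self, hitcount=HITCOUNT, seconds=SECONDS):
        self.hitcount, self.seconds = hitcount, seconds
        # 'recent' list named getstatus: source -> timestamps (assumed 20-entry cap)
        self.recent = defaultdict(lambda: deque(maxlen=20))

    def filter(self, src, payload, now):
        if not payload.startswith(OOB):          # rule 1: real client/player traffic
            return "ACCEPT"
        if payload[4:4 + len(QUERY)] == QUERY:   # rule 2: --set remembers this source
            self.recent[src].append(now)
        if src in self.recent:                   # rule 3: --update --hitcount --seconds
            hits = sum(1 for t in self.recent[src] if now - t <= self.seconds)
            if hits >= self.hitcount:
                self.recent[src].append(now)     # --update also stamps on a match
                return "DROP"
        return "ACCEPT"                          # rule 4: accept otherwise

def demo():
    """Constructed traffic: 8 spoofed getstatus queries from one source in 0.7 s,
    then a non-OOB player packet from it and a single query from another host."""
    chain = Quake3DdosChain()
    burst = [chain.filter("192.0.2.10", OOB + QUERY + b"\n", now=0.1 * n) for n in range(8)]
    player = chain.filter("192.0.2.10", b"\x00\x00\x00\x07usercmd", now=1.0)
    lone = chain.filter("198.51.100.5", OOB + QUERY + b"\n", now=1.0)
    return burst, player, lone
```

Note that rule 3 does not look at the payload, so any out-of-band packet from a source that has exceeded the limit is dropped until its window expires, which is the same behaviour the iptables chain has.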
woa, so some mofo is sending netpackets with wrong shells? lame way of attacking, but who would do such a thing??
ligas or shadow?
# NOTE: if you run multiple servers on a single host, you will need to higher these limits
# as otherwise you will block regular server queries, like Spider or QConnect
# e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP
First of all, thank you easy for the iptables script. If a server has more than one server running, let's say three servers, how much do I have to increase the limit?
My guess would be:
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 15 --seconds 2 -j DROP
Second, please easy change my country flag from green to our new lovely red, black and green flag. We have had victory in my country for more than two months now. We hate the green flag and we hate Gadaffi.
Each of our servers got about 500 requests per second. 15 should be fine.
I will regenerate the flags, as soon as possible.
Here are some more details
Thanks man for the explanation and the fix of course!
Seems that your solution, easy, did not work, at least for us. I applied it on our one root machine but I still see the spam coming. Btw, is it a script or one-time commands to apply to iptables? I added them once, one by one. I've got iptables v1.4.8, but on the other machine it's older, 1.4.2, and it doesn't work at all, and it's a pain in the ass to update iptables to a newer version on Debian.
I wrote an email to Luigi Auriemma. He provides tools to patch well-known hacking tools and vulnerabilities on game servers and more; maybe he can help us resolve this nasty problem.
You extended your iptables with a module, camel?
I heard from faster about it and he said that he had to install an extra module called "u32".
Then it should work.
Although that module gave some errors for faster, so maybe someone knows about that?
iptables 1.4.8 has everything; older versions don't.
The problem is that there is nothing you can do, because it's just your connection that receives the packets: you can block them at firewall level, but the bandwidth gets consumed in any case. It's a known old Jurassic problem and it can't be easily fixed, because all the game servers out there can act as amplifiers and even the master servers can amplify traffic.
Fixing the problem means creating patches that "limit" this effect for each existing game.