First of all, allow me to introduce myself. My name is Boyd Gafford (also known as "Jedi Boyd") and I am the CoT (Councilor of Technology) for the Elite Warriors gaming clan (http://elitewarriors.net).
As most any gamer knows from firsthand experience, UDP flood attacks are very common in the gaming community. It is very easy to send UDP packets from any computer to the main port of a gaming server in order to cause the server to lag or even crash as it tries to deal with potentially thousands of packets per second. Most UDP attacks are from spoofed IP(s), making it nearly impossible to track down the offender.
Back some time ago, I would hop on our gaming servers when the flooder was doing his thing, use tcpdump (the Linux equivalent of Wireshark's Ethernet capture) to analyze the packets, and then use iptables to block the spoofed IP (or IPs). Since both the Linux kernel and iptables are very efficient, the CPU costs to block the attack at the kernel level are low, and the server can then remain playable, without any real noticeable lag, even at very high flood rates. (I've seen sustained 64 Mbps flood attacks on EW where the game is still playable with the appropriate iptables rules in effect.)
Soon I got bored with doing this, as the flooder had more time on his hands to change up his attacks that I had to mess with him. So being a software engineer by trade, I decided to write a program to do this for me, thus freeing my time for more important things than dealing with a script kiddie.
Hence ServerArk was born. What is ServerArk? It's a Linux UDP flood analyzer and server protector that works at the kernel level to detect packets coming from non-gamers and when it finds them it then blocks their packets using kernel-level iptables rules. This prevents the server executable from even getting the packets into its incoming network queue at all, and hence allows the server to "rise above the flood" so to speak.
In the past few months of running ServerArk on the two EW Linux servers, it has successfully detected and blocked over 20 attacks, most of which happened with high populations on the server. It's been so successful that we don't notice play being affected even during an attack. Typically its only when I look back at ServerArk's logs and the network bandwidth graph that I notice that the bandwidth spiked and that at that same time ServerArk reported a successfully blocked attack.
So how much CPU does ServerArk use? Very little actually. It usually stays well below 1% of the CPU, even during attacks, and even on slower CPU's. It manages this by doing a very quick sampling of all packets periodically, and sleeping the rest of the time.
One of the cool effects of using ServerArk is that it can catch people who use lag scripts to momentarily flood the server on command. If they run their script during one of those sampling times, ServerArk will immediately block the scripts effects from then on, making it useless.
Since it is a generic UDP flood protector, it can be used with ANY game that uses UDP for communication with a player. Since the vast majority of gaming servers use UDP, that means just about every game out there.
I fully expect the DOS'ers to look at the code, and try to figure out a way around it. That means we'll continue the usual cycle of attacks changing and ServerArk adapting. Actually in the end it will make ServerArk a more robust tool, as others in the open source community will begin contributing ideas and improving on my initial logic.
For details on how to get started with ServerArk, just read the serverark configuration file (serverark.conf). It contains all the parameters to serverark, including information on how to compile it for your flavor of Linux. The Ubuntu 10.04 executable is also included (serverark), for those of you with Ubuntu and no desire to compile it.
Feel free to examine the serverark.c file, it really is a short read and contains a lot of comments that will help you understand how it works. It should be very understandable even for someone who is just starting to program in C.
I can be contacted on the forums at http://elitewarriors.net if you have any questions or comments.
Good luck!
Boyd
Download Latest Version
serverark_0.93.zip (18.1 kB)
