4

I have a game server and someone is spamming it with bots. The SpamBot client makes the handshake with my server using UDP connections. It does this through a list of proxies. Basically, the SpamBot client sends lots of UDP packets to my server and spams it with bots.

Now I've got 6 big lists of proxies that I know the person who spambots me uses. I can write a shell script to block every IP from every list. Every IP is on a new line, so it's pretty easy to do it with a for loop.

The problem is that I'm concerned about the performance of my server. If I block 15k IP addresses, is that going to affect my server's performance?

At the moment, I run CentOS 7. Can you tell me if iptables is a good way to go, or what other alternatives I should try? Please write the commands, too. I just want my server to stop responding to these IP addresses and not establish any connections with them.

2
  • No, iptables won't affect performance. Commented Jan 28, 2016 at 10:33
  • 1
    @AngRed there is considerable evidence demonstrating that large numbers of rules do indeed slow down traffic throughput. Here's one as a starter. Commented Jan 28, 2016 at 17:20

4 Answers

11

For such a large amount of IPs you should use the ipset module. ipset creates datasets on which iptables can react; it can easily handle tens of thousands of entries.

Make sure you have the EPEL repo enabled and then install ipset via:

yum install ipset 

An example:

ipset -N blockedip iphash 

creates a set called 'blockedip' in format 'iphash' (there are different formats, this one is for IPs only).

With ipset -A you can add data (in this case IPs) to the dataset:

ipset -A blockedip 192.168.1.1
ipset -A blockedip 192.168.1.2

and so on...

Or, to batch create it without having to run one ipset invocation for each IP address, assuming your big-file.list is a list of IPv4 addresses, one per line:

ipset -N blockedip iphash
sed 's/^/add blockedip /' < big-file.list | ipset restore

With the following iptables command you can tell the kernel to drop all packets coming from any of the sources in this set:

iptables -A INPUT -m set --match-set blockedip src -j DROP
2
  • Is it a safe method? I have a game server running on it, and it tracks even the simplest movement of the player, which means that packets are sent. Then there's the chat, the interaction with different items, etc. I just want to know if it is not going to slow down the server. The server runs on a UDP infrastructure, so does this method iterate through the list even when the simplest packet is sent? Everything you do on the server means that there is a packet sent to the server from the client, so does it affect the performance of the server? Give me a command to stop iptables if needed :) Commented Jan 28, 2016 at 11:35
  • 1
    Every packet inspection does need resources. On the server or on router level. Ipsets have been designed to deal with large datasets (as opposed to iptables) and have a near linear latency. Please read the 2nd link ( daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset ) I had in my answer. At the end you have to run your own tests, what is acceptable for you. Commented Jan 28, 2016 at 12:00
2

If you're talking about 15,000 different IP addresses you really do not want to be using a separate iptables rule for each address. This will slow down your network throughput.

Instead you should consider using a single IP Set and putting your 15000 addresses in that.

ipset create spambots iphash
iptables -A INPUT -m set --match-set spambots src -j DROP
while read -r ip; do ipset add spambots "$ip"; done < ip_addresses.txt

You can del (delete) individual addresses from the IP Set, flush the entire set of entries, or destroy the IP Set completely.

-1

Given an input file "ips.txt" in the format:

1.2.3.4
2.3.4.5

Then this script will add all of the IP addresses to the iptables INPUT chain, target DROP, so the matching packets will be dropped:

while read -r a; do echo "$a"; iptables -I INPUT -p udp -s "$a" -j DROP; done < ips.txt

When you try to add a large amount of IPs, try to accumulate them similar to the example below, so that

1.2.3.4
1.2.3.5

becomes

1.2.3.0/28 

or similar. This accumulation may also be done by a script.

1
  • 1
    The game server uses an UDP infrastructure. When I'm getting spambotted, fake players connect to my server just to stress my CPU. The person who does this uses a public proxy list. I want to block all those proxies, but they're like 15k. If I'm going to do that, isn't it going to affect the performance of my server? Every time I receive a packet from a normal player the server needs to iterate through that list to check if it's a safe ip address? I think that would affect my servers performance sinec every player movement is tracked by the server (so.. packets incoming). Currently I have an i7 Commented Jan 28, 2016 at 10:56
-1

An alternative would be to block such IPs using so-called route blackholing:

ip route add blackhole 8.8.8.8/32

This means you set a route for the mentioned address which will send data nowhere. It depends on your server config whether it can perform better than the regular iptables solution. I guess you should benchmark these two methods before deploying on production systems.

4
  • For 15000 IP addresses? Commented Jan 28, 2016 at 20:27
  • I do not see any problem here. Honestly, I think this will take the same amount of memory etc., and the routing code part can still do a better job here. This downvote is completely unjustified IMO. Commented Jan 28, 2016 at 20:38
  • The OP says they're trying to block UDP traffic. Your suggestion would stop outgoing packets but does nothing to block the inbound UDP that is of concern Commented Jan 28, 2016 at 20:49
  • Ok, if the UDP part was in the question when I was reading it, it is my obvious screw up. Commented Jan 28, 2016 at 21:09
