Tutorial TeamSpeak3 IPTABLES (99.9% DDOS PROTECTION)

dosh · Jul 12, 2019

Sorry but I still don't believe that and a 20€ shit stresser will take this down with ease.

If you need to rely on iptables rules and netfilter you are in the wrong host. This is not 2017 those rules will do nothing to stop most of the tools out there that kids can buy with their parents money.

NatureNMoon · Jul 12, 2019

dosh said:
I stopped reading after "I would really like to let know that this script will block almost all (D)Dos attacks and will keep your TeamSpeak3 servers alive!"

Sorry what?
So you can do this script in a shit host with 10mbps and send me the IP and that iptables script will block everything? Thats amazing. I don't get why OVH and others din't come up with this..
Maybe you should edit your post remove the DDOS for DOS and make sure you say "might block some DOS Attacks".

Hello;

Here is the description, of course it depends on your CPU,RAM,NIC, NETWORK BANDWIDTH etc..

# If you ask why I choose *raw chain, raw chain is the most important chain in IPTABLES, you can think this chain as a "root" in linux and this chain can block 1.000.000 Packet Per Second (depends on the power of your servers(CPU,RAM,NIC, NETWORK BANDWIDTH

FromLondon said:
Hello,
Do am i right understand filtering logic like:
*User connecting*
Client sending udp packet starting with "TS3INIT"
*This client connection is OK* ?

What related to "Accept 5 users each second if the users" and "burst to 10". Imagine we restarting the server. There is will be only 5-10 users per second who can reconnect to server, right ?
What if attacking simulate TS3 packets ?

If the person attacks you by using TS3INIT payload, the hashsize in iptables rule will block new connections and accept 5 new connections per second, meaning our users in TeamSpeak3 servers will not be blocked by IPTABLES. The most important thing is to keep the users in your TeamSpeak3 servers safe.

dosh said:
I stopped reading after "I would really like to let know that this script will block almost all (D)Dos attacks and will keep your TeamSpeak3 servers alive!"

Sorry what?
So you can do this script in a shit host with 10mbps and send me the IP and that iptables script will block everything? Thats amazing. I don't get why OVH and others din't come up with this..
Maybe you should edit your post remove the DDOS for DOS and make sure you say "might block some DOS Attacks".

First of all, thank you for your interest, but there is a description in the script which is below;

Code:

# If you ask why I choose *raw chain, raw chain is the most important chain in IPTABLES, you can think this chain as a "root" in linux and this chain can block 1.000.000 Packet Per Second (depends on the power of your servers(CPU,RAM,NIC, NETWORK BANDWIDTH))

I wish I could fix all the attacks in virtual life, but there is no way, there is always a way to attack the servers and there is always a way to block the attacks as well. All the mitigations or preventions depend on your machine -its ram,cpu,nic, etc..-

dosh · Jul 12, 2019

NatureNMoon said:
Hello;

Here is the description, of course it depends on your CPU,RAM,NIC, NETWORK BANDWIDTH etc..

# If you ask why I choose *raw chain, raw chain is the most important chain in IPTABLES, you can think this chain as a "root" in linux and this chain can block 1.000.000 Packet Per Second (depends on the power of your servers(CPU,RAM,NIC, NETWORK BANDWIDTH

If the person attacks you by using TS3INIT payload, the hashsize in iptables rule will block new connections and accept 5 new connections per second, meaning our users in TeamSpeak3 servers will not be blocked by IPTABLES. The most important thing is to keep the users in your TeamSpeak3 servers safe.

First of all, thank you for your interest, but there is a description in the script which is below;

Code:

# If you ask why I choose *raw chain, raw chain is the most important chain in IPTABLES, you can think this chain as a "root" in linux and this chain can block 1.000.000 Packet Per Second (depends on the power of your servers(CPU,RAM,NIC, NETWORK BANDWIDTH))

I wish I could fix all the attacks in virtual life, but there is no way, there is always a way to attack the servers and there is always a way to block the attacks as well. All the mitigations or preventions depend on your machine -its ram,cpu,nic, etc..-

Ok so I can buy the best hetzner server and use this and my server is safe 99.99%?

I am not going to go against you anymore since none of the people that did that against staff staid very long so sure what ever you say but maybe you should give that script some real test's first.

Asphyxia · Jul 12, 2019

dosh said:
Ok so I can buy the best hetzner server and use this and my server is safe 99.99%?

He still never said any of this. Not sure why you are being an antagonist in this thread. We can all be happy and kind on this lovely day, you know?! Thread title is just hinting this will block most common DDoS attacks. Please disprove this.

It's simply a Netfilter ruleset to block potential DDoS attacks.

His ruleset is no replacement for other areas of security focus like choosing the right hosting provider, the security of TeamSpeak's product which has not been security audited, and lastly but there is more than on my list - administrative clients being secure as to not lose their private keys to an attacker.

DDoS protection happens at 3/4 and 7. His shared ruleset is an example of ONE component of DDoS protection. It may help, this is free!

Instead of apparently flaming, you could propose some constructive criticism or offer a better/alternative solution. It is clear you only care about flaming for some reason.

Very lastly, if you are going to exhaust as much energy in roasting a free ruleset to block common DDoS attack methods but totally overlook TeamSpeak's claim at military-grade encryption then I question your values.

TeamSpeak claims Ventrilo, Discord, and Skype offer no military-grade encryption. What the hell do they even mean by this? Does TeamSpeak even know what FIPS (140-2) compliance means? Has their software ever been security audited? Not to my knowledge, we have offered their two CEOs. TeamSpeak seems more concerned with features than security but their platform is spiraling downward in usage.

About that military-grade encryption:

I guess when you consider many militaries have been hacked, military-grade becomes more of a hype sales term similar to "bank-grade encryption".

User_38581 · Jul 12, 2019

Simply spoof 2 packets from the same source and use 5 sources, always ts3init and change the sources every 5 seconds makes a total of 10 pps, it will first bypass the spoofing rule, because its sending 2 packets and not 1, and then it will block the 5 connections max rule, and so server cannot be joined by anybody anymore, with the lowest of lowest pps

NatureNMoon · Jul 12, 2019

martyns said:
Simply spoof 2 packets from the same source and use 5 sources, always ts3init and change the sources every 5 seconds makes a total of 10 pps, it will first bypass the spoofing rule, because its sending 2 packets and not 1, and then it will block the 5 connections max rule, and so server cannot be joined by anybody anymore, with the lowest of lowest pps

You may block the new connections but the users, who have already joined the TeamSpeak3 server before your attacks, will have no issue. The most important thing is that you should keep your users safe. Many data centers use country block, for example, You have 1000 users and 900 users are from US and the rest are from Germany, if the attacks come from Germany, you can use country block -this is not a perfect solution but nowadays many data centers use this system. As I mentioned above, there is no 100% protection, because there is always a way to attack the servers and there is always a way to block the cyber attacks. Also, everyone has to know that the iptables is not the only one to keep your network safe. IPTABLES it not enough by itself. You have to change some things in your sysctl.conf. you should let your provider know about the attacks. He/she may help you by using ACL(Access Control List) on Switch, router etc.. On the other hand, everyone should accept that iptables is one of the best ddos mitigation service.

User_38581 · Jul 12, 2019

NatureNMoon said:
You may block the new connections but the users, who have already joined the TeamSpeak3 server before your attacks, will have no issue. The most important thing is that you should keep your users safe. Many data centers use country block, for example, You have 1000 users and 900 users are from US and the rest are from Germany, if the attacks come from Germany, you can use country block. As I mentioned above, there is no 100% protection, because there is always a way to attack the servers and there is always a way to block the cyber attacks

Agree with that for sure, but for me , someone who knows that you're having this rule and has knowledge its easy to bypass, about country block they can help you, but I prefer rate-limiting more than blocking whole country, but its about someone who want to do it by himself

NatureNMoon · Jul 12, 2019

martyns said:
Agree with that for sure, but for me , someone who knows that you're having this rule and has knowledge its easy to bypass, about country block they can help you, but I prefer rate-limiting more than blocking whole country, but its about someone who want to do it by himself

hashlimit is also a rate-limiting, I prefer to use rate-limit/connection limits for TCP protocol. You can also use the rule below to keep control UDP traffics easy.

Code:

"-p udp -j CT --notrack"

Conntrack is one of the biggest issues for netfilter module, I have already developed a netfilter module to block UDP and TCP traffics without using a lot of CPU and RAM.

Asphyxia · Jul 12, 2019

martyns said:
so server cannot be joined by anybody anymore, with the lowest of lowest pps

I agree, that is the difficulty in security though. It's finding that "sweet spot" between locking things down and making them simply accessible. Quite opposite ends of the spectrum, such a magnificent mix between art and science!

Limiting is also helpful but rules like these can be highly effective when under attack e.g. an attack is detected, filters turned on, and turned on when attacking goes away. A lot of awesome people I look up to say this:
You do not have to be the most secure, just more difficult to attack than the next guy.

Also, hashlimit is applied like Nature mentioned.

gamesbond · Jul 12, 2019

What abou

NatureNMoon said:
The ip addresses in ts3_allowed and gamesbond_whitelist will not be affected by iptables, meaning the iptables will not block the ip addresses in those ipsets

works
a lot of thanks man

Qwe2390 · Jul 13, 2019

The best post ever. Please share more.

ZombieJo · Jul 14, 2019

Hey man and thanks for your ruleset!
Will it be possible to use it on pfsense too?

aLp59 · Jul 14, 2019

I have just registered this website to reply this thread, thank you so much dear Nature. Can you please share iptables script for Fivem, Minecraft and Knight Online if it is possible?

NatureNMoon · Jul 15, 2019

ZombieJo said:
Hey man and thanks for your ruleset!
Will it be possible to use it on pfsense too?

Pfsense has a different system, if you are good at pfsense, you can easily optimize this ruleset for pfsense. Nowadays, I am working on a netfilter module which will block many amplification and reflection attacks(Layer 7). I will create a ruleset for pfsense very soon..

aLp59 said:
I have just registered this website to reply this thread, thank you so much dear Nature. Can you please share iptables script for Fivem, Minecraft and Knight Online if it is possible?

I will share some rulesets for some games especially fivem, minecraft, knight online, rust and arma3 (maybe dayz as well after searching the user dumps). After developing a netfilter module which will block almost all Layer 7 attacks like SSDP, LDAP, NTP, MDNS..., I will create a ruleset for many games very soon...

ZapicoGT · Jul 30, 2019

@NatureNMoon *Raw error iptables . /r4p3ts3.sh HELP

NatureNMoon · Jul 30, 2019

ZapicoGT said:
@NatureNMoon *Raw error iptables . /r4p3ts3.sh HELP

Can you send me your iptables. That's why, I can see where the problem is.

ZapicoGT · Jul 30, 2019

Empty iptables.

ZapicoGT · Jul 30, 2019

unknown option "--dports"

NatureNMoon · Jul 30, 2019

ZapicoGT said:
unknown option "--dports"

before "--dports", you have to add "-m multiport" here is the example;

Code:

-p tcp -m multport --dports 80,443,3389

I have just seen that I made some mistakes while creating my iptables rules, I will fix it asap.
Thank you for letting me know.

nxtRazer · Aug 16, 2019

im getting "iptables-restore: line 37 failed"
so the line where COMMIT stands
without this line

Code:

-A TS3 -p udp ! --sport 53 -m length --length 62 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name ts3_ratelimit --hashlimit-htable-max 2000000 -m string --string "TS3INIT" --algo kmp -j SET --add-set ts3_allowed src

it works idk why

Tutorial TeamSpeak3 IPTABLES (99.9% DDOS PROTECTION)

dosh

Member

NatureNMoon

dosh

Member

Asphyxia

Owner

User_38581

NatureNMoon

User_38581

NatureNMoon

Asphyxia

Owner

gamesbond

Member

Qwe2390

ZombieJo

Active Member

aLp59

Member

NatureNMoon

ZapicoGT

Active Member

NatureNMoon

ZapicoGT

Active Member

ZapicoGT

Active Member

NatureNMoon

nxtRazer

Member