THIS IS A BETA BUILD OF COD4. RUN AT YOUR OWN RISK.
Call Of Duty 4(tm)
Linux Multiplayer Server Code
Version 1.7.1
Readme
Last update: 2011-08-01
2. Upgrading to 1.7.1
Just stop the game server, replace cod4_lnxded-bin and the other files on your
server with the files included in this package, and restart the game server.
New files may be added, such as main/iw_12.iwd; make sure they land in the
correct subdirectory. Please verify that your mods are compatible with the new
version; that is beyond the scope of this document.
[...]
7. Linux-specific version!
Version 1.7.1 is a Linux-specific hotfix and is otherwise equivalent to
version 1.7 on other platforms. The server will report itself as 1.7.
This patch adds support for query limits.
About query limits:
There is a class of DDoS attack that can use COD4 servers to flood a third
party: by spoofing the source address of UDP query packets, the attacker makes
the game server send its information reply to an unsuspecting party, over and
over, as fast as it can. Unlike most packets sent by the server, this reply
packet does not require a player with a legitimate connection before it is sent.
This patch sets up some reasonable defaults to limit the rate at which the
server will send these reply packets to a given IP address. It does not
throttle legitimate connections in the process.
The gist is this: If someone sends a query packet, we note their IP
address and ignore any further queries for X seconds. If they send a
port-unreachable packet (person being spoofed isn't playing the game),
we ignore their IP address for Y seconds. This will let normal people
play, it prevents people that don't have a legitimate player connection
from flooding the server with queries, and it'll stop DDoS attacks
against third parties.
If millions of computers try to wail on a single server, this patch
should handle it gracefully (we don't allocate memory when adding IP
addresses to the ignore list, we use a hashtable so we don't have to
check millions of IP addresses for every query, and we clean out old
addresses a little each frame).
People that are connected to the server don't have their packets
ignored; this only limits server responses to packets that don't need a
valid player connection (like the infostring, etc). LAN addresses are
never limited.
Admins can tune it (and turn it off completely) with cvars.
Note that packets from a single IP address, whatever their source ports, all
get lumped into the same ignore list entry. This is to make life difficult for
attackers and keep things efficient on the server. If 16 players are all behind
the same NAT, they might notice it takes longer for the server to respond to
each of them individually at the start. They should run a LAN server anyhow,
but gameplay will still perform normally here.
Server admins have 4 cvars to control this:
sv_queryIgnoreDebug: set to 1 to log information about attacks. This will
write out a lot of logging. Defaults to 0.
sv_queryIgnoreMegs: Number of megabytes we should use to store the
ignore list. Set to 0 to turn off the ignore list (basically disables
this patch). 1 megabyte handles about 65000 IP addresses, each megabyte
after the first adds about 87000 more. 1 is probably fine unless you're
under serious attack, but maybe a server wants to spare 12 megs to block
a million IP addresses simultaneously.
Defaults to 1.
sv_queryIgnoreTime: Number of milliseconds to ignore an IP address's
info requests after responding to one of them. Set to 0 to not ignore at
all. Defaults to 2000 (2 seconds).
sv_queryBounceIgnoreTime: Number of milliseconds to ignore an IP
address's info requests after a server packet bounced with an ICMP Port
Unreachable notice. Set to 0 to not ignore at all. Defaults to 12000 (2
_minutes_).
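The following is an added example, not the shipped cod4_lnxded code, showing one way the mechanism described in the "About query limits" section and controlled by the cvars above can be built: a fixed-size table of IP addresses keyed without the source port, no allocation per address, a bounded-cost lookup, a short ignore window after each reply, a longer one after an ICMP Port Unreachable bounce, LAN addresses exempt, and a small sweep each frame. All names (QueryIgnoreTable, query_should_respond, query_bounced, query_ignore_sweep) and the table size are assumptions of this example rather than the server's own; the server sizes its table from sv_queryIgnoreMegs. The scenario uses the defaults as printed above, 2000 ms and 12000 ms; note that 12000 ms is 12 seconds, so check the value you actually want before relying on the "2 minutes" description.

```c
/* Added example, not the shipped cod4_lnxded code: a fixed-size, no-allocation query
 * ignore table modelled on the behaviour described above. All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define BUCKET_COUNT 1024 /* constructed size; the real server sizes its table by sv_queryIgnoreMegs */
#define BUCKET_WAYS  4    /* slots per bucket: a lookup touches at most 4 entries, never the whole table */

typedef struct {
    uint32_t ip;       /* IPv4 in host order; 0 marks an empty slot. The source port is not part of the key. */
    uint32_t until_ms; /* server time until which queries from ip are ignored */
} IgnoreEntry;

typedef struct {
    IgnoreEntry slots[BUCKET_COUNT][BUCKET_WAYS]; /* fixed storage: nothing is malloc'd per address */
    uint32_t sweep_bucket;          /* where the per-frame cleanup resumes */
    uint32_t ignore_time_ms;        /* sv_queryIgnoreTime */
    uint32_t bounce_ignore_time_ms; /* sv_queryBounceIgnoreTime */
    bool enabled;                   /* sv_queryIgnoreMegs != 0 */
} QueryIgnoreTable;

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}
/* RFC 1918 ranges and loopback are never limited. */
static bool is_lan_address(uint32_t ip) {
    return (ip >> 24) == 10 || (ip >> 24) == 127 ||
           (ip >> 20) == (ip4(172, 16, 0, 0) >> 20) || (ip >> 16) == (ip4(192, 168, 0, 0) >> 16);
}
static bool expired(const IgnoreEntry *e, uint32_t now_ms) {
    return (int32_t)(e->until_ms - now_ms) <= 0; /* wrap-safe time comparison */
}
static IgnoreEntry *bucket_for(QueryIgnoreTable *t, uint32_t ip) {
    return t->slots[(ip * 2654435761u) >> 22]; /* multiplicative hash to 10 bits = 1024 buckets */
}
static IgnoreEntry *lookup(QueryIgnoreTable *t, uint32_t ip) {
    IgnoreEntry *b = bucket_for(t, ip);
    for (int i = 0; i < BUCKET_WAYS; i++)
        if (b[i].ip == ip) return &b[i];
    return NULL;
}
/* Ignore ip for duration_ms, reusing its own slot, an empty one, or an expired one.
 * Returns false when the bucket holds only live entries for other addresses. */
static bool ignore_for(QueryIgnoreTable *t, uint32_t ip, uint32_t now_ms, uint32_t duration_ms) {
    IgnoreEntry *b = bucket_for(t, ip), *target = NULL;
    for (int i = 0; i < BUCKET_WAYS; i++) {
        if (b[i].ip == ip) { target = &b[i]; break; }
        if (!target && (b[i].ip == 0 || expired(&b[i], now_ms))) target = &b[i];
    }
    if (!target) return false;
    target->ip = ip;
    target->until_ms = now_ms + duration_ms;
    return true;
}
/* Called for each connectionless query (getinfo, getstatus, ...). True = send the reply. */
bool query_should_respond(QueryIgnoreTable *t, uint32_t ip, uint32_t now_ms) {
    if (!t->enabled || t->ignore_time_ms == 0 || is_lan_address(ip)) return true;
    IgnoreEntry *e = lookup(t, ip);
    if (e && !expired(e, now_ms)) return false; /* inside the ignore window: drop silently */
    /* Reply once, then ignore for sv_queryIgnoreTime. Design choice of this example: a sender that
     * cannot be tracked gets no reply, because untracked replies are what a reflection flood needs. */
    return ignore_for(t, ip, now_ms, t->ignore_time_ms);
}
/* Called when ICMP Port Unreachable comes back for a reply: nobody at ip is running the game. */
void query_bounced(QueryIgnoreTable *t, uint32_t ip, uint32_t now_ms) {
    if (!t->enabled || t->bounce_ignore_time_ms == 0 || is_lan_address(ip)) return;
    ignore_for(t, ip, now_ms, t->bounce_ignore_time_ms);
}
/* Called once per frame: clear expired entries in a few buckets, so cleanup cost is bounded. */
void query_ignore_sweep(QueryIgnoreTable *t, uint32_t now_ms, uint32_t buckets_per_frame) {
    for (uint32_t n = 0; n < buckets_per_frame; n++) {
        IgnoreEntry *b = t->slots[t->sweep_bucket];
        for (int i = 0; i < BUCKET_WAYS; i++)
            if (b[i].ip != 0 && expired(&b[i], now_ms)) b[i].ip = 0;
        t->sweep_bucket = (t->sweep_bucket + 1) % BUCKET_COUNT;
    }
}

/* Constructed scenario with the README's printed defaults (2000 ms / 12000 ms). Returns the
 * decisions as a bit pattern so the behaviour can be checked rather than only printed. */
unsigned demo_scenario(void) {
    static QueryIgnoreTable t = { .ignore_time_ms = 2000, .bounce_ignore_time_ms = 12000, .enabled = true };
    uint32_t pub = ip4(203, 0, 113, 7), lan = ip4(192, 168, 1, 20); /* constructed addresses */
    unsigned r = 0;
    r |= query_should_respond(&t, pub, 1000) << 0;  /* first query: reply            (1) */
    r |= query_should_respond(&t, pub, 1500) << 1;  /* 500 ms later: ignored         (0) */
    r |= query_should_respond(&t, pub, 3100) << 2;  /* 2 s window over: reply again  (1) */
    query_bounced(&t, pub, 3200);                    /* port unreachable: 12 s ignore    */
    r |= query_should_respond(&t, pub, 9000) << 3;  /* still bounced: ignored        (0) */
    r |= query_should_respond(&t, pub, 15300) << 4; /* bounce window over: reply     (1) */
    r |= query_should_respond(&t, lan, 15300) << 5; /* LAN host: reply               (1) */
    r |= query_should_respond(&t, lan, 15301) << 6; /* LAN host again: still reply   (1) */
    query_ignore_sweep(&t, 20000, BUCKET_COUNT);     /* full sweep after every window expired */
    r |= (lookup(&t, pub) == NULL) << 7;            /* entry aged out of the table   (1) */
    return r;                                        /* 0xF5 */
}
int main(void) { printf("decision bits: 0x%X\n", demo_scenario()); return 0; }
```

Two choices in this example are worth noting. A small fixed-size bucket per hash value, rather than open addressing, means an expired entry can simply be zeroed by the per-frame sweep without disturbing other addresses, and a query costs at most four comparisons however many addresses are being tracked. When a bucket is full of live entries for other addresses, the example drops the query instead of replying; a limiter that replies whenever it runs out of room would fail open under exactly the flood it exists to stop, so this is the safer default for an amplification defence, at the cost of an occasional lost query for a legitimate browser client.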
// end of README.linux ...