Block IP address scrip

[gemcneill]

Hey guys I am looking for a way to create a script to block an ip address using ipsec after it has too many connections from one ip. As you may know there is an issue with sof2 and the getstatus command. Basically they spoof an ip and then send a shit ton of getstatus requests to the server, and it floods the real ip. I have found a script to add and ipsec rule to block an ip.

 

 

REM ? Microsoft Corporation 1997-2003

 

REM Packet Fileters for Server Hardening

REM

REM Name: PacketFilters-ServerHost.CMD

REM Version: 1.0

 

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy

REM that blocks all network traffic to an SMTP Bastion Host except for what is

REM explicitly allowed as described in the Windows 2003 Server Solution Guide.

REM Please read the entire guide before using this CMD file.

 

REM Revision History

REM 0000 - Original March 21, 2003

REM 0001 - Original April 16, 2003

 

:IPSec Policy Definition

netsh ipsec static add policy name="Packet Filters - Your Web Host" description="Server Hardening Policy" assign=no

 

:IPSec Filter List Definitions

netsh ipsec static add filterlist name="Banned IPS" description="Server Hardening"

 

:IPSec Filter Action Definitions

netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit

netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

 

:IPSec Filter Definitions

netsh ipsec static add filter filterlist="Banned IPS" srcaddr=PUT.BANNED.IP.HERE dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

 

:IPSec Rule Definitions

netsh ipsec static add rule name="Banned IP Rule" policy="Packet Filters - Your Web Host" filterlist="Banned IPS" kerberos=yes filteraction=Block

 

This script will create the rule and add the first ip. You then have to activate the rule. Once that is done this command will add further ips

 

netsh ipsec static add filter filterlist="Banned IPS" srcaddr=PUT.BANNED.IP.HERE dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

 

 

So the command to add further ips is easy, but is it possible to have something check if too much traffic or too many connections are made from a single ip and then run that last command. If this is possible I think we should explore it as it could be a useful script for game server providers.

 

George

[adamnp]

Aluigi's workaround works....

 

http://aluigi.freeforums.org/sof2-dos-patch-t1701.html

 

 

 

Edit: I now see that thats you in that post....

 

I haven't had any issues recently with anything...Odd?

[gemcneill]

Yes the patch seems to work but I would still like to explore this script idea to block ips. I really dont know how to write scripts but I am pretty good and finding ones. However all I have found is what I posted above which does a great deal of the work but still manual. I am not sure if it is possible to write a script but I think it is.

 

George