Snort Rate Limiting

Good Afternoon,

I have a Windows 2008 dedicated server which runs a server daemon for the video game "Renegade".  This daemon has a serious flaw: any large quantity of UDP packets of any size will cause it to crash.  Lately I have been experiencing serious problems with this, as one small computer can use a simple Perl script to send several small (2-byte) packets to the server on port 5000 and crash it, in spite of the actual dedicated box being unaffected.

I have searched for the best solution for this, and the only thing I can come up with is to create a Snort rule using rate limiting to drop packets from an IP that has been sending a large number of them in a short time; however, Snort is a bit difficult to learn.

I was hoping someone here might be able to provide me with a Snort rule to accomplish this, or perhaps another alternative to keep the server from crashing under this load.  It must be run on Windows and cannot be moved to Linux, where iptables would offer a simple solution.
expert_tanmay commented:
The following Snort rule will drop UDP packets to your W2K8 server with a payload size of more than 2 bytes.

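# W2k8-IP stands for the server's address; the sid is a constructed local value.
drop udp any any -> W2k8-IP/24 5000 (dsize:>2; msg:"UDP Packet attack"; sid:1000001; rev:1;)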

I think my answer is correct using Snort. The other way around is to switch on Windows Firewall, which comes by default on W2K8.

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
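
The per-source rate limiting asked for in the question can be written with Snort's detection_filter or rate_filter. This is an added example, not a rule posted by either participant; the thresholds, the sid values and the use of $HOME_NET for the game server's address are assumptions to adjust.

```snort
# Added example, not from the original thread.
# Assumptions: HOME_NET in snort.conf is set to the game server's address,
# 50 packets per second is above what a legitimate player sends (tune it),
# and the sids are constructed values in the local range (>= 1000000).

# Option 1 (local.rules): detection_filter.
# The rule matches every UDP packet to port 5000, but it only fires, and
# therefore only drops, after one source address has exceeded 50 matching
# packets within a 1-second window. Sources under that rate are untouched.
drop udp any any -> $HOME_NET 5000 (msg:"LOCAL UDP flood to game port 5000"; \
    detection_filter:track by_src, count 50, seconds 1; \
    sid:1000010; rev:1;)

# Option 2: rate_filter.
# A plain alert rule (local.rules) watches the port ...
alert udp any any -> $HOME_NET 5000 (msg:"LOCAL UDP packet to game port 5000"; \
    sid:1000011; rev:1;)

# ... and a rate_filter (snort.conf) switches that rule's action to drop
# for 60 seconds once a single source passes 50 events in 1 second, so the
# sender stays blocked for the timeout instead of only while it is flooding.
rate_filter gen_id 1, sig_id 1000011, track by_src, \
    count 50, seconds 1, new_action drop, timeout 60
```

The drop action only blocks traffic when Snort runs inline; in passive mode these rules alert without stopping packets. Tracking by_src limits a single real sender, but it cannot tell senders apart if the UDP source addresses are spoofed.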