q3 engine getstatus ddos filter

block_q3dd

#!/bin/bash

function numcommas () {
    local S="${1//[^,]/}"
    echo ${#S}
}

PORTS=${1:-27960}
NUMPORTS=$(($(numcommas ${PORTS}) + 1))
HITS=$((${2:-5} * ${NUMPORTS}))
SECONDS=${3:-2}

iptables -N quake3_ddos
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount ${HITS} --seconds ${SECONDS} -j DROP
iptables -A quake3_ddos -j ACCEPT

if [ ${NUMPORTS} -eq 1 ]; then
    iptables -I INPUT -p udp --dport ${PORTS} -j quake3_ddos
else
    iptables -I INPUT -m multiport -p udp --dports ${PORTS} -j quake3_ddos
fi

how to exec:
./block_q3dd 27960,27961 3 1
./sh port or ports,ports hits seconds

SOURCE:
http://blog.alejandronolla.com/2013/06/24/amplification-ddos-attack-with-quake3-servers-an-analysis-1-slash-2/
http://blog.alejandronolla.com/2013/08/05/amplification-ddos-attack-with-quake3-servers-an-analysis-2-slash-2/