Preventing DoS attacks
#16
The video shows that it's a TCP flood, not UDP, which means that the firewall rule won't work because it's blocking UDP packets.
iptables -A INPUT -p tcp --dport 27015 -m length --length 28 -j DROP
might work
#17
You can drop all TCP traffic to the game port. Just make one rule to allow you to use RCON by yourself. TCP traffic to game port is only RCON.

For example do this:

Code:
iptables -A INPUT -p tcp --dport 27015 -s my.ip.here.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 27015 -j DROP

Note that the last rule drops all traffic to TCP port 27015. If you're not familiar with iptables rules then I suggest that you familiarize yourself with this. Otherwise you'll end up writing these commands 10 times and wondering why they don't work anymore (and that's because you have the same rules 10 times).

This TCP is easy to block because nobody needs to use TCP while playing on your server. UDP floods and UDP problems are much more difficult to block because it might affect normal players also.

Post all progress you make here. This is quite an interesting topic.
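The warning above about ending up with the same rules ten times is easy to check for. The following is an added example, not code from the thread: it parses `iptables-save` output (a constructed sample is embedded), reports rules that occur more than once, builds a de-duplicated rule list, and checks the one ordering constraint that matters for the RCON allow-list, namely that the admin's ACCEPT is evaluated before the catch-all DROP for the port (if the DROP was appended first, a later `-A ... ACCEPT` never matches and you lock yourself out of RCON). The admin address 203.0.113.5 and the rule bodies are made up for the sample.

```python
import re
from collections import Counter

# Constructed `iptables-save` output (not real server state): the two rules from the
# post, each entered twice, as happens when the commands are re-run without checking.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 27015 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27015 -j DROP
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 27015 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27015 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_rules(save_text):
    """Return (chain, rule_body) tuples in the order the kernel evaluates them."""
    rules = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def duplicate_rules(rules):
    """Rules present more than once, mapped to their count; extra copies are dead weight."""
    return {rule: n for rule, n in Counter(rules).items() if n > 1}


def dedupe(rules):
    """Keep the first copy of every rule, preserving evaluation order."""
    seen, out = set(), []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


def _matches_port(body, proto, dport):
    return f"-p {proto}" in body and f"--dport {dport}" in body


def rcon_allow_precedes_drop(rules, admin_ip, dport=27015):
    """True if the first ACCEPT from admin_ip to TCP dport sits before the first
    source-less DROP for that port; otherwise the DROP wins and RCON is cut off."""
    if "/" not in admin_ip:
        admin_ip += "/32"  # iptables-save prints hosts with an explicit /32
    allow_idx = drop_idx = None
    for i, (chain, body) in enumerate(rules):
        if chain != "INPUT" or not _matches_port(body, "tcp", dport):
            continue
        if body.endswith("-j ACCEPT") and f"-s {admin_ip}" in body and allow_idx is None:
            allow_idx = i
        if body.endswith("-j DROP") and "-s " not in body and drop_idx is None:
            drop_idx = i
    return allow_idx is not None and drop_idx is not None and allow_idx < drop_idx


def render_commands(rules):
    """Turn parsed rules back into iptables commands (feed it dedupe() output)."""
    return [f"iptables -A {chain} {body}" for chain, body in rules]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SAVE)
    for rule, n in duplicate_rules(rules).items():
        print(f"duplicate x{n}: -A {rule[0]} {rule[1]}")
    clean = dedupe(rules)
    print("RCON allow before drop:", rcon_allow_precedes_drop(clean, "203.0.113.5"))
    print("\n".join(render_commands(clean)))
```

Run it against `iptables-save` output piped from the real host; the de-duplicated command list is what you would put in a script instead of typing the rules by hand again.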
#18
It appears to be back. In another form. We manually blocked packets of length 28 with iptables rules which worked, however the new attack is worse. Instead of repeated lag of stuff happening over and over, it now freezes the server for 10-20s at a time (net graph goes blank) and basically causes everyone to time out eventually. Again, hitting servers one at a time.

No it definitely is NOT a player, nothing in logs and can happen with just me on the server. Therefore nothing related to mani (though we don't run that rubbish).
So, now what?
#19
Did you ever resolve whether it was a UDP or TCP problem? If it is a TCP problem, I would suggest trying what css mentioned above. It is worth a shot.

Also, how long was the gap between the two attacks? In other words, you fixed the first attack by dropping packets of length 28, how long did it take after that for it to start up again?

-O.K.
#20
We've had that too again.

In the latest incident I noticed that there were two different sized packets. Unfortunately I lost the tcpdump screen that had more information. The other packet size was 0, that I remember.

I've heard that the new version of zBlock can disable this attack. Or then they are talking about something else. On the official site there is:

Code:
- Blocked a new server crash/lag command.
I hope it's referring to this attack.

@over_kill
It's not TCP. It's UDP and it's a real bitch to track down. All that you can do is happen to play at the time somebody starts the attack. Then close the server quickly so there is no more normal server traffic. Then start tcpdump with the following command:

Code:
tcpdump -n -vv -XX -s 0 'udp'

The result is lots of gibberish. You can leave -XX out so there isn't as much information printed on the screen. Then look at the last column of "length NN". There is also another column saying "length NN", but it also includes the UDP header, which makes the packet look bigger. The actual payload amount is the last column.

Then if you find out what the attacker is flooding, it is possible to add a new firewall rule to block all other similar attacks by blocking UDP messages of that size by executing this iptables command:

Code:
iptables -I INPUT -p udp -m length --length NN -j DROP

Obviously it is also possible to block the attacker's IP address here, but it's only a very temporary solution.
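The "look at the last length column" step above is tedious by eye on a busy server, so here is an added example (not code from the thread) that does the counting: it parses `tcpdump -n -vv 'udp'` output, pairs each flow line with the IP header line before it, builds a histogram of payload sizes for the game port, shows which sources send the dominant size, and derives the matching `-m length` rule. The sample capture is constructed; 198.51.100.7 is a made-up flooder and 192.0.2.10 the game server. One detail the post glosses over, included here as a check: the kernel's `length` match compares the IPv4 total length (IP header plus UDP header plus payload), not the UDP payload, so a 0-byte payload is the 28-byte packet blocked earlier in the thread, and the helper adds the 28 bytes of header overhead (assuming no IP options). The histogram is restricted to the game port and broken down by source precisely because dropping a size also drops legitimate packets of that size, which the thread itself warns about.

```python
import re
from collections import Counter

# Constructed sample approximating `tcpdump -n -vv 'udp'` output: two lines per packet,
# an IP header line ending in "length N)" and a flow line ending in "UDP, length N".
SAMPLE = """\
21:03:11.100212 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 28)
    198.51.100.7.41022 > 192.0.2.10.27015: [udp sum ok] UDP, length 0
21:03:11.100240 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 28)
    198.51.100.7.41022 > 192.0.2.10.27015: [udp sum ok] UDP, length 0
21:03:11.100271 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 28)
    198.51.100.7.41022 > 192.0.2.10.27015: [udp sum ok] UDP, length 0
21:03:11.100299 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 28)
    198.51.100.7.41022 > 192.0.2.10.27015: [udp sum ok] UDP, length 0
21:03:11.104870 IP (tos 0x0, ttl 117, id 3321, offset 0, flags [none], proto UDP (17), length 80)
    203.0.113.25.27005 > 192.0.2.10.27015: [udp sum ok] UDP, length 52
21:03:11.105114 IP (tos 0x0, ttl 64, id 44112, offset 0, flags [DF], proto UDP (17), length 1228)
    192.0.2.10.27015 > 203.0.113.25.27005: [udp sum ok] UDP, length 1200
21:03:11.105301 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 28)
    198.51.100.7.41022 > 192.0.2.10.27015: [udp sum ok] UDP, length 0
21:03:11.109930 IP (tos 0x0, ttl 110, id 9012, offset 0, flags [none], proto UDP (17), length 53)
    203.0.113.40.27005 > 192.0.2.10.27015: [udp sum ok] UDP, length 25
"""

IP_LINE_RE = re.compile(r"proto UDP \(17\), length (\d+)\)")
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):.*UDP, length (\d+)")


def parse_udp_packets(text):
    """Pair each flow line with the IP line before it; payload is the last 'length' column."""
    packets, ip_len = [], None
    for line in text.splitlines():
        m = IP_LINE_RE.search(line)
        if m:
            ip_len = int(m.group(1))
            continue
        m = FLOW_RE.search(line)
        if m:
            packets.append({"src": m.group(1), "sport": int(m.group(2)),
                            "dst": m.group(3), "dport": int(m.group(4)),
                            "payload": int(m.group(5)), "ip_len": ip_len})
            ip_len = None
    return packets


def header_overheads(packets):
    """Difference between the two 'length' columns (IP total minus payload); 28 for plain IPv4/UDP."""
    return Counter(p["ip_len"] - p["payload"] for p in packets if p["ip_len"] is not None)


def payload_histogram(packets, dport=None):
    """Payload size -> packet count, optionally only for packets to one destination port."""
    return Counter(p["payload"] for p in packets if dport is None or p["dport"] == dport)


def dominant_payload(packets, dport):
    """Most common payload size sent to dport and its share of all packets to that port."""
    hist = payload_histogram(packets, dport)
    total = sum(hist.values())
    if not total:
        return None, 0.0
    size, n = hist.most_common(1)[0]
    return size, n / total


def sources_for_payload(packets, dport, payload):
    """Who sends packets of this size to the port; a flood usually comes from few sources."""
    return Counter(p["src"] for p in packets if p["dport"] == dport and p["payload"] == payload)


def iptables_length_rule(payload, dport, ip_header=20, udp_header=8):
    """xt_length compares the IPv4 total length, so add header bytes to the tcpdump payload size."""
    return (f"iptables -I INPUT -p udp --dport {dport} "
            f"-m length --length {payload + ip_header + udp_header} -j DROP")


if __name__ == "__main__":
    pkts = parse_udp_packets(SAMPLE)
    print("header overhead per packet:", dict(header_overheads(pkts)))
    size, share = dominant_payload(pkts, 27015)
    print(f"dominant payload to 27015: {size} bytes ({share:.0%} of packets)")
    print("sources:", sources_for_payload(pkts, 27015, size).most_common(3))
    print(iptables_length_rule(size, 27015))
```

Feed it a saved capture (`tcpdump -n -vv 'udp' > flood.txt`) instead of the sample, and treat the derived rule as a starting point: check the source list first, and remember the rule also drops a legitimate client packet that happens to be that size.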
#21
http://forums.srcds.com/viewtopic/11716

That helped me.
#22
Currently experiencing the same thing -- put up a firewall rule to block UDP packets between 0 and 28 bytes -- a tcp dump is shown here: http://forums.srcds.com/viewtopic/12516.

... so far the rule has been working (crosses fingers/ knocks on wood)
#23
(07-17-2009, 06:11 AM)over_kill Wrote:  Another idea, if you are willing to invest in a firewall, Cisco makes a nice hardware firewall for a good price (imho). Cisco's ASA (Adaptive Security Appliance) 5500 Series Firewalls base model runs for around $400, I believe.

Even used, you might want to add another zero... ASA's with the right licensing are crazy expensive. You can, however, get a decent PIX 515 for around $400. You can't add different security (IPS, web filtering, etc) modules like you can with the ASA, but for this purpose it's not needed. Besides, if you absolutely must have an IPS, you can stack on a 4215.

#24
Thanks for the information.
I've learned something from your posting.
#25
(07-16-2009, 09:30 PM)eXDee Wrote:  Hey,
We run very many counterstrike servers with a linux game host. The server is 8 cores with 10gb of ram.
And they are being DoS attacked.
We have told the host to implement these iptables rules as found here https://forums.alliedmods.net/showthread.php?t=87794
iptables -A INPUT -p udp --dport 27015 -m length --length 28 -j DROP
iptables -A INPUT -p udp --dport 27016 -m length --length 28 -j DROP

For each of the ports our servers run on but they have done nothing. We've tried vdf mods, metamod script and none work.

We are confident it's an intentional DoS attack because it affects servers one at a time, happens suddenly till the server empties, and then moves onto our 2nd server of the same gametype as players migrate there. Not server lag, it's definitely intentional, the pattern is there and is designed to empty our servers, by a competing gametype provider (yes, sad, I know).

As mentioned it affects 1 server at a time, the cores on the box are only at 50% usage each (checked this myself in ssh) and there is 4gb of ram free.

The lag basically causes the same actions to repeat over and over, the dying animation of players will repeat over and over, movement is incredibly jumpy and simply unplayable.

As for mods we are running eventscripts and sourcemod with several scripts/plugins under these but we have verified that none of these are causing it (or in that case being exploited). We are also confident that it is happening remotely, not from a player in the server.
Could something like this be as basic as a UDP flood?

Does anyone have any clue at all how to deal with these?


Know this is quite off your posting time, but if DDoS problems are still occurring please email me or message me and I can definitely be your solution to this problem