

srcds DOS attack?
#16
Good catch. I've updated my rules. No hits even to the previous rules yet, though.
Reply
#17
(10-08-2009, 04:04 PM)jheiv Wrote:  Quick update, I screwed up the IP Tables I posted -- if you read that carefully, I'm actually limiting the jump from input to "logattacker". I really wanted to limit the logging.

Here are my updated rules:
Code:
-A INPUT -p udp -m udp --dport 27015 -m length --length 0:32 -j logattacker
-A logattacker -j LOG --log-prefix "SRCDS:ATTACK: " --log-ip-options -m limit --limit 2/sec
-A logattacker -j DROP

With the previous rules, you'll get a log of the attack, but it will do nothing to prevent it from crashing your server.


And if I have two servers, 27015 and 27035, how do I do it then?
Reply
#18
You can use the same "logattacker" iptables chain.

Add this for your 27035 server:

iptables -A INPUT -p udp -m udp --dport 27035 -m length --length 0:32 -j logattacker

If both servers are attacked at the same time then it's possible in theory that you don't get a log entry for the other attacker on the other server, but I don't think it's too difficult to draw the conclusion that it's the same attacker as on the other server Wink
Reply
#19
Quick update, I have gotten attacked since and the rules worked like a charm.

Blocked 10M of traffic in 367,000 packets and the players said there was no noticeable lag.

With a 2/sec log frequency I logged about 3,000 entries -- not too bad -- but I could afford to decrease the frequency I'm sure.

I always grep out the logs from each IP and send it to the abuse email from the apparent IP whois entry -- who knows if they even look at it though.
Reply
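The "grep out the logs from each IP" step above is easy to script. The following is an added example, not code from anyone in this thread: it parses kernel log lines produced by the LOG target with the "SRCDS:ATTACK: " prefix from the rules posted earlier, then totals packets, bytes and destination ports per source address so the summary can go into an abuse report. The log lines and addresses (documentation ranges) are constructed sample data, and the hostname "gamebox" is assumed. Note that because the LOG rule is rate-limited (2/sec with burst 5), the counts are a lower bound on what was actually dropped, not the full attack volume.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format the iptables LOG target emits.
# The first three carry the "SRCDS:ATTACK: " prefix from the rules in this
# thread; the sshd line is unrelated noise; the last line uses an "SRCDS:RCON: "
# prefix as in the rcon logging rule. Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 13 22:01:02 gamebox kernel: SRCDS:ATTACK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4444 DPT=27015 LEN=8
Oct 13 22:01:02 gamebox kernel: SRCDS:ATTACK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4444 DPT=27035 LEN=8
Oct 13 22:01:03 gamebox kernel: SRCDS:ATTACK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=32 TOS=0x00 PREC=0x00 TTL=49 ID=31337 PROTO=UDP SPT=1025 DPT=27015 LEN=12
Oct 13 22:01:03 gamebox sshd[1234]: Accepted publickey for admin from 198.51.100.2 port 50000 ssh2
Oct 13 22:01:04 gamebox kernel: SRCDS:RCON: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=40000 DPT=27015 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The LOG target writes one key=value pair per field. The first LEN= after SRC=
# is the IP total length (the second, UDP-only LEN= is the UDP length), so the
# non-greedy match picks up the IP length.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>SRCDS:[A-Z]+): .*?\bSRC=(?P<src>[\d.]+) .*?\bLEN=(?P<length>\d+) "
    r".*?\bPROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a LOG-target line with an SRCDS: prefix, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "src": m.group("src"),
        "bytes": int(m.group("length")),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
    }


def summarize(lines, prefix="SRCDS:ATTACK"):
    """Aggregate logged packets per source IP for the given log prefix."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += 1
        entry["bytes"] += rec["bytes"]
        entry["dports"].add(rec["dpt"])
    return dict(per_src)


def format_report(summary):
    """Render one line per source, suitable for pasting into an abuse mail."""
    out = []
    for src in sorted(summary, key=lambda s: summary[s]["packets"], reverse=True):
        e = summary[src]
        ports = ",".join(str(p) for p in sorted(e["dports"]))
        out.append(f"{src}: {e['packets']} logged packets, {e['bytes']} bytes, dports {ports}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

Run it against a real file with `summarize(open("/var/log/kern.log"))`; the rate limit means the report should say "logged packets" rather than claiming to count every dropped packet.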
#20
Sounds good.

I'll do my quick update too: The iptables rule is not blocking any real traffic. I've had the rules for a week and there's only one caught packet. I wonder what that was all about Smile
Reply
#21
Trying, but I get an error:

Couldn't load target `logattacker':/lib/xtables/libipt_logattacker.so: cannot open shared object file: No such file or directory


debian lenny
Reply
#22
(10-13-2009, 11:35 PM)lhffan Wrote:  Trying, but I get an error:

Couldn't load target `logattacker':/lib/xtables/libipt_logattacker.so: cannot open shared object file: No such file or directory


debian lenny

Sorry, you probably need to declare logattacker as a new chain so it doesn't try to join a non-existent chain named logattacker.

Use this before the iptables -A rules:
Code:
iptables -N logattacker

... That should clear it up.
Reply
#23
ahh Smile thanx


seems to work. How do I also limit connections to my rcon to my second server IP?
Does this look okay?

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
logattacker  udp  --  anywhere             anywhere            udp dpt:27015 length 0:32
logattacker  udp  --  anywhere             anywhere            udp dpt:27035 length 0:32

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain logattacker (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning ip-options prefix `SRCDS:ATTACK: '
DROP       all  --  anywhere             anywhere
Reply
#24
Sorry for double post. But why don't my new chains and rules stay after a reboot?
Reply
#25
Oh very nice, got the first little shit trying to crash my server yesterday.
Reply
#26
(10-14-2009, 01:54 AM)lhffan Wrote:  ahh Smile thanx


seems to work. How do I also limit connections to my rcon to my second server IP?
Does this look okay?

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
logattacker  udp  --  anywhere             anywhere            udp dpt:27015 length 0:32
logattacker  udp  --  anywhere             anywhere            udp dpt:27035 length 0:32

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain logattacker (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning ip-options prefix `SRCDS:ATTACK: '
DROP       all  --  anywhere             anywhere
Yes this looks OK.


If you want to limit access to your rcon port try (untested):
Code:
# Make new chain
iptables -N rcon
# Pull all packets to tcp port 27015 into rcon chain
iptables -A INPUT -p tcp --dport 27015 -j rcon
# If source ip matches whitelisted ip, accept
iptables -A rcon --source 123.123.123.123 -j ACCEPT
# Otherwise (optionally log and) drop
iptables -A rcon -j LOG --log-prefix "SRCDS:RCON: " --log-ip-options
iptables -A rcon -j DROP
... where 123.123.123.123 is the IP address that you want whitelisted


Alternatively, you could leave your rcon port open and just log the access attempts (untested):
Code:
# Build RCON Attack Rules
iptables -N rcon
iptables -A INPUT -p tcp --dport 27015 -j rcon
iptables -A rcon -j LOG --log-prefix "SRCDS:RCON: " --log-ip-options
iptables -A rcon -j ACCEPT
...You could also use the chain ULOG if you want to log the entire packet (not just the header)


(10-14-2009, 02:58 AM)lhffan Wrote:  Sorry for double post. But why don't my new chains and rules stay after a reboot?

Because you didn't save them. Add them again then try:
Code:
service iptables save
(as sudo or root)
Reply
#27
SRCDS only needs a UDP connection?
Reply
#28
What question is this?

Srcds uses UDP for gameplay and TCP for RCON.
Reply
#29
ok thanx. Sorry for the cryptic question. But I got an answer anyways Smile

Will try to build up my rules some more today. Following this guide:
http://www.lysator.liu.se/~kjell-e/tekla/linux/security/iptables/iptables.html
Reply
#30
This is my DOS attack stats
http://proj.c400.ru/CSS_DOS_Attack.txt
I am shocked! WTF?!
Reply