

DOS exploit?
#1
Hello.
I am currently helping a friend whose Garry's Mod server is getting DOS'ed every few days. It seems that Source Dedicated Server is susceptible to a DOS exploit that involves sending a flood of "ÿÿÿÿTSource Engine Query" packets to the server; I verified this with Wireshark on the server. The very scary part is the amount of packets needed to take down a server. I tested it on my server, which is hosted on a 50/50M line, with a small program I wrote that sends 10,000 queries to the server. My upload from the sending computer is 25KB, so not a lot, but I was able to take down the server. It looked to the users as if it had crashed, but it hadn't; the CPU usage and network usage on the server stayed the same. I had 3 other people on the server at the time to make sure it was not only me, and as soon as the flood stopped the server came back after about one minute.

Now my question is, are there any plug-ins that can help with preventing this exploit? I have tried both DAF and qcache; neither works. The attackers also can very easily change their IP address because UDP is stateless and can be spoofed very easily.
The box is Windows, so I can't do anything with iptables.
Need help? Join my Teamspeak 203.98.81.94:9987
#2
One of our TF2 servers got DOS'd the same way and the only tool that we got to work was:
http://www.wantedgov.it/page/62-srcds-query-cache/

It's a bit of work to get going and broke HLSW access to the server, but otherwise did exactly what we wanted (preventing the DOS attack from affecting the gameserver).
#3
(12-05-2010, 06:04 PM)Dravu Wrote:  One of our TF2 servers got DOS'd the same way and the only tool that we got to work was:
http://www.wantedgov.it/page/62-srcds-query-cache/

It's a bit of work to get going and broke HLSW access to the server, but otherwise did exactly what we wanted (preventing the DOS attack from affecting the gameserver).

Thanks for the reply.

That is only a bandage fix. I was just testing it out, and it has a few issues: it raises the ping by 2x, the DOSs that I am facing are at random times and I don't want to remote into the server when it happens, and I was still able to DOS the server if I set my program to over 1,000,000 packets. Overall it would be a good fix if the server was getting constantly DOSed.
Any other ways anyone can think of fixing it?
Also, isn't this a bug Valve should be fixing?
#4
I think zBlock has a DOS protector included.
http://www.fpsmeter.org
http://wiki.fragaholics.de/index.php/EN:Linux_Optimization_Guide (Linux Kernel HOWTO!)
Do not ask technical questions via PM!
#5
If you find anything good, please share your results. MIG
Looking for a game server? Visit fullfrag.com and pick one up as low as $2.50 / mo!
#6
You can try this: https://forums.alliedmods.net/showthread.php?t=95312

It requires Metamod: Source. I'm using this but I can't tell if it's working.
#7
I spoke with a friend about this. SRCDS seems to flip out when it receives packets with a size of 24 or 46 bytes, which are the most "used" sizes. My own servers sometimes get DoS'ed, and I always block the IP and report them to their ISP.

BUT, I think that this can be fixed by making an iptables rule that denies 24/46-byte packets on the specific port. This shouldn't be a problem since the game itself (hl2) never sends any packets of that size.

For Windows users it's just bad luck.
Beat that with your fiber connections...
#8
Or else just DoS them back and show them who the master is... oh wait...

The "Source Engine query" could be a script too, as it's the same packet you get when you try to get maxplayers, map and hostname (etc.).
#9
**UPDATE**

It seems they have found a new way to do it. It looks like a reflected DDOS: they are adding the IP of the server to the Call of Duty master list, and all the clients for that are sending a crapload of non-Source data at our server.

For example:

statusResponse
\__promod_attack_score\0none\__promod_defence_score\0none\__promod_mode\match_mr12\__promod_ticker\6\__promod_version\Promod LIVE V2.04 EU\_Admin\YCN Gaming\_Email\sales@ycn-gaming.com\_Irc\#ycn-gaming @ irc.quakenet.org\_Location\United Kingdom\_Website\www.ycn-gaming.com\fs_game\mods/promodlive204\g_compassShowEnemies\0\g_gametype\sd\gamename\Call of Duty 4\mapname\mp_crash\protocol\6\shortversion\1.7\sv_allowAnonymous\0\sv_disableClientConsole\0\sv_floodprotect\4\sv_hostname\PLAYT^6i^7ME Server\sv_maxclients\12\sv_maxPing\0\sv_maxRate\25000\sv_minPing\0\sv_privateClients\0\sv_punkbuster\1\sv_pure\1\sv_voice\0\ui_maxclients\12\pswrd\1\mod\1

statusResponse
\_Admin\admin\g_compassShowEnemies\0\g_gametype\war\gamename\Call of Duty 4\mapname\mp_crossfire\protocol\6\shortversion\1.7\sv_allowAnonymous\0\sv_disableClientConsole\0\sv_floodprotect\1\sv_hostname\COD4 Server\sv_maxclients\10\sv_maxPing\350\sv_maxRate\5000\sv_minPing\0\sv_privateClients\0\sv_punkbuster\1\sv_pure\1\sv_voice\1\ui_maxclients\32\pswrd\0\mod\0

By doing this they are keeping their IP from being seen and are managing to take down the server.

We are looking into getting a hardware-based firewall; will this help at all?

Any ideas??
Anyone??
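The two traffic patterns this thread describes, the flood of "Source Engine Query" packets from post #1 and the reflected Call of Duty statusResponse datagrams from post #9, can be told apart offline from a capture by payload alone. The Python detector below is an added example, not code from any poster or from the query-cache tools linked above. It runs over a constructed list of datagrams (timestamp, source address, UDP payload) using RFC 5737 documentation addresses; the 25-byte A2S_INFO payload is the documented Source query, and the threshold of 5 queries per second per source is an assumed tuning value, not a figure from the thread.

```python
"""Offline classifier for SRCDS UDP traffic, as a defender would run it over
a capture: flags sources that flood A2S_INFO ("Source Engine Query") requests
and sources that deliver Quake3-style statusResponse datagrams, which a Source
server never asked for.  Sample traffic is constructed inline; no network I/O."""
from collections import defaultdict, deque

# Documented Source A2S_INFO request: 4 x 0xFF header, 'T', the query string, NUL.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"   # 25 bytes
# Quake3/CoD protocol prefix seen in the reflected traffic quoted in the thread.
Q3_STATUS_RESPONSE = b"\xff\xff\xff\xffstatusResponse"


def classify(payload: bytes) -> str:
    """Map one UDP payload to a coarse protocol label."""
    if payload == A2S_INFO_QUERY:
        return "a2s_info"
    if payload.startswith(Q3_STATUS_RESPONSE):
        return "q3_status_response"        # foreign protocol, never valid here
    if payload[:4] == b"\xff\xff\xff\xff":
        return "source_connectionless"     # other Source out-of-band packets
    return "other"                         # in-band game traffic or noise


class SlidingWindowCounter:
    """Per-key event count over the trailing `window` seconds."""

    def __init__(self, window: float, limit: int):
        self.window = window
        self.limit = limit
        self.events = defaultdict(deque)

    def hit(self, key: str, ts: float) -> bool:
        """Record an event; return True once `key` exceeds `limit` in the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def analyse(datagrams, window: float = 1.0, limit: int = 5) -> dict:
    """Return the set of A2S_INFO flooders and the set of statusResponse reflectors.

    `datagrams` is an iterable of (timestamp_seconds, src_ip, payload_bytes),
    ordered by time as a capture would be.  `limit` queries per `window` seconds
    from one source is the assumed threshold for calling a source a flooder.
    """
    counter = SlidingWindowCounter(window, limit)
    flooding, reflectors = set(), set()
    for ts, src, payload in datagrams:
        kind = classify(payload)
        if kind == "a2s_info" and counter.hit(src, ts):
            flooding.add(src)
        elif kind == "q3_status_response":
            reflectors.add(src)
    return {"flooding": flooding, "reflectors": reflectors}


def build_sample():
    """Constructed capture: one polite server browser, one flooder, two reflectors."""
    dgs = []
    # Legitimate server browser (constructed): one A2S_INFO query every 10 s.
    for i in range(3):
        dgs.append((i * 10.0, "192.0.2.5", A2S_INFO_QUERY))
    # Flood source (constructed): 200 queries inside one second, 5 ms apart.
    for i in range(200):
        dgs.append((30.0 + i * 0.005, "198.51.100.7", A2S_INFO_QUERY))
    # Reflected CoD status replies (constructed, shortened to the distinguishing prefix).
    body = b"\n\\gamename\\Call of Duty 4\\protocol\\6"
    dgs.append((31.0, "203.0.113.10", Q3_STATUS_RESPONSE + body))
    dgs.append((31.2, "203.0.113.11", Q3_STATUS_RESPONSE + body))
    return dgs


SAMPLE = build_sample()

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("A2S_INFO flooders :", sorted(result["flooding"]))
    print("statusResponse reflectors:", sorted(result["reflectors"]))
```

The statusResponse check is payload-based and does not depend on the source address, which matters because the reflecting hosts are real CoD clients rather than the attacker. The flooder list, by contrast, is keyed on a source address that UDP lets an attacker spoof (as post #1 notes), so it is input for rate limiting at the edge rather than a blocklist on its own.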
#10
Possibly if you can filter out any packet that isn't required for source connections.
#11
Or you could write to the operators of the CoD master list and inform them of this abuse. They might have an interest of their own in filtering out those IPs, e.g. by checking whether the IP really is a CoD server. Then you/we would get only one single (or at least very few) requests from the master server until it recognizes that the server is not of the right kind.
#12
(12-08-2010, 06:07 PM)BehaartesEtwas Wrote:  or you could write to the operators of the CoD master list and inform them of this abuse. they might have an interest on their own to filter out those IPs e.g. by checking if the IP really is a CoD server. then you/we will get only one single (or at least very few) requests by the master server until it recognizes the server not to be of the right kind.

You know who owns CoD, right? I doubt they would do anything unless you waved something that involves money or liability in front of them.
#13
well, it's their master list that gets compromised...
#14
:/ I wouldn't think they would care.