Hiding a SRCDS Server

[celltech]

I am not a srcds guru by any means. My kid was hosting a server on our home DSL connection. The connection kept dying and I figured out we were getting thousands of connections a second to port 27015. The resulting flood was enough to take out the DSL router and render it useless.

I kept having the telco release my DHCP lease, I would get a new IP, and the problem would go away for a day or two.

From helping my kid get this up and running I have seen how some central entity (Steam?) is in communication with the server and shows it up and running. Assuming that some jerk is singling out my kid and letting a dos attack fly, is there a way to block the rest of the world from knowing it's up and running? I only want his friends to have access once they have been told the correct IP.

Thanks!

[Stinkyfax]

(03-31-2012, 04:49 AM)celltech Wrote:  I am not a srcds guru by any means. My kid was hosting a server on our home DSL connection. The connection kept dying and I figured out we were getting thousands of connections a second to port 27015. The resulting flood was enough to take out the DSL router and render it useless.

I kept having the telco release my DHCP lease, I would get a new IP, and the problem would go away for a day or two.

From helping my kid get this up and running I have seen how some central entity (Steam?) is in communication with the server and shows it up and running. Assuming that some jerk is singling out my kid and letting a dos attack fly, is there a way to block the rest of the world from knowing it's up and running? I only want his friends to have access once they have been told the correct IP.

Thanks!

if you happen to run linux it will be as easy as writing a rule to drop udp 27015 packets unless IP is whitelisted
If windows, you might have to install some firewall software

[celltech]

The packets are taking out the DSL modem/router upstream of my server. I have no way to interject a powerful firewall before the router.

[Mike]

Well, for any home enviroment I suggest pfSense as a firewall, got an old machine? Install pfSense on it, it's going to run on whatever you put it on lol. Other than that, try to somehow set the master server to 0.0.0.0 via the setmaster command.

[celltech]

My ISP router allows you to dump a configuration file that you can reload if needed. I took a look in the file and found a section that seems to activate rate limiting on certain packet types. I think it was the router trying to block so many messages that caused it to choke. I have changed all the enabled(1) to (0) and reloaded the config. Now to see if the attacks return and how the server/network responds to it.

(protect
(udpflood
(enabled(1))
(rate_limit(30))
)
(icmpflood
(enabled(1))
(rate_limit(30))
)
(synflood
(enabled(1))
(rate_limit(30))

[Mike]

Do you have any ability to find out what attack it was/is? If it's a attack coming from one IP you |may| be able to stop it. Also, I suggest getting your kid to install some addons on his server, DaF and Query Cache would be a start.

[celltech]

Based on the rate_limit logs the router was generating it was all UDP packets coming from multiple source IPs. Each log was showing thousands of packets being blocked from one IP at a time....and each log had a different source IP. The router was choking so hard it might not have been showing me everything.

I will take a look at some addons to see if they can help. I am kinda interested in catching a sample of an attack.... In the end I don't care if his server takes the brunt of the hit, I just need my connection to stay up. I have a 25Mb connection and wonder how much of that they are consuming.

[Mike]

I doubt they are acutally saturating your line, and the udp packets are probably spoofed. I think the packets go right trough and busts your ruter because of the massive amount of packets.