Attack on server



DaWe
8th September 2017, 13:06
Hello killtube,
someone is sending millions of packets to my server that are the same as the packets real clients send.
When the attack is active, I can see only "Hitch warning: X msec frame time" and "SV_AuthorizeIpPacket: challenge not found" in the console, and the server is consuming a lot of CPU.
He is also sending the attack directly to port 28960, because servers on other ports work without any problems.
As far as I know it should be fixed by using libcod; I'm using the latest libcod by voron, but it looks like it doesn't help.

Can you please help me with setting up firewall or so?

feanor
8th September 2017, 19:19
The answer will be: use libcod. Yes, use libcod :D Are you sure you are using libcod? :D

DaWe
8th September 2017, 19:39
Hi feanor, yes, I'm using libcod :D All functions from libcod work (including MySQL etc.).

Jumper
8th September 2017, 21:33
:confused:

Mitch
9th September 2017, 07:09
With iptraf (https://linux.die.net/man/8/iptraf) you can find out where the traffic comes from and block the IP using iptables.

Block IP via iptables.

iptables -A INPUT -s IP-ADDRESS -j DROP

DaWe
9th September 2017, 11:16
He is sending it from something like 40k IP addresses in a few seconds, and the addresses change all the time. Also, all the IP addresses are spoofed (faked).

Mitch
9th September 2017, 12:22
Rate limiting via iptables might work better with that amount of traffic.

e.g.

# Chain that marks the source as blocked and drops the packet
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
# Chain that inspects UDP packets for "getstatus" queries
iptables -N QUERY-CHECK
# Offset 32 = 20-byte IP header + 8-byte UDP header + the 4 bytes of 0xFF that start
# a Quake3-style out-of-band packet; anything that is not a getstatus query goes back to INPUT
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
# Sources blocked within the last 30 seconds stay blocked (their last-seen time is refreshed)
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# More than 15 getstatus per second from one source IP -> block that source
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 15/second -j QUERY-BLOCK
# Send all traffic for the game port range through the check
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK

You could also try to only allow valid traffic e.g.



# Default policies: drop everything that is not explicitly allowed, let outgoing traffic through
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP # syn flood
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP # bogus TCP flags
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 28960 -j ACCEPT # game server port
# ACCEPT all ports (+ used protocol) you are using for incoming traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accepts traffic requested by your server

DaWe
9th September 2017, 18:58
Hello, I'm not at home right now. I will test it tomorrow and let you know if it helped. Thanks :)

Mitch
9th September 2017, 22:08
You can also dump part of the traffic to a file and analyse it using Wireshark.
Then you can find out what kind of traffic your server is being flooded with.


tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap
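A capture like that is too big to read by hand, so here is an added example (mine, not code from the thread, from libcod or from the game) of triaging it offline: a standard-library Python script that walks the pcap, takes the Quake3-style out-of-band command word (the four 0xFF bytes followed by getchallenge, getstatus, getinfo, connect, ...) from every UDP payload to port 28960, and counts packets per command and per source address. It assumes a classic pcap file with an Ethernet link type, which is what tcpdump writes by default, and IPv4 only; the embedded sample capture is constructed for the demonstration (addresses from the documentation ranges, no real traffic), and the script name used in the usage line is assumed.

```python
"""
Offline triage of a capture made with
    tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap
Standard library only: parses the classic pcap container, Ethernet/IPv4/UDP
headers and the Quake3-style out-of-band header (four 0xFF bytes, then the
command word) that CoD2 uses for getchallenge/getstatus/getinfo/connect.
"""
import struct
import sys
from collections import Counter

GAME_PORT = 28960
OOB_MAGIC = b"\xff\xff\xff\xff"


def parse_pcap(data):
    """Yield (src_ip, dst_port, udp_payload) for every UDP/IPv4 packet in a classic pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian pcap, what tcpdump writes on x86
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                                        # not UDP
            continue
        src_ip = ".".join(str(b) for b in ip[12:16])
        udp = ip[ihl:]
        _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield src_ip, dport, udp[8:ulen]


def oob_command(payload):
    """Return the out-of-band command word ('getchallenge', ...) or None for in-band traffic."""
    if not payload.startswith(OOB_MAGIC):
        return None
    word = payload[4:].split(b" ", 1)[0].split(b"\n", 1)[0]
    return word.decode("ascii", "replace")


def summarize(data, port=GAME_PORT):
    """Count OOB commands and source IPs hitting the game port; many one-shot sources suggest spoofing."""
    commands, sources = Counter(), Counter()
    for src_ip, dport, payload in parse_pcap(data):
        if dport != port:
            continue
        commands[oob_command(payload) or "in-band"] += 1
        sources[src_ip] += 1
    return {
        "commands": dict(commands),
        "unique_sources": len(sources),
        "single_packet_sources": sum(1 for n in sources.values() if n == 1),
        "top_sources": sources.most_common(3),
    }


# --- constructed sample capture (not real traffic) ---------------------------
def make_frame(src_ip, payload, dport=GAME_PORT, sport=27005):
    """Build Ethernet+IPv4+UDP bytes; checksums are left zero, the parser ignores them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xa1b2c3d4, Ethernet link type)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1505000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_FRAMES = (
    [make_frame("192.0.2.10", OOB_MAGIC + b"getstatus\n")] * 3
    + [make_frame("192.0.2.10", OOB_MAGIC + b'connect "\\cl_guid\\0\\name\\player"')]
    + [make_frame("192.0.2.10", b"\x00\x01\x02\x03in-band game data")]
    # 40 spoofed sources sending one getchallenge each: the pattern described in the thread
    + [make_frame("198.51.100.%d" % i, OOB_MAGIC + b"getchallenge\n") for i in range(1, 41)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, value in summarize(data).items():
        print(key, value)
```

Run it as `python3 triage.py output.pcap` (the file name is assumed). A flood of the kind described in the thread, with thousands of sources each sending a single getchallenge, shows up as a single_packet_sources count close to unique_sources next to one dominant command. That pattern is also why per-source rate limiting with hashlimit or recent cannot help here: no spoofed source ever sends enough packets to cross the threshold, so the rules never fire, while the packets have already used up the link and the CPU time.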

IzNoGoD
10th September 2017, 09:44
Does that capture UDP?

Mitch
10th September 2017, 10:37
Yes, the name is misleading.

https://en.wikipedia.org/wiki/Tcpdump

It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

DaWe
13th September 2017, 08:25
Hello, sorry for the late answer, but it did not help. I tried "tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap".
The file size was about 100 MB after a few seconds; when I opened it, there were so many IP addresses sending packets to port 28960.

All packets were very similar to this (I don't know if you need it; if you need something else, send me a PM or so):


Is there anything else I can try? :/

IzNoGoD
14th September 2017, 08:02
Well, given that the getchallenge packets already reach your server, there's very little you can do. If you ask your provider to block getchallenge at the network level, then players would not be able to join. If you were to try and block (or filter) it on your own VPS, you would still saturate your network port, causing packet loss for your clients.