getstatus source ip



v1rto
17th February 2023, 14:18
Hi, I have modified the libcod getstatus function to allow a certain IP with no limits, but limit all others; my language knowledge isn't the best, but it works.
Now how can I modify this to load a list query_whitelist.txt of whitelisted IPs into an array in libcod and check them the same way?
I have only 1 IP for now, but want it to be more flexible, so as not to have it hardcoded and have to recompile to change it or add more.



void hook_SVC_Status(netadr_t from)
{
    char ip[64];
    // Render the 4 raw address bytes as a dotted quad for the string compare below
    Com_sprintf (ip, sizeof(ip), "%i.%i.%i.%i", from.ip[0], from.ip[1], from.ip[2], from.ip[3]);

    // Whitelisted address: answer without any rate limiting
    if ( strcmp(ip, "XXX.XXX.XXX.XXX") == 0)
    {
        SVC_Status(from);
    }
    else
    {
        // Prevent using getstatus as an amplifier
        // 3x in 5 minutes per address
        if ( SVC_RateLimitAddress( from, 3, 200000 ) )
        {
            Com_DPrintf( "SVC_Status: rate limit from %s exceeded, dropping request\n", NET_AdrToString( from ) );
            return;
        }

        // Global
        // Allow getstatus to be DoSed relatively easily, but prevent
        // excess outbound bandwidth usage when being flooded inbound
        if ( SVC_RateLimit( &outboundLeakyBucket, 5, 1000 ) )
        {
            Com_DPrintf( "SVC_Status: rate limit exceeded, dropping request\n" );
            return;
        }

        SVC_Status(from);
    }
}

kung foo man
17th February 2023, 16:16
I wouldn't overcomplicate it, something like:



#include <stdio.h>
#include <string.h>

int main() {
    const char *ips = "127.0.0.1 234.44.23.52 1.2.3.4";
    const char *test1 = "1.2.3.4";
    const char *test2 = "2.3.4.5";
    /* strstr() is a substring search: non-NULL means the probe occurs somewhere in ips */
    printf("%s is%sin %s\n", test1, strstr(ips, test1) ? " " : " NOT ", ips);
    printf("%s is%sin %s\n", test2, strstr(ips, test2) ? " " : " NOT ", ips);
    return 0;
}


Output:



1.2.3.4 is in 127.0.0.1 234.44.23.52 1.2.3.4
2.3.4.5 is NOT in 127.0.0.1 234.44.23.52 1.2.3.4


And ips you can just get from a cvar?

v1rto
17th February 2023, 16:39
Hmm, so I'm a bit confused. Can I use cvar_t to define, for example, "sv_querywhitelist" and then use that in the server config, for example sv_querywhitelist "127.0.0.1 234.44.23.52 1.2.3.4"?
How would I then check that list against the source IP in the libcod code? I also don't know if my current check is correct and performant, as I don't really know C++ well :D

kung foo man
18th February 2023, 09:42
Hmm, so I'm a bit confused. Can I use cvar_t to define, for example, "sv_querywhitelist" and then use that in the server config, for example sv_querywhitelist "127.0.0.1 234.44.23.52 1.2.3.4"?
How would I then check that list against the source IP in the libcod code? I also don't know if my current check is correct and performant, as I don't really know C++ well :D

You can take a look at https://github.com/M-itch/libcod/blob/e58d6a01b11c911fbf886659b6ea67795776cf4a/libcod.cpp#L52

Mostly self-explanatory: you get a reference to the cvar and can just compare the current IP with the list of cvar IPs. I don't see a huge performance issue, but if needed you could of course optimize it (mostly overcomplicating here).

IzNoGoD
19th February 2023, 09:16
I'd say load the cvar on server load (don't update it at runtime), let some C code extract the stuff, store it in the 4 bytes of netadr_t and compare that at run-time (a 4-byte compare for every getstatus you get). Probably best to store them in a fixed-size array with a size indicator for how many are populated.

kung foo man
19th February 2023, 09:57
Depending on the amount of IPs, searching a linear array isn't very effective either. So we could escalate this into either "use a hashmap" or "do a binary search of sorted IPs".

How many IPs are supposed to be whitelisted?
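
Putting the two suggestions above together (IzNoGoD's fixed-size array of 4-byte addresses with a population count, parsed once at load time, and kung foo man's sorted array with binary search), here is an added example that is not code from this thread or from libcod. The type and function names (`ip_whitelist_t`, `whitelist_load`, `whitelist_contains`), the `MAX_WHITELIST` cap and the sample cvar value are all made up for the example; in the real hook, `whitelist_contains(&wl, from.ip)` would replace the `strcmp` from the first post, and the string passed to `whitelist_load` can come from the cvar or from a file read at server start. Because the comparison is on the parsed 4 bytes rather than a substring search, a probe such as "11.2.3.45" is correctly rejected even though "1.2.3.4" is a substring of it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_WHITELIST 64  /* assumed cap; the fixed-size array IzNoGoD describes */

/* Whitelist parsed once at startup: fixed-size array plus population count.
 * Entries are kept sorted so the per-packet lookup can binary-search. */
typedef struct {
    uint32_t addr[MAX_WHITELIST];
    int count;
} ip_whitelist_t;

/* Parse one dotted quad into a big-endian uint32. Returns 1 on success, 0 on
 * malformed input (wrong octet count, octet out of range, trailing garbage). */
int parse_ipv4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (*s < '0' || *s > '9') return 0;      /* reject signs, empty octets */
        long octet = strtol(s, &end, 10);
        if (octet < 0 || octet > 255) return 0;
        v = (v << 8) | (uint32_t)octet;
        s = end;
        if (i < 3) {
            if (*s != '.') return 0;
            s++;
        }
    }
    if (*s != '\0') return 0;
    *out = v;
    return 1;
}

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Build the whitelist from a space-separated list such as the cvar value
 * "127.0.0.1 234.44.23.52 1.2.3.4". Malformed or surplus tokens are skipped;
 * the number skipped is returned so it can be logged at startup. */
int whitelist_load(ip_whitelist_t *wl, const char *list) {
    char buf[1024];
    int bad = 0;
    wl->count = 0;
    strncpy(buf, list, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, " \t,\r\n"); tok; tok = strtok(NULL, " \t,\r\n")) {
        uint32_t a;
        if (wl->count >= MAX_WHITELIST || !parse_ipv4(tok, &a)) { bad++; continue; }
        wl->addr[wl->count++] = a;
    }
    qsort(wl->addr, (size_t)wl->count, sizeof(uint32_t), cmp_u32);
    return bad;
}

/* Per-packet check on the 4 raw bytes of netadr_t.ip: O(log n) binary search,
 * exact match only, no string formatting on the hot path. */
int whitelist_contains(const ip_whitelist_t *wl, const unsigned char ip[4]) {
    uint32_t key = ((uint32_t)ip[0] << 24) | ((uint32_t)ip[1] << 16) |
                   ((uint32_t)ip[2] << 8) | (uint32_t)ip[3];
    return bsearch(&key, wl->addr, (size_t)wl->count, sizeof(uint32_t), cmp_u32) != NULL;
}

/* Convenience for the demo: check a dotted-quad string against the list. */
int whitelist_contains_str(const ip_whitelist_t *wl, const char *s) {
    uint32_t a;
    unsigned char ip[4];
    if (!parse_ipv4(s, &a)) return 0;
    ip[0] = (unsigned char)(a >> 24); ip[1] = (unsigned char)(a >> 16);
    ip[2] = (unsigned char)(a >> 8);  ip[3] = (unsigned char)a;
    return whitelist_contains(wl, ip);
}

int main(void) {
    ip_whitelist_t wl;
    /* constructed sample cvar value, including one deliberately malformed entry */
    int bad = whitelist_load(&wl, "127.0.0.1 234.44.23.52 1.2.3.4 999.1.1.1");
    printf("loaded %d entries, %d rejected\n", wl.count, bad);
    const char *probes[] = { "1.2.3.4", "2.3.4.5", "11.2.3.45" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", probes[i],
               whitelist_contains_str(&wl, probes[i]) ? "whitelisted" : "rate limited");
    return 0;
}
```

With only a handful of entries the binary search buys nothing measurable over a linear scan, but the same structure scales if the list grows, and the load-time validation means a typo in the cvar shows up in the startup log instead of silently never matching.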

v1rto
19th February 2023, 15:20
Only one IP :D but as I said, it's not completely excluded that there will be more, or that this one changes. I was bored and thought I'd make this prettier and more future-proof, but I guess I am overcomplicating it.
I thought it would be easy to just load a txt file with the whitelisted IP/s at server start, something like TS3 does. Anyway, thanks for your time and suggestions.

I have one more question: my server was once DDoSed with about 150Kpps of small useless NTP packets, and the server would respond to them with ffffdisconnect at a 42Kpps rate with about the same bandwidth. Can anything be done with libcod? Why is the server responding to that in the first place?

dacajoca
21st February 2023, 19:40
Only one IP :D but as I said, it's not completely excluded that there will be more, or that this one changes. I was bored and thought I'd make this prettier and more future-proof, but I guess I am overcomplicating it.
I thought it would be easy to just load a txt file with the whitelisted IP/s at server start, something like TS3 does. Anyway, thanks for your time and suggestions.

I have one more question: my server was once DDoSed with about 150Kpps of small useless NTP packets, and the server would respond to them with ffffdisconnect at a 42Kpps rate with about the same bandwidth. Can anything be done with libcod? Why is the server responding to that in the first place?

Hi!
First, you must know this: if bad traffic (any bad traffic, whether 4KB/s or 4GB/s) comes through the router from the service (hosting) provider, the DDoS is initiated from your server (a DDoS on the Q3 engine does not come from outside; a DDoS on the Q3 engine only causes your server to start sending an endless number of packets). The only effective protection for a CoD2 server is to choose a provider who guarantees DDoS protection and who has a firewall configured on his routers for CoD2 DDoS protection (be careful: you must ask whether that provider guarantees 100% CoD2 DDoS protection).

v1rto
21st February 2023, 20:56
I know once the traffic hits my server it's too late; my servers can't be used for DDoSing others, as they respond very conservatively to queries. I was specifically talking about the server responding with disconnect packets to NTP traffic, which I mitigated by allowing NTP traffic only on port 123 for date sync. But thanks for the input.