
Thread: Attack on server

  1. #1
    Private
    Join Date
    Mar 2014
    Location
    Czech Republic
    Posts
    11
    Thanks
    1
    Thanked 2 Times in 1 Post

    Attack on server

    Hello killtube,
    someone is sending millions of packets that are the same as packets from real clients to my server.
    When the attack is active, I can see only "Hitch warning: X msec frame time" and "SV_AuthorizeIpPacket: challenge not found" in the console, and the server is consuming a lot of CPU.
    He is also sending the attack directly to port 28960, because servers on other ports work without any problem.
    As far as I know it should be fixed by using libcod; I'm using the latest libcod by voron, but it looks like it doesn't help.

    Can you please help me with setting up firewall or so?
    Last edited by DaWe; 8th September 2017 at 18:44.


  3. #2
    Private First Class
    Join Date
    Nov 2015
    Posts
    128
    Thanks
    37
    Thanked 14 Times in 14 Posts
    The answer will be: use libcod. Yes, use libcod. Are you sure you are using libcod?

  4. #3
    Private
    Join Date
    Mar 2014
    Location
    Czech Republic
    Posts
    11
    Thanks
    1
    Thanked 2 Times in 1 Post
    Hi feanor, yes, I'm using libcod. All functions from libcod work (including MySQL etc.).

  5. #4
    Private Jumper's Avatar
    Join Date
    Aug 2012
    Location
    Germany
    Posts
    31
    Thanks
    7
    Thanked 8 Times in 4 Posts
    Don't drink and drive, smoke a joint and fly home.

  6. #5
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    With iptraf you can find out where the traffic comes from and block the IP using iptables.

    Block IP via iptables.
    Code:
    iptables -A INPUT -s IP-ADDRESS -j DROP

  7. #6
    Private
    Join Date
    Mar 2014
    Location
    Czech Republic
    Posts
    11
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote Originally Posted by Mitch View Post
    With iptraf you can find out where the traffic comes from and block the IP using iptables.

    Block IP via iptables.
    Code:
    iptables -A INPUT -s IP-ADDRESS -j DROP
    He is sending it from something like 40k IP addresses in a few seconds and the addresses change all the time. Also, all the IP addresses are spoofed (faked).

  8. #7
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Quote Originally Posted by DaWe View Post
    He is sending it from something like 40k IP addresses in a few seconds and the addresses change all the time. Also, all the IP addresses are spoofed (faked).
    Rate limiting via iptables might work better with that amount of traffic.

    e.g.
    Code:
    # Chain that remembers a flooding source and drops the packet
    iptables -N QUERY-BLOCK
    iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
    # Chain that inspects game-port UDP traffic
    iptables -N QUERY-CHECK
    # Bytes 32-41 of the IP packet = 20 (IP header) + 8 (UDP header) + 4 (0xFFFFFFFF OOB prefix); anything that is not "getstatus" there is left alone
    iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    # Sources already flagged stay blocked for 30 seconds after their last packet
    iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    # More than 15 getstatus per second from one source -> flag and drop
    iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 15/second -j QUERY-BLOCK
    iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
    You could also try to only allow valid traffic e.g.

    Code:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP # syn flood
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP # bogus TCP flags
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 28960 -j ACCEPT
    # ACCEPT all ports (+ used protocol) you are using for incoming traffic
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accepts traffic requested by your server
    Last edited by Mitch; 9th September 2017 at 13:30.

  9. #8
    Private
    Join Date
    Mar 2014
    Location
    Czech Republic
    Posts
    11
    Thanks
    1
    Thanked 2 Times in 1 Post
    Quote Originally Posted by Mitch View Post
    Rate limiting via iptables might work better with that amount of traffic.
    [...]
    Hello, I'm not home right now. I will test it tomorrow and let you know if it helped. Thanks.

  10. #9
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Quote Originally Posted by DaWe View Post
    Hello, I'm not home right now. I will test it tomorrow and let you know if it helped. Thanks.
    You can also dump part of the traffic to a file and analyse it using Wireshark.
    Then you can find out what kind of traffic your server is being flooded with.

    Code:
    tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap
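
    Mitch's two suggestions above (the per-source hashlimit of 15 getstatus packets per second in post #7, and dumping the game port to a pcap for analysis in post #9) fit together: the capture tells you which command word and which sources make up the flood, which is what the rate-limit rule keys on. The script below is an added example, not code from the thread or from libcod. It parses a classic libpcap file in pure Python, extracts the out-of-band command that follows the 0xFFFFFFFF prefix of a Quake3-engine packet, and lists sources that exceed the same 15 packets/second threshold. The pcap bytes are constructed inline so it runs offline; the IP addresses, the 15 pps limit and the port are assumptions taken from the thread.

```python
"""Offline triage of a CoD2/Quake3-style UDP capture (constructed data).

Added example, not part of the thread. Mirrors what the thread's iptables
rules look at: bytes 32..41 of the IP packet are 20 (IP) + 8 (UDP) + 4 (the
0xFFFFFFFF out-of-band prefix), where the command word starts.
"""
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond stamps
ETH_HDR_LEN = 14
OOB_PREFIX = b"\xff\xff\xff\xff"
RATE_LIMIT_PPS = 15          # assumed: same as --hashlimit-above 15/second in the thread
GAME_PORT = 28960            # assumed: the port named in the thread


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return (src_ip, dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 28 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                              # protocol 17 = UDP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    udp = ip[ihl:]
    dport, = struct.unpack_from("!H", udp, 2)
    return src, dport, udp[8:]


def oob_command(payload):
    """Command word of an out-of-band packet ('getstatus', 'getinfo', 'connect', ...)."""
    if not payload.startswith(OOB_PREFIX):
        return "in-band"                         # connected-client traffic, no prefix
    word = payload[4:].split(b" ", 1)[0].split(b"\n", 1)[0]
    return word.decode("ascii", "replace") or "empty"


def analyse(pcap_bytes, port=GAME_PORT, limit=RATE_LIMIT_PPS):
    """Count command words on the game port and flag sources above `limit` pps."""
    commands = Counter()
    per_src_sec = defaultdict(Counter)           # src -> second -> packet count
    for ts, frame in parse_pcap(pcap_bytes):
        parsed = udp_payload(frame)
        if parsed is None or parsed[1] != port:
            continue
        src, _, payload = parsed
        commands[oob_command(payload)] += 1
        per_src_sec[src][int(ts)] += 1
    flooders = sorted(src for src, secs in per_src_sec.items() if max(secs.values()) > limit)
    return commands, flooders


# --- constructed sample capture (no real traffic) ---------------------------
def build_frame(src_ip, payload, dport=GAME_PORT):
    """Ethernet + IPv4 + UDP frame with a zeroed checksum (fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 1]))
    return eth + ip + udp


def build_pcap(packets):
    """Classic pcap: 24-byte global header, then 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(f), len(f)) + f
                    for ts, f in packets)
    return hdr + body


def sample_capture():
    """Constructed: one legitimate client, one source sending 40 getstatus in one second."""
    pkts = [(100.0, build_frame("192.0.2.10", OOB_PREFIX + b"getinfo xxx")),
            (100.5, build_frame("192.0.2.10", OOB_PREFIX + b"connect \"\\name\\Player\""))]
    pkts += [(101.0 + i / 50, build_frame("198.51.100.7", OOB_PREFIX + b"getstatus"))
             for i in range(40)]
    pkts.append((101.9, build_frame("192.0.2.10", b"\x00\x01in-band data")))
    pkts.append((102.0, build_frame("203.0.113.5", OOB_PREFIX + b"getstatus", dport=28961)))
    return build_pcap(pkts)


if __name__ == "__main__":
    cmds, flooders = analyse(sample_capture())
    print("commands:", dict(cmds))
    print("sources above limit:", flooders)
```

    To use it on a real file, replace `sample_capture()` with `open("output.pcap", "rb").read()`; the parser only handles the classic pcap format with Ethernet link type, so save the capture with tcpdump as in the post rather than as pcapng. A source that the script flags is exactly one the `hashlimit` rule in post #7 would send to `QUERY-BLOCK`.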

  11. #10
    Assadministrator IzNoGoD's Avatar
    Join Date
    Aug 2012
    Posts
    1,718
    Thanks
    17
    Thanked 1,068 Times in 674 Posts
    Quote Originally Posted by Mitch View Post
    You can also dump part of the traffic to a file and analyse it using Wireshark.
    Then you can find out what kind of traffic your server is being flooded with.

    Code:
    tcpdump -G 60 -W 1 -i eth0 'port 28960' -w output.pcap
    Does that capture UDP?
    "Does not work" is an error report for a bug between keyboard and chair.

    All hail Artie Effem
