
Thread: getstatus source ip

  1. #1

    getstatus source ip

    Hi, I have modified the libcod getstatus function to allow a certain IP with no limits, but limit all others. My language knowledge isn't the best, but it works.
    Now how can I modify this to load a list, query_whitelist.txt, of whitelisted IPs into an array in libcod and check them the same way?
    I have only 1 IP for now, but want it to be more flexible, so as not to have it hardcoded and have to recompile to change it or add more.

    Code:
    void hook_SVC_Status(netadr_t from)
    {
    	char ip[64];
    	Com_sprintf (ip, sizeof(ip), "%i.%i.%i.%i", from.ip[0], from.ip[1], from.ip[2], from.ip[3]);
    	
    	if ( strcmp(ip, "XXX.XXX.XXX.XXX") == 0)
    	{
    		SVC_Status(from);
    	}
    	else
    	{
    		// Prevent using getstatus as an amplifier
    		// 3x in 5 minutes per address
    		if ( SVC_RateLimitAddress( from, 3, 200000 ) )
    		{
    			Com_DPrintf( "SVC_Status: rate limit from %s exceeded, dropping request\n", NET_AdrToString( from ) );
    			return;
    		}
    
    		// Global
    		// Allow getstatus to be DoSed relatively easily, but prevent
    		// excess outbound bandwidth usage when being flooded inbound
    		if ( SVC_RateLimit( &outboundLeakyBucket, 5, 1000 ) )
    		{
    			Com_DPrintf( "SVC_Status: rate limit exceeded, dropping request\n" );
    			return;
    		}
    
    		SVC_Status(from);
    	}
    }
    Last edited by v1rto; 17th February 2023 at 14:26.

  3. #2
    Assadministrator kung foo man's Avatar
    I wouldn't overcomplicate it, something like:

    PHP Code:
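    #include "stdio.h"
    #include "string.h"
    int main() {
        // Space-separated list of allowed IPs and two addresses to look up
        const char *ips = "127.0.0.1 234.44.23.52 1.2.3.4";
        const char *test1 = "1.2.3.4";
        const char *test2 = "2.3.4.5";
        // strstr() returns non-NULL when the test string occurs anywhere in ips
        printf("%s is %s in %s\n", test1, strstr(ips, test1) ? "     " : " NOT ", ips);
        printf("%s is %s in %s\n", test2, strstr(ips, test2) ? "     " : " NOT ", ips);
        return 0;
    }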

    Output:

    PHP Code:
    1.2.3.4 is       in 127.0.0.1 234.44.23.52 1.2.3.4
    2.3.4.5 is  NOT  in 127.0.0.1 234.44.23.52 1.2.3.4 
    And ips you can just get from a cvar?
    timescale 0.01

  5. #3
    Hmm, so I'm a bit confused. Can I use the cvar_t to define, for example, "sv_querywhitelist" and then use that in the server config, for example sv_querywhitelist "127.0.0.1 234.44.23.52 1.2.3.4"?
    How would I then check that list against the source IP in libcod code? I also don't know if my current check is correct and performant, as I don't really know C++ well.
    Last edited by v1rto; 17th February 2023 at 16:42.

  6. #4
    Assadministrator kung foo man's Avatar
    Quote Originally Posted by v1rto View Post
    Hmm, so I'm a bit confused. Can I use the cvar_t to define, for example, "sv_querywhitelist" and then use that in the server config, for example sv_querywhitelist "127.0.0.1 234.44.23.52 1.2.3.4"?
    How would I then check that list against the source IP in libcod code? I also don't know if my current check is correct and performant, as I don't really know C++ well.
    You can take a look at https://github.com/M-itch/libcod/blo...libcod.cpp#L52

    Mostly self-explaining, you get a reference to the cvar and can just compare the current IP with the list of cvar ips. I don't see a huge performance issue, but if needed, you could of course optimize it (mostly overcomplicating here).

  8. #5
    Assadministrator IzNoGoD's Avatar
    I'd say load the cvar on server load (don't update it runtime), let some c-code extract the stuff, store it in the 4 bytes of netadr_t and compare that run-time (4 byte compare for every getstatus you get). Probably best to store them in a fixed-size array with a size indicator for how many are populated.
    "Does not work" is an error report for a bug between keyboard and chair.

    All hail Artie Effem
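
IzNoGoD's suggestion above (parse the cvar string once at load, keep each address as 4 bytes in a fixed-size array with a count, and do a 4-byte compare per getstatus), as an added example; it is not code from the thread or from libcod, and the names `query_whitelist_load`, `query_whitelist_contains` and `QUERY_WHITELIST_MAX` are hypothetical. It matches parsed octets rather than using `strstr`, because a substring search for 1.2.3.4 also matches a list entry such as 11.2.3.45.

```c
#include <stdio.h>
#include <string.h>
#define QUERY_WHITELIST_MAX 16                 /* hypothetical capacity */
static unsigned char wl_ips[QUERY_WHITELIST_MAX][4];
static int wl_count;                           /* number of populated slots */

/* Strict dotted quad: exactly four decimal octets 0..255, nothing else. */
static int parse_ipv4(const char *s, unsigned char out[4])
{
    for (int i = 0; i < 4; i++) {
        int val = 0, digits = 0;
        for (; *s >= '0' && *s <= '9' && digits < 3; digits++)
            val = val * 10 + (*s++ - '0');
        if (digits == 0 || val > 255 || *s++ != (i < 3 ? '.' : '\0'))
            return 0;
        out[i] = (unsigned char)val;
    }
    return 1;
}

/* Call once at server start with the cvar string. Returns entries stored,
   or -1 if the list does not fit (a truncated token is never parsed). */
int query_whitelist_load(const char *list)
{
    char buf[512];
    wl_count = 0;
    if (strlen(list) >= sizeof(buf)) return -1;
    strcpy(buf, list);
    for (char *t = strtok(buf, " \t\r\n"); t && wl_count < QUERY_WHITELIST_MAX;
         t = strtok(NULL, " \t\r\n"))
        if (parse_ipv4(t, wl_ips[wl_count]))   /* malformed entries are skipped */
            wl_count++;
    return wl_count;
}

/* Per-request check: a 4-byte compare against each populated slot. */
int query_whitelist_contains(const unsigned char ip[4])
{
    for (int i = 0; i < wl_count; i++)
        if (memcmp(wl_ips[i], ip, 4) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char probe[4] = {1, 2, 3, 4};     /* constructed sample input */
    int n = query_whitelist_load("127.0.0.1 11.2.3.45 999.1.1.1 1.2.3");
    printf("loaded=%d, 1.2.3.4 listed=%d\n", n, query_whitelist_contains(probe));
}
```

In `hook_SVC_Status` the check would be given `from.ip`. getstatus arrives as a connectionless UDP packet, so the source address is not authenticated; keeping the global outbound limit in front of allowlisted addresses bounds what a forged source can draw.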

  10. #6
    Assadministrator kung foo man's Avatar
    Depending on the amount of IPs, searching a linear array isn't very effective either. So we could escalate this into either "use a hashmap" or "do binary search of sorted IPs".

    How many IPs are supposed to be whitelisted?

  11. #7
    Only one IP, but as I said, it's not completely excluded that there won't be more, or that this one is changed. I was bored and thought to make this prettier and more future-proof, but I guess I am overcomplicating it.
    I thought it would be easy to just load a txt file with whitelisted IP/s at server start, something like TS3 does. Anyway, thanks for your time and suggestions.

    I have one more question: my server was once DDoSed with about 150Kpps of small useless NTP packets, and the server would respond to them with ffffdisconnect at a 42Kpps rate with about the same bandwidth. Can anything be done with libcod? Why is the server responding to that in the first place?

  12. #8
    Quote Originally Posted by v1rto View Post
    Only one IP, but as I said, it's not completely excluded that there won't be more, or that this one is changed. I was bored and thought to make this prettier and more future-proof, but I guess I am overcomplicating it.
    I thought it would be easy to just load a txt file with whitelisted IP/s at server start, something like TS3 does. Anyway, thanks for your time and suggestions.

    I have one more question: my server was once DDoSed with about 150Kpps of small useless NTP packets, and the server would respond to them with ffffdisconnect at a 42Kpps rate with about the same bandwidth. Can anything be done with libcod? Why is the server responding to that in the first place?
    Hi !
    First, you must know this: if bad traffic (any bad traffic, whether it is 4 KB/s or 4 GB/s) comes through the router from the service (hosting) provider, it initiates a DDoS from your server (a DDoS on the Q3 engine does not come from outside; a DDoS on the Q3 engine only makes your server start sending an endless number of packets). The only effective protection for a CoD2 server is to choose a provider who guarantees DDoS protection and who has a firewall configured on its routers for CoD2 DDoS protection (be careful: you must ask whether that provider 100% guarantees CoD2 DDoS protection).

  13. #9
    I know once the traffic hits my server it's too late. My servers can't be used for DDoSing others, as it's responding very conservatively to queries. I was specifically talking about the server responding with disconnect packets to NTP traffic, which I mitigated by allowing NTP traffic only to port 123 for date sync. But thanks for the input.
