[hlds_linux] A2S_INFO DDOS fix

Discussion in 'HLDS / Valve Linux newsletter' started by Kaspars, Sep 6, 2009.

  1. Kaspars

    Kaspars Guest

    Hi,

    If you are on the hlds windows mailing list, then you probably already know
    about A2S_INFO DDOS attacks. I have mistakenly posted a *fix* on the list
    for *nix servers which I should have posted here.

    In short:
    If your server gets DDoSed with A2S_INFO packets, it will get really laggy.
    Setting sv_max_queries_sec to a low value will make the server disappear
    from the server browser list. I'm providing you with a UDP caching proxy
    which will query the server with A2S_INFO requests not more than once
    every five seconds and respond to the client with the cached data.

    Setup:
    1. Get the source from http://www.gign.lv/tmp/querycache.c
    2. Compile with gcc querycache.c -o querycache
    3. Open a UDP port in the firewall for the proxy server, let's say 21015
    4. Make sure you have iptables NAT, REDIRECT and string match support
    compiled into the kernel or as modules
    5. Execute: iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j REDIRECT --to-port 21015
    6. Run querycache (probably under screen, so you can detach from it)

    I've been DDoSed with about 300 req/sec and it works well; however, I don't
    give any warranty that it will work for you.
    _______________________________________________
    To unsubscribe, edit your list preferences, or view the list archives, please visit:
    http://list.valvesoftware.com/mailman/listinfo/hlds_linux
     
  2. I guess I'll post my fix tool here too, since it is buried down in the
    other discussion.

    Here is a fix for Windows servers that doesn't require a firewall to work:
    http://www.wantedgov.it/page/62-srcds-query-cache/


     
  3. I have seen that you changed your code; the first version was not working for me.
    stdlib is still not included, which leads to some warnings. You have
    defined the response size, but you use the 1000-byte msg.size instead; I
    don't know if this could be a problem, I don't think so.

    Anyway, I have coded my own proxy in PHP, because yours wasn't working. As
    far as I can see, the firewall rule also redirects some packets which are 9 bytes
    long and the A2S_PLAYER request. I have adjusted my proxy to send all malformed
    packets to the server, otherwise you reply with a wrong response.

     
  4. I forgot an important part: your query proxy still has no rate limit. It can
    be used to flood spoofed IPs.


     
  5. Kaspars

    Kaspars Guest

    The firewall rule could be adjusted to this:
    iptables -t nat -A PREROUTING -p udp -d SERVER_IP --dport SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -m length --length 53 -j REDIRECT --to-port 21015

    As for the rate limit... I don't think this is a good idea, because setting
    such a limit will make the server disappear from the browser list for legitimate
    clients. And if you have a good connection, you probably won't notice the
    traffic increase anyway.


    2009/9/6 Ronny Schedel <info (AT) de>

    >
    > I forgot an important part, your query proxy has still no rate limit. It
    > can
    > be used to flood spoofed IP's.
    >
     
  6. Guy Watkins

    Guy Watkins Guest

    Could you use the firewall to rate limit using "-m limit --limit 1/s
    --limit-burst 10" or similar?

    Maybe something like this?
    iptables -t nat -A PREROUTING -p udp -d SERVER_IP --dport SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -m length --length 53 -m limit --limit 1/s --limit-burst 10 -j REDIRECT --to-port 21015

    Maybe you won't even need the proxy if the firewall is limiting the DoS packets?

    I have not tried the above.

     
  7. Kaspars

    Kaspars Guest

    As I said before, you could just set sv_max_queries_sec to a very small
    number, but that would lead to the server not showing up in the server browser
    list. The same goes for the limiting: it will just drop out of the list, and
    that's why there is a proxy which takes the load off the game server.

    I can confirm what Ronny Schedel said, that iptables does sometimes redirect
    wrong packets to the proxy; I'm investigating this now...

     
  8. Guy Watkins

    Guy Watkins Guest

    You did not understand. I only wanted to limit the packets that match the
    DoS attack. Only the DoS packets that match the query string and length
    would be rate limited. I think. But maybe you are saying the server
    browser uses the same string and length? At least the server will not lag
    for the players that find the server.

     
  9. Kaspars

    Kaspars Guest

    You cannot distinguish good packets from bad; they all seem legit, there are
    just A LOT of them and from A LOT of sources. If it were that simple, you could
    just drop the bad packets with iptables.

    I have updated the querycache.c file so it also understands other packets...
    player listing will now work correctly.

     
  10. gulverene

    gulverene New Member

    Joined:
    Jul 5, 2011
    Hi all. My server is under a qconnect0x attack. How do I fix it, please?
    My firewall is iptables.
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x1" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x2" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x3" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x4" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x5" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x6" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x7" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x8" --algo kmp -j DROP
    iptables -A INPUT -p udp -m udp -m string --string "qconnect0x9" --algo kmp -j DROP

    qconnect0x0 packets still get through and the server has problems. TSource is working fine. Thanks. How do I fix qconnect0x, please?
     
