mrche Posted May 11, 2017

Hi guys! How can I switch the server protocol to TCP? The UDP port has an issue with DDoS (UDP flood) on our servers, and it is too hard to block anonymous requests. It is not possible to play at all.
cezarica Posted May 12, 2017

Since your question is a rather technical one, I think it's safe to assume you are using some Linux distribution. In that case have a look at Using iptables to rate-limit incoming connections. Something like:

iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

will limit any IP to 10 connections per minute, for instance on the ports 27018 (master) and 27019 (caves).
mrche Posted May 12, 2017

> 8 hours ago, cezarica said:
> Since your question is a rather technical one, I think it's safe to assume you are using some Linux distribution. In that case have a look at Using iptables to rate-limit incoming connections. Something like:
>
> iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
>
> will limit any IP to 10 connections per minute, for instance on the ports 27018 (master) and 27019 (caves).

UDP allows the source IP to be substituted (all packets have a random IP), and rate limiting does not help. I tried to use "-m string --algo kmp" to drop packets; it helps, but it requires too much CPU. Currently I am trying to write a rule based on a u32 filter to allow only game packets.
cezarica Posted May 12, 2017

Out of curiosity, what stuff do you see in the tcpdump log that you want to filter/block, if you don't mind sharing? So, you tested limiting the UDP packets with something like:

iptables -I INPUT -p udp -m limit --limit 10/s -j DROP

and it didn't work? Saw this.. give that a try?
mrche Posted May 13, 2017

> 15 hours ago, cezarica said:
> Out of curiosity, what stuff do you see in the tcpdump log that you want to filter/block, if you don't mind sharing? So, you tested limiting the UDP packets with something like:
>
> iptables -I INPUT -p udp -m limit --limit 10/s -j DROP
>
> and it didn't work? Saw this.. give that a try?

Yes, like this, but without the log: immediately drop. (Logging affects the CPU and creates log files up to gigabytes in size :D)

The flood looks like this:

23:58:03.585169 IP 192.69.7.87.10607 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 71c4 0000 3611 32fa c045 0757 E..?q...6.2..E.W
0x0010: 8ac9 8d8a 296f 2af7 002b 9563 5858 5858 ....)o*..+.cXXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585187 IP 206.176.87.158.10608 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f f2c7 0000 3611 5344 ceb0 579e E..?....6.SD..W.
0x0010: 8ac9 8d8a 2970 2af7 002b 36b0 5858 5858 ....)p*..+6.XXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585201 IP 93.96.62.68.10617 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 7872 0000 3611 5844 5d60 3e44 E..?xr..6.XD]`>D
0x0010: 8ac9 8d8a 2979 2af7 002b c151 5858 5858 ....)y*..+.QXXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585219 IP 124.22.84.158.10615 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 665d 0000 3611 3549 7c16 549e E..?f]..6.5I|.T.
0x0010: 8ac9 8d8a 2977 2af7 002b 8c43 5858 5858 ....)w*..+.CXXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585241 IP 36.139.35.123.10613 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f b69c 0000 3611 6db8 248b 237b E..?....6.m.$.#{
0x0010: 8ac9 8d8a 2975 2af7 002b 14f4 5858 5858 ....)u*..+..XXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585255 IP 180.76.17.25.10611 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 9b79 0000 3611 0b7c b44c 1119 E..?.y..6..|.L..
0x0010: 8ac9 8d8a 2973 2af7 002b 9796 5858 5858 ....)s*..+..XXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585268 IP 18.161.165.60.10620 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 6212 0000 3611 526b 12a1 a53c E..?b...6.Rk...<
0x0010: 8ac9 8d8a 297c 2af7 002b a515 5858 5858 ....)|*..+..XXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0030: 5858 5858 5858 5858 5858 5858 5858 58 XXXXXXXXXXXXXXX
23:58:03.585318 IP 189.8.70.187.10623 > XXX.XXX.XXX.XXX.10999: UDP, length 35
0x0000: 4500 003f 666f 0000 3611 0228 bd08 46bb E..?fo..6..(..F.
0x0010: 8ac9 8d8a 297f 2af7 002b 592c 5858 5858 ....).*..+Y,XXXX
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX

There is a snapshot of metrics from the server: https://snapshot.raintank.io/dashboard/snapshot/lK9iewQgG9L7B4z2DvMUvJfBf64kcPfE

And the rules that help (if the attack is not too powerful and you have enough resources):

iptables -t raw -A PREROUTING -p udp --dport 10990:11001 -j DROP -m length --length 0:28 -m comment --comment "dontstarve_drop_zero_size"
iptables -t raw -A PREROUTING -p udp --dport 10990:11001 -j DROP -m string --algo kmp --hex-string '|58 58 58 58 58 58|' -m comment --comment "dontstarve_drop_flood"

If the villain guesses to send packets with a random payload, it won't work.
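The two raw-table rules above can be checked offline against a capture before they go on a live server. This is an added example, not code from either poster: a small Python script that reassembles packets from tcpdump -X style hex lines and applies the same two tests in software (IP total length of at most 28 bytes, and six consecutive 'X' bytes in the UDP payload). The capture inside it is constructed with private addresses to mimic the flood shown above; the function and variable names are this example's own.

```python
import re

# Constructed tcpdump -X style capture (not the poster's data): an 'XXXX...'
# flood packet, a header-only packet and an ordinary-looking packet, all to
# the caves port 10999 from different (spoofed) sources.
SAMPLE_DUMP = """\
23:58:03.000001 IP 192.168.1.1.10753 > 10.0.0.5.10999: UDP, length 35
0x0000: 4500 003f 0001 0000 4011 0000 c0a8 0101
0x0010: 0a00 0005 2a01 2af7 002b 0000 5858 5858
0x0020: 5858 5858 5858 5858 5858 5858 5858 5858
0x0030: 5858 5858 5858 5858 5858 5858 5858 58
23:58:03.000003 IP 192.168.1.3.10755 > 10.0.0.5.10999: UDP, length 0
0x0000: 4500 001c 0003 0000 4011 0000 c0a8 0103
0x0010: 0a00 0005 2a03 2af7 0008 0000
23:58:03.000004 IP 192.168.1.4.10756 > 10.0.0.5.10999: UDP, length 12
0x0000: 4500 0028 0004 0000 4011 0000 c0a8 0104
0x0010: 0a00 0005 2a04 2af7 0014 0000 0102 0304
0x0020: 0506 0708 090a 0b0c
"""
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")

def parse_dump(text):
    """Reassemble raw IP packets from the '0x....:' hex lines of tcpdump -X."""
    packets, cur = [], None
    for line in text.splitlines():
        if HEADER.match(line):
            cur = bytearray()
            packets.append(cur)
        elif cur is not None and line.lstrip().startswith("0x"):
            for tok in line.split()[1:9]:  # at most 8 hex groups, then ASCII column
                if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                    break
                cur += bytes.fromhex(tok)
    return [bytes(p) for p in packets]

def classify(pkt):
    """Software version of the two rules: 'empty' = headers only (-m length
    0:28), 'flood' = six 'X' bytes in the payload (--hex-string), else 'pass'."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    payload = pkt[ihl + 8:]  # skip the 8-byte UDP header
    if len(pkt) <= 28:
        return src, "empty"
    if b"XXXXXX" in payload:
        return src, "flood"
    return src, "pass"

def audit(text):
    """(source, verdict) per packet; with spoofed sources every dropped packet
    tends to carry a new address, so per-IP limits and blackholes never fire."""
    return [classify(p) for p in parse_dump(text)]
```

Only the 'pass' packets are what the game server would actually receive once both rules are in place.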
cezarica Posted May 14, 2017

Oh my. Are the graphs with or without log filtering? Or not at all? oO

How's stuff with the two commands you listed? And why add a comment to them anyway?

Oh, and if the IPs that flood you don't change, why not null route them with ip route add blackhole ip?

If the packets have the same length (35 in this case) you can also use that, like: -m length --length 35 -j DROP
mrche Posted May 14, 2017

> 3 hours ago, cezarica said:
> Oh my. Are the graphs with or without log filtering? Or not at all? oO

The graphs are with the "zero size" and "string" filters enabled and without logging.

> How's stuff with the two commands you listed? And why add a comment to them anyway?

Currently it works. The previous flood packet was zero size (28 bytes only). The comments are used for convenience (for automatic add and drop from a script).

> Oh, and if the IPs that flood you don't change, why not null route them with ip route add blackhole ip?

Sorry, I don't understand what you mean.

> If the packets have the same length (35 in this case) you can also use that, like: -m length --length 35 -j DROP

The game can send packets of this size; it will affect gameplay (freezes and lags). I think the filter with u32 must be faster and more reliable.
cezarica Posted May 14, 2017

If for instance you got a flood from 192.69.7.87, then null route traffic from and to it with:

ip route add blackhole 192.69.7.87

for each IP in the list, if there aren't too many of them.
mrche Posted May 15, 2017

> 19 hours ago, cezarica said:
> If for instance you got a flood from 192.69.7.87, then null route traffic from and to it with:
>
> ip route add blackhole 192.69.7.87
>
> for each IP in the list, if there aren't too many of them.

As I told before, all of the packets have a random IP.