Use TCP instead UDP

[mrche]

Hi guys!

How I can switch server protocol to tcp? UDP port has the issue with ddos (udp flood) on our servers, and to hard to block anonymous requests.

It is not possible to play at all.

[cezarica]

Since your question is rather technical one I think it's safe to assume you are using some linux distribution. In that case have a look at Using iptables to rate-limit incoming connections

Something like:

iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

will limit any IP to 10 connections per minute for instance on the ports 27018 (master) and 27019 (caves).

[mrche]

8 hours ago, cezarica said:

Since your question is rather technical one I think it's safe to assume you are using some linux distribution. In that case have a look at Using iptables to rate-limit incoming connections

Something like:

iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p udp --dport 27018:27019 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

will limit any IP to 10 connections per minute for instance on the ports 27018 (master) and 27019 (caves).

UDP is allowed to substitute source ip (all packets have random ip) and rate limit is not help. I try to use  "-m string --algo kmp" to drop packets, it is helps. But it is require to much cpu performance. 

Currently I tried to write the rule based on a u32 filter to allow only game packets.

[cezarica]

Out of curiosity what stuff you see in tcpdump log that you want to filter/block if you don't mind sharing?

So, you tested with limiting the UDP packets with something like:

iptables -I INPUT -p udp -m limit --limit 10/s -j DROP

and didn't work? Saw this.. give that a try?

[mrche]

15 hours ago, cezarica said:

Out of curiosity what stuff you see in tcpdump log that you want to filter/block if you don't mind sharing?

So, you tested with limiting the UDP packets with something like:

iptables -I INPUT -p udp -m limit --limit 10/s -j DROP

and didn't work? Saw this.. give that a try?

Yes, like this. But without the log, immediately drop. (Logs affect cpu and creates logs file with up to gigabytes size: D)

Flood looks like this:

23:58:03.585169 IP 192.69.7.87.10607 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 71c4 0000 3611 32fa c045 0757  E..?q...6.2..E.W
        0x0010:  8ac9 8d8a 296f 2af7 002b 9563 5858 5858  ....)o*..+.cXXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585187 IP 206.176.87.158.10608 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f f2c7 0000 3611 5344 ceb0 579e  E..?....6.SD..W.
        0x0010:  8ac9 8d8a 2970 2af7 002b 36b0 5858 5858  ....)p*..+6.XXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585201 IP 93.96.62.68.10617 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 7872 0000 3611 5844 5d60 3e44  E..?xr..6.XD]`>D
        0x0010:  8ac9 8d8a 2979 2af7 002b c151 5858 5858  ....)y*..+.QXXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585219 IP 124.22.84.158.10615 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 665d 0000 3611 3549 7c16 549e  E..?f]..6.5I|.T.
        0x0010:  8ac9 8d8a 2977 2af7 002b 8c43 5858 5858  ....)w*..+.CXXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585241 IP 36.139.35.123.10613 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f b69c 0000 3611 6db8 248b 237b  E..?....6.m.$.#{
        0x0010:  8ac9 8d8a 2975 2af7 002b 14f4 5858 5858  ....)u*..+..XXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585255 IP 180.76.17.25.10611 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 9b79 0000 3611 0b7c b44c 1119  E..?.y..6..|.L..
        0x0010:  8ac9 8d8a 2973 2af7 002b 9796 5858 5858  ....)s*..+..XXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585268 IP 18.161.165.60.10620 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 6212 0000 3611 526b 12a1 a53c  E..?b...6.Rk...<
        0x0010:  8ac9 8d8a 297c 2af7 002b a515 5858 5858  ....)|*..+..XXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
        0x0030:  5858 5858 5858 5858 5858 5858 5858 58    XXXXXXXXXXXXXXX
23:58:03.585318 IP 189.8.70.187.10623 > XXX.XXX.XXX.XXX.10999: UDP, length 35
        0x0000:  4500 003f 666f 0000 3611 0228 bd08 46bb  E..?fo..6..(..F.
        0x0010:  8ac9 8d8a 297f 2af7 002b 592c 5858 5858  ....).*..+Y,XXXX
        0x0020:  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX

There is snapshot of metrics from server:

https://snapshot.raintank.io/dashboard/snapshot/lK9iewQgG9L7B4z2DvMUvJfBf64kcPfE

And rules what help (If the attack is not too powerful and you have enough resources):

iptables -t raw -A PREROUTING -p udp --dport 10990:11001 -j DROP -m length --length 0:28 -m comment --comment "dontstarve_drop_zero_size"
iptables -t raw -A PREROUTING -p udp --dport 10990:11001 -j DROP -m string --algo kmp --hex-string '|58 58 58 58 58 58|' -m comment --comment "dontstarve_drop_flood"

If the villain is guesses to send packets with random payload it's not be work. 

 

[cezarica]

Oh my. The graphs are with or without log filtering? Or not at all? oO

How's stuff with the two commands you listed? And why add a comment to them anyway? Oh, and if the IP's that flood you don't change why not null route them with ip route add blackhole ip?

If the packets have the same length (35 in this case) you can also use that like: -m length --length 35 -j DROP

[mrche]

3 hours ago, cezarica said:

Oh my. The graphs are with or without log filtering? Or not at all? oO

The graphs with enabled "zero size" and "string" filter and without logging. 

Quote

How's stuff with the two commands you listed? And why add a comment to them anyway?

Currently it's work. Previous flood packet was zero size (28 bytes only). The comments used for more convenience (for automatic add and drop from script).

Quote

Oh, and if the IP's that flood you don't change why not null route them with ip route add blackhole ip?

Sry, I not understand what you mean.

Quote

If the packets have the same length (35 in this case) you can also use that like: -m length --length 35 -j DROP

Game can to send packets with this size, it's will be affect gameplay (freeze and lags).

I think the filter with u32 must be more fast and more reliable.

[cezarica]

If for instance you got flood from 192.69.7.87 then null route trafic from and to it with:

ip route add blackhole 192.69.7.87

for each IP's in the list if aren't too many of them.

[mrche]

19 hours ago, cezarica said:

If for instance you got flood from 192.69.7.87 then null route trafic from and to it with:

ip route add blackhole 192.69.7.87

for each IP's in the list if aren't too many of them.

As I told before, all of packets have a random ip.