
Protect the Source Dedicated Server game server from attacks with small UDP packets

For some reason there are a number of exploits that Valve has not fixed yet, and amateur hackers use them to make the game unpleasant for the players on a server. During such an attack the ping on the targeted game server rises sharply and it becomes impossible to play, while other game servers running on the same physical machine keep working normally.

Let us look at one way of dealing with this kind of vandalism.

Throughout, it is assumed that the game servers run on a Linux host.

That the server is receiving the packets which put it into this "sluggish" state can be confirmed from a tcpdump capture:
01:29:54.215279 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 18
01:29:54.215281 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 0
01:29:54.229257 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 18
01:29:54.233254 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 0


Legitimate game traffic is larger than 32 bytes (total IP length, i.e. the LEN= value the kernel prints, which already includes the 20-byte IPv4 header and the 8-byte UDP header; iptables' length match compares against this same value), so we add the following iptables rules:

# Chain that logs (rate-limited, so an attack cannot flood the syslog) and drops
-N logattacker
-A logattacker -m limit --limit 2/second -j LOG --log-prefix " SRCDS:ATTACK: " --log-ip-options
-A logattacker -j DROP
# Every UDP packet to a game-server port whose total IP length is 32 bytes or less
# goes to that chain. The limit belongs on the LOG rule, not on this jump: with the
# limit on the jump only two packets per second would be dropped and the rest
# would still reach the game server.
-A INPUT -p udp -m udp --dport 27000:29999 -m length --length 0:32 -j logattacker


Now, when UDP packets of 32 bytes or less arrive on a port in the range 27000-29999 (there may be several game and SourceTV servers), they are dropped and the event is written to /var/log/messages, so that fail2ban can then temporarily block the IP address the packets came from. A logged packet looks like this:

Feb 24 15:43:08 carbon kernel: [157686.157207] SRCDS:ATTACK: IN=eth0 OUT= MAC=00:15:17:4c:eb:f4:00:1e:4a:38:3a:00:08:00 SRC=85.159.xx.xx DST=217.199.yy.yy LEN=28 TOS=0x00 PREC=0x00 TTL=120 ID=43787 PROTO=UDP SPT=2445 DPT=27135 LEN=8


Next, in /etc/fail2ban/filter.d we create a filter srcds-ddos.conf with the following contents (the <HOST> tag is the placeholder fail2ban uses to extract the address to ban; LEN=28 restricts the match to empty UDP datagrams, which is exactly what the capture above showed):

[Definition]
failregex = SRCDS:ATTACK: IN=eth0 OUT= MAC=[0-9a-fA-F:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28


Then we add a jail to /etc/fail2ban/jail.conf:

[srcds-ddos]
enabled = true
port = all
protocol = udp
filter = srcds-ddos
logpath = /var/log/messages
maxretry = 3
bantime = 6000
banaction = iptables-allports
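To see what the length rule and the fail2ban filter actually select, here is an added Python example (it is not code from the original article): it computes the total IP length that `-m length` and the kernel's LEN= field use, applies the same failregex to a few constructed kernel LOG lines (documentation addresses 192.0.2.x and 198.51.100.x, an assumed year, since syslog lines carry none), and reproduces fail2ban's maxretry/findtime decision. The ban logic is a simplified model of fail2ban's sliding window, not fail2ban's own code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Part 1: what "-m length --length 0:32" compares against ----
IPV4_HEADER = 20   # bytes, no IP options
UDP_HEADER = 8     # bytes

def ip_total_length(udp_payload_len):
    """Total IPv4 length of a UDP datagram: the LEN= value the kernel LOG target
    prints and the value the iptables length match tests."""
    return IPV4_HEADER + UDP_HEADER + udp_payload_len

def matches_small_packet_rule(udp_payload_len, dport, max_len=32, port_range=(27000, 29999)):
    """Mirror of: -p udp --dport 27000:29999 -m length --length 0:32 -j logattacker"""
    low, high = port_range
    return low <= dport <= high and ip_total_length(udp_payload_len) <= max_len

# ---- Part 2: the srcds-ddos filter applied to kernel LOG lines ----
# Same expression as the fail2ban filter; fail2ban's <HOST> tag becomes a named group.
FAILREGEX = re.compile(
    r"SRCDS:ATTACK: IN=eth0 OUT= MAC=[0-9a-fA-F:]+ SRC=(?P<host>[0-9.]+) "
    r"DST=([0-9]{1,3}\.?){4} LEN=28"
)
# syslog timestamp at the start of the line ("Feb 24 15:43:08"); it carries no year
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_attack_lines(lines, year=2010):
    """Return [(timestamp, source_ip)] for every line the filter matches.
    'year' is an assumption: syslog lines do not record one."""
    events = []
    for line in lines:
        m = FAILREGEX.search(line)
        t = SYSLOG_TS.match(line)
        if m and t:
            ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("host")))
    return events

def ban_decisions(events, maxretry=3, findtime=600):
    """Simplified fail2ban decision: a host is banned at the moment it reaches
    'maxretry' matches within a sliding window of 'findtime' seconds.
    Returns {ip: datetime_of_ban}; later hits from a banned host are ignored."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        recent[ip] = [h for h in recent[ip] if ts - h <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample log (not from the article): four empty datagrams from .10 within
# seconds, one from .20, and one 4-byte-payload packet (LEN=32) from .20 that the
# iptables rule drops and logs but the filter (LEN=28 only) must not count.
MAC = "00:15:17:4c:eb:f4:00:1e:4a:38:3a:00:08:00"
def make_log_line(ts, src, length):
    return (f"{ts} carbon kernel: [157686.157207] SRCDS:ATTACK: IN=eth0 OUT= MAC={MAC} "
            f"SRC={src} DST=198.51.100.5 LEN={length} TOS=0x00 PREC=0x00 TTL=120 ID=43787 "
            f"PROTO=UDP SPT=2445 DPT=27135 LEN={length - IPV4_HEADER}")

SAMPLE_LOG = [
    make_log_line("Feb 24 15:43:08", "192.0.2.10", 28),
    make_log_line("Feb 24 15:43:09", "192.0.2.10", 28),
    make_log_line("Feb 24 15:43:10", "192.0.2.10", 28),
    make_log_line("Feb 24 15:43:11", "192.0.2.10", 28),
    make_log_line("Feb 24 15:50:00", "192.0.2.20", 28),
    make_log_line("Feb 24 15:50:01", "192.0.2.20", 32),
]

def run_example():
    """Parse the sample log and apply the jail's maxretry = 3."""
    events = parse_attack_lines(SAMPLE_LOG)
    return events, ban_decisions(events, maxretry=3)

if __name__ == "__main__":
    events, banned = run_example()
    print(f"{len(events)} log lines matched the filter")
    for ip, when in banned.items():
        print(f"ban {ip} at {when.isoformat()} (maxretry reached)")
```

Note the two different widths: the iptables rule drops everything up to LEN=32 (a 4-byte payload), while the filter only counts LEN=28, so a host sending tiny but non-empty datagrams is dropped but never banned. Widen the LEN= part of the failregex if you want fail2ban to react to those as well.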



RCON access can additionally be restricted to a whitelisted address (replace 123.123.123.13 with your own admin IP):

# Make new chain
iptables -N rcon
# Pull all packets to tcp ports 27000:29999 into rcon chain
iptables -A INPUT -p tcp --dport 27000:29999 -j rcon
# If source ip matches whitelisted ip, accept
iptables -A rcon --source 123.123.123.13 -j ACCEPT
# Otherwise (optionally log and) drop
iptables -A rcon -j LOG --log-prefix "SRCDS:RCON: " --log-ip-options
iptables -A rcon -j DROP



Source: https://habr.com/ru/post/85647/
