Re: Firewall Cookie Flood Connection -
JernejL - 29.08.2017
Let me step in and explain a few things going on here.
--hex-string '|081e77da|'
This is a match on port 7777's cookie request packet; this will work well for all servers that are on port 7777, other servers need to adjust this.
--hex-string '|53414d50a772c94a611e63|'
--hex-string '|53414d50a772c94a611e72|'
--hex-string '|53414d50a772c94a611e69|'
This is actually the SAMP query packet match:
https://sampwiki.blast.hk/wiki/Query_Mechanism
EVERYONE will need to make changes on this:
53414d50 "SAMP"
a772c94a server IP (YOUR bound server IP)
611e <- PORT
63 / 72 / 69 - matches various query packets.
You can get your proper packet by running `tcpdump -t -n -v -XX -i eth1 udp dst port 7777 and '(udp[8:4]=0x53414d50)'` (change the port to your proper port and eth1 to the real ethernet interface in use)
Yellow: "SAMP" text
RED: Server IP
Green: port
Adjust RDM's .sh file accordingly and only then use this.
More efficient filtering could be done: instead of a hex-string match at any position you can adapt this to use the u32 fast byte match; sure, u32 causes brains to rot when you use it, but it will work better, especially on VPSes:
Examples (DO NOT ADD THIS TO YOUR IPTABLES, THIS IS JUST AN EXAMPLE):
Match SAMP UDP packets:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50" -j DROP
Match the SAMP 'r' (rules) packet:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x72" -j DROP
Match the other two query packet types:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x63" -j DROP
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x69" -j DROP
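To make the per-server adjustment less error-prone, here is an added Python example (not part of JernejL's post or of RDM's script) that encodes the SA-MP query layout the post describes: "SAMP", the 4-byte server IP, the 2-byte port in little-endian, then a one-byte opcode. It generates the --hex-string value for a given IP, port and opcode, parses a captured payload back, and emulates u32 reads to check the offsets: with a 20-byte IP header the payload starts at byte 28 and the opcode byte is byte 38, and because u32's `N&0xFF` reads the 4-byte word at N and keeps its low byte (byte N+3), the opcode has to be tested as `35&0xFF`; a word read at 38 runs past the end of an 11-byte query packet, so u32 would simply never match. 167.114.201.74:7777 is the server encoded in the thread's hex strings; the source address 198.51.100.7 and the DROP target are constructed placeholders.

```python
import ipaddress
import struct

# SA-MP query layout as described in the thread: "SAMP" magic, server IPv4 in
# dotted-quad byte order, port as little-endian uint16, then one opcode byte.
MAGIC = b"SAMP"
IP_HDR_LEN = 20                          # assumes no IP options, as the u32 rules do
UDP_HDR_LEN = 8
PAYLOAD_OFF = IP_HDR_LEN + UDP_HDR_LEN   # 28: where "SAMP" starts, counted from the IP header
OPCODE_OFF = PAYLOAD_OFF + 10            # 38: magic(4) + ip(4) + port(2)


def hex_string(server_ip, port, opcode):
    """Bytes to put between the '|' markers of an iptables --hex-string match."""
    payload = (MAGIC + ipaddress.IPv4Address(server_ip).packed
               + struct.pack("<H", port) + opcode.encode())
    return payload.hex()


def parse_query(payload):
    """Decode a UDP payload; returns (ip, port, opcode) or None if it is not a SA-MP query."""
    if len(payload) < 11 or payload[:4] != MAGIC:
        return None
    ip = str(ipaddress.IPv4Address(payload[4:8]))
    (port,) = struct.unpack("<H", payload[8:10])
    return ip, port, chr(payload[10])


def u32_rule(port, opcode, target="DROP"):
    """iptables u32 expression for one query opcode. u32 'N&0xFF' reads the 4-byte
    word at N (big-endian) and keeps its low byte, i.e. byte N+3, so the opcode at
    byte 38 is tested as 35&0xFF. The DROP target is a constructed default."""
    magic = int.from_bytes(MAGIC, "big")
    expr = f"{PAYLOAD_OFF}=0x{magic:08x}&&{OPCODE_OFF - 3}&0xFF=0x{ord(opcode):02x}"
    return f'iptables -A INPUT -p udp --dport {port} -m u32 --u32 "{expr}" -j {target}'


def build_ip_udp_packet(src_ip, dst_ip, dst_port, payload):
    """Constructed IPv4+UDP packet (no options, zero checksums) for offset checks."""
    udp = struct.pack("!HHHH", 40000, dst_port, UDP_HDR_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def u32_word(packet, offset):
    """Emulate a u32 read: 4 bytes big-endian at offset from the IP header start;
    None when the packet is too short, in which case u32 fails the match."""
    if offset + 4 > len(packet):
        return None
    return int.from_bytes(packet[offset:offset + 4], "big")


def u32_matches(packet, opcode):
    """Evaluate the expression produced by u32_rule() against a raw packet."""
    word = u32_word(packet, OPCODE_OFF - 3)
    return (u32_word(packet, PAYLOAD_OFF) == int.from_bytes(MAGIC, "big")
            and word is not None and word & 0xFF == ord(opcode))


if __name__ == "__main__":
    for op in "irc":
        print(op, hex_string("167.114.201.74", 7777, op))
        print(u32_rule(7777, op))
    pkt = build_ip_udp_packet("198.51.100.7", "167.114.201.74", 7777,
                              bytes.fromhex(hex_string("167.114.201.74", 7777, "i")))
    print("35&0xFF matches 'i':", u32_matches(pkt, "i"))
    print("word at 38 readable:", u32_word(pkt, 38) is not None)
```

The generator emits -j DROP only because that is what the examples in the post use; substitute whatever target your script applies to query packets. The u32 offsets assume an IPv4 header without options; the hex-string match has no such assumption because it scans the whole packet, which is also why it costs more per packet.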
Re: Firewall Cookie Flood Connection -
RDM - 29.08.2017
Quote:
Originally Posted by JernejL
Let me step in and explain a few things going on here.
--hex-string '|081e77da|'
This is a match on port 7777's cookie request packet; this will work well for all servers that are on port 7777, other servers need to adjust this.
--hex-string '|53414d50a772c94a611e63|'
--hex-string '|53414d50a772c94a611e72|'
--hex-string '|53414d50a772c94a611e69|'
This is actually the SAMP query packet match:
https://sampwiki.blast.hk/wiki/Query_Mechanism
EVERYONE will need to make changes on this:
53414d50 "SAMP"
a772c94a server IP (YOUR bound server IP)
611e <- PORT
63 / 72 / 69 - matches various query packets.
You can get your proper packet by running `tcpdump -t -n -v -XX -i eth1 udp dst port 7777 and '(udp[8:4]=0x53414d50)'` (change the port to your proper port and eth1 to the real ethernet interface in use)
Yellow: "SAMP" text
RED: Server IP
Green: port
Adjust RDM's .sh file accordingly and only then use this.
More efficient filtering could be done: instead of a hex-string match at any position you can adapt this to use the u32 fast byte match; sure, u32 causes brains to rot when you use it, but it will work better, especially on VPSes:
Examples (DO NOT ADD THIS TO YOUR IPTABLES, THIS IS JUST AN EXAMPLE):
Match SAMP UDP packets:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50" -j DROP
Match the SAMP 'r' (rules) packet:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x72" -j DROP
Match the other two query packet types:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x63" -j DROP
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x69" -j DROP
Did not know that the query packets change with the IP! Thank you very much!
Problem solved! Firewall running for all SA:MP servers that use port 7777
I'm sorry for the mistake! I'm so sorry!
Re: Firewall Cookie Flood Connection -
RDM - 29.08.2017
Quote:
Originally Posted by adri1
not working for me
I just made the correction! Make sure it works for you now.
Re: Firewall Cookie Flood Connection -
adri1 - 29.08.2017
My server is closed now, but I will check, thank you.
Re: Firewall Cookie Flood Connection -
Peek - 29.08.2017
Still not working for me.
Re: Firewall Cookie Flood Connection -
RDM - 29.08.2017
Quote:
Originally Posted by Peek
Still not working for me.
What is the IP of your server?
Re: Firewall Cookie Flood Connection -
Kaperstone - 29.08.2017
63 69 72 are the codes for the digits after 611e I guess. (because JernejL posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Re: Firewall Cookie Flood Connection -
RDM - 29.08.2017
Quote:
Originally Posted by Kaperstone
63 69 72 are the codes for the digits after 611e I guess. (because JernejL posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Yes, 00 can be ignored!
7065?
Are you sure this is a query packet?
I believe it's the answer from the server to the query!
I changed the script; now it works for all servers running on port 7777!
If your server runs on another port you can send me a PM! I'll help you!
Re: Firewall Cookie Flood Connection -
Kaperstone - 29.08.2017
Quote:
Originally Posted by RDM
Yes, 00 can be ignored!
7065?
Are you sure this is a query packet?
I believe it's the answer from the server to the query!
I changed the script; now it works for all servers running on port 7777!
If your server runs on another port you can send me a PM! I'll help you!
Yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that it's not 6300 but 7063.
EDIT: @RDM I can send the full dump if needed.
Re: Firewall Cookie Flood Connection -
RDM - 29.08.2017
Quote:
Originally Posted by Kaperstone
Yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that it's not 6300 but 7063.
EDIT: @RDM I can send the full dump if needed.
Send me.
Re: Firewall Cookie Flood Connection -
PrettyDiamond - 02.09.2017
You should go to your folder /lib/modules/.... and look there for the real filename of this file where you have xxxx, and change it to the correct module name.
Re: Firewall Cookie Flood Connection -
Chaprnks - 02.09.2017
Quote:
Originally Posted by PrettyDiamond
You should go to your folder /lib/modules/.... and look there for the real filename of this file where you have xxxx, and change it to the correct module name.
It was actually more complicated than that... at some point I half-ass upgraded the Linux kernel, but still had GRUB thinking it was the old one... Thankfully I got it all settled without having to reformat. *phew*
Thanks for the help.
Re: Firewall Cookie Flood Connection -
PrettyDiamond - 02.09.2017
Quote:
Originally Posted by Chaprnks
It was actually more complicated than that... at some point I half-ass upgraded the Linux kernel, but still had GRUB thinking it was the old one... Thankfully I got it all settled without having to reformat. *phew*
Thanks for the help.
I'm in the same boat as you, my friend... my Debian was unmounted at all... and I'm still at null progress by all. My IP is still flooded, my server still offline. I was thinking about changing it to Windows, because @iLearner's SV looks like it is working, but sometimes it is offline too, idk if he fixed the flood problem at all. IDK what more I can do, but I will search until I find the way to run my server again. It's funny: if I start it, in the same minute some old players join it, then I look at the SV CPU usage, it goes to 100%, ping gets high, packet loss, and finally timeout for all. So sad... nothing helps for me, I used the last update from Kalcor, iptables rules, nothing works for me?
Re: Firewall Cookie Flood Connection -
Astralis - 02.09.2017
Well, your host is probably very bad. Get a decent one.
Either a game server from
http://samp4you.com (which is working properly against any attacks) or a VPS.
Re: Firewall Cookie Flood Connection -
Astralis - 02.09.2017
Quote:
Originally Posted by PrettyDiamond
LoL... I'm my own host... pls don't come here and talk shit... you mean really people are so stupid and can't distinguish between what is a good or bad host? After running a server free of problems, over years?
Why, God, do some people here never read with attention, then, after that, think, then count some sheep (like 100), then write!?
Then you don't know shit about how to manage your server. Think before talking.
Re: Firewall Cookie Flood Connection -
RDM - 02.09.2017
Quote:
Originally Posted by PrettyDiamond
I'm in the same boat as you, my friend... my Debian was unmounted at all... and I'm still at null progress by all. My IP is still flooded, my server still offline. I was thinking about changing it to Windows, because @iLearner's SV looks like it is working, but sometimes it is offline too, idk if he fixed the flood problem at all. IDK what more I can do, but I will search until I find the way to run my server again. It's funny: if I start it, in the same minute some old players join it, then I look at the SV CPU usage, it goes to 100%, ping gets high, packet loss, and finally timeout for all. So sad... nothing helps for me, I used the last update from Kalcor, iptables rules, nothing works for me?
As I mentioned, the firewall works and will drop 90% of the malicious packets!
But being a software alternative, if the attack is greater than the amount of Mbps available on your VPS / dedicated server, the firewall will not help, unfortunately,
and the same goes for the hardware, CPU and RAM!
I recommend hiring a dedicated game server on OVH, or hiring a VPS from companies that sell them!
I have several dedicated servers on OVH, the game firewall seems to hold up well, and it would be the cheapest solution for now,
since hiring a dedicated server and a hardware firewall separately at OVH is much more expensive than a dedicated game server.
About 10 servers in my network suffer from such attacks and none went offline since the beginning of this attack!
Re: Firewall Cookie Flood Connection -
SlowARG - 31.01.2019
Yeah... bumping topics.
A few guys asked me how to update the "samp_prot" plugin; actually it is quite easy.
Look at this pseudo code generated by IDA Pro:
Code:
char __stdcall Load(int (__cdecl **a1)(_DWORD))
{
int v1; // eax
DWORD flOldProtect; // [esp+0h] [ebp-8h]
dword_10012164 = *a1;
dword_10012164("### samp_prot by Ubinoob loaded (ver 2)");
dword_10012164("### Professional game hosting: https://LiveServer.pl");
v1 = strcmp((const char *)0x4B5508, "0.3.7-R2");
if ( v1 )
v1 = -(v1 < 0) | 1;
if ( v1 )
{
dword_10012164("### Invalid server version. Please install 0.3.7-R2-1 (linux) 0.3.7-R2-1-1 (windows).");
}
else
{
VirtualProtect((LPVOID)0x497CC8, 1u, 0x40u, &flOldProtect);
VirtualProtect((LPVOID)0x497C74, 1u, 0x40u, &flOldProtect);
dword_10012164("### Memory segments unprotected");
MEMORY[0x497CC8] = -1869574000; // unk1 ---> i query limit
MEMORY[0x497CCC] = -28528; // unk2 ---> +04
MEMORY[0x497C74] = -1869574000; // unk3 ---> p query limit
MEMORY[0x497C78] = -28528; // unk4 ---> +04
dword_10012164("### Query system patched");
MEMORY[0x4E58B8] = 0; // same as "cookielogging 0"
dword_10012164("### Cookie logging disabled");
MEMORY[0x4F5FD4] = 0; // same as "logqueries 0"
dword_10012164("### Query logging disabled");
}
return 1;
}
We need to update all memory addresses being read/written. It can be easily done with IDA Pro or Cheat Engine (yeah, the good old Cheat Engine).
Some signatures/patterns, for Windows ONLY at the moment:
Code:
unk1 0F 85 80 06 00 00 8B 0D BC 5F 4F 00 68 08 97 4B 00 E8 ?? 37 FF FF 89 44
unk2 00 00 8B 0D BC 5F 4F 00 68 ?? ?? 4B 00 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
unk3 0F 85 D4 06 00 00 83 FF 0F 0F 85 CB 06 00 00 6A 10 68 08 5D 51 00 50 8B
unk4 00 00 83 FF 0F 0F 85 CB 06 00 00 6A 10 68 08 5D 51 00 50 8B 44 24 54 57
Some convars such as cookielogging and logqueries can be searched for easily with Cheat Engine (cookielogging 100, and search for 100, cookielogging 999 and search for 999, and so on). Do your homework.
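As an added example (not part of SlowARG's post or of the samp_prot plugin), here is a Python wildcard-signature scanner of the kind needed to relocate those addresses after a server update: it takes patterns in the post's `0F 85 ?? 06` notation, returns every offset where they occur in a binary's bytes, refuses a signature that is not unique, and decodes the constants the pseudo-code stores into the bytes they write. The buffer it searches is constructed here, with the post's unk1 pattern embedded at a known offset (wildcard set to 0x12); it is not a dump of the real server binary.

```python
# Signatures copied from the post (Windows server build only, per the post).
SIGNATURES = {
    "unk1": "0F 85 80 06 00 00 8B 0D BC 5F 4F 00 68 08 97 4B 00 E8 ?? 37 FF FF 89 44",
    "unk2": "00 00 8B 0D BC 5F 4F 00 68 ?? ?? 4B 00 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??",
}


def parse_signature(sig):
    """'0F 85 ?? 06' -> list of ints, with None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_pattern(data, sig):
    """Every offset in data where the signature matches; wildcards match any byte."""
    pat = parse_signature(sig)
    n = len(pat)
    hits = []
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pat)):
            hits.append(i)
    return hits


def locate(image, name):
    """Offset of a named signature; a signature that matches 0 or >1 times is unusable."""
    hits = find_pattern(image, SIGNATURES[name])
    if len(hits) != 1:
        raise ValueError(f"{name}: expected exactly one match, got {len(hits)}")
    return hits[0]


def patch_bytes(value, width):
    """Little-endian bytes of the signed constant the pseudo-code stores,
    e.g. -1869574000 as a 4-byte write -> 90 90 90 90."""
    return value.to_bytes(width, "little", signed=True)


def constructed_image():
    """Constructed stand-in for a binary: zero filler, unk1 at offset 0x100 with
    its wildcard byte set to 0x12, then more filler. Not the real server image."""
    sig_bytes = bytes(0x12 if b is None else b for b in parse_signature(SIGNATURES["unk1"]))
    return bytes(0x100) + sig_bytes + bytes(0x40)


if __name__ == "__main__":
    img = constructed_image()
    print("unk1 at", hex(locate(img, "unk1")))
    print("unk2 at", hex(locate(img, "unk2")))   # unk2 is unk1's tail, 4 bytes in
    print("unk1 write:", patch_bytes(-1869574000, 4).hex())
    print("unk2 write:", patch_bytes(-28528, 2).hex())
```

The two stored constants decode to 0x90 bytes (the x86 NOP opcode), and unk2 matches four bytes after unk1, which is consistent with the `+04` comments in the pseudo-code. On a real image, run `find_pattern` on the executable's bytes and keep only signatures that hit exactly once; a pattern with too many wildcards will match in several places and the scanner raises rather than picking one.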