Re: Request connection cookie flood -
donB - 24.08.2017
Quote:
Originally Posted by Pizzy
My server is running fine with no speed or lag, it's perfect once you connect - but the whole querying of the server on the client looks as if the server is lagging or not responding - but connecting is perfectly fine.
|
True. I'm not able to query the server using 3rd party Android apps as well.
Re: Request connection cookie flood -
Whale - 25.08.2017
Quote:
Originally Posted by .03
Seeing the same thing on a server I manage.
Attack involves around 1700 IPs. I've just temporarily blocked the following:
Code:
180.0.0.0/8
181.0.0.0/8
186.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8
And then I've added a few exceptions here and there for legit players trying to join. It's not ideal but it's better than the whole server being down. Hopefully they'll get bored soon.
|
I have been receiving attacks since yesterday from the same IPs. I have blocked these ranges and it seems to work.
Re: Connection flood -
soul225 - 25.08.2017
how can i block this IPs in Kerio Winroute Firewall?
Re: Request connection cookie flood -
WarZ - 25.08.2017
the attack start again today .-.
Re: Connection flood -
WarZ - 25.08.2017
the attack start again today .-.
Re: Connection flood - adri[4]Life - 25.08.2017
So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating
And so much time advertising and searching for who can provide us hosted tab
Finally due to lack of updates, My community is fucked up.
Thanks kalcor
Re: Request connection cookie flood -
denNorske - 25.08.2017
Those IP's were the same for me, the block did the job, however as WarZ stated above, there's a bunch of new IP's today.
Blocking 100 million IP's each time is not going to solve this in a clean way. We might end up blocking out way too many players/users at some point if this continues.
Any firewall methods available to limit the UDP/TCP packets from repeating IP's ?
Also, in order to save some hard-drive space i suggest you guys disable cookie logging in the server log by doing:
PHP Code:
//server.cfg
cookielogging 0
conncookies 1
The logs were about 800 mb in 30 minutes when the attacks started..
Re: Connection flood -
SWAT4 - 25.08.2017
Quote:
Originally Posted by adrianlouise
So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating
And so much time advertising and searching for who can provide us hosted tab
Finally due to lack of updates, My community is fucked up.
Thanks kalcor
|
you, missed the point, its not a 'lack' of update, its the miss-optimisation you've got there...
if you think you'd do something to solve that in the new update, then i tell you , you're totally mistaken, i bet that you're not even using 10% of the current version's benefits, and if you can't handle to moderate at least a temporary solution for an attack on your "community", then i'd tell you , you aren't ready for this... so stop lying to yourself, and start working with what you have.
put in mind that many servers stood upon the attack, and yeah, they are using the same version as you, its just the skill, and they never requested another update...
Re: Connection flood - adri[4]Life - 25.08.2017
Quote:
Originally Posted by SWAT4
you, missed the point, its not a 'lack' of update, its the miss-optimisation you've got there...
if you think you'd do something to solve that in the new update, then i tell you , you're totally mistaken, i bet that you're not even using 10% of the current version's benefits, and if you can't handle to moderate at least a temporary solution for an attack on your "community", then i'd tell you , you aren't ready for this... so stop lying to yourself, and start working with what you have.
put in mind that many servers stood upon the attack, and yeah, they are using the same version as you, its just the skill, and they never requested another update...
|
Lying? We stopped this once but we can't block million ranges daily, SA-MP features won't help me stopping this attack
I Am not asking for any new feature But for a solution, Cookielogging doesn't even effect just few lines in log that's all
Firewall is just temp for few hours then you have to block more Ranges so a fix is necessary but if they don't
then it's SA-MP's death. People like you who are not playing/managing a SA-MP server better stop talking about this.
We all know that we have much to do with SA-MP we can script so many stuffs but no we can't script anything in a mod attacked by infinity bots
Re: Connection flood -
dugi - 25.08.2017
Quote:
Originally Posted by adrianlouise
So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating
And so much time advertising and searching for who can provide us hosted tab
Finally due to lack of updates, My community is fucked up.
Thanks kalcor
|
An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.
Re: Connection flood - adri[4]Life - 25.08.2017
Quote:
Originally Posted by dugi
An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.
|
Is there any solution? Firewall became useless
Re: Connection flood -
oMa37 - 25.08.2017
Quote:
Originally Posted by adrianlouise
Is there any solution? Firewall became useless
|
cookielogging 0 in server.cfg got it working for me.
Re: Request connection cookie flood -
denNorske - 25.08.2017
Quote:
Originally Posted by [HLF]Southclaw
The masterlist 2.0 server is showing about 50% of the servers refusing queries so I've lowered the request time to a 3 minute period just to ease the load a bit (at first I was worried the service scaled to more nodes and was inadvertently DDoSing the entire community!)
For more mitigation methods, take a look at rate limiting UDP packets - it's not so common as TCP as it's usually used in the microservices/API scenarios but iptables and hardware firewalls should support it.
|
What could a useable limit be in this case?
The rates are around 100 per second, which is not that much, but still problematic.
Re: Connection flood - adri[4]Life - 25.08.2017
Quote:
Originally Posted by oMa37
cookielogging 0 in server.cfg got it working for me.
|
All it does is stop spamming the requests in server log, My server still appears offline
Re: Request connection cookie flood -
blackgangs - 25.08.2017
Looks like they changed the ip we can't block it anymore
Re: Connection flood -
Mark™ - 25.08.2017
You need DDoS mitigating hardware at the server end which analyzes and filters network traffic, otherwise there's hardly anything you can do about it.
Re: Connection flood -
Morpheus1992 - 25.08.2017
Quote:
Originally Posted by dugi
An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.
|
Ofc an Update would fix this, a new Callback or a new Config Var to limit the queries per player at query info and then with exec plugin ban with iptables would fix this for everyone
Re: Connection flood -
Dance94 - 25.08.2017
I don't understand why they continue with the same stupidity of block ip's in the firewall if everyone is aware that those ip's are false and the attacker can replace them with other false, this problem is not kalcor it's yours.
Kalcor cannot manage the security of your virtual server where you have stayed your server sa-mp.
Sorry if i don't understand, my native language is spanish
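Added example (not part of any post in this thread, and not SA-MP code): a small simulation of why a per-IP block or rate limit, as asked about and disputed above, does not bite when every flood packet carries a new spoofed source, while a stateless connection cookie keeps the server from allocating state for those packets. The cookie is a generic HMAC challenge in the style of SYN cookies; SA-MP's own cookie format is not shown on this page and is not assumed, and the secret, the addresses and the 30-second run at the 100 packets per second mentioned above are constructed inputs.

```python
import hashlib
import hmac
import ipaddress
import random

SECRET = b"constructed-demo-secret"  # constructed; a real server would use random bytes

def cookie(ip, port):
    """Stateless challenge: keyed hash of the claimed source; the server stores nothing."""
    return hmac.new(SECRET, f"{ip}:{port}".encode(), hashlib.sha256).digest()[:4]

def verify(ip, port, echoed):
    """Recompute the cookie from the packet's source and compare in constant time."""
    return hmac.compare_digest(cookie(ip, port), echoed)

class PerSourceLimiter:
    """Per-IP packet budget: the model behind blocklists and 'limit repeating IPs'."""
    def __init__(self, budget):
        self.budget = budget
        self.counts = {}  # one entry per source ever seen

    def allow(self, ip):
        self.counts[ip] = self.counts.get(ip, 0) + 1
        return self.counts[ip] <= self.budget

def simulate(flood_pps=100, seconds=30, seed=1):
    """Return (flood packets passed by limiter, limiter table size, sessions created)."""
    rng = random.Random(seed)
    limiter = PerSourceLimiter(budget=5)
    passed = 0
    sessions = set()  # state allocated only after a valid cookie echo
    for i in range(flood_pps * seconds):
        # Constructed spoofed source inside 180.0.0.0/8: a new address for every packet.
        ip = str(ipaddress.IPv4Address((180 << 24) + i * 4099))
        port = rng.randrange(1024, 65536)
        if limiter.allow(ip):
            passed += 1
        # The challenge reply goes to the spoofed address, so the sender can only guess.
        guess = rng.getrandbits(32).to_bytes(4, "big")
        if verify(ip, port, guess):
            sessions.add((ip, port))
    # A real player (documentation address) receives the challenge and echoes it.
    player = ("203.0.113.10", 50000)
    echoed = cookie(*player)
    if verify(*player, echoed):
        sessions.add(player)
    return passed, len(limiter.counts), sessions

if __name__ == "__main__":
    passed, table, sessions = simulate()
    print(f"flood packets passed by per-IP limit: {passed}")
    print(f"limiter table entries: {table}")
    print(f"sessions created: {sorted(sessions)}")
```

Every flood packet passes the per-IP budget and adds a table entry, while only the player who can actually receive the challenge ends up with a session. The flood still costs bandwidth and one hash per packet, which is the part that needs filtering upstream of the server.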
Re: Re: Connection flood - adri[4]Life - 25.08.2017
Quote:
Originally Posted by Dance94
I don't understand why they continue with the same stupidity of block ip's in the firewall if everyone is aware that those ip's are false and the attacker can replace them with other false, this problem is not kalcor it's yours.
Kalcor cannot manage the security of your virtual server where you have stayed your server sa-mp.
Sorry if i don't understand, my native language is spanish
|
The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?
Re: Connection flood -
RDM - 25.08.2017
It is kalcor's obligation to launch a new update the vulnerability is layer 7 and it has been reported for more than 1 year!
I am afraid that it is necessary to change the way of authentication of the samp, it is very simple to falsify packages!
It is impossible to block such attacks via firewall, since the packets are identical to those of the clients! Impossible in the right way respecting good practices, and not blocking any legitimate customer!
I spent 5 hours analyzing the traffic of this attack!
The attack is totally spoofed, the ips never repeat !!!!
Do not try to block the ips that flood, adding them to a blacklist, the amount of ips is giant, if you make your memory / cpu will run out quickly,