SA-MP Forums Archive
DOS/DDOS-like attack but only for SAMP server?

Source: SA-MP Forums Archive (https://sampforum.blast.hk), forum SA-MP Server > Server Support, thread /showthread.php?tid=364335



DOS/DDOS-like attack but only for SAMP server? - Westingham - 30.07.2012

Has anybody had any experience with a DOS/DDOS-like attack that only affects a SAMP server?

Currently we host SAMP, Minecraft and TeamSpeak servers. Occasionally we'll get hit with an attack that makes everything inaccessible for 5-10 minutes while our firewall adapts, but you can tell it's happening because absolutely everything is unavailable.

This current attack, however, doesn't affect anything but our SAMP server. Anybody trying to connect to it receives a message stating the SAMP server didn't respond and anybody online at the time of the attack is kicked out and receives a message stating that SAMP server is restarting. Meanwhile, TeamSpeak and Minecraft continue merrily along.

Any time I restart the SAMP server and watch the server list in the SAMP client, I can see the ping instantly shoot through the roof and then the SAMP server stops responding.

I don't see anything in the log files and there are no connections coming through to reveal an IP address that I could potentially block.

My guess here is that somebody is using some sort of program or tool that opens thousands of connections to the SAMP server that never get past the first part of the handshake. This keeps any potential valid player connections from getting through and it also causes the SAMP server to freak out and restart.

If anybody has any advice or suggestions, I would greatly appreciate them.


Re: DOS/DDOS-like attack but only for SAMP server? - Silentfood - 30.07.2012

I've not had a good reputation with you, but I'll try and help out.

If you're running on Windows Server 2008, you should be able to enable network logging and view it through the Event Logs; make sure you're logging the correct network adapter that your server is using for SA:MP.
If you're running on Linux, you can netstat for current connections.

Both logging methods will show connections to the adapter, even if it's not going through the handshake with the server application.

If you're able to get into the server's window, try doing some basic RCON commands to see if the process is hanging or it's a network attack. It's most likely not to be a DDoS/DoS attack if only one process is hanging, though it could be many connections that don't cause network load but act as fake connected players.

If that's the case, there are many includes you can put into a filterscript or gamemode to stop any "incoming connection" attacks, but I'm afraid I'm unable to find a link to a thread.

If nothing works, contact the datacenter/host for a complete network log list from a time range and they'll happily try and grab one from a junction network adapter.


Re: DOS/DDOS-like attack but only for SAMP server? - CrossUSAAF - 30.07.2012

Hello!

Do you know the DDOS attack's memory transfers? If it's 1 GB or more, it's a strong attack. You should contact your host provider if you are hosting somewhere and you think it's DDOS. If you are running all these services on one VPS or computer, then I understand your problems.

I hope you get it all working again!

Thank you.


Re: DOS/DDOS-like attack but only for SAMP server? - Akira297 - 31.07.2012

People DDoS SA:MP servers because they never got what they wanted, or the owners banned them for some reason and the player is too upset to do anything (i.e. post a ban appeal), so they decide to attack the server so other player(s) don't have fun either. That is just my opinion.


Re: DOS/DDOS-like attack but only for SAMP server? - Westingham - 31.07.2012

Quote, originally posted by Silentfood:
I've not had a good reputation with you, but I'll try and help out.

If you're running on Windows Server 2008, you should be able to enable network logging and view it through the Event Logs; make sure you're logging the correct network adapter that your server is using for SA:MP.
If you're running on Linux, you can netstat for current connections.

Both logging methods will show connections to the adapter, even if it's not going through the handshake with the server application.

If you're able to get into the server's window, try doing some basic RCON commands to see if the process is hanging or it's a network attack. It's most likely not to be a DDoS/DoS attack if only one process is hanging, though it could be many connections that don't cause network load but act as fake connected players.

If that's the case, there are many includes you can put into a filterscript or gamemode to stop any "incoming connection" attacks, but I'm afraid I'm unable to find a link to a thread.

If nothing works, contact the datacenter/host for a complete network log list from a time range and they'll happily try and grab one from a junction network adapter.

Some very useful information in here, thank you.

After doing some analysis of our incoming traffic (thank you Network Monitor), I've discovered what's happening. The person who is attacking us is using a tool to send UDP requests to COD4 servers around the world but with our IP address spoofed as the originating address. All the COD4 servers are quite happy to help with "our" request and send us much larger UDP packets in return.

You can find information on the attack here: http://web.archiveorange.com/archive...2mZz2Fdi4cdw7B

This sort of thing is going to be quite difficult to beat. You could attempt to block every COD4 server that is sending you information, but there's something like 7000+ COD4 servers out on the internet and they usually have high capacity internet links. Packet inspection would work, dropping anything that's headed to your SAMP server with the phrase "punkbuster" or "statusResponse" in it, but if you're doing that on the actual hardware the SAMP server resides on, it's already too late. The filtering or inspection is going to have to happen at the host level somewhere.

Short of changing the port of our SAMP server, and changing it again when the attacker finds out, there's not a lot to do right now. I don't think any filterscripts or any scripting of any sort, for that matter, is going to help, because the attacking connections never get into the SAMP server itself.
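Detection logic for the reflection pattern Westingham describes, as an added example that is not from the thread or from SA-MP: it scans packet records for replies bound for the SA-MP port that carry the COD4 markers he names ("statusResponse", "punkbuster") and flags the case where they arrive from many distinct sources the server never queried. The SA-MP port 7777, the COD4 source port 28960 and all addresses in the sample records are assumptions constructed for the example; a real deployment would feed records from a capture.

```python
from collections import defaultdict

SAMP_PORT = 7777  # assumed SA-MP listen port (not stated in the thread)
# Payload strings the thread names as signatures of reflected COD4 replies.
REFLECT_MARKERS = (b"statusResponse", b"punkbuster")

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, udp_len, payload_prefix).
# Four replies from three distinct "COD4 servers" (28960 assumed as their port),
# one real SA-MP query, and one packet to an unrelated port on the same host.
SAMPLE = [
    ("198.51.100.10", 28960, "203.0.113.5", SAMP_PORT, 1350, b"\xff\xff\xff\xffstatusResponse\n"),
    ("198.51.100.77", 28960, "203.0.113.5", SAMP_PORT, 1290, b"\xff\xff\xff\xffstatusResponse\n"),
    ("192.0.2.200",   28960, "203.0.113.5", SAMP_PORT, 1410, b"\xff\xff\xff\xffstatusResponse\n"),
    ("198.51.100.10", 28960, "203.0.113.5", SAMP_PORT, 1350, b"\xff\xff\xff\xffstatusResponse\n"),
    ("192.0.2.44",    51234, "203.0.113.5", SAMP_PORT, 11,   b"SAMP\xcb\x00\x71\x05\x61\x1ei"),
    ("192.0.2.44",    51235, "203.0.113.5", 9987,      60,   b"TS3INIT1"),
]


def is_reflected(pkt):
    """True when a packet bound for the SA-MP port carries a COD4 reply marker."""
    _, _, _, dst_port, _, payload = pkt
    return dst_port == SAMP_PORT and any(m in payload for m in REFLECT_MARKERS)


def reflection_report(packets, min_reflectors=3):
    """Summarise reflected traffic per source and flag the many-reflectors pattern.

    A single spoofing attacker shows up as many unrelated source IPs all
    delivering the same kind of reply to one port, which is what this counts.
    """
    per_src = defaultdict(lambda: [0, 0])  # src_ip -> [packets, bytes]
    for pkt in packets:
        if is_reflected(pkt):
            per_src[pkt[0]][0] += 1
            per_src[pkt[0]][1] += pkt[4]
    return {
        "reflectors": len(per_src),
        "packets": sum(p for p, _ in per_src.values()),
        "bytes": sum(b for _, b in per_src.values()),
        "top_sources": sorted(per_src, key=lambda ip: per_src[ip][1], reverse=True)[:5],
        "alert": len(per_src) >= min_reflectors,
    }


if __name__ == "__main__":
    print(reflection_report(SAMPLE))
```

As the post notes, matching on the host itself is too late once the link is saturated; the same marker match belongs on an upstream filter (for example the string-match module of iptables, where the host offers it).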