Massive botnet/Spoofed IPs making a Cookie flood, any help? -
Graber - 14.05.2017
Well, I was going to check my server as usual, and I got to see that the query got fucked up, it didin't respond as always. I went and check the server logs, and just seeing the size I knew something funny was happening. A week with 30 playerbase got like 60 megs, and today it made the jump from 100 to 600 mb in less than an hour!
I got to see the server log, it was a massive botnet making cookie floods. What do I mean?:
https://pastebin.com/d3hcnnxS
Tons of "[20:43:24] [connection] [zombie IP] requests connection cookie."
Full server log with all the IP addreses involved in the attack.
http://vps128854.vps.ovh.ca/loga.txt
I don't know how a 3,50 OVH VPS can handle that, heh, but well, it's fucking up the server with lag and I would like someone to help me with this issue, please.
Respuesta: Massive botnet making a Cookie flood, any help? -
Graber - 14.05.2017
I just restarted 10 minutes ago and even without the server fully restarting I get the cookie requests flood.
vps128854.vps.ovh.ca/server_log.txt
Time is GMT -4 AFAIK
Re: Massive botnet making a Cookie flood, any help? -
TommyB - 14.05.2017
I had similar issues before. I found that keeping connection cookies on but disabling logging helps a lot. You can do this by adding/replacing these options in your server.cfg file.
PHP код:
cookielogging 0
conncookies 1
Re: Massive botnet making a Cookie flood, any help? -
Graber - 14.05.2017
Well that does help a lot, but the situation is that this attack is lagging the server. People on the Spanish forums got me a very decent solution that should work, that is dropping with iptables the packets of the attacker, which I found out he was using only specific lenghts. But somehow it doesn't work and the packets get through.
Re: Massive botnet making a Cookie flood, any help? -
TommyB - 14.05.2017
That is because the requests you're seeing are usually spoofed. They're not actually originating from those IP addresses.
UDP (unlike TCP) does not perform a handshake with the client to verify the source IP is correct. So the IP's you're seeing in the log probably aren't real, so blocking them is ineffective.
UDP spoofing is rare in this age, but possible. Most modern routers and network equipment prevents spoofed UDP packets from being sent out, but dodgy networks/hosting providers (e.g Ecatel) do not perform these checks (atleast last I saw)
Sadly there's no mitigation besides what I've posted above. To add further to the above point, even if you think the IP's aren't spoofed, it's not a good idea to go blocking these. You might unintentionally block a user who got their cookie request backlogged and shows up alongside the malicious requests.
Re: Massive botnet making a Cookie flood, any help? -
Graber - 14.05.2017
Just to clarify, I wasn't blocking the IPs but rather blocking the attackers spoofed UDP packets by lenght (he sent 11, 15 and 4 lenght packets) but still the packets still get through.
You did gave me an idea, I will see if activating permanent mitigation in OVH works..
Re: Massive botnet making a Cookie flood, any help? -
DobbysGamertag - 18.05.2017
Would using
OnIncomingConnection along with
BlockIPAddress stop this for a while? It would mean traffic actually getting through but you'd be disconnecting them.