Massive botnet making a Cookie flood, any help?
#1

Well, I was going to check my server as usual, and I got to see that the query got fucked up, it didin't respond as always. I went and check the server logs, and just seeing the size I knew something funny was happening. A week with 30 playerbase got like 60 megs, and today it made the jump from 100 to 600 mb in less than an hour!

I got to see the server log, it was a massive botnet making cookie floods. What do I mean?:

https://pastebin.com/d3hcnnxS

Tons of "[20:43:24] [connection] [zombie IP] requests connection cookie."

Full server log with all the IP addreses involved in the attack.

http://vps128854.vps.ovh.ca/loga.txt

I don't know how a 3,50 OVH VPS can handle that, heh, but well, it's fucking up the server with lag and I would like someone to help me with this issue, please.
Reply
#2

I just restarted 10 minutes ago and even without the server fully restarting I get the cookie requests flood.

vps128854.vps.ovh.ca/server_log.txt

Time is GMT -4 AFAIK
Reply
#3

I had similar issues before. I found that keeping connection cookies on but disabling logging helps a lot. You can do this by adding/replacing these options in your server.cfg file.

PHP код:
cookielogging 0
conncookies 1 
Reply
#4

Well that does help a lot, but the situation is that this attack is lagging the server. People on the Spanish forums got me a very decent solution that should work, that is dropping with iptables the packets of the attacker, which I found out he was using only specific lenghts. But somehow it doesn't work and the packets get through.
Reply
#5

That is because the requests you're seeing are usually spoofed. They're not actually originating from those IP addresses.

UDP (unlike TCP) does not perform a handshake with the client to verify the source IP is correct. So the IP's you're seeing in the log probably aren't real, so blocking them is ineffective.

UDP spoofing is rare in this age, but possible. Most modern routers and network equipment prevents spoofed UDP packets from being sent out, but dodgy networks/hosting providers (e.g Ecatel) do not perform these checks (atleast last I saw)

Sadly there's no mitigation besides what I've posted above. To add further to the above point, even if you think the IP's aren't spoofed, it's not a good idea to go blocking these. You might unintentionally block a user who got their cookie request backlogged and shows up alongside the malicious requests.
Reply
#6

Just to clarify, I wasn't blocking the IPs but rather blocking the attackers spoofed UDP packets by lenght (he sent 11, 15 and 4 lenght packets) but still the packets still get through.

You did gave me an idea, I will see if activating permanent mitigation in OVH works..
Reply
#7

Would using OnIncomingConnection along with BlockIPAddress stop this for a while? It would mean traffic actually getting through but you'd be disconnecting them.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)