DOS/DDOS-like attack but only for SAMP server?
#5

Quote:
Originally Posted by Silentfood
I've not had a good reputation with you, but I'll try and help out.

If you're running on Windows Server 2008, you should be able to enable network logging and view it through the Event Logs, make sure you're logging the correct network adapter that your server is using for SA:MP.
If you're running on Linux, you can netstat for current connections.

Both logging methods will show connections to the adapter, even if it's not going through the handshake with the server application.

If you're able to get into the server's window, try doing some basic RCON commands to see if the process is hanging or it's a network attack. It's most likely not a DDoS/DoS attack if only one process is hanging, though it could be many connections that don't cause network load but act as fake connected players.

If that's the case, there are many includes you can put into a filterscript or gamemode to stop any "incoming connection" attacks, but I'm afraid I'm unable to find a link to a thread.

If nothing works, contact the datacenter/host for a complete network log list from a time range and they'll happily try and grab one from a junction network adapter.
Some very useful information in here, thank you.

After doing some analysis of our incoming traffic (thank you Network Monitor), I've discovered what's happening. The person who is attacking us is using a tool to send UDP requests to COD4 servers around the world but with our IP address spoofed as the originating address. All the COD4 servers are quite happy to help with "our" request and send us much larger UDP packets in return.

You can find information on the attack here: http://web.archiveorange.com/archive...2mZz2Fdi4cdw7B

This sort of thing is going to be quite difficult to beat. You could attempt to block every COD4 server that is sending you information, but there's something like 7000+ COD4 servers out on the internet and they usually have high capacity internet links. Packet inspection would work, dropping anything that's headed to your SAMP server with the phrase "punkbuster" or "statusResponse" in it, but if you're doing that on the actual hardware the SAMP server resides on, it's already too late. The filtering or inspection is going to have to happen at the host level somewhere.

Short of changing the port of our SAMP server, and changing it again when the attacker finds out, there's not a lot to do right now. I don't think any filterscripts or any scripting of any sort for that matter is going to help because the attacking connections never get into the SAMP server itself.
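A defender-side illustration of the reflected COD4 traffic described in the post above, added here as an example and not part of the original thread: it classifies inbound UDP datagrams aimed at the SA:MP port as likely reflected game-server replies by the Quake3-engine "connectionless" header plus the "statusResponse"/"punkbuster" strings the post names, and totals them per reflector so the figures can be handed to the host for upstream filtering. The port numbers, the request size behind the amplification estimate and the sample datagrams are assumptions constructed for this example.

```python
from collections import defaultdict

SAMP_PORT = 7777                  # SA:MP default listening port (assumed here)
COD4_PORT = 28960                 # COD4 default server port, used only in sample data
Q3_HEADER = b"\xff\xff\xff\xff"   # "connectionless" header of Quake3-engine packets
REFLECTION_MARKERS = (b"statusresponse", b"punkbuster")  # strings named in the post
# A reflected reply is provoked by a short status query; its size is assumed
ASSUMED_REQUEST_BYTES = len(Q3_HEADER + b"getstatus\n")


def is_reflected_response(dst_port: int, payload: bytes) -> bool:
    """True if a datagram to the SA:MP port looks like a COD4/Quake3 reply."""
    if dst_port != SAMP_PORT or not payload.startswith(Q3_HEADER):
        return False
    body = payload[len(Q3_HEADER):].lower()
    return any(marker in body for marker in REFLECTION_MARKERS)


def summarize(datagrams):
    """Per-reflector packet/byte totals plus an amplification estimate.

    datagrams: iterable of (src_ip, src_port, dst_port, payload) tuples.
    """
    per_source = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src_ip, _src_port, dst_port, payload in datagrams:
        if is_reflected_response(dst_port, payload):
            per_source[src_ip]["packets"] += 1
            per_source[src_ip]["bytes"] += len(payload)
    for stats in per_source.values():   # reply bytes per byte of spoofed request
        stats["amplification"] = round(
            stats["bytes"] / (stats["packets"] * ASSUMED_REQUEST_BYTES), 1)
    return dict(per_source)


# Constructed sample traffic (TEST-NET addresses), not a real capture.
STATUS_REPLY = (Q3_HEADER + b"statusResponse\n\\sv_hostname\\Example COD4"
                b"\\mapname\\mp_crash\\g_gametype\\war\\sv_maxclients\\32\n"
                + b"0 50 \"Player\"\n" * 6)
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", COD4_PORT, SAMP_PORT, STATUS_REPLY),
    ("203.0.113.10", COD4_PORT, SAMP_PORT, STATUS_REPLY),
    ("203.0.113.55", COD4_PORT, SAMP_PORT, Q3_HEADER + b"print\nPunkBuster Server: ..."),
    ("198.51.100.7", 51234, SAMP_PORT, b"SAMP\xc6\x33\x64\x07\x61\x1ei"),  # legit SA:MP query
    ("203.0.113.10", COD4_PORT, 80, STATUS_REPLY),  # not aimed at the SA:MP port, ignored
]

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_DATAGRAMS).items():
        print(ip, stats)
```

Run against a real capture, the per-reflector list is the evidence a host needs to justify a string or port-based drop rule upstream of the game server, where the post notes the filtering actually has to happen.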


Messages In This Thread
DOS/DDOS-like attack but only for SAMP server? - by Westingham - 30.07.2012, 13:28
Re: DOS/DDOS-like attack but only for SAMP server? - by Silentfood - 30.07.2012, 13:50
Re: DOS/DDOS-like attack but only for SAMP server? - by CrossUSAAF - 30.07.2012, 13:51
Re: DOS/DDOS-like attack but only for SAMP server? - by Akira297 - 31.07.2012, 01:01
Re: DOS/DDOS-like attack but only for SAMP server? - by Westingham - 31.07.2012, 02:37
