Firewall Cookie Flood Connection
#1

Hello friends, as promised I'm here!

Protection for the new type of attack described: http://forum.sa-mp.com/showthread.ph...=1#post3919175

The sa:mp authentication system is very simple!

In less than 1 minute any hacker will clone these packets! The hosting companies limited the ability to connect by IP! Now this does not solve it: the attack is spoofed, the attacker uses the IP he wants!

I recommend that Kalcor launch an update with an effective authentication system!

I am willing to test the authentication system if there is an update!


I was able to minimize the situation:
The attacker sends only 1 packet of each query [i, r, c]
and 1 cookie request packet!

How about blocking the first packet of all players with data [i, r, c and cookie data]?
This really works: rejecting the first packets of all clients does not interfere with the connection!

[EDIT]: the attacker changed his attack script! Some improvements had to be made!
When an IP tries to send the packets for 1 second its packets will be blocked, blocking all the first packets of the queries and cookie,
except for query i; in the case of query i I only accept the first packet in the interval of 1 second.

This in theory blocks 90% of malicious packets.


After sending the first packets the client IP will be released and no longer blocked by the firewall!


A spoofed attack is not impossible to block!

All attacks are anomalies, although the packets are the same as the SA-MP client's.

Unfortunately it is not possible to see the effects of the firewall on the same server node,
i.e. the firewall must be placed a node earlier than the SA-MP server.


Example: I own a dedicated server, add iptables rules on this dedicated server, and create a VPS and host my SA-MP server!
In this way it will be possible to see that 90% of the attack is not redirected to the VPS server, that is, it is blocked by iptables!
Update your firewall script!

[EDIT]: SA-MP update
Quote:
Originally Posted by Kalcor
View Post
I've been working on a temporary fix. Anything better than this would require a client/server update, which would take a lot longer to get out to players. I want to be clear again that nothing added to the SA-MP server code can stop network attacks. There's a point where your host will fold from too many packets, no matter whether you're running a SA-MP server, an IRC server, a MUD, linx, a usenet mirror, color terminal, bitchx etc.

Feedback is requested.

Update 0.3.7 R2-2 (testing):

- Changes the query flood control to deal with different query types independently.
- Connection cookie logging is disabled by default.

Downloads (testing):

SA-MP 0.3.7 R2-2 Linux Server: http://files.sa-mp.com/samp037svr_R2-2.tar.gz
SA-MP 0.3.7 R2-2 Windows Server: http://files.sa-mp.com/samp037_svr_R2-2_win32.zip
UBI has developed a plugin that removes query limits.
It can be of great help! Use the link: http://ubi.livs.pl/samp/samp_prot_ver2.zip


Iptables Firewall Script: https://github.com/Edresson/SAMP-Firewall

[UPDATE]: problem solved! The firewall only worked for a specific IP;
now the firewall works for all servers that use port 7777.

Thanks to JernejL, Beta Tester, for reporting the problem!

Download the Firewall.sh file

Run in Linux using: sh Firewall.sh

Sorry about my terrible English.

Original topic: http://forum.sa-mp.com/showthread.ph...37#post3919237
Cordially, BlastHosting, http://www.blasthosting.com.br/
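As an added example (not the Firewall.sh from the repository linked above), here is how the first-packet logic of this post can be written as iptables rules with the xt_recent match; it also raises the ip_list_tot table size that post #13 mentions, because a spoofed flood fills the default 100-entry table in no time. It assumes that the query opcode sits at UDP payload offset 10 behind the "SAMP" magic and that IPv4 headers carry no options; the chain and list names are mine.

```shell
#!/bin/sh
# Added example, not the thread's Firewall.sh: iptables rules implementing the
# first-packet logic from post #1 with the xt_recent ("recent") match.
# Assumptions (not from the thread): query opcode at UDP payload offset 10 behind
# the "SAMP" magic, IPv4 without options (payload at packet offset 28), and the
# chain/list names below.
PORT="${SAMP_PORT:-7777}"
WINDOW="${SAMP_WINDOW:-1}"          # seconds, as in the post
RELEASE="${SAMP_RELEASE:-60}"       # seconds a vetted source stays released
LIST_TOT="${SAMP_LIST_TOT:-65536}"  # xt_recent ip_list_tot (default 100, post #13)

# print the rule set; piped into sh by "apply" (run as root, on the node in front
# of the game server, since the post explains it has no visible effect on the VPS)
samp_fw_rules() {
  cat <<EOF
# xt_recent must be loaded with the larger table BEFORE the first -m recent rule
modprobe xt_recent ip_list_tot=${LIST_TOT}
iptables -N SAMP_FW
iptables -N SAMP_QI
iptables -N SAMP_FIRST
iptables -N SAMP_VET
iptables -A INPUT -p udp --dport ${PORT} -j SAMP_FW
# query 'i' ("SAMP" magic at bytes 28-31, opcode byte at 38): rate-limit it
iptables -A SAMP_FW -m string --algo bm --hex-string '|53414d50|' --from 28 --to 32 -m string --algo bm --string 'i' --from 38 --to 39 -j SAMP_QI
# everything else (r/c queries, cookie request, connect): first-packet rule
iptables -A SAMP_FW -j SAMP_FIRST
# 'i': accept one per source per window, drop repeats inside the window
iptables -A SAMP_QI -m recent --name samp_qi --rcheck --seconds ${WINDOW} -j DROP
iptables -A SAMP_QI -m recent --name samp_qi --set -j ACCEPT
# already released sources pass and keep their entry fresh
iptables -A SAMP_FIRST -m recent --name samp_ok --update --seconds ${RELEASE} -j ACCEPT
# a retry inside the window is what a real client does: release it
iptables -A SAMP_FIRST -m recent --name samp_seen --rcheck --seconds ${WINDOW} -j SAMP_VET
# first packet from an unknown source: remember it and drop it
iptables -A SAMP_FIRST -m recent --name samp_seen --set -j DROP
iptables -A SAMP_VET -m recent --name samp_ok --set -j ACCEPT
EOF
}

# number of iptables commands emitted, for a quick sanity check
samp_fw_rule_count() { samp_fw_rules | grep -c '^iptables'; }

case "${1:-print}" in
  apply) samp_fw_rules | sh ;;
  *)     samp_fw_rules ;;
esac
```

A spoofed flood sends one packet per forged source and never retries, so it never reaches the release rule, while a real client's retransmission within the window gets through.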
#2

Good job buddy! This seems to be amazing. Will test it on my serv!
#3

Quote:
Originally Posted by XeonMaster
View Post
Good job buddy! This seems to be amazing. Will test it on my serv!
I recommend adding the rules in a physical firewall to be fully functional!
Iptables unfortunately has its limitations!

Any problem, send me a PM.
#4

Can you create this also for a Windows server?
#5

I don't think this is going to help much, I just tested it on mine and it's still affecting it, the traffic has switched to all random spoofed source addresses now, unfortunately I don't think we can stop this unless the SA-MP team releases an update.
#6

Quote:
Originally Posted by Sgt.TheDarkness
View Post
I don't think this is going to help much, I just tested it on mine and it's still affecting it, the traffic has switched to all random spoofed source addresses now, unfortunately I don't think we can stop this unless the SA-MP team releases an update.
Hello, this works, malicious traffic is dropped, but if it is only added on a VPS it will not have much effect!

Due to the fact that iptables consumes CPU/RAM!

I recommend you add it in a hardware firewall!
#7

Quote:
Originally Posted by RDM
View Post
Hello, this works, malicious traffic is dropped, but if it is only added on a VPS it will not have much effect!

Due to the fact that iptables consumes CPU/RAM!

I recommend you add it in a physical firewall!
iptables is a software firewall; regardless of whether it's used on a dedicated server or a VPS, it will still have its downsides compared to a hardware firewall, which nobody with a VPS has access to.

This does bite major ass.
#8

Quote:
Originally Posted by Sgt.TheDarkness
View Post
iptables is a software firewall; regardless of whether it's used on a dedicated server or a VPS, it will still have its downsides compared to a hardware firewall, which nobody with a VPS has access to.

This does bite major ass.
That was exactly what I meant!
I added similar rules on my hardware firewall and they work perfectly!

Iptables is very limited.
#9

Not working for me.
#10

Quote:
Originally Posted by adri1
View Post
Not working for me.
Hello, if you add the rules on the VPS or dedicated server that you are using to host your SA-MP server,
it will not work; you should add them on a previous node!

Iptables has many limitations!
Adding them in a hardware firewall blocks 95% of malicious packets!

Use the logic of blocking [Drop] the first packet sent by the client!
#11

Quote:
Originally Posted by RDM
View Post
Hello, if you add the rules on the VPS or dedicated server that you are using to host your SA-MP server,
it will not work; you should add them on a previous node!

Iptables has many limitations!
Adding them in a hardware firewall blocks 95% of malicious packets!

Use the logic of blocking [Drop] the first packet sent by the client!
Check it yourself: 63.251.20.91:7777
VPS with your firewall
#12

Quote:
Originally Posted by adri1
View Post
Check it yourself: 63.251.20.91:7777
VPS with your firewall
It's online but it is falling!!
Because iptables consumes CPU/RAM!
You should not add the rules on the VPS; you should add them on a node before your VPS, even before the packet is directed to your VPS!

If possible, on a hardware firewall.
#13

There's no need for a hardware firewall to defend against an attack as small as this. Just check your xt_recent "ip_list_tot" parameter (default 100) and increase it if you have access to kernel modules.
#14

Quote:
Originally Posted by Ubi
View Post
There's no need for a hardware firewall to defend against an attack as small as this. Just check your xt_recent "ip_list_tot" parameter (default 100) and increase it if you have access to kernel modules.
I just forgot to mention that!

But some still face problems!

Because they have little uplink!
#15

Quote:
Originally Posted by Ubi
View Post
There's no need for a hardware firewall to defend against an attack as small as this. Just check your xt_recent "ip_list_tot" parameter (default 100) and increase it if you have access to kernel modules.
I don't think this is going to solve the issue either; the attack affects the SA-MP server's simple authentication system, you'd need to either block the packets or fix the issue.
#16

So you created a firewall for your own tool? This repository is on your GitHub account, the one you're using to host the "samp firewall" repository.

And:
#17

Quote:
Originally Posted by Jayse
View Post
So you created a firewall for your own tool? This repository is on your GitHub account, the one you're using to host the "samp firewall" repository.

And:

NO! How will you test a firewall without having a tool for it?

To mitigate an attack we have to understand how it works!

I do not have the script they are using, so I did it myself! They asked me to make it available for testing!

This attack is very old; I received the first attack of this type almost 1 year ago!

My servers received this type of attack; I had to create a script to test their protection!

Translation of readme.md:

Simple script developed in Python, exploiting vulnerabilities of version 0.3.7 of SA-MP servers. The script consists of a flood of requests for cookies and connections; the server ends up crashing and falling, and it will not seem online to the players. This fault is still functional in version 0.3.7. This script was developed to test firewalls that aim to stop this exploit; I am not responsible for the misuse of this script! Most of the servers are already protected against this type of attack, so I saw no problem in making it available!

This script was developed when the Fenix Zone was attacking several RP servers!
There was a script that made a similar attack posted on *******; I talk about it here: https://sampforum.blast.hk/showthread.php?tid=628481

However, the script that was on ******* was a virus, in order to catch victims, so I decided to create my own script to test!

My servers were under attack and I had to do something!

So I developed a firewall, but the attacks soon stopped! And I had to test!
So I developed the script to test my firewalls!

The current attack is different from the one used by the Fenix Zone server: the current one is totally spoofed, the old one used a botnet with thousands of bots to make the attack!

The script that I developed has no effect if it is only used from a VPS or dedicated server; it was developed for testing on localhost! It only works if it is spoofed or a botnet is used to perform the attack!
#18

Quote:
Originally Posted by Sgt.TheDarkness
View Post
I don't think this is going to solve the issue either; the attack affects the SA-MP server's simple authentication system, you'd need to either block the packets or fix the issue.
The iptables firewall blocks the packets the attacker sends!

All the first packets of each IP! So it works for this layer 7 attack!
#19

I've written a simple plugin to disable the internal query limit: http://ubi.livs.pl/samp/samp_prot_ver1.zip
Please read the README before use. The "rules" and "players" part of the server browser is still limited due to security factors.
Installation? Just put the file in the "plugins" directory and add it to your config file. Send any feedback in this topic. For now it's only for Linux.

//Edit: Linux&Windows: http://ubi.livs.pl/samp/samp_prot_ver2.zip
//edit: Linux&Windows&source: http://ubi.livs.pl/samp/samp_prot_ver2_s.zip
#20

Quote:
Originally Posted by Ubi
View Post
I've written a simple plugin to disable the internal query limit: http://ubi.livs.pl/samp/samp_prot_ver1.zip
Please read the README before use. The "rules" and "players" part of the server browser is still limited due to security factors.
Installation? Just put the file in the "plugins" directory and add it to your config file. Send any feedback in this topic. For now it's only for Linux.
Very good, friend!
Combining the firewall with your plugin looks great!

Create a topic about your plugin please!
If possible, make the plugin open source!

So nobody doubts the origin of it!

So we help more people.