Connection flood

Quote:
Originally Posted by fr0stG
Посмотреть сообщение
I believe CentOS 6.x+ started enabling SYN cookies by default. This is a fresh CentOS 7 minimal install and it has it on already:
PHP код:
[root@ce5 sysctl.d]# sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies 
Not sure about other distros like Ubuntu, they'll probably have it disabled still.
Im recently upgraded to Debian Stretch - last thuesday, where my server was attacked the first time.

Default sysctl.conf:

Код:
net.ipv4.tcp_syncookies=1
its enabled

Im working around with all possible things to mitigate this, i have tested the firewall rules posted here - it works but after few time the server connection is timed out, CPU usage varies between 100 and 102%(wtf?), and
the same result i have with the plugin posted by Ubi.

Im reading and testing around Suricata, BindGuard, Nftables(Debian 9 new Firewall), im not a security expert,
but perhaps there is a solution?

I will append here my sysctl for any study purposes.

I'm still under attack.

Best Regards
Reply

Guy above, change your server port temporarily, that's the only solution for now.
Reply

Quote:
Originally Posted by iLearner
Посмотреть сообщение
Guy above, change your server port temporarily, that's the only solution for now.
If you pay more attention for that what ppl write, you had not written that now, because I have already reported few days ago that I have my server also run on other ports, and that brings purely nothing.
Reply

Quote:
Originally Posted by PrettyDiamond
Посмотреть сообщение
If you pay more attention for that what ppl write, you had not written that now, because I have already reported few days ago that I have my server also run on other ports, and that brings purely nothing.
I can confirm this - changing ports doesn't work for everyone
Reply

This can be a "solution" for someone. Blocks all countries excepts the country where your players are.

GeoIP Installation
Код:
apt-get install xtables-addons-common
mkdir /usr/share/xt_geoip
cd /usr/share/xt_geoip
apt-get install libtext-csv-xs-perl unzip
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
Rules (this example will only accept connections from Spain and Chile)
Код:
#Reset FW
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#FW
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s YOUR_IP_HERE -j ACCEPT

iptables -A INPUT -m geoip --src-cc ES -j ACCEPT
iptables -A INPUT -m geoip --src-cc CL -j ACCEPT


iptables -P INPUT DROP
Reply

Quote:
Originally Posted by PrettyDiamond
Посмотреть сообщение
Im recently upgraded to Debian Stretch - last thuesday, where my server was attacked the first time.

Default sysctl.conf:

Код:
net.ipv4.tcp_syncookies=1
its enabled

Im working around with all possible things to mitigate this, i have tested the firewall rules posted here - it works but after few time the server connection is timed out, CPU usage varies between 100 and 102%(wtf?), and
the same result i have with the plugin posted by Ubi.

Im reading and testing around Suricata, BindGuard, Nftables(Debian 9 new Firewall), im not a security expert,
but perhaps there is a solution?

I will append here my sysctl for any study purposes.

I'm still under attack.

Best Regards
problem solved ! The firewall only worked for a specific ip!

Now the firewall works for all servers that use port 7777

Thanks for: JernejL Beta Tester

test Please: http://forum.sa-mp.com/showthread.ph...28#post3919228
Reply

If you use NFO servers, this works:

Change your server port (yes, I know this sucks.)

Then go to your ACP on NFO's site, go to the "firewall" page and block all incoming to the port :7777.
Should look like this:
https://puu.sh/xmwIh/c9d9d974db.png

Press save, and it should update within seconds.


If you're using any other Windows Server:
If you're having problems with Windows servers, you can block connections to the :7777 port, or any other port in the firewall settings.

Just go to "Windows Firewall with Advanced Security", go to "Inbound Rules", top right corner, "New Rule"
Then specify "port", press next, choose UDP, and write in the port you want to block, and press next, and chose the "block all connections" option at the bottom.

Start the server on a new port, and advertise it to your players on your forums or w.e. - and you'll have no lag and no problems.


This should remove all the lag, the incoming connections are causing.

What can I say, except you're welcome.
Reply

The attacker has just changed the IP Now it's affecting the whole hosted-tab servers, There are only 60 servers showing in hosted-tab right now.
EDIT: servers from hosted-tab are disappearing when you don't join any server what the hell is going?
SA-MP Client is crashing!!! This might be somekind of exploit of the samp client and not DDoS some weird shits happening to client right now.
Reply

Quote:
Originally Posted by blackgangs
Посмотреть сообщение
The attacker has just changed the IP Now it's affecting the whole hosted-tab servers, There are only 60 servers showing in hosted-tab right now.
EDIT: servers from hosted-tab are disappearing when you don't join any server what the hell is going?
SA-MP Client is crashing!!! This might be somekind of exploit of the samp client and not DDoS some weird shits happening to client right now.
No this is not client exploration!

The client sends the packets but they are not answered! This is due to the fact that the network is totally conquested by the servers!
Reply

The attacker is so fucking sick, His objective is to destroy SA-MP It's been 6 days, But we're still being attacked.
Reply

About "servers from hosted-tab are disappearing": Someone is sniffing the hosted tab and using it to spoof fake packets back to the SA-MP client.

Original response: https://image.prntscr.com/image/52r5...TZ4SZAcQww.png
Fake response: https://image.prntscr.com/image/ZDEw...2KwvVkWD3Q.png

(I think*) This is possible because the SA-MP Client are sending queries to all servers with the same source-port, maybe a client update can help us with this problem, or just remove the sniff server from hosted-tab.
I didn't read the sv-spoof script already, but I'll do soon.



About the query and cookies attack, it's not a new attack, we received it in 0.3z and now again on 0.3.7. I don't see big problems to block it. My services are stable and users can query it as well. I see servers being attacked with query packets since 0.3a.
Reply

Quote:
Originally Posted by connork
Посмотреть сообщение
About "servers from hosted-tab are disappearing": Someone is sniffing the hosted tab and using it to spoof fake packets back to the SA-MP client.

Original response: https://image.prntscr.com/image/52r5...TZ4SZAcQww.png
Fake response: https://image.prntscr.com/image/ZDEw...2KwvVkWD3Q.png

(I think*) This is possible because the SA-MP Client are sending queries to all servers with the same source-port, maybe a client update can help us with this problem, or just remove the sniff server from hosted-tab.
I didn't read the sv-spoof script already, but I'll do soon.



About the query and cookies attack, it's not a new attack, we received it in 0.3z and now again on 0.3.7. I don't see big problems to block it. My services are stable and users can query it as well. I see servers being attacked with query packets since 0.3a.
I do not understand how the servers are falling!
My network is stable

I disabled my hardware firewall rules, and tested the iptables script I developed link: https://sampforum.blast.hk/showthread.php?tid=639962

And the script is enough to block the attack! Although I have to consider that the ovh drop a part of the attack!


Do what you can to help others, but it seems their problem is that the attack is flooding the network of servers! This way iptables can not help!
Reply

First of all the reason why half the Hosted List is down is not because "the Hosted List is being attacked by some impossible futuristic attack". It's down because the servers in it are receiving so much requests, that when YOU download the hosted list and query all the servers, most of them can't respond soon enough so they are considered down. They can't answer soon enough because they have a immense queue of request to answer first before yours (That's a DDOS basically). When the server is down it's not shown in your list and not counted. So it says 150-200 servers instead of 360.

I just wanted to clarify that, because people seemed to think that some Main SAMP server that was working with the Hosted List has been compromised for the first time. That is not the case, the Hosted Tab List is not attacked, only servers in it.

Thank you,
rt-2
Reply

Quote:
Originally Posted by Ubi
Посмотреть сообщение
Please don't combine regular volumetric DDoS attacks with connection flood (cookie) and query flood in this thread.



It's up to you. I understand your fears.



I don't think they will do anything like that, but if someone from beta team is ready to recompile it, then I can provide him source. This plugin is very simple, but it affects internal SA-MP code. I don't want to ruin Kalcor's work by removing his limit and publishing source to everyone.. This can lead to massive attack bounces and self-ddoses.



This code is not for windows. You can't just "recompile" it. It should be ported first.

===================
As promised. I've finished Windows version. Again.. Please read README.txt.
http://ubi.livs.pl/samp/samp_prot_ver2.zip
Tested on:
Linux Debian 8 - SAMP 0.3.7-R2-1
Windows 10 Pro 64bit - SAMP 0.3.7-R2-1-1

Enjoy. That's all.
There seem to be a CPU leak in this
Thank you,
rt-2
Reply

Is it possible to block incoming port range from 1 to 49152?
Reply

Quote:
Originally Posted by shourya
Посмотреть сообщение
Is it possible to block incoming port range from 1 to 49152?
Yeah sure, then you wouldn't be able to ssh into your server and it would be completely offline!
Reply

Quote:
Originally Posted by [HLF]Southclaw
Посмотреть сообщение
Yeah sure, then you wouldn't be able to ssh into your server and it would be completely offline!
lmao cracked me up.

Anyone came up with a way to block this?
Reply

Quote:
Originally Posted by [HLF]Southclaw
Посмотреть сообщение
Yeah sure, then you wouldn't be able to ssh into your server and it would be completely offline!
Any solution?
Reply

Quote:
Originally Posted by rt-2
Посмотреть сообщение
There seem to be a CPU leak in this
Thank you,
rt-2
It's not CPU leak. Please read README. Responding to each packet (without limits) may increase CPU usage. Someone released plugin which disables query limit and redirects it to special callback (I wouldn't recommend this, due to AMX low performance) so I'm going to pack and release the source soon.
Reply

Quote:
Originally Posted by Ubi
Посмотреть сообщение
It's not CPU leak. Please read README. Responding to each packet (without limits) may increase CPU usage. Someone released plugin which disables query limit and redirects it to special callback (I wouldn't recommend this, due to AMX low performance) so I'm going to pack and release the source soon.
There is a CPU leak but it is not only your plugin, Honestly if you keep perfmon.exe (Performance Monitor) opened, there will be an increase in CPU usage over days (since this plugin).
So the problem is not really in your plugin, but once in use, perfmon should be closed. My cpu is normally at 10-20% ax, at first it was at 30% all the time and after 3-4 days was at 50-60% continuously, closing perfmon fixed the issue instantly.
Reply


Forum Jump:


Users browsing this thread: 11 Guest(s)