Firewall Cookie Flood Connection
#21

Let me step in and explain a few things going on here.

--hex-string '|081e77da|

This is a match on port 7777's packet for cookie request, this will work well for all servers that are on port 7777, other servers need to adjust this.

--hex-string '|53414d50a772c94a611e63|'
--hex-string '|53414d50a772c94a611e72|'
--hex-string '|53414d50a772c94a611e69|'

This is actually the SAMP query packet match:

https://sampwiki.blast.hk/wiki/Query_Mechanism

EVERYONE will need to make changes on this:

53414d50 "SAMP"
a772c94a server ip (YOUR bind'd server ip)
611e <- PORT
63 / 72 / 69 - matches various query packets.

You can get your proper packet by running tcpdump -t -n -v -XX -i eth1 udp dst port 7777 and '(udp[8:4]=0x53414d50)' (change port to proper port and eth1 to your real ethernet interface in use)



Yellow: "SAMP" text
RED: Server IP
Green: port

adjust the .sh file of RDM accordingly and only then use this.

More efficient filtering could be done, instead of hex-string match at any position you can adapt this to use u32 fast byte match, sure u32 causes brains to rot when you use it, but will work better, especially in vps's:

Examples (DO NOT ADD THIS TO YOUR IPTABLES, THIS IS JUST AN EXAMPLE):
Match SAMP udp packets:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50" -j DROP

Match samp R rules packet
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x72" -j DROP
match other two query packet types:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x63" -j DROP
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x69" -j DROP
Reply
#22

Quote:
Originally Posted by JernejL
View Post
Let me step in and explain a few things going on here.

--hex-string '|081e77da|

This is a match on port 7777's packet for cookie request, this will work well for all servers that are on port 7777, other servers need to adjust this.

--hex-string '|53414d50a772c94a611e63|'
--hex-string '|53414d50a772c94a611e72|'
--hex-string '|53414d50a772c94a611e69|'

This is actually the SAMP query packet match:

https://sampwiki.blast.hk/wiki/Query_Mechanism

EVERYONE will need to make changes on this:

53414d50 "SAMP"
a772c94a server ip (YOUR bind'd server ip)
611e <- PORT
63 / 72 / 69 - matches various query packets.

You can get your proper packet by running tcpdump -t -n -v -XX -i eth1 udp dst port 7777 and '(udp[8:4]=0x53414d50)' (change port to proper port and eth1 to your real ethernet interface in use)



Yellow: "SAMP" text
RED: Server IP
Green: port

adjust the .sh file of RDM accordingly and only then use this.

More efficient filtering could be done, instead of hex-string match at any position you can adapt this to use u32 fast byte match, sure u32 causes brains to rot when you use it, but will work better, especially in vps's:

Examples (DO NOT ADD THIS TO YOUR IPTABLES, THIS IS JUST AN EXAMPLE):
Match SAMP udp packets:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50" -j DROP

Match samp R rules packet
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x72" -j DROP
match other two query packet types:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x63" -j DROP
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x69" -j DROP
Did not know that querys packages are changed by ip! Thank you very much!
Problem Solved ! Firewall running for all sA: mp servers that use port 7777

I'm sorry for the mistake ! I'm so sorry !
Reply
#23

Quote:
Originally Posted by adri1
View Post
not working for me
I just did the correction! Make sure it works for you now
Reply
#24

My Server is closed now, but i will check, thanks you
Reply
#25

Still not working for me.
Reply
#26

Quote:
Originally Posted by Peek
View Post
Still not working for me.
What ip of your server?
Reply
#27

63 69 72 are the codes for the digits after 611e I guess. (because Jernal posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Reply
#28

Quote:
Originally Posted by Kaperstone
View Post
63 69 72 are the codes for the digits after 611e I guess. (because Jernal posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Yes 00 can be ignored!
7065 ?
Are you sure this is a package query?

I believe it's the answer from the server to the query!

I changed the script now works for all servers running on port 7777!

If your server runs in another port you can send me a Pm! I'll help you!
Reply
#29

Quote:
Originally Posted by RDM
View Post
Yes 00 can be ignored!
7065 ?
Are you sure this is a package query?

I believe it's the answer from the server to the query!

I changed the script now works for all servers running on port 7777!

If your server runs in another port you can send me a Pm! I'll help you!
yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that its not 6300 but 7063

EDIT: @RDM I can send the full dump if needed.
Reply
#30

Quote:
Originally Posted by Kaperstone
View Post
yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that its not 6300 but 7063

EDIT: @RDM I can send the full dump if needed.
send me
Reply
#31

You should to go to your folder /lib/modules/....and look here the real filename for this file where you have xxxx and change it to the correct module name
Reply
#32

Quote:
Originally Posted by PrettyDiamond
View Post
You should to go to your folder /lib/modules/....and look here the real filename for this file where you have xxxx and change it to the correct module name
It was actually more complicated than that.. at some point I half-ass upgraded the linux kernel, but still had grub thinking it was the old one.. Thankfully got it all settled without having to reformat *phew*

Thanks for the help
Reply
#33

Quote:
Originally Posted by Chaprnks
View Post
It was actually more complicated than that.. at some point I half-ass upgraded the linux kernel, but still had grub thinking it was the old one.. Thankfully got it all settled without having to reformat *phew*

Thanks for the help
Im in same Boat as you my friend....my Debian was unmounted at all....and im still at Null Progress by all. My IP still flooded, my server still offline. I was thinking about change it to Windows, because @iLearner SV looks are working, but sometimes it is offline too, idk if he fixed at all the flood problem. IDK what more i can do, but i will search out, until i find the way to run my server again. Its funny, if i start it, in same minute some old players join it, then i look at SV CPU usage, goes to 100%, ping get high, packet loss, and finally timeout for all. So sad...nothing helps for me, i used the last Update from Kalcor, iptables rules, nothing works for me?
Reply
#34

Well, your host is probably very bad. Get a decent one.

Either a game server from http://samp4you.com (which is working properly against any attacks) or a VPS.
Reply
#35

Quote:
Originally Posted by PrettyDiamond
View Post
LoL...i'm my own host...pls dont come here and talk shit...you mean really ppl are so stupid and cannt distinguish between what is a good or bad host? After running a server free of problems, over years?

Why God some ppl here never read with attention then, after that think, then count some sheeps(like 100), then write!?
Then you don't know shit about how to manage your server. Think before talking.
Reply
#36

Quote:
Originally Posted by PrettyDiamond
View Post
Im in same Boat as you my friend....my Debian was unmounted at all....and im still at Null Progress by all. My IP still flooded, my server still offline. I was thinking about change it to Windows, because @iLearner SV looks are working, but sometimes it is offline too, idk if he fixed at all the flood problem. IDK what more i can do, but i will search out, until i find the way to run my server again. Its funny, if i start it, in same minute some old players join it, then i look at SV CPU usage, goes to 100%, ping get high, packet loss, and finally timeout for all. So sad...nothing helps for me, i used the last Update from Kalcor, iptables rules, nothing works for me?
As I mentioned the firewall works will drop 90% of the malicious packages!
but for being a software alternative, if the attack is greater than the amount of mbps available on your vps / dedicated server, the firewall will not help unfortunately,
and the same goes for the hardware, cpu and ram!

I recommend hiring a dedicated game on ovh, or hiring a vps from companies that sell. !

I have several Dedicated on ovh, the firewall game seems to support well, and would be the cheapest solution for now.


since hiring a dedicated and a hardware firewall apart in the ovh is much more expensive than a dedicated server game.


about 10 servers in my network suffer from such attacks and none went offline since the beginning of this attack!
Reply
#37

Yeah... bumping topics.

Few guys asked to me how to update "samp_prot" plugin, actually is quite easy.

Look at this Pseudo code generated by IDA Pro:

Code:
char __stdcall Load(int (__cdecl **a1)(_DWORD))
{
  int v1; // eax
  DWORD flOldProtect; // [esp+0h] [ebp-8h]

  dword_10012164 = *a1;
  dword_10012164("### samp_prot by Ubinoob loaded (ver 2)");
  dword_10012164("### Professional game hosting: https://LiveServer.pl");
  v1 = strcmp((const char *)0x4B5508, "0.3.7-R2");
  if ( v1 )
    v1 = -(v1 < 0) | 1;
  if ( v1 )
  {
    dword_10012164("### Invalid server version. Please install 0.3.7-R2-1 (linux) 0.3.7-R2-1-1 (windows).");
  }
  else
  {
    VirtualProtect((LPVOID)0x497CC8, 1u, 0x40u, &flOldProtect);
    VirtualProtect((LPVOID)0x497C74, 1u, 0x40u, &flOldProtect);
    dword_10012164("### Memory segments unprotected");
    MEMORY[0x497CC8] = -1869574000;  // unk1 ---> i query limit
    MEMORY[0x497CCC] = -28528;          // unk2 ---> +04
    MEMORY[0x497C74] = -1869574000;  // unk3 ---> p query limit
    MEMORY[0x497C78] = -28528;          // unk4 ---> +04
    dword_10012164("### Query system patched");
    MEMORY[0x4E58B8] = 0; // same as "cookielogging 0"
    dword_10012164("### Cookie logging disabled");
    MEMORY[0x4F5FD4] = 0; // same as "logqueries 0"
    dword_10012164("### Query logging disabled");
  }
  return 1;
}
We need to update all memory addresses being readed/writed. It can be easily done with IDA Pro or Cheat Engine (yeah, the old-known cheat engine).

Some signatures/patterns for Windows ONLY at the moment:

Code:
unk1		0F 85 80 06 00 00 8B 0D BC 5F 4F 00 68 08 97 4B 00 E8 ?? 37 FF FF 89 44
unk2		00 00 8B 0D BC 5F 4F 00 68 ?? ?? 4B 00 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
unk3		0F 85 D4 06 00 00 83 FF 0F 0F 85 CB 06 00 00 6A 10 68 08 5D 51 00 50 8B
unk4		00 00 83 FF 0F 0F 85 CB 06 00 00 6A 10 68 08 5D 51 00 50 8B 44 24 54 57
Some convars such as cookielogging and logqueries can be searched easily with cheat engine (cookielogging 100, and search for 100, cookielogging 999 and search for 999, and so on). Do ur homework
Reply


Forum Jump:


Users browsing this thread: 7 Guest(s)