Servers are getting attacked
#1

Hello, what is this?
http://monitor.sacnr.com/server-1799831.html
http://monitor.sacnr.com/server-1807615.html
http://monitor.sacnr.com/server-1808632.html
Even my own server is attacked. Look at the 24h graphs in each server they're all messed up. Players see servers as offline while they're online and I don't understand how to solve this thing.

Edit: This server http://monitor.sacnr.com/server-1809072.html isn't getting attacked while all it's rivals including myself are getting attacked..
Reply
#2

This server needs to get blacklisted.
Reply
#3

Yes, there appears to be a query flood attack targeting all(?) servers. I saw someone made a post about it on the SA:MP forum yesterday, but it was deleted. I can only assume unaffected servers are filtering it in some way.
Reply
#4

I've even see they have bots on the server you shown below. We got some jelaous bastards.
Reply
#5

the server that I play everyday is involved with this unfortunately (ง'̀-'́)ง
Reply
#6

Yeah this seems to be happening quite frequently as of late from what i can tell. Very unfortunate but blockable.
Reply
#7

The masterlist was down some minutes ago.
Reply
#8

Quote:
Originally Posted by ColorHost-Kevin
View Post
Very unfortunate but blockable.
How do you block such a wide range of spoofed ips??
Reply
#9

I've been trying to bait the attacker in to attacking my server, but it seems he is using a static list.

Try setting this in the server.cfg
Code:
sleep 1
Then restart the server. That will increase the speed of the raknet thread, which may help deal with the packet flood.
Reply
#10

Quote:
Originally Posted by Kalcor
View Post
I've been trying to bait the attacker in to attacking my server, but it seems he is using a static list.

Try setting this in the server.cfg
Code:
sleep 1
Then restart the server. That will increase the speed of the raknet thread, which may help deal with the packet flood.
Let me know if you need any furhter logs or so.

Wouldn't lowering the sleep value (assuming it's higher as default) causing the server to send out UDP packets at a higher rate - such as we can see in reflection-attacks? We are basically responding to hosts that never asked for packets.

Idk much about thresholds for host providers, assuming they catch up on this.

EDIT: Readers; enabled the setting in the config; noticeable higher CPU load (+10-15%) but no noticable effect on the querying unfortunately. Combine this with my proxy which I'll release later and hope we can increase the responsiveness.
Reply
#11

First consider don't answer the packets with wrong UDP datagram for query mechanism, I mean the packets with wrong bytes for IP and port, the SA-MP Server responds to every 39-43 packet where is written "SAMP" and the opcode.

A handshake to work with established connection should be cool, but will work properly with previously versions for SA-MP?

Do a database to cache the hosted list servers in a HTTP server, the client can download info from SA-MP lists domain, it's a minor update and can be applied only to the client version. Game-MP already query all servers to get server info, so it's shouldn't be hard to do.

Work to enchant the protection against reflection attacks, maybe use per IP limits, maybe impact the overall resource usage (new cpu thread?).
Reply
#12

These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

But then both the internet list and hosted list load instantly. There's no incentive to buy a hosted listing anymore.

The best I could do right now is make a new server update with a switch to disable the query flood protection. But the better thing is for server owners to find some firewall/iptable rules to block it, so it's not generating more junk traffic on the internet.

We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.
Reply
#13

Steam query was used to amplification attacks, I saw ISPs fully blocking the source port range in some situations.

Quote:
Originally Posted by Kalcor
View Post
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.
Insert in this static list the the cache for server info (opcode I only), it can help in some way. Use last response time to show up the servers according their uptime.

Quote:
Originally Posted by Kalcor
View Post
We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.
Most server owners will keep doing nothing to handle with that attack, just saying "it's a SA-MP fault" when it's not.
Reply
#14

I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."
Reply
#15

There is already a third party solution for cached server lists and clients which can load these type of server lists.
Reply
#16

Quote:
Originally Posted by D1eSeL
View Post
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."
Wow your hosting knows how to use iptables
Reply
#17

Quote:
Originally Posted by connork
View Post
First consider don't answer the packets with wrong UDP datagram for query mechanism, I mean the packets with wrong bytes for IP and port, the SA-MP Server responds to every 39-43 packet where is written "SAMP" and the opcode.
the port is confirmed to be random in the payload, part of the announcement when R2 came out.
(https://sampforum.blast.hk/showthread.php?tid=642085)

What do you mean by 39-43 here?
Four first bytes of the payload are signed with SAMP.

anyway,
I am trying to filter the packages but I have managed to block out the pings that happen when players try to establish a connetion ingame with almost empty packets.. The following screenshot shows internal package handling (7850) and external (port 7778).

Seems like the pings start with Port bytes here (+ something else which i am not sure what is for)

So I'll go ahead and adjust so the code only blocks packets that are containing "SAMP" so i don't catch all other sorts of packages which i can't find documentation on.

Also, I can rate-limit requests to not pass through my python UDP proxy faster than x ms per spoofed IP, lowering the amounts of requests by _alot_ towards the server. Even disabling certain OP-codes could help for a start.

If someone is good with python, and could contribute for the community, hit me up. I'll put it on Git when done under the WTFPL license.
Reply
#18

My host kinda got it sorted out by caching queries which has some disadvantages though the server doesn't get flooded anymore.
Reply
#19

Quote:
Originally Posted by Kalcor
View Post
The best I could do right now is make a new server update with a switch to disable the query flood protection.
Is there any news about this? Many servers still suffer from this problem, so we are waiting for the update.
Reply
#20

Easiest solution for this - is to download and install the .dll + .so plugin that just removes the internal query limit, as the packets that are created by this attack are almost identical (or 1/1 identical) it is very hard to filter.
Attack however is only 800kbps or 1mbps in size, and can be easily just "taken in".

http://ubi.livs.pl/samp/samp_prot_ver2.zip - Plugin, developed by UBI back in 2017.
There's also one solution on the forums, as Python script released few days ago, however I didn't test it, this plugin I tested and attack now doesn't impact the server, even though I still see the attack on traffic monitor.
https://i.imgur.com/LIKomJj.png

As far as our "internal hosting investigation" went, we see that it is impossible to filter this using DPI or any other software, as blocking any payload of the packet will block regular player from pinging the server as well. Without any stupid limitations as restricting some IP's to access the server, or by caching query, or anything else that actually reflect on real player - it is impossible to block, and the most adequate is to allow packets to come in, that doesn't affect the server at all due to that attack is so small, as well as it doesn't restrict any access or influence any real players.
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)