Manually filtering A2S_PLAYER request flood attacks?

Post by Karl »

Hello,

Today, our server's been under a DDoS attack. The events log identified it as a UDP Source A2S_PLAYER request flood and filtered it for one hour, which instantly resolved the issue! That was great, but the filter expired after 60 minutes and the attack resumed, until the filter went back up 10 minutes later, once again, for an hour, etc. Rinse and repeat a good 6-7 times by now.

I'm not very experienced technically and while I'd love to follow the support agent's suggestion to set the same filter in our OS' firewall, I don't actually know how.

We used to be with another dedicated server hosting service and their control panel offered you the ability to manually trigger that same filter that is otherwise automatically triggered, and choose the duration of the filter (3, 6, 12, 24 hours, etc.). Since NFO's automated filter is working magic on this attack, I'm a bit bummed I can't simply tell it "hey, whatever it is you're doing - keep doing it for 24 hours!"

I understand the complexity of battling DDoS attacks and am not asking for a magical solution, just wondering why it isn't an option for non-tech savvy folk like myself to extend an already existing, but automated and time-limited service. Maybe even, if I'm super lucky, someone can guide me towards enacting similar filters in our dedicated box's OS. We're using Windows though.

Thank you for reading & have a good weekend.

Post by Edge100x »

If you were running a version of Linux, you could use a line like this to do the same as the "a UDP Source A2S_PLAYER request flood" filter:

iptables -I INPUT -p udp -m length --length 37 -m u32 --u32 "28=0xFFFFFFFF&&29=0xFFFFFF55" -j DROP
(That wouldn't be recommended if you are running a Source-based game, of course!)

Windows does not have a very capable firewall and there isn't a way to do the same thing on a Windows OS. If you have persistent problems with this type of attack, you'd need to ask for escalation of your concern so that I could look at it directly.

Allowing customers to request that filters be implemented on our router is something that we can consider, but it would have performance ramifications on our end (every rule on the router hurts the overall forwarding performance of the router) and would need to have strict limits because of that. In our experience, many customers, when they get a VDS, immediately fill the Firewall page with unnecessary rules, and that's not something we could allow on the router.
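
To show which packets the iptables rule in the post above selects, here is an added example (not part of the original thread) that applies the same three tests to raw IPv4 packets in Python. The function names, addresses, ports and sample packets are constructed for illustration; the payload layouts follow Valve's Source server query protocol.

```python
import struct
from collections import Counter

def u32(packet: bytes, offset: int) -> int:
    # iptables u32 reads 4 bytes, big-endian, at an offset from the start of the IP header
    return struct.unpack_from("!I", packet, offset)[0]

def matches_rule(packet: bytes) -> bool:
    """True if a raw IPv4 packet passes -p udp, --length 37 and both u32 tests."""
    if len(packet) < 33 or packet[0] >> 4 != 4:
        return False
    total_len = struct.unpack_from("!H", packet, 2)[0]
    return (packet[9] == 17                      # -p udp
            and total_len == 37                  # 20 IP + 8 UDP + 9 payload bytes
            and u32(packet, 28) == 0xFFFFFFFF    # payload bytes 0-3: query prefix
            and u32(packet, 29) == 0xFFFFFF55)   # payload bytes 1-4: last byte is 'U'

def build_packet(src: str, payload: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header + UDP header, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 10]))
    udp = struct.pack("!HHHH", 40000, 27015, 8 + len(payload), 0)
    return ip + udp + payload

def matches_by_source(packets) -> Counter:
    """Count rule matches per source address (bytes 12-15 of the IP header)."""
    return Counter(".".join(str(b) for b in p[12:16])
                   for p in packets if matches_rule(p))

PREFIX = b"\xff\xff\xff\xff"
SAMPLE = (  # constructed packets, documentation address ranges only
    [build_packet("198.51.100.7", PREFIX + b"U" + b"\xff\xff\xff\xff")] * 3   # A2S_PLAYER
    + [build_packet("203.0.113.5", PREFIX + b"U" + b"\x12\x34\x56\x78")]      # A2S_PLAYER
    + [build_packet("203.0.113.5", PREFIX + b"V" + b"\xff\xff\xff\xff")]      # A2S_RULES
    + [build_packet("203.0.113.5", PREFIX + b"TSource Engine Query\x00")]     # A2S_INFO
)

if __name__ == "__main__":
    for src, count in matches_by_source(SAMPLE).items():
        print(src, count)
```

Every A2S_PLAYER request matches regardless of sender, while A2S_RULES (same length, different type byte) and A2S_INFO (different length) do not, which is why the rule also blocks player-list queries from legitimate clients on a Source-based server.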

Post by Karl »

Hi Edge,

Thank you for your response. Unfortunately, the OS we're running is Windows and the game server a Source engine game.

I didn't know filters had a performance effect on the hardware. Perhaps the feature could be enabled on a need to have basis?

I'm glad to know that at least, I have the option of requesting escalation so that you may assist with the issue if it becomes problematic.

Thank you for your response & best regards.

Post by LittleB »

You can try setting sv_max_queries_sec_global in the server.cfg (server won't be visible on master server list while attack is in progress). Also can try this plugin: https://forums.alliedmods.net/showthread.php?t=135543

Post by Edge100x »

Karl, yes, we are able to implement rules for customers manually on our end, though it doesn't use the same anti-DDoS system (so there isn't a simple extension button for staff). This is something that I can work on with the escalation, as needed. I would want to start by examining the attack in depth to see if there's a more precise way of blocking it than what the automatic rule was doing.