Source query status ddos.

Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Source query status ddos.

Post by Sam86 »

So, I'm coming here to ask for some help.

So I'm currently being hit with around 30 kpps DDoS. IPs are spoofed and source ports are randomized.


12:27:41.963072 IP (tos 0x0, ttl 78, id 23131, offset 0, flags [none], proto UDP (17), length 53) 80.171.194.108.23239 > 74.91.116.247.27015: UDP, length 25
0x0000: 4500 0035 5a5b 0000 4e11 3ff3 50ab c26c E..5Z[..N.?.P..l
0x0010: 4a5b 74f7 5ac7 6987 0021 aa39 ffff ffff J[t.Z.i..!.9....
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
I can't think of a way to block these types of attacks; I cannot block the packet length or the source of the attack. I can't block on the string or hex data, so I'm pretty clueless.

I can't find a way to filter against it at all really, so any ideas would be appreciated.

I've tried serversecure2/DAF, but both of them simply can't handle that many packets. I've also set max queries per sec global to 1, but it doesn't seem to help.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Source query status ddos.

Post by kraze »

@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Re: Source query status ddos.

Post by Sam86 »

I'll give QueryCache a go now, but I can't really find much info as to what it does.

It's a shame the firewall can't filter by packets per second. If > 5 kpps, then activate rule 9, for example. The only real way I can think of that would let players join but also stop this attack is:

If I had a way of forwarding packets on my machine I could find a solution, but I'm not really code-savvy enough to make it.

Cache status packets on port x.x.x.x:12121
Forward status packets to port x.x.x.x:12121
Limit program to forwarding only 100 packets a second.

Then you could block status requests to the real IP with a firewall rule. It would cause some minor complications when people try to join via friends, though, as they would see the real port, which would display as server offline.
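The forwarding-and-caching layer sketched in the post above, written out as an added example (this is my code, not anything from the thread or from NFO): the proxy listens on a separate query port such as the 12121 mentioned above, answers A2S_INFO from a short-lived cache, forwards at most a fixed number of queries per second to the real server, and ignores anything that is not an 0xFFFFFFFF query. The 100-per-second forward budget is the post's figure; the 5-second cache lifetime, the port numbers in the usage line and the sample reply bytes are my assumptions.

```python
"""Query-cache proxy for a Source Engine server, following the design in
Sam86's post: queries arrive on an alternate port (A2S_INFO to the real
port being blocked by a firewall rule), A2S_INFO is answered from a cache,
and at most `forward_limit` queries per second reach the real server."""
import socket
import time

SINGLE_PACKET = b"\xff\xff\xff\xff"                    # header of every single-packet A2S message
A2S_INFO_REQUEST = SINGLE_PACKET + b"TSource Engine Query\x00"
A2S_INFO_REPLY = SINGLE_PACKET + b"I"                  # 0x49: Source's A2S_INFO reply opcode

# Constructed, truncated sample reply used only for the stand-alone demo/tests.
SAMPLE_REPLY = A2S_INFO_REPLY + b"\x11Constructed test server\x00de_dust2\x00cstrike\x00"


class QueryCache:
    def __init__(self, forward_limit: int = 100, ttl: float = 5.0):
        self.forward_limit = forward_limit   # forwards allowed per wall-clock second (assumed 100)
        self.ttl = ttl                       # seconds a cached A2S_INFO reply stays fresh (assumed 5)
        self._reply = None
        self._reply_at = float("-inf")
        self._window = None                  # integer second of the current budget window
        self._forwarded = 0

    def _take_budget(self, now: float) -> bool:
        """Fixed-window counter: True if one more forward fits in this second."""
        sec = int(now)
        if sec != self._window:
            self._window, self._forwarded = sec, 0
        if self._forwarded >= self.forward_limit:
            return False
        self._forwarded += 1
        return True

    def handle(self, payload: bytes, now: float):
        """Return ("reply", bytes), ("forward", bytes) or ("drop", None) for one datagram."""
        if not payload.startswith(SINGLE_PACKET):
            return "drop", None              # not a query; game traffic uses the real port
        if payload.startswith(A2S_INFO_REQUEST):
            if self._reply is not None and now - self._reply_at < self.ttl:
                return "reply", self._reply  # cache hit: the real server never sees it
            if self._take_budget(now):
                return "forward", payload
            # Budget spent and nothing fresh: a stale answer is better than none.
            return ("reply", self._reply) if self._reply is not None else ("drop", None)
        # A2S_PLAYER, A2S_RULES, challenge replies: forwarded under the same budget
        return ("forward", payload) if self._take_budget(now) else ("drop", None)

    def store(self, response: bytes, now: float) -> None:
        """Remember the real server's A2S_INFO reply for later cache hits."""
        if response.startswith(A2S_INFO_REPLY):
            self._reply, self._reply_at = response, now


def serve(listen: tuple, upstream: tuple, cache: QueryCache) -> None:
    """Blocking proxy loop: clients -> `listen`, real server at `upstream`."""
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(listen)
    back = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    back.settimeout(0.2)
    while True:
        data, client = front.recvfrom(4096)
        action, out = cache.handle(data, time.time())
        if action == "reply":
            front.sendto(out, client)
        elif action == "forward":
            back.sendto(out, upstream)
            try:
                resp, _ = back.recvfrom(4096)
            except socket.timeout:
                continue                     # server busy or dropped it; client can retry
            cache.store(resp, time.time())
            front.sendto(resp, client)


if __name__ == "__main__":
    # Assumed layout: srcds on 127.0.0.1:27015, proxy answering queries on 12121.
    serve(("0.0.0.0", 12121), ("127.0.0.1", 27015), QueryCache(forward_limit=100))
```

One caveat the design inherits from the attack itself: the sources in the capture are spoofed, so every cached reply the proxy sends goes to whoever the attacker named, and an A2S_INFO reply is several times larger than the 25-byte request. Answering every query from cache therefore turns the proxy into a reflector; in practice the reply side needs its own per-second cap as well, not just the forward side.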
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Source query status ddos.

Post by kraze »

You installed the "spoofed query" plugin?

http://forums.alliedmods.net/showthread.php?t=134373
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Source query status ddos.

Post by Edge100x »

If you have a managed VDS or managed Linux dedicated machine, please open a support request, and I can enable a whitelisting system that would help you. An external caching system could also potentially work, but that's more complicated and not something that we have support for.

The game itself is supposed to rate-limit queries, but it doesn't seem to do a good job with it.
Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Re: Source query status ddos.

Post by Sam86 »

Edge100x wrote:If you have a managed VDS or managed Linux dedicated machine, please open a support request, and I can enable a whitelisting system that would help you. An external caching system could also potentially work, but that's more complicated and not something that we have support for.

The game itself is supposed to rate-limit queries, but it doesn't seem to do a good job with it.
Ticket's already open, ID 833394. By whitelist, do you mean a whitelist for connecting IPs? If so, then I'm not sure that would be viable.

Kraze, yes I have. However, the plugin is broken. It does its job, but it also spits out Unicode and force-locks the server, causing clients to get 3rd-party mod errors, etc.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Source query status ddos.

Post by Edge100x »

Sam86 wrote:Ticket's already open, ID 833394. By whitelist, do you mean a whitelist for connecting IPs? If so, then I'm not sure that would be viable.
Kind of, but the dynamic whitelisting system does not just use a static list of IPs. It's much more developed than that.
Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Re: Source query status ddos.

Post by Sam86 »

Edge100x wrote:
Sam86 wrote:Ticket's already open, ID 833394. By whitelist, do you mean a whitelist for connecting IPs? If so, then I'm not sure that would be viable.
Kind of, but the dynamic whitelisting system does not just use a static list of IPs. It's much more developed than that.
Oh, then sure let's give it a shot.
Mrkrabz
New to forums
Posts: 8
Joined: Fri Jun 15, 2012 12:00 pm

Re: Source query status ddos.

Post by Mrkrabz »

You are in luck, as they are A2S_INFO (FFFF FFFF 54) packets; they are easily blockable with that plugin. Thankfully you're not being hit with other queries that are similar to A2S_INFO but are actually part of the whole query process. I attempted filtering them, but you end up just blocking legit queries.

Hope that plugin worked out for you.
Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Re: Source query status ddos.

Post by Sam86 »

Mrkrabz wrote:You are in luck, as they are A2S_INFO (FFFF FFFF 54) packets; they are easily blockable with that plugin. Thankfully you're not being hit with other queries that are similar to A2S_INFO but are actually part of the whole query process. I attempted filtering them, but you end up just blocking legit queries.

Hope that plugin worked out for you.
The plugin is broken, afaik it's outdated.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Source query status ddos.

Post by Edge100x »

I have added a rate-limit option to the Firewall page now to help you with this. Setting it to rate-limit to something like 100 per second and either block on a length of 53 or the string "Source Engine Query" will likely work for you as a stop-gap, though regular players will be unable to query your server during an attack if you do this.
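What the stop-gap rule above amounts to, as an added example that is not part of the thread or of NFO's firewall: decode the datagram from Sam86's tcpdump output, recognise A2S_INFO by its payload (the FFFF FFFF 54 header Mrkrabz points out, followed by "Source Engine Query"), and count only those packets against a one-second sliding limit. The 100-per-second figure and the length-53 heuristic are the thread's; the limiter, the decide() function and the replay harness are mine.

```python
"""Classify captured IPv4/UDP datagrams as Source Engine A2S_INFO queries
and rate-limit them, mirroring the stop-gap firewall rule in the thread
(match on "Source Engine Query" or on a total length of 53, then allow
roughly 100 per second)."""
import struct
from collections import deque

# A2S_INFO request: 4-byte 0xFFFFFFFF single-packet header, opcode 'T'
# (0x54), then the NUL-terminated string "Source Engine Query".  Newer
# servers append a 4-byte challenge to this, so match the prefix only.
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"

# The 53-byte datagram from Sam86's tcpdump output (IPv4 header, UDP
# header, payload), re-assembled from the hex columns of that dump.
CAPTURED = bytes.fromhex(
    "4500 0035 5a5b 0000 4e11 3ff3 50ab c26c"
    "4a5b 74f7 5ac7 6987 0021 aa39 ffff ffff"
    "5453 6f75 7263 6520 456e 6769 6e65 2051"
    "7565 7279 00"
)


def parse_ipv4_udp(frame: bytes) -> dict:
    """Decode the IPv4 and UDP headers of one raw datagram (no checksum check)."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "ttl": ttl,
        "total_len": total_len,
        "payload": frame[ihl + 8:ihl + udp_len],
    }


def is_a2s_info(payload: bytes) -> bool:
    return payload.startswith(A2S_INFO_REQUEST)


class SlidingWindowLimiter:
    """Allow at most `limit` events in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self._times = deque()

    def allow(self, now: float) -> bool:
        while self._times and now - self._times[0] >= self.window:
            self._times.popleft()
        if len(self._times) >= self.limit:
            return False
        self._times.append(now)
        return True


def decide(frame: bytes, limiter: SlidingWindowLimiter, now: float,
           match_length: bool = False) -> str:
    """Return "pass" or "drop" for one captured frame.

    Only datagrams that look like A2S_INFO (by payload, or by the cruder
    53-byte-total-length heuristic when match_length is set) count against
    the limiter; everything else, including game traffic, passes untouched.
    """
    pkt = parse_ipv4_udp(frame)
    suspicious = is_a2s_info(pkt["payload"]) or (match_length and pkt["total_len"] == 53)
    if not suspicious:
        return "pass"
    return "pass" if limiter.allow(now) else "drop"


def replay(frame: bytes, pps: int, limit: int) -> tuple:
    """Replay `frame` at `pps` packets over one second; return (passed, dropped)."""
    limiter = SlidingWindowLimiter(limit)
    passed = dropped = 0
    for i in range(pps):
        if decide(frame, limiter, now=i / pps) == "pass":
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    pkt = parse_ipv4_udp(CAPTURED)
    print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"],
          "len", pkt["total_len"], "a2s_info", is_a2s_info(pkt["payload"]))
    print("30 kpps replay, limit 100/s:", replay(CAPTURED, pps=30_000, limit=100))
```

Matching on the string is the safer of the two heuristics: the length rule trips on any 53-byte datagram whatever it carries, which is why it is only a stop-gap. On a Linux host the same two checks plus the rate limit are what the iptables `length`, `string` and `hashlimit` match modules provide.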
Sam86
New to forums
Posts: 6
Joined: Mon Jun 18, 2012 12:44 pm

Re: Source query status ddos.

Post by Sam86 »

Thanks, Edge. I've done so, and all is calm currently.

I've set it to 500 though, as we have over 70k unique players and around 6k regulars across the board.
And the modules for srcds should be able to handle the 500 a second.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Source query status ddos.

Post by Edge100x »

You should never see 500 queries per second under legitimate circumstances. You will rarely see more than 10, legitimately.
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Source query status ddos.

Post by soja »

Edge100x wrote:If you have a managed VDS or managed Linux dedicated machine, please open a support request, and I can enable a whitelisting system that would help you. An external caching system could also potentially work, but that's more complicated and not something that we have support for.

The game itself is supposed to rate-limit queries, but it doesn't seem to do a good job with it.
Sorry about the necro, but can you still do this, John? I have a list of our players' IP addresses for the past few months (this list is well over 1k IPs). If so, please let me know and I can open a request. We have had a steady Source engine query attack for over 5 hours now on many of our servers.

Thanks
Not a NFO employee
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Source query status ddos.

Post by Edge100x »

The auto-whitelisting system was scuttled a long time ago because the attackers just worked around it. We also found that it hurt router performance significantly, so if I were to look at it again, it would only apply to VDSes and managed Linux machines, where it could be run locally.

With a VDS, unmanaged service, or Linux managed machine, you can enter thousands of IPs directly into the control panel's Firewall page, if you need to do that, either to ban or whitelist.

The best option here would be a proxy to compensate for the serious performance issue with the game, but I don't know of one that works well.