Hello,
Today, our server's been under a DDoS attack. The events log identified it as a UDP Source A2S_PLAYER request flood and filtered it for one hour, which instantly resolved the issue! That was great, but the filter expired after 60 minutes and the attack resumed, until the filter went back up 10 minutes later, once again, for an hour, etc. Rinse and repeat a good 6-7 times by now.
I'm not very experienced technically and while I'd love to follow the support agent's suggestion to set the same filter in our OS' firewall, I don't actually know how.
We used to be with another dedicated server hosting service and their control panel offered you the ability to manually trigger that same filter that is otherwise automatically triggered, and choose the duration of the filter (3, 6, 12, 24 hours, etc.). Since NFO's automated filter is working magic on this attack, I'm a bit bummed I can't simply tell it "hey, whatever it is you're doing - keep doing it for 24 hours!"
I understand the complexity of battling DDoS attacks and am not asking for a magical solution, just wondering why it isn't an option for non-tech savvy folk like myself to extend an already existing, but automated and time-limited service. Maybe even, if I'm super lucky, someone can guide me towards enacting similar filters in our dedicated box's OS. We're using Windows though.
Thank you for reading & have a good week-end.
Manually filtering A2S_PLAYER request flood attacks?
Re: Manually filtering A2S_PLAYER request flood attacks?
If you were running a version of Linux, you could use a line like this to do the same as the "a UDP Source A2S_PLAYER request flood" filter:
Code:
iptables -I INPUT -p udp -m length --length 37 -m u32 --u32 "28=0xFFFFFFFF&&29=0xFFFFFF55" -j DROP
(That wouldn't be recommended if you are running a Source-based game, of course!)
Windows does not have a very capable firewall and there isn't a way to do the same thing on a Windows OS. If you have persistent problems with this type of attack, you'd need to ask for escalation of your concern so that I could look at it directly.
Allowing customers to request that filters be implemented on our router is something that we can consider, but it would have performance ramifications on our end (every rule on the router hurts the overall forwarding performance of the router) and would need to have strict limits because of that. In our experience, many customers, when they get a VDS, immediately fill the Firewall page with unnecessary rules, and that's not something we could allow on the router.
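Added example, not part of the original posts: a Python sketch that evaluates the match conditions of the iptables rule quoted above against constructed packets, to show why it catches every A2S_PLAYER request (flood or genuine server-browser query) while leaving A2S_INFO alone. The function names, addresses and ports are assumptions made for illustration.

```python
import struct

# Constructed addresses from the documentation ranges; ports are assumptions.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])
A2S_PLAYER_PREFIX = b"\xff\xff\xff\xff\x55"  # connectionless header + 'U'


def build_ipv4_udp(payload):
    """Build an in-memory IPv4/UDP packet (20-byte IP header, checksums zero)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, SRC, DST)
    udp = struct.pack("!HHHH", 40000, 27015, 8 + len(payload), 0)
    return ip + udp + payload


def u32_at(packet, offset):
    """What the u32 match reads: 4 big-endian bytes, counted from the start
    of the IP header (28 = 20-byte IP header + 8-byte UDP header)."""
    if offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def rule_matches(packet):
    """Same tests as the rule: UDP, packet length 37, u32 at 28 and at 29."""
    return (packet[9] == 17 and len(packet) == 37
            and u32_at(packet, 28) == 0xFFFFFFFF
            and u32_at(packet, 29) == 0xFFFFFF55)


# Constructed samples: 9-byte A2S_PLAYER payloads differ only in the challenge.
flood_pkt = build_ipv4_udp(A2S_PLAYER_PREFIX + b"\xff\xff\xff\xff")
browser_pkt = build_ipv4_udp(A2S_PLAYER_PREFIX + b"\x12\x34\x56\x78")
info_pkt = build_ipv4_udp(b"\xff\xff\xff\xff\x54Source Engine Query\x00")

if __name__ == "__main__":
    for name, pkt in [("A2S_PLAYER (flood)", flood_pkt),
                      ("A2S_PLAYER (browser)", browser_pkt),
                      ("A2S_INFO", info_pkt)]:
        print(f"{name:22} len={len(pkt):3} dropped={rule_matches(pkt)}")
```

The rule never inspects the 4-byte challenge, so it cannot tell a flood packet from a player-list query sent by a real client.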
Re: Manually filtering A2S_PLAYER request flood attacks?
Hi Edge,
Thank you for your response. Unfortunately, the OS we're running is Windows and the game server a Source engine game.
I didn't know filters had a performance effect on the hardware. Perhaps the feature could be enabled on a need to have basis?
I'm glad to know that at least, I have the option of requesting escalation so that you may assist with the issue if it becomes problematic.
Thank you for your response & best regards.
Re: Manually filtering A2S_PLAYER request flood attacks?
You can try setting sv_max_queries_sec_global in the server.cfg (the server won't be visible on the master server list while the attack is in progress). You can also try this plugin: https://forums.alliedmods.net/showthread.php?t=135543
Re: Manually filtering A2S_PLAYER request flood attacks?
Karl, yes, we are able to implement rules for customers manually on our end, though it doesn't use the same anti-DDoS system (so there isn't a simple extension button for staff). This is something that I can work on with the escalation, as needed. I would want to start by examining the attack in depth to see if there's a more precise way of blocking it than what the automatic rule was doing.