DdoS / Query Flood Waiting Reunion devs #427

Open
Raiz3n1312 opened this issue Apr 9, 2017 · 17 comments

@Raiz3n1312

Raiz3n1312 commented Apr 9, 2017

[REUNION]: Query flood blocking: 1006 pps (0.201 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 1004 pps (0.201 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 1004 pps (0.201 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 991 pps (0.198 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 988 pps (0.198 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 1007 pps (0.201 mbps) from 64+ IPs
[REUNION]: Query flood blocking: 1004 pps (0.201 mbps) from 64+ IPs

The server is freezing because somebody is flooding queries... Reunion can't block all of the attack... And the server CPU was going to 100%. How can I block the query flood? iptables or a plugin?

Second:

NET_QueuePacket: Oversize packet from 59.36.100.146:19
NET_QueuePacket: Oversize packet from 96.84.166.42:19
NET_QueuePacket: Oversize packet from 216.228.85.32:19
NET_QueuePacket: Oversize packet from 218.65.86.45:19
NET_QueuePacket: Oversize packet from 80.248.5.108:19
NET_QueuePacket: Oversize packet from 103.48.64.138:19
NET_QueuePacket: Oversize packet from 218.65.86.45:19
NET_QueuePacket: Oversize packet from 23.254.132.162:19
NET_QueuePacket: Oversize packet from 210.245.32.44:19
NET_QueuePacket: Oversize packet from 202.151.10.243:19
NET_QueuePacket: Oversize packet from 219.145.167.2:19
NET_QueuePacket: Oversize packet from 218.77.11.251:19
NET_QueuePacket: Oversize packet from 85.113.188.44:19
NET_QueuePacket: Oversize packet from 61.233.147.145:19
NET_QueuePacket: Oversize packet from 168.243.48.40:19
NET_QueuePacket: Oversize packet from 200.27.182.58:19
NET_QueuePacket: Oversize packet from 112.74.87.5:19
NET_QueuePacket: Oversize packet from 101.100.176.127:19
NET_QueuePacket: Oversize packet from 31.168.170.67:19
NET_QueuePacket: Oversize packet from 220.247.185.66:19
NET_QueuePacket: Oversize packet from 218.22.238.66:19
NET_QueuePacket: Oversize packet from 190.145.128.146:19
NET_QueuePacket: Oversize packet from 59.37.161.225:7841
NET_QueuePacket: Oversize packet from 121.88.200.143:19
NET_QueuePacket: Oversize packet from 220.176.211.119:19
NET_QueuePacket: Oversize packet from 192.231.63.92:19
NET_QueuePacket: Oversize packet from 103.195.142.61:19
NET_QueuePacket: Oversize packet from 183.129.154.218:19
NET_QueuePacket: Oversize packet from 202.151.10.243:19
NET_QueuePacket: Oversize packet from 217.195.206.32:19
NET_QueuePacket: Oversize packet from 80.248.5.108:19

On normal HLDS it is fixed with a simple plugin. But that plugin needed Orpheu... There is no Orpheu on ReHLDS.
This attack can be fixed with a little plugin. But this plugin is just checking the connection port... So when an attack comes from another port, it can't block it.

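#include <amxmodx>

// Runs when a client connects to the server.
public client_connect(id) {
    new ip[32];
    // Last argument 0 = keep the ":port" suffix in the returned address.
    get_user_ip(id, ip, charsmax(ip), 0);
    // Substring check for source port 19 (also matches any port that starts with 19).
    if (contain(ip, ":19") != -1) {
        server_cmd("addip 0.0 ^"%s^"", ip);
    }
}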
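An added example, not part of the original post and not code from ReHLDS or Reunion: a triage of the two log formats shown above that separates sources by UDP source port, so one firewall rule can cover every reflector on port 19 (chargen) while sources on other ports, which a ":19"-only check misses, are listed separately. The game port 27015, the `min_hits` threshold, the `REFLECTOR_PORTS` list and the function name are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log lines above (documentation IP ranges).
SAMPLE_LOG = """\
[REUNION]: Query flood blocking: 1006 pps (0.201 mbps) from 64+ IPs
NET_QueuePacket: Oversize packet from 192.0.2.10:19
NET_QueuePacket: Oversize packet from 198.51.100.7:19
NET_QueuePacket: Oversize packet from 192.0.2.10:19
NET_QueuePacket: Oversize packet from 203.0.113.44:7841
NET_QueuePacket: Oversize packet from 203.0.113.44:7841
NET_QueuePacket: Oversize packet from 203.0.113.9:19
NET_QueuePacket: Oversize packet from 198.51.100.99:27005
NET_QueuePacket: Oversize packet from 999.1.1.1:19
"""

OVERSIZE = re.compile(r"Oversize packet from ([0-9.]+):(\d{1,5})\s*$")
# UDP services commonly abused as reflectors; players do not normally send from them.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp"}

def triage(log_text, game_port=27015, min_hits=2):
    """Return (hits per source port, suggested iptables rules, sources left for review)."""
    hits = Counter()  # (ip, port) -> number of oversize packets logged
    for line in log_text.splitlines():
        m = OVERSIZE.search(line)
        if not m:
            continue
        try:  # reject malformed addresses before they reach a firewall rule
            ip, port = str(ipaddress.IPv4Address(m.group(1))), int(m.group(2))
        except ValueError:
            continue
        if 0 < port <= 65535:
            hits[(ip, port)] += 1
    by_port = Counter()
    for (ip, port), n in hits.items():
        by_port[port] += n
    rules, review = [], []
    for port in sorted(p for p in by_port if p in REFLECTOR_PORTS):
        # One rule covers every reflector on this port, however many IPs there are.
        rules.append(f"iptables -I INPUT -p udp --sport {port} --dport {game_port} -j DROP")
    for (ip, port), n in sorted(hits.items()):
        if port in REFLECTOR_PORTS:
            continue
        if n >= min_hits:  # repeated sender on an ordinary port: per-IP rule
            rules.append(f"iptables -I INPUT -p udp -s {ip} --dport {game_port} -j DROP")
        else:
            review.append(f"{ip}:{port}")
    return dict(by_port), rules, review
```

`triage(SAMPLE_LOG)` returns the per-port counts, the rule strings to review before applying, and the single-hit sources that did not meet the threshold.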

@In-line
Collaborator

In-line commented Apr 9, 2017

It's unrelated to rehlds. Report to the reunion devs. Official topic.

@Raiz3n1312
Author

Raiz3n1312 commented Apr 9, 2017

It's OK. But the secondary problem? How can I kill oversize packet sending on ReHLDS without Orpheu? I have a plugin for this attack. But that needs Orpheu...

@In-line
Collaborator

In-line commented Apr 9, 2017

The plugin that you wrote is useless; you need to send the original Orpheu plugin source code.
I really doubt that the problem is in ReHLDS; it's connected to Reunion.

@Raiz3n1312
Author

Raiz3n1312 commented Apr 9, 2017

It's a simple DoS attack, maybe I have a problem without Reunion.

https://github.com/Arkshine/Orpheu/releases Here you can find the Orpheu source code...

@In-line
Collaborator

In-line commented Apr 9, 2017

I want the plugin source code, not the module.

@Raiz3n1312
Author

#include <amxmodx>
#include <orpheu>

new OrpheuFunction:HandleFuncNETQueuePacket;
new OrpheuFunction:HandleFuncConPrintf;

new OrpheuHook:HandleHookConPrintf;

public plugin_init()
{
    register_plugin( "Ban NET Packet Spammer", "1.0.1", "Arkshine" );
    
    HandleFuncNETQueuePacket = OrpheuGetFunction( "NET_QueuePacket" );
    HandleFuncConPrintf      = OrpheuGetFunction( "Con_Printf" );
    
    OrpheuRegisterHook( HandleFuncNETQueuePacket, "NET_QueuePacket_Pre", OrpheuHookPre );
    OrpheuRegisterHook( HandleFuncNETQueuePacket, "NET_QueuePacket_Post", OrpheuHookPost );
}   

public NET_QueuePacket_Pre()
{
    HandleHookConPrintf = OrpheuRegisterHook( HandleFuncConPrintf, "Con_Printf" );
}

public Con_Printf( const fmt[], const arg[] )
{
    static const message[] = "Oversize packet from ";
    
    if( contain( fmt, message ) >= 0 )
    {
        new ip[ 16 ], i, c;
        
        while( i < charsmax( ip ) && ( c = fmt[ i + charsmax( message ) ] ) && c != ':' ) 
        { 
            ip[ i++ ] = c; 
        }   
        
        ip[ i ] = EOS;

        log_to_file( "NET_Packet_Spammer.log", "Blocking %s", ip );
        
        server_cmd( "addip 0 ^"%s^"", ip );
        server_exec();
    }
}

public NET_QueuePacket_Post()
{
    OrpheuUnregisterHook( HandleHookConPrintf );
}

@In-line
Collaborator

In-line commented Apr 9, 2017

On GitHub you can edit and delete messages.
It's easy to rewrite for ReAPI, but we need to wait until the Reunion devs write here, or you can contact them directly.
If it's a good way to deal with the problem, it will probably be integrated into Reunion.

@Raiz3n1312
Author

Where can I contact him fastest?

Raiz3n1312 changed the title from "DdoS / Query Flood" to "DdoS / Query Flood Waiting Reunion devs" on Apr 14, 2017

@di57inct

@In-line can you rescript it for ReAPI until the ReUnion devs do something about it please?

@raheem-cs

If you captured some UDP packets during the attack using tcpdump, then paste them here and I'll be able to analyze them to help in this situation. And furthermore, we can block data if it contains something like "Oversize packet from" or any other thing that will help us block these attacks using the u32 module in IPTables.

@WaLkZa
Contributor

WaLkZa commented Aug 13, 2017

The method to punish NET Packet Spammers is easy and efficient. It will be good to add it to the engine with a new cvar. For example: sv_rehlds_netpacket_spammer_punish // Time in minutes for which the net packet spammer will be banned (0 - Permanent, -1 - kick, -2 - turn off). Default: 0
The problem with this kind of spammer that causes server lag still exists.

@WPMGPRoSToTeMa
Contributor

WPMGPRoSToTeMa commented Aug 18, 2017

We can add PreprocessPacket hookchain to ReAPI if you need it.

@WaLkZa
Contributor

WaLkZa commented Aug 18, 2017

It will be better to add the needed hookchains to ReAPI and to rewrite Arkshine's plugin, because I'm not very familiar

@ish12321

Bump

@ish12321

sv_rehlds_netpacket_spammer_punish
This shall be added :/

@aron9forever

aron9forever commented Oct 20, 2017

It's useless to implement such protection in the application layer; if the packet count is high enough, the process will go to 99% and freeze regardless of the implementation.

If you have access to the OS and are on Linux, install CSF and add a port flood limit. (max 5 in 10 seconds with 10 second ban works fine for me, set only for UDP). CSF runs on iptables, but makes everything much easier and adds protection against lots of small crap automatically.
If your server is hosted by a game host provider and you have this problem, consider switching.
If you are on Windows, tough luck. Search for alternatives, I don't know them.

@WPMGPRoSToTeMa please do so, it is useful for other cases as well

@raheem-cs

raheem-cs commented Jul 8, 2018

ish12321, what works for me is to stick with a good hosting provider that provides UDP protection for games. Right now I'm using OVH and I never get attacks with them.

I tried to block using IPTables but it's too late to handle the attack in most cases.

I'm not sure whether, if I simulate the same packet as a legit one, it will pass through the OVH anti-DDoS system or not. Soon I'll try this.

Resellers: If you need a cheap VPS with OVH anti-DDoS game: Extra-VM, Infinity-Hosting, and you can search for more.

If someone is searching for an OVH anti-DDoS game VPS in Asia, read this: https://www.lowendtalk.com/discussion/124436/vps-with-anti-ddos-for-games-in-asia
