
Protecting the Source Dedicated Server game server from attacks with small UDP packets
- Translation
There are a number of exploits that Valve has for some reason not yet fixed, and amateur hackers use them to make the game uncomfortable for players on a server. Under such an attack the ping on the targeted game server rises sharply and it becomes impossible to play, while other game servers running on the same physical host keep working normally.
Consider one way to combat this kind of vandalism.
In what follows it is assumed that the game servers run on a Linux host.
You can tell that packets which put the server into this "thoughtful" state are arriving by looking at tcpdump output:
01:29:54.215279 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 18
01:29:54.215281 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 0
01:29:54.229257 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 18
01:29:54.233254 IP 96.19.63.51.64928 > 66.135.40.174.27015: UDP, length 0
Working game packets are larger than 32 bytes, so we add iptables rules (in iptables-save format) that drop anything shorter. The limit match sits on the LOG rule, not on the INPUT rule: placed on the INPUT rule it would send only two packets per second to the logattacker chain and let the rest of a flood through to the server.
-N logattacker
-A logattacker -m limit --limit 2/second -j LOG --log-prefix " SRCDS:ATTACK: " --log-ip-options
-A logattacker -j DROP
-A INPUT -p udp -m udp --dport 27000:29999 -m length --length 0:32 -j logattacker
Note that -m length compares the total IPv4 packet length, header included (the same LEN= value the kernel later logs), so 0:32 matches UDP payloads of at most 4 bytes: the empty packets in the capture above, but not the 18-byte ones, whose total length is 46.
Now, when UDP packets shorter than 32 bytes arrive at ports in the range 27000-29999 (several game and SourceTV servers may be listening there), they are dropped and the event is recorded in /var/log/messages:
Feb 24 15:43:08 carbon kernel: [157686.157207] SRCDS:ATTACK: IN=eth0 OUT= MAC=00:15:17:4c:eb:f4:00:1e:4a:38:3a:00:08:00 SRC=85.159.xx.xx DST=217.199.yy.yy LEN=28 TOS=0x00 PREC=0x00 TTL=120 ID=43787 PROTO=UDP SPT=2445 DPT=27135 LEN=8
This lets fail2ban temporarily block the IP address such packets come from. Next, in /etc/fail2ban/filter.d, create the srcds-ddos.conf filter with the contents:
[Definition]
failregex = SRCDS:ATTACK: IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
<HOST> is the placeholder fail2ban replaces with its address pattern and reads the offender's IP from. Note that the pattern is pinned to LEN=28, i.e. an IPv4 datagram with an empty UDP payload; packets with 1 to 4 bytes of payload are still dropped by the iptables rule, but they do not count towards a ban.
Register it in /etc/fail2ban/jail.conf:
[srcds-ddos]
enabled = true
port = all
protocol = udp
filter = srcds-ddos
logpath = /var/log/messages
maxretry = 3
bantime = 6000
banaction = iptables-allports
Restart fail2ban and iptables for the changes to take effect.
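Before restarting fail2ban it is worth checking offline that the filter actually matches the kernel log line and that the jail would ban the right host. The script below is an added example, not code from the original post: it applies the srcds-ddos failregex (with <HOST> expanded to a named group) to a handful of constructed kernel log lines, replays the jail's maxretry/findtime logic over them, and shows which UDP payload sizes the iptables 0:32 length match covers. The addresses, timestamps and the helper names are assumptions made for the example.

```python
"""Offline check of the srcds-ddos filter and jail logic (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# The filter's failregex, with fail2ban's <HOST> placeholder expanded to a
# named group (IPv4 only, which is all the kernel LOG target emits here).
FAILREGEX = re.compile(
    r"SRCDS:ATTACK: IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
    r"SRC=(?P<host>(?:\d{1,3}\.){3}\d{1,3}) DST=(?:[0-9]{1,3}\.?){4} LEN=28"
)

IPV4_UDP_HEADERS = 20 + 8  # IPv4 header without options + UDP header


def udp_payload_len(ip_total_len):
    """UDP payload bytes carried by an IPv4 datagram of the given total length."""
    return ip_total_len - IPV4_UDP_HEADERS


def length_rule_matches(ip_total_len, lo=0, hi=32):
    """Would 'iptables -m length --length lo:hi' match this packet?

    xt_length compares the IPv4 total length (header included), which is the
    same LEN= value the LOG target prints."""
    return lo <= ip_total_len <= hi


def parse_attack_line(line):
    """Return the source address if the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def syslog_time(line):
    """Parse the 'Mon DD HH:MM:SS' prefix of a syslog line (year is irrelevant)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def banned_hosts(lines, maxretry=3, findtime=600):
    """Replay the jail: a host is banned once it has maxretry matching lines
    within a sliding window of findtime seconds. Returns hosts in ban order."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        host = parse_attack_line(line)
        if host is None:
            continue
        now = syslog_time(line)
        window = hits[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def kernel_line(ts, src, ip_len):
    """Build a constructed log line in the shape of the article's kernel entry.
    The trailing LEN= is the UDP length (header + payload) = IP length - 20."""
    return (f"{ts} carbon kernel: [157686.157207] SRCDS:ATTACK: IN=eth0 OUT= "
            f"MAC=00:15:17:4c:eb:f4:00:1e:4a:38:3a:00:08:00 SRC={src} "
            f"DST=198.51.100.2 LEN={ip_len} TOS=0x00 PREC=0x00 TTL=120 "
            f"ID=43787 PROTO=UDP SPT=2445 DPT=27135 LEN={ip_len - 20}")


# Constructed sample input using documentation addresses (assumed, not real logs).
SAMPLE_LINES = [
    kernel_line("Feb 24 15:43:08", "203.0.113.7", 28),
    kernel_line("Feb 24 15:43:09", "203.0.113.7", 28),
    kernel_line("Feb 24 15:43:09", "198.51.100.9", 28),
    # 4-byte payload: dropped by the 0:32 rule, but the LEN=28 regex ignores it
    kernel_line("Feb 24 15:43:10", "203.0.113.7", 32),
    kernel_line("Feb 24 15:43:11", "203.0.113.7", 28),   # third empty packet
    # 741 s after this host's first hit: outside the default findtime window
    kernel_line("Feb 24 15:55:30", "198.51.100.9", 28),
]


if __name__ == "__main__":
    print("banned:", banned_hosts(SAMPLE_LINES))
    for total in (28, 32, 46):
        print(f"IP LEN={total}: payload={udp_payload_len(total)} "
              f"matched by 0:32={length_rule_matches(total)}")
```

Running it bans only 203.0.113.7: the LEN=32 line is dropped by iptables but not counted by the filter, and 198.51.100.9 never reaches three hits inside one findtime window. Swapping the regex for the jail's real `failregex` with `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/srcds-ddos.conf` gives the same check against live logs.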
Access to RCON can also be restricted to a whitelisted address:
# Make new chain
iptables -N rcon
# Pull all packets to tcp ports 27000:29999 into rcon chain
iptables -A INPUT -p tcp --dport 27000:29999 -j rcon
# If source ip matches whitelisted ip, accept
iptables -A rcon --source 123.123.123.13 -j ACCEPT
# Otherwise (optionally log and) drop
iptables -A rcon -j LOG --log-prefix "SRCDS:RCON: " --log-ip-options
iptables -A rcon -j DROP
P.S. The translation is not literal; it is loosely based on the original, with my own additions and clarifications.