
spumer 05-09-2017 03:54

[Linux] Source Query Proxy: DDoS Protection - Kernel redirection!
 
Source Query Proxy

Motivation

Basically, Source game servers work in one thread and can't use more than one core for in-game logic. For example, Left 4 Dead 2.
Yes, you can use SourceMod to offload calculations (use threading), but we are talking about common game logic.

You can try to use the DoS Protection extension, but caching is not a fast solution, because the server spends time receiving and sending the answer from the cache.

So, we just need to redirect some packets to a proxy service.

IPTables (or any NAT) can't help!


If you use IPTables (NAT) to redirect queries to the proxy, this rule will be remembered in the routing table, and if a client tries to connect, the connection will be redirected to the proxy too.


Linux Kernel filter

It works!
Just register a packet handler and move it to the top (set a specific priority); at this moment the packet is placed in the RAW routing table and no rule has been applied before. Now we change the destination port, calculate the new checksum and let it go further! In the next step the packet will be matched and redirected according to the NAT rules and go to our proxy service. Answers from the service will be translated by the same logic.
For example incoming:
27015 -> 27915
27016 -> 27916
...
and outgoing handler change port back:
27915 -> 27015
27916 -> 27016
...



Solution


Python cache backend: https://github.com/sqproxy/sqproxy
Kernel redirection to that backend: https://github.com/sqproxy/sqredirect

Troubleshooting
See the issues on GitHub. The problem or solution may have been presented before.

Follow new releases on github
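
The port rewrite described in the post above, as an added user-space C example (not code from the post or from sqredirect): it changes a UDP port in place, patches the checksum incrementally per RFC 1624, and compares the result with a full recomputation. The addresses 192.0.2.10 and 198.51.100.5, the client port 40000 and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One's-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {           /* fold carries, then complement */
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    acc = ~acc & 0xFFFF;
    return acc ? (uint16_t)acc : 0xFFFF;       /* UDP transmits 0xFFFF in place of 0 */
}

/* Full UDP checksum: pseudo-header plus datagram, skipping the checksum field. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t len) {
    uint32_t acc = sum16(dst, 4, sum16(src, 4, 17 + (uint32_t)len));
    return fold(sum16(udp + 8, len - 8, sum16(udp, 6, acc)));
}

/* Set port at off (0 = src, 2 = dst); patch checksum per RFC 1624: HC' = ~(~HC + ~m + m'). */
void rewrite_port(uint8_t *udp, size_t off, uint16_t new_port) {
    uint16_t old_port = (uint16_t)(udp[off] << 8 | udp[off + 1]);
    uint16_t old_sum = (uint16_t)(udp[6] << 8 | udp[7]);
    udp[off] = (uint8_t)(new_port >> 8); udp[off + 1] = (uint8_t)new_port;
    if (old_sum == 0) return;                  /* 0 = sender computed no checksum */
    uint16_t s = fold((uint32_t)(uint16_t)~old_sum + (uint16_t)~old_port + new_port);
    udp[6] = (uint8_t)(s >> 8); udp[7] = (uint8_t)s;
}

/* Constructed A2S_INFO datagram; returns 1 if the patched checksum equals a full recompute. */
int demo_rewrite(size_t off, uint16_t from, uint16_t to) {
    const uint8_t src[4] = {192, 0, 2, 10}, dst[4] = {198, 51, 100, 5};
    static const char q[] = "\xFF\xFF\xFF\xFFTSource Engine Query";
    uint8_t udp[8 + sizeof q] = {0x9C, 0x40, 0x9C, 0x40, 0, 8 + sizeof q};
    udp[off] = (uint8_t)(from >> 8); udp[off + 1] = (uint8_t)from;
    memcpy(udp + 8, q, sizeof q);
    uint16_t c = udp_checksum(src, dst, udp, sizeof udp);
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
    rewrite_port(udp, off, to);
    return (udp[off] << 8 | udp[off + 1]) == to &&
           (udp[6] << 8 | udp[7]) == udp_checksum(src, dst, udp, sizeof udp);
}

int main(void) {
    printf("%d %d\n", demo_rewrite(2, 27015, 27915), demo_rewrite(0, 27915, 27015));
    return 0;
}
```

The first call models the incoming direction (destination port 27015 -> 27915), the second the reply direction (source port 27915 -> 27015).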

controlsuz123 05-09-2017 23:20

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
this is really great idea, thank you very much for this...

I did everything for the modules and there wasn't any error, so how can I tell whether it is working or not?

nistnesus 05-09-2017 23:29

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
hey, long time reader of alliedmods.net. just registered to reply to this topic :)

when i try to build it on my system i get a few errors:

https://www.hastebin.com/apolufacoq.coffeescript

spumer 05-09-2017 23:49

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
1 Attachment(s)
Quote:

Originally Posted by controlsuz123 (Post 2519469)
this is really great idea, thank you very much for this...

I did everything for the modules and there wasn't any error, so how can I tell whether it is working or not?

Did you build and run SourceQueryCache too? After the module is loaded and SQC has started, you can check your server with HLSW or an analogue (https://forums.alliedmods.net/showthread.php?t=289370)
Or use the simple utility in the attachment (Python 3.4 or above required): python3 test_a2sinfo.py


Quote:

Originally Posted by nistnesus (Post 2519472)
hey, long time reader of alliedmods.net. just registered to reply to this topic :)

when i try to build it on my system i get a few errors:

https://www.hastebin.com/apolufacoq.coffeescript

What is your gcc version?
PHP Code:

gcc --version 


nistnesus 05-09-2017 23:59

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
gcc (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

spumer 05-10-2017 04:47

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
1 Attachment(s)
Setup SourceQueryCacheMono

Install mono
Ubuntu


Build SQC
PHP Code:

cd SourceQueryCacheMono
xbuild /p:Configuration=Release QueryCache.sln

Now we have QueryCache.exe in the QueryCache/bin/Release subfolder

Check SQC
PHP Code:

cd QueryCache/bin/Release

# start listening on 27915 and proxy requests to 216.52.148.47:27015
mono QueryCache.exe 27915 216.52.148.47 27015 

Now we can test SQC with some requester.

test_a2sinfo.py


Final steps
1. Set up SQC for your servers (setup should be done on the same host)
2. Enable the kernel module

If you use different ports, you should manually change them in poc.c before compilation.

In the attachment you can find the compiled QueryCache.exe. All credits and source code can be found here: https://github.com/blastehh/SourceQueryCacheMono

controlsuz123 05-10-2017 07:08

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
hi again spumer, I did everything very well.

1. Enable Kernel module
2. I added this rule to my iptables

iptables -t nat -I PREROUTING -p udp -d 185.87.120.87 --dport 27015 -m u32 --u32 '0>>22&0x3C@8=0xFFFFFFFF && 0>>22&0x3C@12=0x54536F75 && 0>>22&0x3C@16=0x72636520 && 0>>22&0x3C@20=0x456E6769 && 0>>22&0x3C@24=0x6E652051 && 0>>22&0x3C@28=0x75657279' -j REDIRECT --to-port 27915

3. I started mono QueryCache.exe 27915 185.87.120.87 27015

4. I'm checking with python3 test_a2sinfo.py


Quote:

root@cs:~# python3 test_a2sinfo.py
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011. 35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\ x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLst atsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x0 0\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x07\x13\x05dl\x00\x011. 35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\ x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLst atsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x0 0\x00'
Got response, len=212
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x00\x13\x00dl\x00\x011. 35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\ x01empty,128,aim,deathmatch,dm,ffa,warmup,was p,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\ x00\x00\x00'
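
What the u32 match in the iptables rule above tests, as an added example that is not part of the original post: `0>>22&0x3C` yields the IPv4 header length, `@` moves to the UDP header, and the six comparisons cover the first 24 payload bytes. The packet builder and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* The rule's six "@N=V" tests; N is relative to the start of the UDP header. */
static const struct { size_t off; uint32_t val; } TESTS[] = {
    {8, 0xFFFFFFFF}, {12, 0x54536F75}, {16, 0x72636520},
    {20, 0x456E6769}, {24, 0x6E652051}, {28, 0x75657279},
};
#define NTESTS (sizeof TESTS / sizeof TESTS[0])

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Evaluate the rule on a raw IPv4 packet: 1 = match, 0 = no match or too short. */
int u32_rule_matches(const uint8_t *pkt, size_t len) {
    if (len < 4) return 0;
    size_t l4 = (be32(pkt) >> 22) & 0x3C;    /* "0>>22&0x3C": IHL * 4 = IP header bytes */
    for (size_t i = 0; i < NTESTS; i++) {     /* 4 bytes at l4 + N must equal V */
        size_t at = l4 + TESTS[i].off;
        if (at + 4 > len || be32(pkt + at) != TESTS[i].val) return 0;
    }
    return 1;
}

/* Write out the 24 payload bytes the rule requires, NUL-terminated. */
void rule_payload(char out[25]) {
    for (size_t i = 0; i < NTESTS; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)(TESTS[i].val >> (24 - 8 * b));
    out[24] = '\0';
}

/* Constructed sample: IPv4 header of ihl words, zeroed UDP header, then payload. */
size_t build_packet(uint8_t *buf, unsigned ihl, const void *payload, size_t plen) {
    memset(buf, 0, ihl * 4 + 8);
    buf[0] = (uint8_t)(0x40 | ihl);           /* version 4, header length in words */
    buf[9] = 17;                              /* protocol: UDP */
    memcpy(buf + ihl * 4 + 8, payload, plen);
    return ihl * 4 + 8 + plen;
}

int main(void) {
    uint8_t buf[128]; char want[25];
    rule_payload(want);
    printf("bytes 4-23: \"%s\", match: %d\n", want + 4,
           u32_rule_matches(buf, build_packet(buf, 5, want, 24)));
    return 0;
}
```

Decoded, the rule requires the payload to start with FF FF FF FF followed by "TSource Engine Query", so only that query type is redirected by it.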

spumer 05-10-2017 07:42

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
You don't need the iptables rule when the kernel module is loaded.
The kernel module should be used instead of iptables.

After all that, you should check the server from outside the host (e.g. from a local computer)

So, today xlenonz and I found some problems with Fedora. Previously everything was tested on Gentoo and Ubuntu systems with a different backend.
I will try to solve this and publish feedback.

controlsuz123 05-10-2017 07:52

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
Quote:

Originally Posted by spumer (Post 2519530)
You don't need the iptables rule when the kernel module is loaded.
The kernel module should be used instead of iptables.

After all that, you should check the server from outside the host (e.g. from a local computer)

So, today xlenonz and I found some problems with Fedora. Previously everything was tested on Gentoo and Ubuntu systems with a different backend.
I will try to solve this and publish feedback.

OK, I'm waiting for your answers,

Quote:

IP rate limit sustained 46354 distributed packets at 1545.1 pps (2071 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.3.114.5:27015.
IP rate limit sustained 47292 distributed packets at 1576.4 pps (2049 buckets).
IP rate limit under distributed packet load (2498 buckets, 15352 global count), rejecting 78.165.89.156:27015.
IP rate limit sustained 48406 distributed packets at 1613.5 pps (2032 buckets).
IP rate limit under distributed packet load (2498 buckets, 15482 global count), rejecting 81.215.112.125:27015.
IP rate limit sustained 48089 distributed packets at 1603.0 pps (2050 buckets).
IP rate limit under distributed packet load (2498 buckets, 15382 global count), rejecting 95.11.64.66:27015.
IP rate limit sustained 46724 distributed packets at 1557.5 pps (2039 buckets).
IP rate limit under distributed packet load (2500 buckets, 15001 global count), rejecting 78.173.223.113:27015.
IP rate limit sustained 45429 distributed packets at 1514.3 pps (2072 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.1.40.82:50335.
IP rate limit sustained 46003 distributed packets at 1533.4 pps (2061 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.11.9.119:54904.
IP rate limit sustained 45879 distributed packets at 1529.3 pps (2076 buckets).
attack coming like this still..

spumer 05-11-2017 07:38

Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
 
First post updated. Fixed version uploaded.

Quote:

Originally Posted by nistnesus (Post 2519476)
gcc (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Try upgrading your gcc version to 5.x or 6.x

