[Linux] Source Query Proxy: DDoS Protection - Kernel redirection!
Source Query Proxy
Motivation

Basically, Source game servers work in one thread and can't use more than one core for in-game logic. For example, Left 4 Dead 2. Yes, you can use SourceMod to offload calculations (use threading), but we are talking about common game logic. You can try to use the DoS Protection extension, but caching is not a fast solution, because the server spends time receiving queries and sending answers from the cache. So, we just need to redirect some packets to a proxy service.

IPTables (or any NAT) can't help!

If you use IPTables (NAT) to redirect queries to a proxy, this rule will be remembered in the routing table, and if a client tries to connect, the connection will be redirected to the proxy too.

Linux Kernel filter

It works! Just register a packet handler and move it to the top (set a specific priority); at this moment the packet is placed in the RAW routing table and no rule has been applied before. Now we change the destination port, calculate the new checksum and let it go further! In the next step the packet will be matched and redirected according to the NAT rules and go to our proxy service. Answers from the service will be translated by the same logic. For example, incoming:
27015 -> 27915
27016 -> 27916
...
and the outgoing handler changes the port back:
27915 -> 27015
27916 -> 27016
...

Solution

Python cache backend: https://github.com/sqproxy/sqproxy
Kernel redirection to that backend: https://github.com/sqproxy/sqredirect

Troubleshooting

See the issues on GitHub. The problem or solution may have been presented before.
Follow new releases on GitHub |
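Added example, not part of the original post and not code from sqredirect: a user-space C illustration of the step described above, shifting a UDP port by the thread's offset (27015 -> 27915) and patching the checksum so the rewritten packet is still accepted. Assumptions: the function names, the constructed addresses and source port, the use of the RFC 1624 incremental update (the post only says the checksum is recalculated), and that replies are rewritten on the source port (offset 0).

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample payload: A2S_INFO query, 25 bytes with the NUL. */
static const uint8_t A2S_INFO[] = "\xFF\xFF\xFF\xFFTSource Engine Query";
#define UDP_LEN (8 + sizeof A2S_INFO)

/* Ones'-complement helpers: wrap carries to 16 bits; add big-endian words. */
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xFFFF) + (s >> 16); return (uint16_t)s; }
static uint32_t sum_words(const uint8_t *b, size_t n, uint32_t s) {
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    if (n & 1) s += (uint32_t)b[n - 1] << 8;     /* odd tail padded with zero */
    return s;
}

/* Full UDP checksum: IPv4 pseudo-header plus datagram, skipping bytes 6-7. */
uint16_t udp_checksum(const uint8_t ip[8], const uint8_t *udp, size_t n) {
    uint32_t s = sum_words(ip, 8, 17 + (uint32_t)n); /* src, dst, proto, len */
    s = sum_words(udp + 8, n - 8, sum_words(udp, 6, s));
    uint16_t c = (uint16_t)~fold(s);
    return c ? c : 0xFFFF;                       /* 0 is reserved: "no checksum" */
}

/* Add delta to the port at offset off (0 = source, 2 = destination) and patch
   the checksum incrementally, RFC 1624: HC' = ~(~HC + ~m + m'). */
uint16_t shift_port(uint8_t *udp, int off, int delta) {
    uint16_t old = (uint16_t)(udp[off] << 8 | udp[off + 1]);
    uint16_t neu = (uint16_t)(old + delta);
    uint16_t hc = (uint16_t)(udp[6] << 8 | udp[7]);
    udp[off] = (uint8_t)(neu >> 8); udp[off + 1] = (uint8_t)neu;
    if (hc) {                                    /* sender computed a checksum */
        hc = (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~old + neu);
        if (!hc) hc = 0xFFFF;
        udp[6] = (uint8_t)(hc >> 8); udp[7] = (uint8_t)hc;
    }
    return neu;
}

/* Returns 1 if the patched checksum matches a full recomputation and undoing it restores the packet. */
int demo(void) {
    const uint8_t ip[8] = { 198, 51, 100, 7, 203, 0, 113, 10 }; /* constructed */
    uint8_t orig[UDP_LEN] = { 0xC3, 0x50, 0x69, 0x87, 0, UDP_LEN }, pkt[UDP_LEN];
    memcpy(orig + 8, A2S_INFO, sizeof A2S_INFO); /* 50000 -> 27015, length 33 */
    uint16_t c = udp_checksum(ip, orig, UDP_LEN);
    orig[6] = (uint8_t)(c >> 8); orig[7] = (uint8_t)c;
    memcpy(pkt, orig, UDP_LEN);
    if (shift_port(pkt, 2, 900) != 27915) return 0;
    if ((pkt[6] << 8 | pkt[7]) != udp_checksum(ip, pkt, UDP_LEN)) return 0;
    shift_port(pkt, 2, -900);
    return memcmp(pkt, orig, UDP_LEN) == 0;
}
```

A rewrite that skips the checksum patch produces a datagram the receiver drops, which from the outside looks the same as the redirect not working at all.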
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
This is a really great idea, thank you very much for this...
I did everything for the modules and there wasn't any error, so how can I tell whether it is working or not? |
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
hey, long time reader of alliedmods.net. just registered to reply to this topic :)
when i try to build it on my system i get a few errors: https://www.hastebin.com/apolufacoq.coffeescript |
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
1 Attachment(s)
Or use the simple utility in the attachment (Python 3.4 or above required): python3 test_a2sinfo.py
|
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
gcc (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
1 Attachment(s)
Setup SourceQueryCacheMono
Install mono
Ubuntu
Build SQC PHP Code:
Check SQC PHP Code:
test_a2sinfo.py
Final steps
1. Set up SQC for your servers (setup should be done on the same host)
2. Enable the kernel module
If you use different ports, you should manually change them in poc.c before compilation. In the attachment you can find the compiled QueryCache.exe. All credits and source code can be found here: https://github.com/blastehh/SourceQueryCacheMono |
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
Hi again spumer, I did everything very well.
1. Enable Kernel module
2. I added this rule to my iptables:
iptables -t nat -I PREROUTING -p udp -d 185.87.120.87 --dport 27015 -m u32 --u32 '0>>22&0x3C@8=0xFFFFFFFF && 0>>22&0x3C@12=0x54536F75 && 0>>22&0x3C@16=0x72636520 && 0>>22&0x3C@20=0x456E6769 && 0>>22&0x3C@24=0x6E652051 && 0>>22&0x3C@28=0x75657279' -j REDIRECT --to-port 27915
3. I started mono QueryCache.exe 27915 185.87.120.87 27015
4. I'm checking with python3 test_a2sinfo.py
|
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
You don't need the iptables rule when the kernel module is loaded.
The kernel module should be used instead of iptables. After all that, you should check the server from outside the host (e.g. from a local computer). So, today xlenonz and I found some problems with Fedora. Previously everything was tested on Gentoo and Ubuntu systems with a different backend. I will try to solve this and publish feedback. |
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
Quote:
Quote:
|
Re: [Linux] [PoC] DDoS Protection - Kernel redirection!
First post updated. Fixed version uploaded.
Quote:
|