AlliedModders

bladynack 02-08-2023 13:38

[A2S]Attacks on my server CS:GO
 
Hello, I have been struggling with attacks on my CS:GO server for 5 days. The attack is aimed at the A2S server status. You can't see its status or connect to it. I have a CS:GO server on my dedicated server with OVH GAME.

Port CS:GO: 27015

This is what I see in the server console:

IP rate limit under distributed packet load (145 buckets, 101 global count), rejecting 77.253.78.14:36398.
IP rate limit sustained 606 distributed packets at 60.6 pps (0 buckets).
IP rate limit under distributed packet load (50 buckets, 101 global count), rejecting 89.65.61.181:27005.

I entered a rule into IPTables:

iptables -N Filter-DROP
iptables -N Filter-GAME
iptables -A INPUT -p udp -m udp --dport 27015 -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 27015 -m string --hex-string "|ffffffff71|" --algo kmp --to 65535 -j Filter-GAME
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A Filter-GAME -p udp -m udp --sport 0:27015 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit-htable-expire 30000 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -j RETURN


After entering the rules to iptables, I start to see the server, but most players have problems connecting to it.

I tried to enable it -> https://github.com/sqproxy/sqproxy but I can't configure it, I get errors.

I would like to configure it -> https://github.com/gnif/SteamQueryProxy but I can't, can anyone help me?

4x file - tcpdump: https://fastupload.io/TItuOJ8WjkH3WLF/file

My hands are really falling off... Please help me.

oqyh 02-08-2023 19:48

Re: [A2S]Attacks on my server CS:GO
 
// Server Queries
sv_max_queries_sec_global 500 // Maximum queries per second to respond to from anywhere
sv_max_queries_sec 160 // Maximum queries per second to respond to from a single IP address
sv_max_queries_window 80 // Window over which to average queries per second

bladynack 02-09-2023 01:56

Re: [A2S]Attacks on my server CS:GO
 
Unfortunately, this solution did not help, I still have problems connecting to the server. Now I can't see it anymore.

IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 89.79.99.57:28544.
IP rate limit sustained 104025 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 79.190.51.28:35938.
IP rate limit sustained 104026 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 77.114.101.43:28645.

bladynack 02-10-2023 06:14

Re: [A2S]Attacks on my server CS:GO
 
Can anyone help?

LaRoVV66 02-11-2023 09:25

Re: [A2S]Attacks on my server CS:GO
 
Quote:

Originally Posted by bladynack (Post 2799214)
Can anyone help?

Hi, when you well I can help you

hamilton5 02-11-2023 12:50

Re: [A2S]Attacks on my server CS:GO
 
the server is ignoring ip now, this is telling you. you can ignore it or get something like fail2ban and block the ip forever if you keep seeing repeating IPs
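
Added example (not part of the original posts): a small Python summary of the "IP rate limit" console lines quoted earlier in the thread, measuring how much of the rejected traffic comes from repeating addresses, which is what a per-IP ban would act on. The sample lines are constructed in the same format with documentation-range addresses; `summarize` and its field names are chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the console output quoted in the
# thread (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 192.0.2.10:28544.
IP rate limit sustained 104025 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 198.51.100.7:35938.
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 203.0.113.99:28645.
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 192.0.2.10:27005.
"""

REJECT_RE = re.compile(
    r"IP rate limit under distributed packet load "
    r"\((\d+) buckets, (\d+) global count\), rejecting (\d+\.\d+\.\d+\.\d+):(\d+)"
)
SUSTAINED_RE = re.compile(
    r"IP rate limit sustained (\d+) distributed packets at ([\d.]+) pps \((\d+) buckets\)"
)

def summarize(log_text, repeat_threshold=2):
    """Aggregate rejected source addresses and the peak reported packet rate."""
    rejected = Counter()
    peak_pps = 0.0
    max_buckets = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            max_buckets = max(max_buckets, int(m.group(1)))
            rejected[m.group(3)] += 1          # count per address, ignoring the port
            continue
        m = SUSTAINED_RE.search(line)
        if m:
            peak_pps = max(peak_pps, float(m.group(2)))
            max_buckets = max(max_buckets, int(m.group(3)))
    repeats = {ip: n for ip, n in rejected.items() if n >= repeat_threshold}
    total = sum(rejected.values())
    return {
        "rejections": total,
        "distinct_sources": len(rejected),
        "repeat_sources": repeats,
        # Share of rejections that a ban on the repeating addresses would cover.
        "repeat_share": (sum(repeats.values()) / total) if total else 0.0,
        "peak_pps": peak_pps,
        "max_buckets": max_buckets,
    }
```

A low `repeat_share` together with a high `distinct_sources` count means a ban list keyed on source address covers little of the load.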

LaRoVV66 02-12-2023 05:28

Re: [A2S]Attacks on my server CS:GO
 
Quote:

Originally Posted by hamilton5 (Post 2799313)
the server is ignoring ip now, this is telling you. you can ignore it or get something like fail2ban and block the ip forever if you keep seeing repeating IPs

You can't solve this with fail2ban. I bought this attack for 1 year as a company. Even Voxility protection can't see it. The only solution for this is to either install a local firewall in the datacenter or do some operations on the server.

pimpmyname 02-26-2023 08:52

Re: [A2S]Attacks on my server CS:GO
 
Last year there was an update that messed up A2S queries and I found a fix for it:

Create chains:

iptables -N Filter-DROP
iptables -N Filter-GAME

(EDIT)
# Check whether the source IP is on the "vse" recent list and, if so, drop the VSE attack for 30 seconds. If the IP continues, the timer is reset. Make sure this is at the top of the iptables rules:
-A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

# A "TSource Engine Query" (A2S_INFO) packet has passed, let's filter it:
-A INPUT -p udp -m udp --dport SERVERPORT -m string --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME

# Block service ports:
-A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP

# A2S attack prevention. If you are running a single server then change "--hashlimit-mode srcip,dstip,dstport" to "--hashlimit-mode srcip"
-A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above 8/sec --hashlimit-burst 16/sec -j Filter-DROP

# Exit Filter-GAME Chain
-A Filter-GAME -p udp -m udp -j RETURN

# Set recent name vse and go to "Matched VSE drop" rule:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

# After the serverport is filtered, lets open the serverport
-A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT



And try these as well:
sv_max_queries_sec 5
sv_max_queries_sec_global 10
sv_max_queries_window 10


The hashlimit is the main cause of the issues you're experiencing. If it didn't work, then try changing:
--hashlimit-above 8/sec --hashlimit-burst 16/sec to lower values like:
--hashlimit-above 7/sec --hashlimit-burst 14/sec
--hashlimit-above 6/sec --hashlimit-burst 12/sec
--hashlimit-above 5/sec --hashlimit-burst 10/sec

But just remember.. If you lower the values keep an eye on the server and see if people's connection times out. You can monitor dropped traffic with "watch -n1 iptables -vnL".
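
Added example (not part of the original post, and going beyond it by including a distributed case): a simplified per-source token-bucket model of the `--hashlimit-above` / `--hashlimit-burst` values listed above, run over constructed traffic to compare what each setting drops. It assumes `--hashlimit-mode srcip`; `hashlimit_drops` and the three traffic patterns are hypothetical names and data for illustration.

```python
from collections import defaultdict

def hashlimit_drops(packets, rate_per_sec, burst):
    """Count packets that a '--hashlimit-above R/sec --hashlimit-burst B
    --hashlimit-mode srcip -j DROP' rule would drop, modelled as one token
    bucket per source address (simplified; integer maths in milli-tokens)."""
    cap = burst * 1000
    credit = defaultdict(lambda: cap)      # a new source starts with a full burst
    last_seen = {}
    dropped = 0
    for t_ms, src in sorted(packets):
        if src in last_seen:
            refill = (t_ms - last_seen[src]) * rate_per_sec
            credit[src] = min(cap, credit[src] + refill)
        last_seen[src] = t_ms
        if credit[src] >= 1000:
            credit[src] -= 1000            # under the limit: rule does not match
        else:
            dropped += 1                   # above the limit: rule matches, DROP
    return dropped

# Constructed traffic, as (time in ms, source address) pairs.
# One address querying 20 times per second for 3 seconds.
SINGLE_SOURCE = [(i * 50, "198.51.100.1") for i in range(60)]
# 1000 packets per second for 3 seconds, spread round-robin over 500 addresses.
DISTRIBUTED = [(i, "src-%d" % (i % 500)) for i in range(3000)]
# A server browser refreshing: 4 queries in a burst every 5 seconds.
BROWSER = [(r * 5000 + k * 10, "203.0.113.5") for r in range(6) for k in range(4)]

def compare(settings=((8, 16), (5, 10))):
    """Return {(rate, burst): {pattern: dropped}} for each setting."""
    patterns = {"single": SINGLE_SOURCE, "distributed": DISTRIBUTED, "browser": BROWSER}
    return {
        s: {name: hashlimit_drops(pkts, *s) for name, pkts in patterns.items()}
        for s in settings
    }
```

In this model the per-source limit trims the single noisy address and leaves the browser refresh alone, while the distributed load passes untouched because no individual source exceeds the rate.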

fragnichtnach 02-27-2023 04:32

Re: [A2S]Attacks on my server CS:GO
 
That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -recent? The size is only 100 and it's linear search. On a real DDoS attack this isn't helpful at all I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find a way with Google.
Code:

/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.


pimpmyname 02-28-2023 01:59

Re: [A2S]Attacks on my server CS:GO
 
Quote:

Originally Posted by fragnichtnach (Post 2800343)
That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -recent? The size is only 100 and it's linear search. On a real DDoS attack this isn't helpful at all I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find a way with Google.
Code:

/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.

The -recent module "remembers" this:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

So if the "--name vse" matches (this has to be at the top of your iptables):
-A INPUT -p udp -m udp -m recent --dport SERVERPORT --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

It will drop the connection for 30 seconds over and over so the attack doesn't hit your serverport. But if you're experiencing a real DDoS attack I think it could handle some of it but it depends on PPS. Contact me over Discord: p!mp#8718 then I can try to help harden your iptables even more.

