[A2S]Attacks on my server CS:GO
Hello, I have been struggling with attacks on my CS:GO server for 5 days. The attack hits the A2S server status. You can't see its status or connect to it. I have a CS:GO server on my dedicated server with OVH GAME.
Port CS:GO: 27015

This is what I see in the server console:
Code:
IP rate limit under distributed packet load (145 buckets, 101 global count), rejecting 77.253.78.14:36398.
IP rate limit sustained 606 distributed packets at 60.6 pps (0 buckets).
IP rate limit under distributed packet load (50 buckets, 101 global count), rejecting 89.65.61.181:27005.

I entered a rule into IPTables:
Code:
iptables -N Filter-DROP
iptables -N Filter-GAME
iptables -A INPUT -p udp -m udp --dport 27015 -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 27015 -m string --hex-string "|ffffffff71|" --algo kmp --to 65535 -j Filter-GAME
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A Filter-GAME -p udp -m udp --sport 0:27015 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit-htable-expire 30000 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -j RETURN

After entering the rules to iptables, I start to see the server, but most players have problems connecting to it. I tried to enable it -> https://github.com/sqproxy/sqproxy but I can't configure it, I get errors. I would like to configure it -> https://github.com/gnif/SteamQueryProxy but I can't, can anyone help me?

4x file - tcpdump: https://fastupload.io/TItuOJ8WjkH3WLF/file

My hands are really falling off... Please help me. |
Re: [A2S]Attacks on my server CS:GO
// Server Queries
sv_max_queries_sec_global 500 // Maximum queries per second to respond to from anywhere
sv_max_queries_sec 160 // Maximum queries per second to respond to from a single IP address
sv_max_queries_window 80 // Maximum queries per second to respond to from anywhere |
Re: [A2S]Attacks on my server CS:GO
Unfortunately, this solution did not help, I still have problems connecting to the server. Now I can't see it anymore.
IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 89.79.99.57:28544.
IP rate limit sustained 104025 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 79.190.51.28:35938.
IP rate limit sustained 104026 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 77.114.101.43:28645. |
Re: [A2S]Attacks on my server CS:GO
Can anyone help?
|
Re: [A2S]Attacks on my server CS:GO
Quote:
|
Re: [A2S]Attacks on my server CS:GO
The server is ignoring the IP now; this is what it is telling you. You can ignore it or get something like fail2ban and block the IP forever if you keep seeing repeating IPs.
|
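To check whether the same addresses really do keep repeating before blocking anything, the console lines quoted in this thread can be tallied. This is an added example, not code from any poster; the sample lines are constructed in the thread's log format using documentation IP ranges, and `summarize` and `min_hits` are hypothetical names.

```python
import re
from collections import Counter

# "rejecting <ip>:<port>" console line, in the format quoted in this thread.
REJECT = re.compile(
    r"IP rate limit under distributed packet load \((\d+) buckets, "
    r"(\d+) global count\), rejecting (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\.")
# "sustained <n> distributed packets at <pps> pps (<b> buckets)" summary line.
SUSTAINED = re.compile(
    r"IP rate limit sustained (\d+) distributed packets at "
    r"([\d.]+) pps \((\d+) buckets\)")

def summarize(lines, min_hits=3):
    """Return ({ip: rejections} for repeat sources, peak pps, peak buckets)."""
    hits = Counter()
    peak_pps, peak_buckets = 0.0, 0
    for line in lines:
        m = REJECT.search(line)
        if m:
            hits[m.group(3)] += 1
            peak_buckets = max(peak_buckets, int(m.group(1)))
            continue
        m = SUSTAINED.search(line)
        if m:
            peak_pps = max(peak_pps, float(m.group(2)))
            peak_buckets = max(peak_buckets, int(m.group(3)))
    repeat = {ip: n for ip, n in hits.items() if n >= min_hits}
    return repeat, peak_pps, peak_buckets

# Constructed sample lines (not taken from a real server).
SAMPLE = """\
IP rate limit under distributed packet load (145 buckets, 101 global count), rejecting 192.0.2.10:36398.
IP rate limit sustained 606 distributed packets at 60.6 pps (0 buckets).
IP rate limit under distributed packet load (50 buckets, 101 global count), rejecting 192.0.2.10:27005.
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 198.51.100.7:28544.
IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 203.0.113.5:35938.
IP rate limit under distributed packet load (4999 buckets, 40001 global count), rejecting 192.0.2.10:28645.
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 203.0.113.5:30111.
""".splitlines()

if __name__ == "__main__":
    repeat, pps, buckets = summarize(SAMPLE)
    print(f"peak {pps} pps, peak {buckets} buckets")
    for ip, n in sorted(repeat.items(), key=lambda kv: -kv[1]):
        print(f"{ip} rejected {n} times")
```

Only addresses that show up in `repeat` are candidates for the kind of long-term block suggested above; an empty result with a high bucket count means no single address stands out in the log.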
Re: [A2S]Attacks on my server CS:GO
Quote:
|
Re: [A2S]Attacks on my server CS:GO
Last year there was an update that messed up A2S queries and I found a fix for it:

Create chains:
Code:
iptables -N Filter-DROP
iptables -N Filter-GAME

(EDIT)
Code:
# Appends update rule and check if vse name is contained, lets drop VSE attack for 30 seconds. If IP continues then reset the timer. Make sure this is in the top of the iptables:
-A INPUT -p udp -m udp -m recent --dport SERVERPORT --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

# String Tsource Engine Query(A2S INFO) has passed, lets filter it:
-A INPUT -p udp -m udp -m string --dport SERVERPORT --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME

# Block service ports:
-A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP

# A2S attack prevention. If you are running a single server then change "--hashlimit-mode srcip,dstip,dstport" to "--hashlimit-mode srcip"
-A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above 8/sec --hashlimit-burst 16/sec -j Filter-DROP

# Exit Filter-GAME Chain
-A Filter-GAME -p udp -m udp -j RETURN

# Set recent name vse and go to "Matched VSE drop" rule:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

# After the serverport is filtered, lets open the serverport
-A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT

And try these as well:
Code:
sv_max_queries_sec 5
sv_max_queries_sec_global 10
sv_max_queries_window 10

The hashlimit is the main cause of the issues you're experiencing. If it didn't work, then try changing:
Code:
--hashlimit-above 8/sec --hashlimit-burst 16/sec
to lower values like:
Code:
--hashlimit-above 7/sec --hashlimit-burst 14/sec
--hashlimit-above 6/sec --hashlimit-burst 12/sec
--hashlimit-above 5/sec --hashlimit-burst 10/sec

But just remember: if you lower the values, keep an eye on the server and see if people's connections time out. You can monitor dropped traffic with "watch -n1 iptables -vnL". |
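How many packets from one source get through at a given above/burst setting can be estimated before touching the live rules. The block below is an added example, not the poster's code: a simplified token-bucket model of a per-source hashlimit rule, not the kernel's exact accounting. The `recent` lockout in Filter-DROP is not modelled, and the per-source packet rates are constructed.

```python
from fractions import Fraction

def simulate(rate_per_sec, burst, pps, seconds):
    """Return (passed, over_limit) for one source sending `pps` packets/sec.

    Model (an assumption, simplified): the bucket starts with `burst`
    credits, regains `rate_per_sec` credits per second up to `burst`, and
    each packet costs one credit. A packet that finds less than one credit
    is over the limit, i.e. the case --hashlimit-above hands to Filter-DROP.
    """
    credits = Fraction(burst)
    refill = Fraction(rate_per_sec, pps)  # credits regained between packets
    passed = over = 0
    for i in range(pps * seconds):
        if i:  # no refill before the very first packet
            credits = min(Fraction(burst), credits + refill)
        if credits >= 1:
            credits -= 1
            passed += 1
        else:
            over += 1
    return passed, over

# (above per second, burst) pairs that appear in this thread.
LIMITS = {
    "1/sec burst 3": (1, 3),
    "8/sec burst 16": (8, 16),
    "5/sec burst 10": (5, 10),
}
# Constructed per-source rates: an occasional querier and a heavy one.
SOURCES = {"2 pps": 2, "20 pps": 20}

def table(seconds=10):
    """Simulate every limit against every constructed source rate."""
    return {(lim, src): simulate(rate, burst, pps, seconds)
            for lim, (rate, burst) in LIMITS.items()
            for src, pps in SOURCES.items()}

if __name__ == "__main__":
    for (lim, src), (ok, over) in table().items():
        print(f"{lim:>15} | {src:>6} | passed {ok:3d} | over limit {over:3d}")
```

In this model a source at 2 packets per second never exceeds 8/sec with burst 16, but is over the limit on 8 of 20 packets at 1/sec with burst 3, which is why each lowering of the values should be followed by watching the drop counters.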
Re: [A2S]Attacks on my server CS:GO
That's really helpful! Thank you for sharing!
I've got a few questions:
Why are you using -recent? The size is only 100 and it's linear search. On a real DDoS attack this isn't helpful at all I believe.
Are we able to increase the size of the tables behind hashlimit? I didn't find a way with Google.
Code:
/proc/sys/net/netfilter/nf_conntrack_hashsize
Quote:
|
Re: [A2S]Attacks on my server CS:GO
Quote:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

So if the "--name vse" matches (this has to be at the top of your iptables):
Code:
-A INPUT -p udp -m udp -m recent --dport SERVERPORT --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

It will drop the connection for 30 seconds over and over so the attack doesn't hit your serverport. But if you're experiencing a real DDoS attack I think it could handle some of it, but it depends on PPS.

Contact me over Discord: p!mp#8718 then I can try to help harden your iptables even more. |