fragnichtnach
AlliedModders Donor
Join Date: Oct 2008
Old 02-27-2023 , 04:32   Re: [A2S]Attacks on my server CS:GO

That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -recent? The size is only 100 and it's a linear search. On a real DDoS attack this isn't helpful at all, I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find the way with Google.
Code:
/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.

Quote:
Originally Posted by pimpmyname
Last year there was an update that messed up A2S queries and I found a fix for it:

Create chains:

iptables -N Filter-DROP
iptables -N Filter-GAME

(EDIT)
# Append the update rule and check if the "vse" name is contained; drop the VSE attack for 30 seconds. If the IP continues, the timer is reset. Make sure this is at the top of the iptables rules:
-A INPUT -p udp -m udp -m recent --dport SERVERPORT --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

# String Tsource Engine Query(A2S INFO) has passed, lets filter it:
-A INPUT -p udp -m udp -m string --dport SERVERPORT --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME

# Block service ports:
-A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP

# A2S attack prevention. If you are running a single server then change "--hashlimit-mode srcip,dstip,dstport" to "--hashlimit-mode srcip"
-A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above 8/sec --hashlimit-burst 16/sec -j Filter-DROP

# Exit Filter-GAME Chain
-A Filter-GAME -p udp -m udp -j RETURN

# Set recent name vse and go to "Matched VSE drop" rule:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

# After the serverport is filtered, lets open the serverport
-A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT



And try these as well:
sv_max_queries_sec 5
sv_max_queries_sec_global 10
sv_max_queries_window 10


The hashlimit is the main cause of the issues you're experiencing. If it didn't work, then try changing:
--hashlimit-above 8/sec --hashlimit-burst 16/sec to lower values like:
--hashlimit-above 7/sec --hashlimit-burst 14/sec
--hashlimit-above 6/sec --hashlimit-burst 12/sec
--hashlimit-above 5/sec --hashlimit-burst 10/sec

But just remember: if you lower the values, keep an eye on the server and see if people's connections time out. You can monitor dropped traffic with "watch -n1 iptables -vnL".
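The quoted rule set turned into a parameterised shell script, added here as an example that is not from either poster: it emits the chain creation and rules for a given port, exposes the hashlimit rate/burst as arguments, and sizes the hashlimit table through the standard xt_hashlimit options --hashlimit-htable-size and --hashlimit-htable-max (documented in iptables-extensions(8)). The default sizes, the function names and the A2S_APPLY/A2S_PORT variables are assumptions for this example.

```shell
#!/bin/sh
# a2s_rules PORT [ABOVE] [BURST] [HTABLE_SIZE] [HTABLE_MAX]
# Prints one iptables command per line (nothing is applied); pipe into sh to apply.
# Rules are appended in order, so run this before any general ACCEPT for the port.
# Defaults below are assumptions for this example, not values from the thread.
a2s_rules() {
    port="$1"
    above="${2:-8/sec}"       # sustained A2S query rate per srcip,dstport
    burst="${3:-16}"          # burst is a packet count, not a rate
    hsize="${4:-65536}"       # hash buckets (assumption)
    hmax="${5:-131072}"       # max tracked entries before new ones are refused (assumption)
    cat <<EOF
iptables -N Filter-DROP
iptables -N Filter-GAME
iptables -A INPUT -p udp -m udp --dport $port -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport $port -m string --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME
iptables -A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above $above --hashlimit-burst $burst --hashlimit-htable-size $hsize --hashlimit-htable-max $hmax -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -j RETURN
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP
iptables -A INPUT -p udp -m udp --dport $port -j ACCEPT
EOF
}

# a2s_drop_counters: show packet/byte counters of the drop chain, for use under watch -n1
a2s_drop_counters() {
    iptables -vnL Filter-DROP
}

# Apply only when explicitly requested, e.g. A2S_APPLY=1 A2S_PORT=27015 sh a2s_rules.sh
if [ "${A2S_APPLY:-0}" = "1" ]; then
    a2s_rules "${A2S_PORT:-27015}" | sh
fi
```

Run `a2s_rules 27015 6/sec 12` first without A2S_APPLY to review the generated commands before applying them.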