
[EXTENSION] Query Cache (AS2_INFO DoS protection)


Cooltad
Veteran Member
Join Date: Apr 2008
Old 02-23-2010 , 15:58   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #71

There should be a plugin made that intelligently blocks large pockets of packets if the data in them is too similar. This would also allow for normal gameplay as the packets sent by normal clients would obviously be different each.
The plugin should also poll for too many different IPs connecting within a single minute, and have it so it blocks it if it goes past 100, as that should also cover any possibilities with normal clients simply connecting a lot.

I believe that type of plugin is possible, it definitely is. It would take good coding, but it can be done if it blocks based on the above variables and thresholds I've listed above.
__________________
Please, give me some rep if you found what I posted useful. :]
recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 02-23-2010 , 18:40   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #72

Quote:
Originally Posted by Alters View Post
So is there no way to make the server ignore these spoofed IPs with empty packets? My server hosting company says this is what is eventually causing the crashes (and not causing a crash dump with it). Although, at this point I don't believe much they say.

About this "blocking on packet content that the attacker could change." - I'm going to take a guess and assume this is something someone with my knowledge would be unable to do? Not fully understanding what you mean by blocking packet content the attacker could change, if they're just empty.

Nope. Thank Valve for using UDP (the TCP handshake makes IP spoofing much more difficult). A decent network server wouldn't allow this to happen, even on UDP (Valve was stupid enough to not check to see if source IPs are even in the server before responding).

They aren't exactly empty, but I won't discuss any of the details publicly.

Quote:
Originally Posted by Cooltad View Post
There should be a plugin made that intelligently blocks large pockets of packets if the data in them is too similar. This would also allow for normal gameplay as the packets sent by normal clients would obviously be different each.
The plugin should also poll for too many different IPs connecting within a single minute, and have it so it blocks it if it goes past 100, as that should also cover any possibilities with normal clients simply connecting a lot.

I believe that type of plugin is possible, it definitely is. It would take good coding, but it can be done if it blocks based on the above variables and thresholds I've listed above.

It's probably not possible with any type of server plugin.

If you were running Linux, iptables or Snort could work. However, there's a reason that most IPS systems are sold as dedicated, inline appliances: Performance (deep packet inspection is very expensive).
__________________

Last edited by recon0; 02-23-2010 at 18:44.
Cooltad
Veteran Member
Join Date: Apr 2008
Old 02-23-2010 , 23:51   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #73

Ah. So, couldn't you mod the extension that checks for if the player is in the server?
__________________
Please, give me some rep if you found what I posted useful. :]
recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 02-24-2010 , 00:57   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #74

Quote:
Originally Posted by Cooltad View Post
Ah. So, couldn't you mod the extension that checks for if the player is in the server?

You'd still run into a performance issue with the number of packets (and you can't thread it). Like I said before, iptables, Snort or an IPS appliance is your best bet at this point.
__________________
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 02-24-2010 , 01:57   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #75

It's definitely possible to prevent large packets except from connected clients, but it would require either:
a) a plugin running on the game server communicating with the firewall (I doubt any GSP is going to want this)
b) a complete understanding of the Source net protocol (Valve doesn't want to give us this)

If you had b, it would be possible to write a sort of proxy that filters these out. It shouldn't add much to the ping, but it's also hard to get the complete specs of the protocol.
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
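
Added example (not devicenull's code and not part of the extension): a Python sketch of the filtering decision described in post #75, where large datagrams are forwarded only for addresses the game-server plugin has reported as connected. The 64-byte cut-off, the 30-second expiry, the class and method names, and the sample addresses are assumptions made for illustration; it also assumes queries and initial connection packets fit under the cut-off.

```python
import time

MAX_UNCONNECTED_LEN = 64   # assumed size cut-off in bytes; not from the thread
CLIENT_TTL = 30.0          # assumed seconds before an unrefreshed entry expires


class LargePacketFilter:
    """Drop large UDP datagrams unless the source is a connected client."""

    def __init__(self, max_len=MAX_UNCONNECTED_LEN, ttl=CLIENT_TTL, clock=time.monotonic):
        self.max_len = max_len
        self.ttl = ttl
        self.clock = clock
        self.clients = {}      # (ip, port) -> last time the plugin vouched for it
        self.dropped = 0

    def client_connected(self, addr):
        """Called by the (hypothetical) game-server plugin for each connected player."""
        self.clients[addr] = self.clock()

    def _is_connected(self, addr):
        seen = self.clients.get(addr)
        # Entries expire so a player who left is not trusted indefinitely.
        return seen is not None and self.clock() - seen <= self.ttl

    def allow(self, addr, payload):
        """Return True to forward the datagram to the game server."""
        if len(payload) <= self.max_len or self._is_connected(addr):
            return True
        self.dropped += 1
        return False


def run_sample():
    """Constructed traffic: one real player plus large datagrams from another source."""
    now = [0.0]
    f = LargePacketFilter(clock=lambda: now[0])
    player = ("198.51.100.7", 27005)
    f.client_connected(player)
    results = [
        f.allow(player, b"x" * 900),                 # connected client, large
        f.allow(("203.0.113.9", 4444), b"x" * 900),  # unknown source, large
        f.allow(("203.0.113.9", 4444), b"x" * 20),   # unknown source, small
    ]
    now[0] = 31.0                                    # plugin stopped refreshing the entry
    results.append(f.allow(player, b"x" * 900))
    return results, f.dropped
```

Because UDP source addresses can be forged, a sender that guesses a connected client's address and port still passes this check; the filter only narrows what unconnected sources can push through.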
Cooltad
Veteran Member
Join Date: Apr 2008
Old 02-24-2010 , 10:59   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #76

Is there any such iptables equivalent for Windows-based servers?
__________________
Please, give me some rep if you found what I posted useful. :]
recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 02-24-2010 , 16:13   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #77

Quote:
Originally Posted by devicenull View Post
It's definitely possible to prevent large packets except from connected clients, but it would require either:
a) a plugin running on the game server communicating with the firewall (I doubt any GSP is going to want this)
b) a complete understanding of the Source net protocol (Valve doesn't want to give us this)

If you had b, it would be possible to write a sort of proxy that filters these out. It shouldn't add much to the ping, but it's also hard to get the complete specs of the protocol.

a) I don't think that'll work. You'd need some way to allow the initial connection packets (which would involve matching a protocol that isn't publicly specced).

b) You'd still need a firewall of some kind (unless matching empty packets was fast enough to run while blocking recvfrom).

Quote:
Originally Posted by Cooltad View Post
Is there any such iptables equivalent for Windows-based servers?

Short answer: no. Long answer: wipfw doesn't offer the kind of filtering needed to block these packets (DPI).
__________________

Last edited by recon0; 02-24-2010 at 16:18.
Cooltad
Veteran Member
Join Date: Apr 2008
Old 03-01-2010 , 02:37   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #78

So does this work again?
__________________
Please, give me some rep if you found what I posted useful. :]
JetBoom
Junior Member
Join Date: Mar 2010
Old 03-02-2010 , 14:19   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #79

Any chance of getting this to work with gmod? It just crashes on load.

Code:
Missing shutdown function for Sys_InitAuthentication() : Sys_ShutdownAuthentication()
Missing shutdown function for S_Init() : S_Shutdown()
Missing shutdown function for Decal_Init() : Decal_Shutdown()
Missing shutdown function for InitStudioRender() : ShutdownStudioRender()
Missing shutdown function for StaticPropMgr()->Init() : StaticPropMgr()->Shutdown()
Missing shutdown function for modelloader->Init() : modelloader->Shutdown()
Missing shutdown function for InitMaterialSystem() : ShutdownMaterialSystem()
Missing shutdown function for HLTV_Init() : HLTV_Shutdown()
Missing shutdown function for g_Log.Init() : g_Log.Shutdown()
Missing shutdown function for master->Init() : master->Shutdown()
Missing shutdown function for Steam3Client().Activate() : Steam3Client().Shutdown()
Missing shutdown function for sv.Init( bDedicated ) : sv.Shutdown()
Missing shutdown function for g_GameEventManager.Init() : g_GameEventManager.Shutdown()
Missing shutdown function for NET_Init( bDedicated ) : NET_Shutdown()
Missing shutdown function for Key_Init() : Key_Shutdown()
Missing shutdown function for Filter_Init() : Filter_Shutdown()
Missing shutdown function for saverestore->Init() : saverestore->Shutdown()
Missing shutdown function for COM_Init() : COM_Shutdown()
Missing shutdown function for V_Init() : V_Shutdown()
Missing shutdown function for g_pCVar->Init() : g_pCVar->Shutdown()
Missing shutdown function for Cmd_Init() : Cmd_Shutdown()
Missing shutdown function for Cbuf_Init() : Cbuf_Shutdown()
Missing shutdown function for Con_Init() : Con_Shutdown()
Missing shutdown function for Memory_Init() : Memory_Shutdown()
Missing shutdown function for Host_Init( s_bIsDedicated ) : Host_Shutdown()
Missing shutdown function for Sys_InitMemory() : Sys_ShutdownMemory()
Missing shutdown function for Sys_Init() : Sys_Shutdown()
Missing shutdown function for COM_InitFilesystem( info.m_pInitialMod ) : COM_ShutdownFileSystem()

Last edited by JetBoom; 03-02-2010 at 14:31.
recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 03-02-2010 , 18:13   Re: [EXTENSION] Query Cache (AS2_INFO DoS protection)
Reply With Quote #80

Quote:
Originally Posted by Cooltad View Post
So does this work again?

Use revision 30 (about the 3rd time I've said to).


@JetBoom,

It's currently running on a GMOD server. Where did those errors come from exactly?
__________________
All times are GMT -4. The time now is 00:34.

