[Linux] [PoC] DDoS Protection - Kernel redirection!


#1  spumer (Senior Member, Join Date: Aug 2011), 05-09-2017, 03:54

Proof of Concept

Basically, Source game servers work in one thread and can't use more than one core for in-game logic, for example Left 4 Dead 2.
Yes, you can use SourceMod to offload calculations (use threading), but we are talking about the common game logic.

You can try to use the DoS Protection extension, but caching is not a fast solution, because the server spends time receiving the request and sending the answer from the cache.

So we just need to redirect some packets to a proxy service (e.g. SourceQueryCacheMono).

IPTables (or any NAT) can't help!


If you use IPTables (NAT) to redirect queries to the proxy, this rule will be remembered in the routing table, and if a client tries to connect, the connection will be redirected to the proxy too.


Linux Kernel module

It works!
Just register a packet handler and move it to the top (set a specific priority); at this moment the packet is placed in the RAW routing table and no rule has been applied yet. Now we change the destination port, calculate a new checksum and let it go further! In the next step the packet will be matched and redirected according to the NAT rules and go to our proxy service. Answers from the service will be translated by the same logic.
For ease of use the port mapping is hardcoded:
27015 -> 27915
27016 -> 27916
...

As a result, all requests arriving at the required ports are sent, in accordance with the rules, to the service, which knows for which server and port each request is being made.


Solution


Requirements
  • Linux, or KVM virtualization (OpenVZ does not allow custom modules)
  • Kernel version >= 3.3 or 4.x; check yours with the command: uname -r
  • Linux headers: sudo apt-get install linux-headers-$(uname -r); or google "install linux headers" for your system
  • gcc and make

Build module:
PHP Code:
make 
If no errors occurred you should see the poc.ko file.

Install:

You can load module manually:
PHP Code:
insmod poc.ko 
or install the module into the system

PHP Code:
# copy module to system folder
cp poc.ko /lib/modules/`uname -r`

# make module visible to `modprobe` command
depmod -a

# add module to autoload
echo "poc" >> /etc/modules

# load module now
modprobe poc 
Manually unload
PHP Code:
rmmod poc 
Troubleshooting

Problem: after loading the module, servers appear offline.
Solution: try disabling checksum offload

PHP Code:
# determine main interface  (e.g. eth0)
ifconfig -a

# disable offloading
ethtool --offload eth0 rx off tx off 
Attached Files
File Type: gz poc.tar.gz (1.9 KB, 207 views)
Last edited by spumer; 01-30-2018 at 11:46.
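
The packet rewrite the first post describes (match the query, change the port, fix the checksum, and do the reverse for the reply), as an added example that is not the thread's poc.ko: the same logic as a user-space C function over a raw IPv4/UDP buffer, so it compiles and runs without kernel headers. It deliberately differs from the post's design in one point: rather than retargeting everything that arrives on 27015 and leaving the rest to a NAT rule, it only touches datagrams whose payload is an A2S_INFO query, so game traffic and client connections are never sent to the proxy (the conntrack problem the post raises with plain iptables). In a module the function would be called from netfilter hooks registered with nf_register_net_hook() at NF_INET_PRE_ROUTING (queries) and NF_INET_POST_ROUTING (replies), with a priority numerically lower than NF_IP_PRI_RAW so it runs before the raw, conntrack and nat chains; the in-kernel helper for the checksum step is inet_proto_csum_replace2(). The addresses, the client port 40000 and the sample payloads are constructed for this example.

```c
/* Added example (not the thread's poc.ko): the per-packet rewrite the post
 * describes, done on a raw IPv4/UDP buffer in user space so it compiles and
 * runs without kernel headers. Addresses, the client port and the sample
 * payloads are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GAME_PORT  27015   /* game server port (the post's mapping) */
#define PROXY_PORT 27915   /* SourceQueryCache port (the post's mapping) */
enum { DIR_IN = 0, DIR_OUT = 1 };

/* A2S_INFO request payload: four 0xFF bytes, "TSource Engine Query", NUL (25 bytes) */
static const uint8_t A2S_INFO_REQ[] = "\xff\xff\xff\xff" "TSource Engine Query";

uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1624 eq. 3: fold one changed 16-bit word into an existing one's-complement
 * checksum. Exact here: only a port changes, the UDP pseudo-header does not. */
uint16_t csum_update16(uint16_t csum, uint16_t old, uint16_t new_)
{
    uint32_t sum = (uint16_t)~csum;
    sum += (uint16_t)~old;
    sum += new_;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    sum = (uint16_t)~sum;
    return sum ? (uint16_t)sum : 0xffff;   /* UDP transmits a computed 0 as 0xffff */
}

/* Full UDP checksum (pseudo-header + header + payload). With the checksum field
 * zeroed it yields the value to store; over a correctly checksummed packet it
 * yields 0, which is how a caller verifies that the incremental update was right. */
uint16_t udp_checksum(const uint8_t *ip, size_t len)
{
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, i;
    const uint8_t *udp = ip + ihl;
    size_t ulen = rd16(udp + 4);
    uint32_t sum = 0;
    if (ihl + ulen > len) return 0xffff;                 /* callers validate; defensive */
    for (i = 12; i < 20; i += 2) sum += rd16(ip + i);   /* pseudo-header: src, dst */
    sum += 17 + ulen;                                    /* protocol, UDP length */
    for (i = 0; i + 1 < ulen; i += 2) sum += rd16(udp + i);
    if (ulen & 1) sum += (uint16_t)(udp[ulen - 1] << 8); /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classify one IPv4/UDP packet and rewrite it in place.
 *   DIR_IN : A2S_INFO query to GAME_PORT -> retarget to PROXY_PORT
 *   DIR_OUT: datagram from PROXY_PORT    -> make it appear to come from GAME_PORT
 * Returns 1 if rewritten, 0 if passed through. Game traffic, connections,
 * fragments and malformed lengths are never touched. */
int a2s_redirect(uint8_t *pkt, size_t len, int dir)
{
    size_t ihl, ulen;
    uint8_t *udp;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;               /* not IPv4 */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return 0;    /* not UDP */
    if (rd16(pkt + 6) & 0x1fff) return 0;                       /* non-first fragment */
    udp = pkt + ihl;
    ulen = rd16(udp + 4);
    if (ulen < 8 || ihl + ulen > len) return 0;                 /* bogus UDP length */
    if (dir == DIR_IN) {
        if (rd16(udp + 2) != GAME_PORT) return 0;
        if (ulen - 8 < sizeof A2S_INFO_REQ ||
            memcmp(udp + 8, A2S_INFO_REQ, sizeof A2S_INFO_REQ) != 0) return 0;
        wr16(udp + 2, PROXY_PORT);
        if (rd16(udp + 6)) wr16(udp + 6, csum_update16(rd16(udp + 6), GAME_PORT, PROXY_PORT));
        return 1;
    }
    if (rd16(udp) != PROXY_PORT) return 0;
    wr16(udp, GAME_PORT);
    if (rd16(udp + 6)) wr16(udp + 6, csum_update16(rd16(udp + 6), PROXY_PORT, GAME_PORT));
    return 1;
}

/* Constructed sample packet: IPv4 192.0.2.10 -> 198.51.100.5 (documentation
 * addresses), caller's ports and payload, UDP checksum filled in. Returns length. */
size_t build_udp4(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport,
                  const uint8_t *payload, size_t plen)
{
    static const uint8_t hdr[20] = { 0x45, 0, 0, 0,  0, 1, 0, 0,  64, 17, 0, 0,
                                     192, 0, 2, 10,  198, 51, 100, 5 };
    size_t total = 28 + plen;
    uint16_t c;
    if (plen > 0xffffu - 28 || cap < total) return 0;
    memcpy(buf, hdr, 20);
    wr16(buf + 2, (uint16_t)total);          /* IP total length; IP checksum not needed here */
    wr16(buf + 20, sport); wr16(buf + 22, dport);
    wr16(buf + 24, (uint16_t)(8 + plen)); wr16(buf + 26, 0);
    memcpy(buf + 28, payload, plen);
    c = udp_checksum(buf, total);
    wr16(buf + 26, c ? c : 0xffff);
    return total;
}
```

Two practical notes. A datagram whose UDP checksum field is zero carries no checksum, so the rewrite must leave the field at zero rather than "fix" it; the code above does that. And the checksum-offload symptom in the troubleshooting section has a plausible in-kernel cause: a locally generated reply can leave the stack with skb->ip_summed == CHECKSUM_PARTIAL, where the field holds only the pseudo-header sum and the NIC finishes the rest, so a hook that recomputes or patches that field by hand corrupts it on the wire. inet_proto_csum_replace2() checks ip_summed for exactly this reason, and turning offload off, as the post suggests, sidesteps the case at the cost of CPU.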
#2  controlsuz123 (Member, Join Date: Nov 2009), 05-09-2017, 23:20

This is a really great idea, thank you very much for this...

I did everything for the module and there wasn't any error, so how can I tell whether it is working or not?
#3  nistnesus (New Member, Join Date: May 2017), 05-09-2017, 23:29

Hey, long-time reader of alliedmods.net, just registered to reply to this topic.

When I try to build it on my system I get a few errors:

https://www.hastebin.com/apolufacoq.coffeescript
#4  spumer (Senior Member, Join Date: Aug 2011), 05-09-2017, 23:49

Quote (controlsuz123):
> This is a really great idea, thank you very much for this...
>
> I did everything for the module and there wasn't any error, so how can I tell whether it is working or not?

Did you build and run SourceQueryCache too? After the module is loaded and SQC is started, you can check your server with HLSW or an equivalent (https://forums.alliedmods.net/showthread.php?t=289370)
Or use the simple utility in the attachment (Python 3.4 or above required): python3 test_a2sinfo.py


Quote (nistnesus):
> Hey, long-time reader of alliedmods.net, just registered to reply to this topic.
>
> When I try to build it on my system I get a few errors:
>
> https://www.hastebin.com/apolufacoq.coffeescript

What is your gcc version?
PHP Code:
gcc --version 
Attached Files
File Type: gz test_a2sinfo.py.gz (1,020 Bytes, 207 views)
Last edited by spumer; 05-09-2017 at 23:50.
#5  nistnesus (New Member, Join Date: May 2017), 05-09-2017, 23:59

gcc (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#6  spumer (Senior Member, Join Date: Aug 2011), 05-10-2017, 04:47

Setup SourceQueryCacheMono

Install mono (Ubuntu)

Build SQC
PHP Code:
cd SourceQueryCacheMono
xbuild /p:Configuration=Release QueryCache.sln 
Now we have QueryCache.exe in the QueryCache/bin/Release subfolder

Check SQC
PHP Code:
cd QueryCache/bin/Release

# start listening on 27915 and proxy requests to 216.52.148.47:27015
mono QueryCache.exe 27915 216.52.148.47 27015 
Now we can test SQC with some query tool.

test_a2sinfo.py


Final steps
1. Set up SQC for your servers (setup should be done on the same host)
2. Enable the kernel module

If you use different ports, you should change them manually in poc.c before compilation.

In the attachment you can find a compiled QueryCache.exe. All credits and source code can be found here: https://github.com/blastehh/SourceQueryCacheMono
Attached Files
File Type: gz QueryCache.exe.gz (3.5 KB, 264 views)
Last edited by spumer; 05-10-2017 at 04:48.
#7  controlsuz123 (Member, Join Date: Nov 2009), 05-10-2017, 07:08

Hi again spumer, I did everything very well.

1. Enabled the kernel module
2. Added this iptables rule:

iptables -t nat -I PREROUTING -p udp -d 185.87.120.87 --dport 27015 -m u32 --u32 '0>>22&0x3C@8=0xFFFFFFFF && 0>>22&0x3C@12=0x54536F75 && 0>>22&0x3C@16=0x72636520 && 0>>22&0x3C@20=0x456E6769 && 0>>22&0x3C@24=0x6E652051 && 0>>22&0x3C@28=0x75657279' -j REDIRECT --to-port 27915

3. Started mono QueryCache.exe 27915 185.87.120.87 27015

4. Checking with python3 test_a2sinfo.py


Quote:
# python3 test_a2sinfo.py
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x07\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=206
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x06\x13\x05dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=212
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x00\x13\x00dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01empty,128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=212
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x00\x13\x00dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01empty,128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
Got response, len=212
b'\xff\xff\xff\xffI\x11[TR] WASP\xe2\x84\xa2 #1 \xe2\x98\x85DM\xe2\x98\x85 [D2/Mir/cach][FFA][128 TK] - PRO\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00\xda\x02\x00\x13\x00dl\x00\x011.35.7.8\x00\xb1\x87i\xbb\xbf\x0e\x00\x00\x000\x01empty,128,aim,deathmatch,dm,ffa,warmup,wasp,HLstatsX:CE,secure\x00\xda\x02\x00\x00\x00\x00\x00\x00'
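
What test_a2sinfo.py is exercising, as an added example that is not the thread's script: a C request builder and a bounds-checked parser for the A2S_INFO reply whose raw bytes are printed above (header 'I', protocol byte, four strings, appid, player counts, type/environment/visibility/VAC flags, version, then the EDF byte and the optional fields it announces). The sample reply is constructed to follow the layout of the posted output and keeps its appid 730, port 27015 and version 1.35.7.8, with the server name and tags shortened. The parser also recognises the 'A' challenge reply that Valve added for A2S_INFO in December 2020, after this thread, so a modern probe has to resend the request with the challenge appended.

```c
/* Added example (not the thread's test_a2sinfo.py): A2S_INFO request builder and a
 * bounds-checked parser for the reply, with a sample reply constructed to follow
 * the layout of the output posted above. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { A2S_OK = 0, A2S_CHALLENGE = 1, A2S_TRUNCATED = -1, A2S_BAD_HEADER = -2 };

struct a2s_info {
    uint8_t     protocol, players, max_players, bots, server_type, environment, visibility, vac;
    const char *name, *map, *folder, *game, *version, *keywords;  /* point into the reply buffer */
    uint16_t    appid, port;
    uint64_t    steamid, gameid;
    int         has_port, has_steamid, has_keywords, has_gameid;  /* which EDF fields were present */
};

/* Cursor over the reply: every read checks the remaining length first, so a short
 * or malicious reply can never make the parser read past the end of the buffer. */
struct cur { const uint8_t *p; size_t left; };

static int take_u8(struct cur *c, uint8_t *v)
{
    if (c->left < 1) return 0;
    *v = *c->p++; c->left--; return 1;
}
static int take_le(struct cur *c, size_t n, uint64_t *v)   /* little-endian n-byte integer */
{
    uint64_t r = 0; size_t i;
    if (c->left < n) return 0;
    for (i = n; i-- > 0;) r = (r << 8) | c->p[i];
    c->p += n; c->left -= n; *v = r; return 1;
}
static int take_str(struct cur *c, const char **s)         /* NUL-terminated inside the buffer */
{
    const uint8_t *nul = memchr(c->p, 0, c->left);
    size_t n = nul ? (size_t)(nul - c->p) + 1 : 0;
    if (!nul) return 0;
    *s = (const char *)c->p; c->p += n; c->left -= n; return 1;
}

/* 25-byte A2S_INFO request; if the server answered with a challenge ('A' reply),
 * resend with the 4-byte challenge appended little-endian. Returns bytes written. */
size_t a2s_info_request(uint8_t *buf, size_t cap, const uint32_t *challenge)
{
    static const uint8_t req[] = "\xff\xff\xff\xff" "TSource Engine Query";  /* includes NUL */
    size_t n = sizeof req;
    int i;
    if (cap < n + 4) return 0;
    memcpy(buf, req, n);
    if (challenge) for (i = 0; i < 4; i++) buf[n++] = (uint8_t)(*challenge >> (8 * i));
    return n;
}

int a2s_info_parse(const uint8_t *buf, size_t len, struct a2s_info *out, uint32_t *challenge)
{
    struct cur c;
    uint64_t v; uint8_t edf; const char *tv;
    if (len < 5 || memcmp(buf, "\xff\xff\xff\xff", 4) != 0) return A2S_BAD_HEADER;
    if (buf[4] == 'A') {                                  /* challenge instead of info */
        if (len < 9) return A2S_TRUNCATED;
        *challenge = (uint32_t)buf[5] | (uint32_t)buf[6] << 8 | (uint32_t)buf[7] << 16 | (uint32_t)buf[8] << 24;
        return A2S_CHALLENGE;
    }
    if (buf[4] != 'I') return A2S_BAD_HEADER;
    memset(out, 0, sizeof *out);
    c.p = buf + 5; c.left = len - 5;
    if (!take_u8(&c, &out->protocol) || !take_str(&c, &out->name) || !take_str(&c, &out->map) ||
        !take_str(&c, &out->folder) || !take_str(&c, &out->game) || !take_le(&c, 2, &v))
        return A2S_TRUNCATED;
    out->appid = (uint16_t)v;
    if (!take_u8(&c, &out->players) || !take_u8(&c, &out->max_players) || !take_u8(&c, &out->bots) ||
        !take_u8(&c, &out->server_type) || !take_u8(&c, &out->environment) ||
        !take_u8(&c, &out->visibility) || !take_u8(&c, &out->vac) || !take_str(&c, &out->version))
        return A2S_TRUNCATED;
    if (!take_u8(&c, &edf)) return A2S_OK;                /* the EDF byte and what follows are optional */
    if (edf & 0x80) { if (!take_le(&c, 2, &v)) return A2S_TRUNCATED; out->port = (uint16_t)v; out->has_port = 1; }
    if (edf & 0x10) { if (!take_le(&c, 8, &out->steamid)) return A2S_TRUNCATED; out->has_steamid = 1; }
    if (edf & 0x40) { if (!take_le(&c, 2, &v) || !take_str(&c, &tv)) return A2S_TRUNCATED; }  /* SourceTV port+name */
    if (edf & 0x20) { if (!take_str(&c, &out->keywords)) return A2S_TRUNCATED; out->has_keywords = 1; }
    if (edf & 0x01) { if (!take_le(&c, 8, &out->gameid)) return A2S_TRUNCATED; out->has_gameid = 1; }
    return A2S_OK;
}

/* Constructed sample reply, laid out like the output posted in this thread
 * (same appid 730, port 27015, version 1.35.7.8; name and tags shortened). */
static const uint8_t SAMPLE_INFO[] =
    "\xff\xff\xff\xff" "I" "\x11"
    "Example Server\0" "de_dust2\0" "csgo\0" "Counter-Strike: Global Offensive\0"
    "\xda\x02"                             /* appid 730, little-endian */
    "\x06\x13\x05" "d" "l" "\x00\x01"     /* 6/19 players, 5 bots, dedicated, linux, public, VAC on */
    "1.35.7.8\0"
    "\xb1"                                 /* EDF: 0x80 port | 0x20 keywords | 0x10 steamid | 0x01 gameid */
    "\x87\x69"                             /* port 27015 */
    "\xbb\xbf\x0e\x00\x00\x00\x30\x01"     /* server SteamID */
    "128,aim,deathmatch,secure\0"
    "\xda\x02\x00\x00\x00\x00\x00\x00";    /* gameid 730 */
#define SAMPLE_INFO_LEN (sizeof SAMPLE_INFO - 1)   /* drop the literal's own trailing NUL */
```

The strings in struct a2s_info are pointers into the caller's buffer, not copies, so the buffer must outlive the struct; every string is guaranteed NUL-terminated within the original length, which is what makes it safe to hand them to strcmp or printf. A reply that ends mid-field comes back as A2S_TRUNCATED rather than being partially trusted, which matters for a probe that will be pointed at the proxy under attack.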
#8  spumer (Senior Member, Join Date: Aug 2011), 05-10-2017, 07:42

You don't need the iptables rule when the kernel module is loaded.
The kernel module should be used instead of iptables.

After all that you should check the server from outside the host (e.g. from your local computer).

So, today with xlenonz we found some problems on Fedora. Previously everything was tested on Gentoo and Ubuntu systems with different backends.
I will try to solve this and post feedback.
Last edited by spumer; 05-10-2017 at 07:43.
#9  controlsuz123 (Member, Join Date: Nov 2009), 05-10-2017, 07:52

Quote (spumer):
> You don't need the iptables rule when the kernel module is loaded.
> The kernel module should be used instead of iptables.
>
> After all that you should check the server from outside the host (e.g. from your local computer).
>
> So, today with xlenonz we found some problems on Fedora. Previously everything was tested on Gentoo and Ubuntu systems with different backends.
> I will try to solve this and post feedback.

OK, I'm waiting for your answers.

Quote:
IP rate limit sustained 46354 distributed packets at 1545.1 pps (2071 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.3.114.5:27015.
IP rate limit sustained 47292 distributed packets at 1576.4 pps (2049 buckets).
IP rate limit under distributed packet load (2498 buckets, 15352 global count), rejecting 78.165.89.156:27015.
IP rate limit sustained 48406 distributed packets at 1613.5 pps (2032 buckets).
IP rate limit under distributed packet load (2498 buckets, 15482 global count), rejecting 81.215.112.125:27015.
IP rate limit sustained 48089 distributed packets at 1603.0 pps (2050 buckets).
IP rate limit under distributed packet load (2498 buckets, 15382 global count), rejecting 95.11.64.66:27015.
IP rate limit sustained 46724 distributed packets at 1557.5 pps (2039 buckets).
IP rate limit under distributed packet load (2500 buckets, 15001 global count), rejecting 78.173.223.113:27015.
IP rate limit sustained 45429 distributed packets at 1514.3 pps (2072 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.1.40.82:50335.
IP rate limit sustained 46003 distributed packets at 1533.4 pps (2061 buckets).
IP rate limit under distributed packet load (2498 buckets, 15001 global count), rejecting 95.11.9.119:54904.
IP rate limit sustained 45879 distributed packets at 1529.3 pps (2076 buckets).
The attack is still coming like this..
#10  spumer (Senior Member, Join Date: Aug 2011), 05-11-2017, 07:38

First post updated. Fixed version uploaded.

Quote (nistnesus):
> gcc (Debian 4.9.2-10) 4.9.2
> Copyright (C) 2014 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Try upgrading gcc to version 5.x or 6.x.
Last edited by spumer; 05-11-2017 at 10:28.