[Linux] [PoC] DDoS Protection - Kernel redirection!

spumer
Senior Member
Join Date: Aug 2011
09-28-2019, 14:52   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #41

For connecting you should use only the server port.
The proxy port is internal and used only for the caching logic.

For example:
27015 - server/game port
27915 - proxy port (where caching service is running and waiting queries)

How does it work?
The kernel module redirects INFO queries sent to port 27015 to port 27915, and redirects the answer back (27915 -> 27015), transparently.
Other game traffic is passed as is.

In that case you and anyone else should connect only to 27015 (server/game port). Always.

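The redirect described in this post, modelled in userspace as an added example (this is not the module's code): the decision a netfilter hook has to make on each UDP datagram in both directions, and the port rewrite itself. Ports 27015 and 27915 are the ones from the post; the IPv4/UDP layout, the sample addresses (documentation ranges) and the A2S_RULES/S2A_INFO payloads are constructed for the demo. The UDP checksum is updated incrementally (RFC 1624), which is what an in-kernel port rewrite has to do to keep the datagram valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the redirect: A2S_INFO queries arriving on the game port are steered to the
 * proxy port, proxy answers are relabelled with the game port as source, everything else passes.
 * Assumes a 20-byte IPv4 header (no options) followed by the 8-byte UDP header. */
#define GAME_PORT  27015
#define PROXY_PORT 27915
#define IP_HDR 20
#define UDP_HDR 8

enum a2s_kind { A2S_OTHER, A2S_INFO_QUERY, A2S_INFO_REPLY, A2S_CHALLENGE };

/* A2S_INFO request on the wire: 0xFFFFFFFF 'T' "Source Engine Query\0" (a challenge may follow). */
static const uint8_t A2S_INFO_REQ[25] = { 0xff, 0xff, 0xff, 0xff, 'T',
    'S','o','u','r','c','e',' ','E','n','g','i','n','e',' ','Q','u','e','r','y','\0' };

enum a2s_kind classify_a2s(const uint8_t *p, size_t n)
{
    if (n < 5 || memcmp(p, "\xff\xff\xff\xff", 4) != 0) return A2S_OTHER;
    if (p[4] == 'T')
        return (n >= sizeof A2S_INFO_REQ && memcmp(p, A2S_INFO_REQ, sizeof A2S_INFO_REQ) == 0)
               ? A2S_INFO_QUERY : A2S_OTHER;
    if (p[4] == 'I') return A2S_INFO_REPLY;   /* S2A_INFO: the answer the cache hands out */
    if (p[4] == 'A') return A2S_CHALLENGE;    /* S2C_CHALLENGE: also an answer, never a query */
    return A2S_OTHER;                         /* A2S_PLAYER, A2S_RULES, game traffic, ... */
}

static uint32_t sum16(const uint8_t *d, size_t n, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) acc += (uint32_t)((d[i] << 8) | d[i + 1]);
    if (n & 1) acc += (uint32_t)d[n - 1] << 8;
    return acc;
}
static uint16_t fold16(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* Full UDP checksum (RFC 768): IPv4 pseudo-header, UDP header with zeroed checksum, payload. */
uint16_t udp_checksum(const uint8_t *pkt, size_t n)
{
    uint32_t ulen = (uint32_t)(n - IP_HDR), acc = 0;
    uint16_t c;
    acc = sum16(pkt + 12, 8, acc);                              /* source and destination address */
    acc += 17 + ulen;                                           /* protocol number and UDP length */
    acc = sum16(pkt + IP_HDR, 6, acc);                          /* ports and length, checksum skipped */
    acc = sum16(pkt + IP_HDR + UDP_HDR, ulen - UDP_HDR, acc);   /* payload */
    c = (uint16_t)~fold16(acc);
    return c ? c : 0xffff;                                      /* 0 means "no checksum" for UDP */
}

/* Incremental update after one 16-bit field changed (RFC 1624 eqn 3), the job the kernel's
 * inet_proto_csum_replace2() does for a hook; a disabled (zero) checksum is left alone. */
static void csum_replace16(uint8_t *csum, uint16_t old_val, uint16_t new_val)
{
    uint16_t hc = get16(csum), hc2;
    uint32_t acc;
    if (hc == 0) return;
    acc = (uint16_t)~hc;
    acc += (uint16_t)~old_val;
    acc += new_val;
    hc2 = (uint16_t)~fold16(acc);
    put16(csum, hc2 ? hc2 : 0xffff);
}

static int is_udp4(const uint8_t *pkt, size_t n)
{
    return n >= IP_HDR + UDP_HDR && pkt[0] == 0x45 && pkt[9] == 17;
}

/* Inbound side: an INFO query for the game port is steered to the proxy. Returns 1 if rewritten. */
int redirect_query(uint8_t *pkt, size_t n)
{
    if (!is_udp4(pkt, n) || get16(pkt + 22) != GAME_PORT) return 0;
    if (classify_a2s(pkt + 28, n - 28) != A2S_INFO_QUERY) return 0;  /* other traffic passes as is */
    put16(pkt + 22, PROXY_PORT);
    csum_replace16(pkt + 26, GAME_PORT, PROXY_PORT);
    return 1;
}

/* Outbound side: a proxy answer is relabelled so the client sees it come from the game port. */
int redirect_reply(uint8_t *pkt, size_t n)
{
    enum a2s_kind k;
    if (!is_udp4(pkt, n) || get16(pkt + 20) != PROXY_PORT) return 0;
    k = classify_a2s(pkt + 28, n - 28);
    if (k != A2S_INFO_REPLY && k != A2S_CHALLENGE) return 0;
    put16(pkt + 20, GAME_PORT);
    csum_replace16(pkt + 26, PROXY_PORT, GAME_PORT);
    return 1;
}

/* Constructed IPv4/UDP datagram with a valid UDP checksum. The IP header checksum is left zero:
 * a port rewrite never touches the IP header, so it is not part of the model. */
size_t build_packet(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport,
                    const uint8_t *payload, size_t plen)
{
    static const uint8_t src[4] = {198, 51, 100, 7}, dst[4] = {203, 0, 113, 9};  /* constructed */
    size_t n = IP_HDR + UDP_HDR + plen;
    if (n > cap || n > 0xffff) return 0;
    memset(buf, 0, IP_HDR + UDP_HDR);
    buf[0] = 0x45; put16(buf + 2, (uint16_t)n); buf[8] = 64; buf[9] = 17;
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    put16(buf + 20, sport); put16(buf + 22, dport); put16(buf + 24, (uint16_t)(UDP_HDR + plen));
    memcpy(buf + IP_HDR + UDP_HDR, payload, plen);
    put16(buf + 26, udp_checksum(buf, n));
    return n;
}

/* Both directions plus a non-INFO query; returns 0 when every check holds, else the failing step. */
int run_demo(void)
{
    static const uint8_t rules_q[5] = {0xff, 0xff, 0xff, 0xff, 'V'};           /* A2S_RULES */
    static const uint8_t info_reply[8] = {0xff, 0xff, 0xff, 0xff, 'I', 0x11, 'c', 0};  /* S2A_INFO stub */
    uint8_t pkt[128];
    size_t n = build_packet(pkt, sizeof pkt, 40000, GAME_PORT, A2S_INFO_REQ, sizeof A2S_INFO_REQ);
    if (!n || !redirect_query(pkt, n) || get16(pkt + 22) != PROXY_PORT) return 1;
    if (udp_checksum(pkt, n) != get16(pkt + 26)) return 2;   /* incremental update matches a full recompute */
    n = build_packet(pkt, sizeof pkt, 40000, GAME_PORT, rules_q, sizeof rules_q);
    if (!n || redirect_query(pkt, n) || get16(pkt + 22) != GAME_PORT) return 3;
    n = build_packet(pkt, sizeof pkt, PROXY_PORT, 40000, info_reply, sizeof info_reply);
    if (!n || !redirect_reply(pkt, n) || get16(pkt + 20) != GAME_PORT) return 4;
    if (udp_checksum(pkt, n) != get16(pkt + 26)) return 5;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "redirect model OK" : "redirect model: check failed");
    return rc;
}
```

Only an exact A2S_INFO request header is steered; an A2S_RULES or A2S_PLAYER query to the same port is left untouched, which is the "other game traffic is passed as is" rule. Keeping the UDP checksum consistent is not optional: a datagram whose port was rewritten but whose checksum was not is discarded by the receiver.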
djvx
Junior Member
Join Date: Sep 2019
10-01-2019, 01:49   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #42

Quote:
Originally Posted by spumer (post #41, above)
I see. So with this, I do not need to use the iptables solution as mentioned in the earlier part of the thread?

Also, whenever I set modprobe to the file mentioned, my server sends a timeout via hlsw; am I missing something?
And for the config.json server-addr and bind-addr, is it external and internal ip respectively?

spumer
Senior Member
Join Date: Aug 2011
10-07-2019, 04:31   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #43

Quote:
Originally Posted by djvx (post #42, above)
Yes, you don't use iptables.

If the server sends you a timeout, then you are missing something in the configuration.

server-addr - the address used to send queries from the cache-proxy to the gameserver (yes, it's the gameserver address)
bind-addr - the address used to listen for incoming packets

In a common setup the cache-proxy is installed on the same host, and "server-addr" and "bind-addr" will be the same.

Use the address of your main network interface.
For a NATed network it can look like 192.168.*.*
For a direct connection to the Internet the interface has a public IP
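What the caching service on the proxy port (post #41) has to decide once the module hands it a query, as an added model in C; this is not spumer's proxy or SourceQueryCacheMono. Queries reach it on bind-addr and it alone talks to the game server at server-addr (post #43); socket I/O is left out so the decision logic runs offline. The 5-second TTL, the "serve stale data while a refresh is in flight" rule and the constructed S2A_INFO reply are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed policy: a cached S2A_INFO answer is authoritative for CACHE_TTL seconds; after that the
 * next client query triggers exactly one upstream query to server-addr while clients keep getting
 * the stale answer. The game server therefore sees at most one INFO query per TTL window. */
#define CACHE_TTL 5
#define REPLY_MAX 1400

enum action { SERVE_CACHED = 1, WAIT_FOR_SERVER = 2 };

struct query_cache {
    uint8_t reply[REPLY_MAX];
    size_t reply_len;        /* 0 until the first answer from the game server arrived */
    time_t fresh_until;      /* cached reply is authoritative until this time */
    time_t refresh_sent;     /* when the last upstream query went out, 0 when none is in flight */
    unsigned pending;        /* clients waiting for the first answer */
    unsigned long upstream_queries, served;
};

void cache_init(struct query_cache *c) { memset(c, 0, sizeof *c); }

/* One A2S_INFO query from a client at time `now`. *send_upstream is set when the proxy must send
 * one query of its own to server-addr; *out/*out_len carry the cached answer on SERVE_CACHED. */
enum action cache_handle_query(struct query_cache *c, time_t now, int *send_upstream,
                               const uint8_t **out, size_t *out_len)
{
    int have_reply = c->reply_len > 0;
    int fresh = have_reply && now < c->fresh_until;
    int in_flight = c->refresh_sent != 0 && now - c->refresh_sent < CACHE_TTL;
    *send_upstream = 0;
    if (!fresh && !in_flight) {            /* at most one upstream query per refresh window */
        c->refresh_sent = now;
        c->upstream_queries++;
        *send_upstream = 1;
    }
    if (have_reply) {                      /* stale is still better than forwarding a flood */
        *out = c->reply; *out_len = c->reply_len; c->served++;
        return SERVE_CACHED;
    }
    c->pending++;
    return WAIT_FOR_SERVER;                /* answered when cache_store_reply() lands */
}

/* Answer from the game server. Only S2A_INFO ('I') is accepted. Returns how many waiting clients
 * can now be answered, 0 if the datagram was rejected. */
unsigned cache_store_reply(struct query_cache *c, time_t now, const uint8_t *reply, size_t n)
{
    unsigned waiting = c->pending;
    if (n < 5 || n > REPLY_MAX || memcmp(reply, "\xff\xff\xff\xffI", 5) != 0) return 0;
    memcpy(c->reply, reply, n);
    c->reply_len = n;
    c->fresh_until = now + CACHE_TTL;
    c->refresh_sent = 0;
    c->pending = 0;
    return waiting;
}

/* Flood of `flood` queries inside one TTL window, then one window later. Returns the number of
 * queries the game server received (expected 2 whatever the flood size), negative on a failed check. */
int run_flood_demo(unsigned long flood)
{
    static const uint8_t reply[] = {0xff, 0xff, 0xff, 0xff, 'I', 0x11, 's', 'r', 'v', 0};  /* constructed */
    struct query_cache c;
    const uint8_t *out; size_t out_len; int up;
    time_t t0 = 1000;
    unsigned long i;
    cache_init(&c);
    /* first query: nothing cached, one upstream query goes out, client waits */
    if (cache_handle_query(&c, t0, &up, &out, &out_len) != WAIT_FOR_SERVER || !up) return -1;
    if (cache_store_reply(&c, t0, reply, sizeof reply) != 1) return -2;
    /* the flood: everyone is served from cache, nothing reaches the server */
    for (i = 0; i < flood; i++)
        if (cache_handle_query(&c, t0 + 1, &up, &out, &out_len) != SERVE_CACHED || up) return -3;
    /* after the TTL: one refresh is triggered, the stale answer is still served meanwhile */
    if (cache_handle_query(&c, t0 + CACHE_TTL + 1, &up, &out, &out_len) != SERVE_CACHED || !up) return -4;
    if (cache_handle_query(&c, t0 + CACHE_TTL + 2, &up, &out, &out_len) != SERVE_CACHED || up) return -5;
    if (out_len != sizeof reply || memcmp(out, reply, out_len) != 0) return -6;
    return (int)c.upstream_queries;
}

int main(void)
{
    int upstream = run_flood_demo(100000);
    printf("100000 client queries -> %d queries to server-addr\n", upstream);
    return upstream == 2 ? 0 : 1;
}
```

The point the model makes is the ratio: a flood of INFO queries on the game port costs the game server one query per TTL window, while every client still gets an answer from bind-addr. A reply that is not S2A_INFO is refused by cache_store_reply, so an unrelated datagram from the server address cannot poison what the cache serves.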
insanedude
Junior Member
Join Date: Mar 2009
10-08-2019, 15:51   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #44

Does this work for GoldSRC based games?
Also, what happens if there are multiple servers with port 27015/27016 on 1 VPS (aka. the VPS has multiple IPs)?
Will the module correctly FW the traffic to the correct IP : Port?

Edit: Tried installing the module on Debian 10.1 (Kernel 4.19.0.6-amd64):

Code:
make -C /lib/modules/`uname -r`/build M=$PWD modules
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-6-amd64'
  CC [M]  /home/downloads/poc/poc.o
/home/downloads/poc/poc.c: In function ‘init_module’:
/home/downloads/poc/poc.c:200:2: error: implicit declaration of function ‘nf_register_hook’; did you mean ‘nf_register_net_hook’? [-Werror=implicit-function-declaration]
  nf_register_hook(&pre_hook);
  ^~~~~~~~~~~~~~~~
  nf_register_net_hook
/home/downloads/poc/poc.c: In function ‘cleanup_module’:
/home/downloads/poc/poc.c:215:2: error: implicit declaration of function ‘nf_unregister_hook’; did you mean ‘nf_unregister_net_hook’? [-Werror=implicit-function-declaration]
  nf_unregister_hook(&pre_hook);
  ^~~~~~~~~~~~~~~~~~
  nf_unregister_net_hook
cc1: some warnings being treated as errors
make[4]: *** [/usr/src/linux-headers-4.19.0-6-common/scripts/Makefile.build:315: /home/downloads/poc/poc.o] Error 1
make[3]: *** [/usr/src/linux-headers-4.19.0-6-common/Makefile:1534: _module_/home/downloads/poc] Error 2
make[2]: *** [Makefile:146: sub-make] Error 2
make[1]: *** [Makefile:8: all] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-6-amd64'
make: *** [Makefile:8: default] Error 2
Edit2: OK, it works on Debian 9. However, is an update for a newer kernel planned?
However, after some initial testing, there do seem to be issues with server queries from sites such as GameTracker.com. It tends to show the server as offline, and it took me 5-6 attempts to actually add it there. While it is reported as online, it does not show online players.

Edit50: Disabling checksum offload resolved the above.

Edit51: Is there a way to bind this module on a per IP : Port basis?
I have a VM with 4 IPs and i don't want to run the module on all of them.
Ex. I have servers with 1.1.1.1:27015, 1.1.1.1:27016, 2.2.2.2:27015, 2.2.2.2:27016, 3.3.3.3:27015, 3.3.3.3:27016, etc, and I only need to run it on 3.3.3.3:27015 and 1.1.1.1:27016 (for example).

Another Edit: SourceQueryCacheMono keeps crashing for me. I tried both the compiled .exe you provided and compiling it myself, but no luck. Since that is not really working properly, this module becomes unusable :\
Crash error:
Code:
Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
  at QueryCache.MainClass.Main (System.String[] args) [0x003d3] in <33c391ceb45944cfb17c055999dca527>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
  at QueryCache.MainClass.Main (System.String[] args) [0x003d3] in <33c391ceb45944cfb17c055999dca527>:0

MAGNAT2645
Senior Member
Join Date: Nov 2015
Location: AlliedMods.net
11-02-2019, 06:01   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #45

I got this error:
Code:
make -C /lib/modules/`uname -r`/build M=$PWD modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-65-generic'
  CC [M]  /home/poc/poc.o
/home/poc/poc.c:1:0: error: code model kernel does not support PIC mode
 #include <linux/module.h>
 ^
scripts/Makefile.build:337: recipe for target '/home/poc/poc.o' failed
make[2]: *** [/home/poc/poc.o] Error 1
Makefile:1571: recipe for target '_module_/home/poc' failed
make[1]: *** [_module_/home/poc] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-65-generic'
Makefile:8: recipe for target 'default' failed
make: *** [default] Error 2
I found that I can patch that by recompiling the kernel, but I'm a noob at Linux, so is there any alternative way to fix this?
djvx
Junior Member
Join Date: Sep 2019
11-02-2019, 12:47   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #46

I'm having issues with the install.sh after moving to ubuntu 19.10 with a custom kernel. Any idea why this is happening?

Code:
/root/sqpkernel/hooks.h:110:1: note: in expansion of macro ‘HOOK’
  110 | HOOK(post_hook)
      | ^~~~
/root/sqpkernel/sqproxy_redirect.c: In function ‘init_module’:
/root/sqpkernel/sqproxy_redirect.c:44:1: error: ‘-mindirect-branch’ and ‘-fcf-protection’ are not compatible
   44 | {
      | ^
/root/sqpkernel/sqproxy_redirect.c: In function ‘cleanup_module’:
/root/sqpkernel/sqproxy_redirect.c:65:1: error: ‘-mindirect-branch’ and ‘-fcf-protection’ are not compatible
   65 | {
      | ^
make[2]: *** [scripts/Makefile.build:285: /root/sqpkernel/sqproxy_redirect.o] Error 1
make[1]: *** [Makefile:1597: _module_/root/sqpkernel] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.2.14-rt7'
make: *** [Makefile:8: default] Error 2
I can't find sqproxy_redirect.ko after the build.
That is just a gist of the output; there's more that says similar things. I have make and gcc installed.
spumer
Senior Member
Join Date: Aug 2011
11-21-2019, 08:21   Re: [Linux] [PoC] DDoS Protection - Kernel redirection!   #47

Quote:
Originally Posted by insanedude (post #44, above)
Does this work for GoldSRC based games?

Another Edit: The SourceQueryCacheMono keeps crashing for me. I tried both with the compiled .exe you provided and compiled it myself, but no luck. Since that is not really working properly, this module becomes unusable :\
Crash error:
Code:
Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
  at QueryCache.MainClass.Main (System.String[] args) [0x003d3] in <33c391ceb45944cfb17c055999dca527>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
  at QueryCache.MainClass.Main (System.String[] args) [0x003d3] in <33c391ceb45944cfb17c055999dca527>:0
You can try to use my proxy server: https://github.com/spumer/source-query-proxy

About the kernel module:
I'm now working on a new version which will be independent of the kernel version and won't require manual compilation.
I plan to finish this work by 2020.
All times are GMT -4.