Need help blocking DoS attack


Martijn79
Member
Join Date: Jan 2013
#1  11-03-2013, 11:35  Need help blocking DoS attack

I was wondering if someone could help me find the right iptables rules to block off this attack I'm getting. It seems like a typical denial of service attack.

When the attack takes place (usually when the server is full) the CPU load of srcds_linux goes to 100%, causing the server to go down. tcpdump shows the output posted below.

I'm already dropping invalid length UDP packets with these rules:

iptables -A INPUT -p udp --dport 27015:27020 -m length --length 02 -j DROP
iptables -A INPUT -p udp --dport 27015:27020 -m length --length 2521:65535 -j DROP

Another symptom with this attack is the traffic. When the attack takes place I have about 5000 kB/s incoming, but also outgoing traffic of about the same amount.

Any idea how to fix this?

Thanks!

Code:
07:36:31.749760 IP 72.179.15.167.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749765 IP 115.200.44.28.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749797 IP 191.115.63.28.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749847 IP 137.193.4.220.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749857 IP 137.251.75.56.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749875 IP 91.95.183.239.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749886 IP 202.128.240.177.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749897 IP 155.15.174.228.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749909 IP 121.177.212.64.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749929 IP 91.80.76.254.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749978 IP 214.173.228.78.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749982 IP 76.116.11.169.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.749986 IP 218.211.77.118.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750012 IP 76.101.176.114.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750016 IP 128.171.113.141.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750027 IP 16.92.57.133.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750038 IP 71.191.150.107.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750064 IP 91.227.192.251.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750078 IP 106.131.150.109.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750081 IP 152.96.183.123.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750085 IP 64.217.207.219.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750093 IP 58.150.136.57.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750115 IP 192.14.121.249.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750136 IP 200.14.33.44.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750140 IP 7.209.209.38.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750150 IP 148.160.190.132.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750162 IP 205.81.45.132.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750167 IP 141.216.141.190.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750172 IP 100.165.185.107.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750202 IP 52.236.116.151.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750259 IP 77.219.206.182.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750263 IP 38.133.203.72.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750271 IP 13.66.244.111.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750310 IP 3.42.73.82.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750353 IP 84.153.117.155.27015 > 1.1.1.1.27015: UDP, length 25
07:36:31.750358 IP 174.253.253.20.27015 > 1.1.1.1.27015: UDP, length 25
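As an added example (not code from the thread), a Python parser for tcpdump -nn lines like the capture above that flags the pattern the thread later identifies: 25-byte UDP datagrams, which is the size of an A2S_INFO request ("TSource Engine Query"), sent to the game port from source port 27015, and counts distinct sources per second. The sample lines are three from the capture plus one constructed legitimate query from an ephemeral port.

```python
import re
from collections import defaultdict

# A2S_INFO request as Source clients send it: 0xFFFFFFFF header, the text
# "TSource Engine Query" and a NUL: 25 bytes, the "length 25" in the capture.
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"
A2S_INFO_LEN = len(A2S_INFO_REQUEST)  # 25

# One "tcpdump -nn" UDP line, in the format of the capture above.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_line(line):
    """Fields of a UDP tcpdump line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}

def matches_flood_pattern(pkt, game_port=27015):
    """The pattern the thread converges on: an A2S_INFO-sized datagram to the
    game port whose source port is also the game port. Normal clients query
    from an ephemeral port, so this is a heuristic, not proof per packet."""
    return (pkt is not None and pkt["dport"] == game_port
            and pkt["sport"] == game_port and pkt["len"] == A2S_INFO_LEN)

def summarize(lines, game_port=27015):
    """Per second: (matching packets, distinct source IPs). Many distinct
    sources in one second is the spoofed-flood signature."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        pkt = parse_line(line)
        if matches_flood_pattern(pkt, game_port):
            buckets[pkt["ts"]][0] += 1
            buckets[pkt["ts"]][1].add(pkt["src"])
    return {ts: (n, len(srcs)) for ts, (n, srcs) in buckets.items()}

# Constructed sample: three lines from the capture above plus one legitimate
# query from an ephemeral source port (203.0.113.7 is a documentation address).
SAMPLE = [
    "07:36:31.749765 IP 115.200.44.28.27015 > 1.1.1.1.27015: UDP, length 25",
    "07:36:31.749797 IP 191.115.63.28.27015 > 1.1.1.1.27015: UDP, length 25",
    "07:36:31.749847 IP 137.193.4.220.27015 > 1.1.1.1.27015: UDP, length 25",
    "07:36:31.750001 IP 203.0.113.7.51234 > 1.1.1.1.27015: UDP, length 25",
]
```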
Mike_BoG
SourceMod Donor
Join Date: Jul 2011
#2  11-03-2013, 12:40  Re: Need help blocking DoS attack

Can you post a tcpdump of the attack in progress? It would be much easier to help you if we can see the attack.
__________________
Founder and Owner of BlackOut Gaming
Martijn79
Member
Join Date: Jan 2013
#3  11-03-2013, 12:43  Re: Need help blocking DoS attack

Quote:
Originally Posted by Mike_BoG
Can you post a tcpdump of the attack in progress? It would be much easier to help you if we can see the attack.
I posted that?

That's an output of tcpdump -nn during the attack.
Mike_BoG
SourceMod Donor
Join Date: Jul 2011
#4  11-03-2013, 16:54  Re: Need help blocking DoS attack

Quote:
Originally Posted by Martijn79
I posted that?

That's an output of tcpdump -nn during the attack.
You can get more specific output if you dump to a file, then inspect it using something like Wireshark.
__________________
Founder and Owner of BlackOut Gaming
Martijn79
Member
Join Date: Jan 2013
#5  11-05-2013, 16:47  Re: Need help blocking DoS attack

Thanks Mike, I did that and it seems that I get hit thousands of times each second with the command:

TSource Engine Query.

Any idea?

Thanks!
Martijn79
Member
Join Date: Jan 2013
#6  11-05-2013, 18:10  Re: Need help blocking DoS attack

Ok I think I needed this plugin:

http://forums.alliedmods.net/showthread.php?p=1273708

Re-compiled and installed it, I'll report back if it works.

I uploaded it if someone needs it as well:

http://forums.alliedmods.net/showpos...6&postcount=39

Last edited by Martijn79; 11-05-2013 at 18:16.
Martijn79
Member
Join Date: Jan 2013
#7  11-07-2013, 13:48  Re: Need help blocking DoS attack

Well, that extension helped with the CPU load which doesn't spike to 100% any longer but the server still goes down.

Here's a captured tcpdump while the attack was going on: http://www.mediafire.com/?8xe7cvx33dlgwxx

I would appreciate if someone could look at it and knows how to block this attack.

Thanks!
Martijn79
Member
Join Date: Jan 2013
#8  11-07-2013, 14:32  Re: Need help blocking DoS attack

Ok, I think I have solved it (hopefully). It seems that the attack originates from port 27015 as well (and the destination is UDP 27015). I just found out that my game servers running on port 27015 are the only ones affected; the ones running on 27016 and higher have no issue with this type of attack. So I changed all standard port numbers to something higher than 27015 and now this type of attack has stopped.