
[A2S]Attacks on my server CS:GO


bladynack
New Member
Join Date: Aug 2011
Old 02-08-2023 , 13:38   [A2S]Attacks on my server CS:GO
Reply With Quote #1

Hello, I have been struggling with attacks on my CS:GO server for 5 days. Attack flies on A2S server status. You can't see its status or connect to it. I have a CS:GO server on my dedicated server with OVH GAME.

Port CS:GO: 27015

This is what I see in the server console:

IP rate limit under distributed packet load (145 buckets, 101 global count), rejecting 77.253.78.146398."
"IP rate limit sustained 606 distributed packets at 60.6 pps (0 buckets)."
"IP rate limit under distributed packet load (50 buckets, 101 global count), rejecting 89.65.61.181:27005.

I entered a rule into IPTables:

iptables -N Filter-DROP
iptables -N Filter-GAME
iptables -A INPUT -p udp -m udp --dport 27015 -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 27015 -m string --hex-string "|ffffffff71|" --algo kmp --to 65535 -j Filter-GAME
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 27015 -j ACCEPT
iptables -A Filter-DROP -p udp -m udp -m recent --set --name vse --mask 255.255.255.255 --rsource -j DROP
iptables -A Filter-GAME -p udp -m udp --sport 0:27015 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit-htable-expire 30000 -j Filter-DROP
iptables -A Filter-GAME -p udp -m udp -j RETURN


After entering the rules to iptables, I start to see the server, but most players have problems connecting to it.

I tried to enable it -> https://github.com/sqproxy/sqproxy but I can't configure it, I get errors.

I would like to configure it -> https://github.com/gnif/SteamQueryProxy but I can't, can anyone help me?

4x file - tcpdump: https://fastupload.io/TItuOJ8WjkH3WLF/file

My hands are really falling off... Please help me.
bladynack is offline
oqyh
Senior Member
Join Date: May 2019
Location: United Arab Emirates
Old 02-08-2023 , 19:48   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #2

// Server Queries
sv_max_queries_sec_global 500 // Maximum queries per second to respond to from anywhere
sv_max_queries_sec 160 // Maximum queries per second to respond to from a single IP address
sv_max_queries_window 80 // Window over which the queries-per-second rate is averaged
__________________
.:[ >> My Plugins << ]:.

My discord : oqyh
oqyh is offline
bladynack
New Member
Join Date: Aug 2011
Old 02-09-2023 , 01:56   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #3

Unfortunately, this solution did not help, I still have problems connecting to the server. Now I can't see it anymore.

IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 89.79.99.57:28544.
IP rate limit sustained 104025 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 79.190.51.285938.
IP rate limit sustained 104026 distributed packets at 1300.3 pps (4999 buckets).
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 77.114.101.43:28645.
bladynack is offline
bladynack
New Member
Join Date: Aug 2011
Old 02-10-2023 , 06:14   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #4

Can anyone help?
bladynack is offline
LaRoVV66
Senior Member
Join Date: Jul 2015
Old 02-11-2023 , 09:25   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #5

Quote:
Originally Posted by bladynack View Post
Can anyone help?
Hi, when you well I can help you
LaRoVV66 is offline
hamilton5
Veteran Member
Join Date: Oct 2012
Location: USA
Old 02-11-2023 , 12:50   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #6

the server is ignoring ip now, this is telling you. you can ignore it or get something like fail2ban and block the ip forever if you keep seeing repeating IPs
hamilton5 is offline
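Whether per-address blocking such as fail2ban can help depends on whether the rejected sources actually repeat. The following added example (not from any poster in this thread) tallies the "rejecting" lines in the console format shown in the first post; the sample log is constructed with documentation-range addresses, and `summarize` is a hypothetical helper name.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the srcds console format quoted in this thread.
SAMPLE_LOG = """\
IP rate limit under distributed packet load (145 buckets, 101 global count), rejecting 192.0.2.10:27005.
IP rate limit sustained 606 distributed packets at 60.6 pps (0 buckets).
IP rate limit under distributed packet load (50 buckets, 101 global count), rejecting 198.51.100.7:28544.
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 192.0.2.10:28645.
IP rate limit under distributed packet load (5000 buckets, 40001 global count), rejecting 203.0.113.285938.
IP rate limit sustained 104023 distributed packets at 1300.3 pps (5002 buckets).
IP rate limit under distributed packet load (5001 buckets, 40001 global count), rejecting 192.0.2.10:27005.
"""

REJECT = re.compile(r'\((\d+) buckets, \d+ global count\), rejecting (\S+?)\.?"?\s*$')
SUSTAINED = re.compile(r"sustained \d+ distributed packets at ([\d.]+) pps")

def summarize(log_text, min_hits=3):
    """Count rejections per source IP and report the peak rate and bucket count."""
    hits = Counter()
    malformed, peak_pps, peak_buckets = 0, 0.0, 0
    for line in log_text.splitlines():
        sustained = SUSTAINED.search(line)
        if sustained:
            peak_pps = max(peak_pps, float(sustained.group(1)))
            continue
        rejected = REJECT.search(line)
        if not rejected:
            continue
        peak_buckets = max(peak_buckets, int(rejected.group(1)))
        host = rejected.group(2).rpartition(":")[0]  # empty if there is no ":port"
        try:
            hits[str(ipaddress.ip_address(host))] += 1
        except ValueError:
            malformed += 1  # an unparseable address is counted, never guessed at
    return {
        "distinct_sources": len(hits),
        "repeat_offenders": {ip: n for ip, n in hits.items() if n >= min_hits},
        "malformed": malformed,
        "peak_pps": peak_pps,
        "peak_buckets": peak_buckets,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A short list of repeat offenders next to a large number of distinct sources means that banning individual addresses will remove only a small part of the load.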
LaRoVV66
Senior Member
Join Date: Jul 2015
Old 02-12-2023 , 05:28   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #7

Quote:
Originally Posted by hamilton5 View Post
the server is ignoring ip now, this is telling you. you can ignore it or get something like fail2ban and block the ip forever if you keep seeing repeating IPs
You can't solve this with fail2ban. I bought this attack for 1 year as a company. Even voxility protection can't see it. The only solution for this is to either install a local firewall in the datacenter or do some operations on the server.
LaRoVV66 is offline
pimpmyname
Junior Member
Join Date: Jul 2021
Old 02-26-2023 , 08:52   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #8

Last year there was an update that messed up A2S queries and I found a fix for it:

Create chains:

iptables -N Filter-DROP
iptables -N Filter-GAME

(EDIT)
# Append the update rule: if the source IP is in the "vse" recent list, drop the VSE attack for 30 seconds. If the IP continues, the timer is reset. Make sure this is at the top of the iptables rules:
-A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

# A "TSource Engine Query" (A2S_INFO) string has passed, let's filter it:
-A INPUT -p udp -m udp --dport SERVERPORT -m string --hex-string "|ffffffff54|" --algo kmp -j Filter-GAME

# Block service ports:
-A Filter-GAME -p udp -m udp --sport 0:1023 -j Filter-DROP

# A2S attack prevention. If you are running a single server then change "--hashlimit-mode srcip,dstip,dstport" to "--hashlimit-mode srcip"
-A Filter-GAME -p udp -m udp -m hashlimit --hashlimit-name StopDoS --hashlimit-mode srcip,dstport --hashlimit-above 8/sec --hashlimit-burst 16 -j Filter-DROP

# Exit Filter-GAME Chain
-A Filter-GAME -p udp -m udp -j RETURN

# Set recent name vse and go to "Matched VSE drop" rule:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

# After the serverport is filtered, let's open the serverport
-A INPUT -p udp -m udp --dport SERVERPORT -j ACCEPT



And try these as well:
sv_max_queries_sec 5
sv_max_queries_sec_global 10
sv_max_queries_window 10


The hashlimit is the main cause of the issues you're experiencing. If it didn't work, then try changing:
--hashlimit-above 8/sec --hashlimit-burst 16 to lower values like:
--hashlimit-above 7/sec --hashlimit-burst 14
--hashlimit-above 6/sec --hashlimit-burst 12
--hashlimit-above 5/sec --hashlimit-burst 10

But just remember.. If you lower the values keep an eye on the server and see if people's connections time out. You can monitor dropped traffic with "watch -n1 iptables -vnL".

Last edited by pimpmyname; 02-27-2023 at 02:16. Reason: mistake
pimpmyname is offline
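How the per-source hashlimit in the ruleset above treats different senders as its values are tuned, as an added example that is not part of the original post: a simplified integer token-bucket model of `--hashlimit-above` and `--hashlimit-burst` (not the kernel's implementation; entry expiry is not modelled). The function names and the traffic patterns are constructed for illustration.

```python
from collections import Counter

def hashlimit_verdicts(arrivals_ms, above_per_sec=8, burst=16):
    """Verdicts for packets from ONE source, i.e. one hashlimit bucket.

    Simplified model: the bucket holds up to `burst` packets of credit and
    refills at `above_per_sec`. A packet that finds credit spends it and
    falls through to RETURN ("pass"); a packet that finds none matches
    --hashlimit-above and is sent to Filter-DROP ("drop").
    Credit is kept in milli-packets so the arithmetic stays exact.
    """
    cap = burst * 1000
    credit, last = cap, None
    verdicts = []
    for t in arrivals_ms:
        if last is not None:
            # above_per_sec packets/sec == above_per_sec milli-packets per ms
            credit = min(cap, credit + above_per_sec * (t - last))
        last = t
        if credit >= 1000:
            credit -= 1000
            verdicts.append("pass")
        else:
            verdicts.append("drop")
    return verdicts

def tally(pps, seconds, **limits):
    """Evenly spaced flow from one source; pps must divide 1000."""
    step = 1000 // pps
    arrivals = [i * step for i in range(pps * seconds)]
    return Counter(hashlimit_verdicts(arrivals, **limits))

if __name__ == "__main__":
    # Constructed traffic patterns, not measurements from the thread.
    print("2 pps, 10 s, 8/sec burst 16    :", dict(tally(2, 10)))
    print("100 pps, 10 s, 8/sec burst 16  :", dict(tally(100, 10)))
    print("100 pps, 10 s, 5/sec burst 10  :",
          dict(tally(100, 10, above_per_sec=5, burst=10)))
    print("20 at once, 8/sec burst 16     :",
          dict(Counter(hashlimit_verdicts([0] * 20))))
```

Because every source address gets its own bucket, many sources that each stay under the limit all pass, so the rule bounds the load per sender but not the total.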
fragnichtnach
AlliedModders Donor
Join Date: Oct 2008
Old 02-27-2023 , 04:32   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #9

That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -recent? The size is only 100 and it's linear search. On a real DDoS attack this isn't helpful at all I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find a way with Google.
Code:
/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.

fragnichtnach is offline
pimpmyname
Junior Member
Join Date: Jul 2021
Old 02-28-2023 , 01:59   Re: [A2S]Attacks on my server CS:GO
Reply With Quote #10

Quote:
Originally Posted by fragnichtnach View Post
That's really helpful! Thank you for sharing!

I've got a few questions:
Why are you using -recent? The size is only 100 and it's linear search. On a real DDoS attack this isn't helpful at all I believe.

Are we able to increase the size of the tables behind hashlimit? I didn't find a way with Google.
Code:
/proc/sys/net/netfilter/nf_conntrack_hashsize
isn't available in my system.
The -recent module "remembers" this:
-A Filter-DROP -p udp -m udp -m recent --set --name vse -j DROP

So if the "--name vse" matches (this has to be at the top of your iptables):
-A INPUT -p udp -m udp --dport SERVERPORT -m recent --update --seconds 30 --hitcount 5 --name vse --mask 255.255.255.255 --rsource -j DROP

It will drop the connection for 30 seconds over and over so the attack doesn't hit your serverport. But if you're experiencing a real DDoS attack I think it could handle some of it but it depends on PPS. Contact me over Discord: p!mp#8718 then I can try to help harden your iptables even more.
pimpmyname is offline