
Protection for CSGO servers against DOS, Exploits, Lags


SilentBr
Veteran Member
Join Date: Jan 2009
Old 12-01-2015 , 10:26   Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #1

Hi mates

All my 5 CSGO servers are under attack, I don't know what else to do, I've tried everything that I know/searched.

A hacker is able to lag the servers and disconnect all players, but the server itself doesn't lag, I mean, there is no high traffic. I did check iftop and everything was OK; while all players were being disconnected, I stayed connected with another player (don't know why).

Since there is no high traffic, I think it's some exploit like the old and known CSS Exploit.

Here are some things I do as protection:

-Allow rcon port only to trusted IPs
-Using smac plugins
-qchache_mm running
-Some iptables rules, but I need to improve them.

I'm so tired of those problems, months and months being attacked.

If someone knows how to protect servers against lags, exploits, disconnects and everything, please let me know. I will appreciate it so much...

Thank you in advance.
SilentBr is offline
sneaK
SourceMod Moderator
Join Date: Feb 2015
Location: USA
Old 12-01-2015 , 14:44   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #2

In for answers as well. I wish there was a mega thread for securing servers well.
__________________
sneaK is offline
SilentBr
Veteran Member
Join Date: Jan 2009
Old 12-01-2015 , 15:11   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #3

Quote:
Originally Posted by blackhawk74 View Post
In for answers as well. I wish there was a mega thread for securing servers well.
There is a thread with a lot of iptables rules to protect the server, I can't search now because I'm at work, but all of those rules don't solve my problem, still disconnecting all players.

I am wondering if there is a dosp or another extension/plugin that protects the server against exploits.
SilentBr is offline
irepz
Senior Member
Join Date: Mar 2013
Location: France
Old 12-01-2015 , 15:57   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #4

Have you tried to sniff network packets sent from your attacker?
__________________
irepz is offline
SilentBr
Veteran Member
Join Date: Jan 2009
Old 12-01-2015 , 16:19   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #5

Quote:
Originally Posted by irepz View Post
Have you tried to sniff network packets sent from your attacker?
I have 12 servers running on my dedicated server. Those attacks don't generate high traffic, that's why I think it is an exploit or something. So, it's impossible to find his IP using iftop.

How can I know which IP is from the attacker?
SilentBr is offline
Puppetmaster
Senior Member
Join Date: Jun 2015
Location: Probably at a computer.
Old 12-01-2015 , 18:06   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #6

I would probably code a plugin that adds all the players' IPs, Steam IDs, server host and a timestamp to a database table each time they connect and use deductive reasoning to work out who is doing it.

I would use GetClientIP with a threaded query called in the OnClientPostAdminCheck event imo. If they aren't crashing your server outright you should end up with a large number of client join logs, and if X player is always joining Y server right before it is attacked you can probably narrow it down to a small handful of players quickly.

If there is no relation then the attack is probably either done from a large number of distinct accounts or a side channel attack like using hping to flood the game server's buffer on Z port or something similar. You might also try whitelisting players' IPs from a website form? Personally I would use Wireshark dumps and a small PHP/C program to get a breakdown of all the incoming packet source IPs and correlate them with the players in the actual game. If there is an outlier with a large number of packets who does not have a connection (yes, I know UDP is connectionless) to your game you can *probably* add them to the iptables.

EDIT:
Upon further thought, is it possible that the attacker is simply sending correctly formatted RST packets to the client connection port of the CSGO server while spoofing the IP? It would be fairly simple to craft such packets in either C or with almost any modern network accessing dev kit such as an Arduino or Raspberry Pi. The only trouble would be finding the players' IPs; having no knowledge of the CSGO server binary's network stack, I cannot comment further on this line of thought.
__________________

GZS Servers

Last edited by Puppetmaster; 12-01-2015 at 18:18. Reason: Thoughts
Puppetmaster is offline
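The two correlations suggested in post #6 (joins shortly before each attack, and heavy packet sources that match no known player), as an added example that is not part of the original post or Puppetmaster's plugin. The record layouts, function names and all sample values are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not from the thread (documentation IP ranges).
# JOINS: rows a join-logging plugin would store: (time, steam id, ip, server).
JOINS = [
    ("2015-12-01 19:30:00", "STEAM_1:0:333", "198.51.100.30", "srv2"),
    ("2015-12-01 20:01:10", "STEAM_1:0:111", "198.51.100.10", "srv1"),
    ("2015-12-01 20:02:30", "STEAM_1:0:222", "198.51.100.20", "srv1"),
    ("2015-12-01 20:40:05", "STEAM_1:0:111", "198.51.100.10", "srv2"),
    ("2015-12-01 21:14:50", "STEAM_1:0:111", "198.51.100.10", "srv1"),
]
# ATTACKS: when the mass disconnects were observed, and on which server.
ATTACKS = [("2015-12-01 20:05:00", "srv1"),
           ("2015-12-01 20:44:00", "srv2"),
           ("2015-12-01 21:16:00", "srv1")]
# PACKETS: per-source packet counts taken from a capture of the game port.
PACKETS = {"198.51.100.10": 5200, "198.51.100.20": 4800,
           "198.51.100.30": 5100, "203.0.113.77": 91000, "203.0.113.5": 12}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def joins_before_attacks(joins, attacks, window_min=10):
    """Per Steam ID, count the attacks preceded by a join to the same
    server within window_min minutes. Highest counts come first."""
    hits = Counter()
    for when, server in attacks:
        end = _ts(when)
        start = end - timedelta(minutes=window_min)
        hits.update({sid for t, sid, _ip, srv in joins
                     if srv == server and start <= _ts(t) <= end})
    return hits.most_common()

def unknown_sources(packets, joins, min_packets=1000):
    """Source IPs with heavy traffic that never appear in the join log."""
    player_ips = {ip for _t, _sid, ip, _srv in joins}
    heavy = [(ip, n) for ip, n in packets.items()
             if ip not in player_ips and n >= min_packets]
    return sorted(heavy, key=lambda item: -item[1])

if __name__ == "__main__":
    for sid, n in joins_before_attacks(JOINS, ATTACKS):
        print(f"{sid}: joined shortly before {n}/{len(ATTACKS)} attacks")
    for ip, n in unknown_sources(PACKETS, JOINS):
        print(f"{ip}: {n} packets, no matching player")
```

UDP source addresses can be forged, so an outlier IP from the second function is a lead to verify before it goes into a firewall rule.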
Nolongerinthegame
AlliedModders Donor
Join Date: Sep 2005
Old 12-01-2015 , 18:28   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #7

Quote:
Originally Posted by SilentBr View Post
There is a thread with a lot of iptables rules to protect the server, I can't search now because I'm at work, but all of those rules don't solve my problem, still disconnecting all players.

I am wondering if there is a dosp or another extension/plugin that protect the server against exploits.
And unfortunately that was mostly for Linux servers.
Nolongerinthegame is offline
SilentBr
Veteran Member
Join Date: Jan 2009
Old 12-01-2015 , 19:38   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #8

Quote:
Originally Posted by Puppetmaster View Post
I would probably code a plugin that adds all the players' IPs, Steam IDs, server host and a timestamp to a database table each time they connect and use deductive reasoning to work out who is doing it.

I would use GetClientIP with a threaded query called in the OnClientPostAdminCheck event imo. If they aren't crashing your server outright you should end up with a large number of client join logs, and if X player is always joining Y server right before it is attacked you can probably narrow it down to a small handful of players quickly.

If there is no relation then the attack is probably either done from a large number of distinct accounts or a side channel attack like using hping to flood the game server's buffer on Z port or something similar. You might also try whitelisting players' IPs from a website form? Personally I would use Wireshark dumps and a small PHP/C program to get a breakdown of all the incoming packet source IPs and correlate them with the players in the actual game. If there is an outlier with a large number of packets who does not have a connection (yes, I know UDP is connectionless) to your game you can *probably* add them to the iptables.

EDIT:
Upon further thought, is it possible that the attacker is simply sending correctly formatted RST packets to the client connection port of the CSGO server while spoofing the IP? It would be fairly simple to craft such packets in either C or with almost any modern network accessing dev kit such as an Arduino or Raspberry Pi. The only trouble would be finding the players' IPs; having no knowledge of the CSGO server binary's network stack, I cannot comment further on this line of thought.
My knowledge is limited, I would not know how to do that. The information you gave is so advanced *-*

Quote:
Originally Posted by nelioneil View Post
And unfortunately that was mostly for Linux servers.
My servers are under Linux Ubuntu.
SilentBr is offline
Puppetmaster
Senior Member
Join Date: Jun 2015
Location: Probably at a computer.
Old 12-01-2015 , 21:42   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #9

Quote:
Originally Posted by SilentBr View Post
My knowledge is limited, I would not know how to do that. The information you gave is so advanced *-*


My servers are under Linux Ubuntu.
Give me a while, I'll sort something out for you.
__________________

GZS Servers
Puppetmaster is offline
Puppetmaster
Senior Member
Join Date: Jun 2015
Location: Probably at a computer.
Old 12-01-2015 , 22:53   Re: Protection for CSGO servers against DOS, Exploits, Lags
Reply With Quote #10

OK, I've thrown a small plugin together for detecting when (by default) 8+ players timeout/dc during a single round. It's probably super unstable at the moment, I'll revise it when I get home.

https://forums.alliedmods.net/showthread.php?t=275511
__________________

GZS Servers
Puppetmaster is offline
All times are GMT -4.