SRCDS Windows Firewall Security / Hardening


nomy
Senior Member
Join Date: Dec 2009
Location: United Kingdom
Old 08-01-2012 , 18:39   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #11

Does anyone know how to stop a DDoS flood such as this:
http://pastebin.com/uqa91DrP

Those messages are spammed on server console.

Thanks.
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 08-01-2012 , 19:52   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #12

Did a bit of research. It could be a number of things due to configurations with your host at network adapters causing packet loss. Another thing it could be is Windows Packet Scheduler. It is hard to figure out with the little information you have provided. What Windows Server version are you running?

Another thing that could help determine the cause is perhaps an addon / plugin you have installed; it could be an error or conflict.

Also, one of the first things I did state is that if you are under any form of DDoS (distributed denial of service), which is a completely different attack to a DoS (denial of service), you should contact your hosting provider, because it is really an attack that should be handled before it even reaches the server and be blocked at a network level by the routers.

//UPDATED : I updated the original post explaining the difference between DDoS and DoS, adding in a F.A.Q area to answer a lot of questions about the massive difference between a distributed attack and a denial of service attack.
__________________

Last edited by C0nw0nk; 08-01-2012 at 20:31.
nomy
Senior Member
Join Date: Dec 2009
Location: United Kingdom
Old 08-02-2012 , 01:50   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #13

Using Windows Server 2008 R2 SP1 x64.

It's definitely some sort of flood. As soon as I restarted the server it continued. I had to stop the server for some time and check if the spam had stopped. It eventually stopped.

I called it DDoS because I saw multiple server IPs in that console spam; I think most were cs1.6 servers from Russia. Of course IPs can be spoofed under UDP packets.

I don't have a hardware firewall; it costs too much to set up from the datacenter and I am not planning for one either.
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 08-02-2012 , 04:54   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #14

Quote:
Originally Posted by nomy View Post
Using Windows Server 2008 R2 SP1 x64.

It's definitely some sort of flood. As soon as I restarted the server it continued. I had to stop the server for some time and check if the spam had stopped. It eventually stopped.

I called it DDoS because I saw multiple server IPs in that console spam; I think most were cs1.6 servers from Russia. Of course IPs can be spoofed under UDP packets.

I don't have a hardware firewall; it costs too much to set up from the datacenter and I am not planning for one either.

Then yes, you are definitely under a form of DDoS. I also cross-referenced the IP addresses in your log; they are in fact other game servers. Have you installed any of the recommended plugins?

Quote:
Originally Posted by C0nw0nk View Post
Stage 4 :
Recommended plugins / Addons to fight hackers, laggers and malicious people who connect to your server :

Drunken_F00l's | DAF (Dos Attack Fixer) Blocks exploits with specific "A2S" Packets in SRCDS.
http://www.sourceop.com/modules.php?...p=getit&lid=37

asherkin | ServerSecure (Files only) - Server protection against the Upload / Download exploit.
http://forums.alliedmods.net/showthread.php?t=142249

GoD-Tony | SourceMod Anti-Cheat - Prevents Hackers scripters spammers and cheaters.
http://forums.alliedmods.net/showthread.php?p=1637640

Liam | HPK High Ping Kicker Lite Edition - Enforce a maximum ping upon players to prevent server lag.
http://forums.alliedmods.net/showthread.php?p=701420

devicenull | Rcon Locker / Exploit Fixer (only works with "rcon_password" enabled)
http://forums.alliedmods.net/showthread.php?p=841590

Forlix | Flood Checker - Prevents flooding / spamming of console chat and the server itself.
http://forums.alliedmods.net/showthread.php?p=779851

Dr. McKay | How to get -autoupdate to work on Windows (Keeping your srcds server up to date)
http://forums.alliedmods.net/showthread.php?t=173487

KyleS | Create Edict Fixer
http://forums.alliedmods.net/showthread.php?t=186830

Query Caching protecting the server from A2S_INFO DoS attacks
Metamod version (ivailosp) | http://forums.alliedmods.net/showthread.php?t=135543
Sourcemod version (Zephyrus) | http://forums.alliedmods.net/showpos...&postcount=110

If you install some of them, especially the DoS fixers, it could help decrease the potential impact of the attack. The other thing is to follow the Windows Firewall settings and block all the packet types you are not using other than TCP and UDP, as shown in Stage 1, Step 3.

You can also download the .zip file I added, which has some tools in it for your Windows registry to prevent flooding of packet types.
__________________

Last edited by C0nw0nk; 08-02-2012 at 04:56.
nomy
Senior Member
Join Date: Dec 2009
Location: United Kingdom
Old 08-04-2012 , 18:50   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #15

I had DAF, ServerSecure (Files only), SourceMod Anti-Cheat, Create Edict Fixer during the flood.

If this happens next time, I'll capture some packets.
yhya2oo8
Junior Member
Join Date: Oct 2010
Old 08-11-2012 , 00:54   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #16

Thanks for this solution. Is there any good monitor to capture a DDoS attack?

And is there the same solution for Linux?
Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
Old 08-11-2012 , 02:20   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #17

tcpdump // wireshark
__________________
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 08-11-2012 , 11:13   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #18

Quote:
Originally Posted by yhya2oo8 View Post
Thanks for this solution. Is there any good monitor to capture a DDoS attack?

And is there the same solution for Linux?

I have actually used this in the past, but it is only for Windows Server 2003: http://www.fortguard.com/ddosmonitor.html

But it works like a charm.
__________________
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 08-26-2012 , 14:18   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #19

Quote:
Originally Posted by C0nw0nk View Post
Downloadable Tools to help improve server performance, stability and security :
CCleaner - Brilliant tool for cleaning up system files and fixing registry issues, compatible with Windows Server | http://www.piriform.com/ccleaner
TCP Optimizer - Optimizing Windows registry for security and performance against DDoS | http://forums.alliedmods.net/attachm...1&d=1341550118
DrTCP - Setting TCP connection settings | http://www.dslreports.com/drtcp

Updated the original post: added Windows Server tools for improving security and performance. Will be adding to the list of other tools recommended for servers.
__________________
C0nw0nk
Senior Member
Join Date: May 2011
Location: United Kingdom
Old 11-21-2012 , 18:22   Re: SRCDS Windows Firewall Security / Hardening
Reply With Quote #20

I received a PM from a user a couple of days ago, but this is my first revisit since then. I decided to post it here in case anyone else had the question and wanted my command.

Question :

Can you allow access to rcon for specific ip addresses only ?

Answer :

Quote:
Originally Posted by C0nw0nk
It is very easy. Under my post in Stage 1 - Step 4, use either the command line or right-click on the TCP firewall properties for that server and, instead of blocking, leave it as allow, but under the "Scope" tab set the IP address(es) you wish to accept; all other IP addresses shall be blocked.

I have written the command line here for you anyway. Go to Run and type "CMD" to open your command prompt (do it as administrator if need be).
Code:
netsh advfirewall firewall add rule name="srcds Accept RCON IP" protocol=TCP dir=in action=allow remoteip="192.168.0.1" program="C:\srcds\srcds.exe"
Separate each IP address rule with a ,
__________________
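
Added example, not part of the post above or of any project's code: an allow rule scoped to certain addresses only keeps everyone else out if the default inbound policy is block and no other enabled allow rule admits the same traffic from any address, so this Python sketch validates the comma-separated `remoteip=` value and lists rules that would undercut the scope. The sample rule listing is constructed, and RCON on TCP port 27015 and the second rule's name are assumptions.

```python
import ipaddress

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`;
# the second rule's name and port 27015 are assumptions, not values from the thread.
SAMPLE = """\
Rule Name:                            srcds Accept RCON IP
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             192.168.0.1/32,192.168.0.7/32
Protocol:                             TCP
LocalPort:                            27015
Action:                               Allow

Rule Name:                            srcds TCP (hypothetical older rule)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
Action:                               Allow
"""

def remoteip_value(admin_ips):
    """Validate each address and join with commas, the form remoteip= expects."""
    return ",".join(str(ipaddress.ip_address(ip.strip())) for ip in admin_ips)

def parse_rules(text):
    """Turn netsh rule output into one dict per rule, keyed by field name."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # dashed separator or blank line
        if key.strip() == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules

def rules_defeating_scope(rules, scoped_name, port="27015"):
    """Names of other enabled inbound allow rules that admit any remote IP on the port."""
    return [r["Rule Name"] for r in rules
            if r["Rule Name"] != scoped_name
            and r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
            and r.get("Protocol") in ("TCP", "Any")
            and {"Any", port} & set(r.get("LocalPort", "Any").split(","))]
```

Any rule name this returns should be disabled or given the same scope before relying on the allowlist; the check is a candidate list for review, since the non-verbose listing does not show which program a rule applies to.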