A new flood attack, need help.


anewbug
New Member
Join Date: Sep 2020
09-02-2020, 00:23   A new flood attack, need help.
#1

The packet of the attack is "....getchallenge valve"

About 2000 attacking IPs, each sending 10 queries per second (deliberately low-rate queries), cause HLDS to lag badly and freeze. The version is the latest, 8308.
I tried banning the IP range, but it had no effect, because the attacking IPs change dynamically.
Is there any way to deal with this new attack?

PS:
Bandwidth is more than sufficient, but the HLDS process freezes outright when the query attack comes; at the same time, the CPU usage of the HLDS process is very high.
The attack traffic is very small. Each attacking IP sends only 1 KB/s, but when 2000 attacking IPs come, HLDS gets stuck.

Hope to get help fixing this, thank you very much!
Attached: qq.png (screenshot)

Last edited by anewbug; 09-02-2020 at 00:31.
Rivotril
Senior Member
Join Date: Feb 2014
Location: Argentina
09-03-2020, 18:16   Re: A new flood attack, need help.
#2

Have you tried switching to ReHLDS?
DJEarthQuake
Veteran Member
Join Date: Jan 2014
Location: Astral planes
10-07-2020, 10:44   Re: A new flood attack, need help.
#3

Quote:
Originally Posted by DJEarthQuake
Fail2ban helps. Malformed packets can be tagged for later control.

server.cfg
Default hlds settings.
//max_queries_sec : 3
//max_queries_sec_global : 30
//max_queries_window : 60


More sensitive
max_queries_sec 2
max_queries_sec_global 15
max_queries_window 30

Easy test.
Refresh the server a bunch of times and one will see "...was blocked for exceeding rate limits".


/etc/fail2ban/filter.d/gearbox.conf
Code:
# Fail2Ban filter for ddos for GoldSrc
#
#

[Definition]

failregex = : Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits

ignoreregex =

[Init]

datepattern = %%m/%%d/%%Y - %%H:%%M:%%S

# Author: SPiNX March 2020

jail.local
Code:
[hlds-ddos]
enabled = true
maxretry = 50
findtime  = 100
bantime = 900
logpath = /var/log/messages
tcpport = 27005,27015,27016,27017,27018,27019,27020,27030
udpport = 27005,27015,27016,27017,27018,27019,27020,27030
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[gearbox]
enabled = true
maxretry = 2
bantime = 1800
findtime  = 10
logpath = /home/TUT/Steam/steamapps/common/Half-Life/cstrike/qconsole.log
		  /home/TUT/Steam/steamapps/common/Half-Life/dod/qconsole.log
		  /home/TUT/Steam/steamapps/common/Half-Life/gearbox/qconsole.log

banaction = %(banaction_allports)s
Be sure to pay attention to, or rotate, qconsole.log; it gets big fast.
https://developer.valvesoftware.com/...d_Line_Options
-condebug - Stores console output to "Half-Life\qconsole.log".

fail2ban-client status
Code:
Status
|- Number of jail:	6
`- Jail list:	gearbox, hlds-ddos, nginx-botsearch, nginx-http-auth, nginx-limit-req, sshd
Nobody even bothers anymore. Earlier this year it was very active banning bad guys.

fail2ban-client status hlds-ddos
Code:
Status for the jail: hlds-ddos
|- Filter
|  |- Currently failed:	3
|  |- Total failed:	18841
|  `- File list:	/var/log/messages
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

Last edited by DJEarthQuake; 10-09-2020 at 17:32. Reason: Found what I was looking for.
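The following is an added example (not part of DJEarthQuake's post or of fail2ban itself) that replays the [gearbox] jail settings over a constructed qconsole.log excerpt, so the failregex, the datepattern and the maxretry/findtime/bantime bookkeeping can be checked offline. It expands the `<HOST>` placeholder with an IPv4-only pattern (real fail2ban also handles IPv6 and hostnames), treats "%%" as an escaped "%" in the date pattern, and uses made-up addresses from the documentation ranges; the sample log lines are constructed in the HLDS "L mm/dd/yyyy - HH:MM:SS:" form and are not taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a regex for IPv4, IPv6 and hostnames; this
# simplified stand-in only matches dotted-quad IPv4 addresses (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex and datepattern as written in the post's gearbox.conf
# (fail2ban's "%%" is an escaped "%", so the strptime pattern is "%m/%d/%Y - %H:%M:%S").
FAILREGEX = r": Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits"
DATE_FORMAT = "%m/%d/%Y - %H:%M:%S"
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2}")


def compile_failregex(expr):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(expr.replace("<HOST>", HOST_RE))


FAIL_RE = compile_failregex(FAILREGEX)


def parse_line(line):
    """Return (timestamp, host) if the line is a rate-limit failure, else None."""
    m_date = DATE_RE.search(line)
    m_fail = FAIL_RE.search(line)
    if not m_date or not m_fail:
        return None
    return datetime.strptime(m_date.group(0), DATE_FORMAT), m_fail.group("host")


class Jail:
    """Minimal model of fail2ban's maxretry/findtime/bantime bookkeeping."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # host -> failure timestamps inside findtime
        self.banned_until = {}               # host -> ban expiry

    def is_banned(self, host, now):
        until = self.banned_until.get(host)
        return until is not None and now < until

    def feed(self, line):
        """Process one log line; return the host if this line triggers a new ban."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, host = parsed
        if self.is_banned(host, ts):
            return None
        window = self.failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:   # forget hits older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[host] = ts + self.bantime
            window.clear()
            return host
        return None


# Constructed qconsole.log excerpt (not from the thread): one host trips the
# limit twice within 10 s, another twice but 28 s apart, plus an unrelated line.
SAMPLE_LOG = """\
L 09/02/2020 - 00:23:10: Log file started (file "qconsole.log")
L 09/02/2020 - 00:23:11: Traffic from 203.0.113.10:27005 was blocked for exceeding rate limits
L 09/02/2020 - 00:23:12: Traffic from 198.51.100.20:27005 was blocked for exceeding rate limits
L 09/02/2020 - 00:23:15: Traffic from 203.0.113.10:27005 was blocked for exceeding rate limits
L 09/02/2020 - 00:23:40: Traffic from 198.51.100.20:27005 was blocked for exceeding rate limits
L 09/02/2020 - 00:23:41: Traffic from 203.0.113.10:27005 was blocked for exceeding rate limits
"""


def run_jail(log_text, maxretry=2, findtime=10, bantime=1800):
    """Replay a log through the [gearbox] jail settings; return hosts banned, in order."""
    jail = Jail(maxretry, findtime, bantime)
    bans = []
    for line in log_text.splitlines():
        host = jail.feed(line)
        if host:
            bans.append(host)
    return bans


if __name__ == "__main__":
    print(run_jail(SAMPLE_LOG))   # ['203.0.113.10']
```

With maxretry 2 and findtime 10 only 203.0.113.10 is banned: 198.51.100.20 also trips the HLDS limiter twice, but the hits are 28 s apart, so the first one has aged out of the window by the time the second arrives. Lowering findtime therefore trades sensitivity for tolerance of bursty but legitimate query traffic, which is worth keeping in mind when many attacking sources each send only a handful of packets.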
Th3822
Member
Join Date: Jan 2013
Location: Venezuela
10-10-2020, 23:23   Re: A new flood attack, need help.
#4

iirc "getchallenge valve" is used by old clients, because it's "getchallenge steam" now

You can discard those packets directly at the firewall level with iptables (as those old clients shouldn't be allowed); here is a rule for it:
Code:
iptables -A INPUT -p udp -m udp --dport 11111 -m length --length 50 -m u32 --u32 "0x1c&0xffffffff=0xffffffff&&0x20&0xffffffff=0x67657463&&0x2a&0xffffffff=0x67652076" -j DROP
That rule checks the packet length (50 bytes) and matches part of the contents, more specifically the highlighted (red) parts:
Quote:
ffffffff6765746368616c6c656e67652076616c766500
....getchallenge valve
If you have more servers on the same machine you can protect them too by changing
Code:
-m udp --dport 11111
with
Code:
-m multiport --dports 11111,27015,27016
with your servers' ports.


btw, why port 11111?

-- Edit --
This iptables rule is only for blocking the packet mentioned on the OP, it may not work in your case as those (D)DoS methods and payloads vary.

Also, please do not DM me for iptables advice, I'm not experienced enough for that.

Last edited by Th3822; 10-19-2020 at 15:39. Reason: Added note
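Before putting a byte-matching rule like the one above in front of a live server it helps to see exactly which bytes each test reads. The following added example (written for this page, not Th3822's code and not iptables itself) builds IPv4/UDP datagrams in Python and evaluates the rule's semantics: `-m length` compares the IP total-length field (header plus UDP header plus payload), and `-m u32` reads 4-byte big-endian words at offsets counted from the start of the IP header, so the fixed offsets 0x1c/0x20/0x2a assume a 20-byte IP header with no options. The addresses, ports and the "getchallenge steam" comparison packet are constructed; only the "getchallenge valve" bytes come from the post's hex dump. For that 23-byte payload (including the trailing NUL) the IP total length is 51, so `--length 50` only fires if the packet on the wire actually carries 22 payload bytes; check the byte count in a capture rather than trusting either number.

```python
import struct
from ipaddress import IPv4Address

# Payload from the post's hex dump: 4 x 0xff, "getchallenge valve", trailing NUL (23 bytes).
GETCHALLENGE_VALVE = bytes.fromhex("ffffffff6765746368616c6c656e67652076616c766500")
# Constructed modern-client challenge request for comparison (assumed form, not from the thread).
GETCHALLENGE_STEAM = b"\xff\xff\xff\xffgetchallenge steam\n"

# The three u32 tests from the rule: (offset from start of IP header, mask, expected value).
U32_TESTS = [(0x1C, 0xFFFFFFFF, 0xFFFFFFFF),   # 4 x 0xff connectionless marker
             (0x20, 0xFFFFFFFF, 0x67657463),   # "getc"
             (0x2A, 0xFFFFFFFF, 0x67652076)]   # "ge v"
RULE_LENGTH = 50                               # -m length --length 50
RULE_PORTS = {11111, 27015, 27016}             # -m multiport --dports ... (assumed ports)


def build_ipv4_udp(src, dst, sport, dport, payload, options=b""):
    """Assemble an IPv4+UDP datagram (checksums left zero; enough for header-field matching)."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed) + options
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def ip_total_length(pkt):
    """The IP total-length field, which is what xt_length compares against."""
    return struct.unpack_from("!H", pkt, 2)[0]


def udp_dport(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack_from("!H", pkt, ihl + 2)[0]


def u32_matches(pkt):
    """xt_u32 semantics: 4 bytes big-endian at an absolute offset from the IP header start;
    an offset that runs past the end of the packet fails the match."""
    for off, mask, want in U32_TESTS:
        if off + 4 > len(pkt):
            return False
        if (struct.unpack_from("!I", pkt, off)[0] & mask) != want:
            return False
    return True


def rule_drops(pkt):
    """Whole rule: UDP, destination port in the set, IP total length == 50, all u32 tests pass."""
    return (pkt[9] == 17 and udp_dport(pkt) in RULE_PORTS
            and ip_total_length(pkt) == RULE_LENGTH and u32_matches(pkt))


def evaluate(payload, options=b"", dport=27015):
    """Build a datagram carrying `payload` and report how the rule sees it."""
    pkt = build_ipv4_udp("203.0.113.5", "198.51.100.7", 27005, dport, payload, options)
    return {"total_length": ip_total_length(pkt),
            "u32": u32_matches(pkt),
            "dropped": rule_drops(pkt)}


if __name__ == "__main__":
    print("valve, 23-byte payload:", evaluate(GETCHALLENGE_VALVE))        # length 51, not dropped
    print("valve, 22-byte payload:", evaluate(GETCHALLENGE_VALVE[:-1]))   # length 50, dropped
    print("steam client:          ", evaluate(GETCHALLENGE_STEAM))        # u32 fails at 0x2a
    print("valve + 4B IP options: ", evaluate(GETCHALLENGE_VALVE[:-1], options=b"\x01" * 4))
```

The last case shows why fixed u32 offsets are brittle: four bytes of IP options shift every field, so the word at 0x1c is no longer the 0xffffffff marker and the rule silently stops matching. The "steam" packet passes the first two tests and fails only at 0x2a ("ge s" versus "ge v"), which is what keeps current clients unaffected.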