Null-packet Protection 
If you're running a Linux dedicated server and you don't have root access to set up iptable rules to mitigate these recent DoS attacks, you can now fix this from within Lua.
Just drop patch.so into sys/lua/patch.so and add
Code:
require 'sys.lua.patch'
into server.lua.

Notice how the server is still processing new packets after null-packets are sent into it.

Comments
@mrc: That seems like something that's outside of the control of CS2D servers. What's the characteristic of the attack? Do you have any logs? Does the CS2D software crash or does your server go down? Part of the process is to play cat-and-mouse with the attacker; at the end of the day, it's far easier for you to mitigate something than for the other side to reverse-engineer what you're doing.
If the attacker really is using a stress-testing tool, there's very little maneuverability on his end. Log the traffic, find the pattern, drop those packets, rinse and repeat. At some other point in the future, he'll do it again, generalize the pattern and drop the new packets. Since there's a finite set of options the attacker can vary, and since each attack combinatorially reduces that option-space, it'll eventually get to a point where it becomes prohibitively expensive for him to keep on adapting to your changes.

@mrc: There are two things that relate to this problem. The first one is how you set up / configure the iptables correctly. Setting up a few iptables settings isn't enough to have your server protected from DoS attacks (unless those aren't huge in terms of their request payload).
Another thing that relates to this problem is how powerful your machine is. This can't be solved though (or not in a clean / easy way). The main concept in the realm of DoS is basically this: eating computer resources as much as you can. When someone tries to launch DoS or (D)DoS attacks by botnets, the whole wave of packet requests floods the victim's machine, sucking up all the remaining computing resources until the machine cannot respond any more. It's possible that a more powerful machine with a lot of bandwidth may resist such attacks, but you can't be 100% sure.
What can I do anyway?: Set up iptables with the correct configuration and other preventive modules as much as possible. In case your server goes down, use a restart script. This won't protect your server but at least it restarts the server if it is down. There aren't other alternatives.
I already have iptables; people use websites like ipstresser to crash servers. It's easy and free, that's why it's a huge problem.
Let me get this straight, this script causes dedicated to continue working after the attack? And without it the dedicated stops working after the attack?
@mrc: There is no efficient protection against real DDoS attacks and there will never be one unless the entire internet changes completely. This script protects your server from empty package attacks which are a well known way to make CS2D servers unreachable.
Lee provided me with very helpful information on how to possibly fix this issue (thank you very much again!) in the actual CS2D software so hopefully I'm able to fix it with the next release. Until then it's very advisable to either use this protection script or to completely block all empty UDP packets with firewall rules as described on http://www.cs2d.com/security.php
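
An added example, not part of the original thread or of the patch: one way to find the empty UDP packets discussed above in logged traffic, by parsing raw IPv4 packets and counting header-only UDP datagrams per source. The packet bytes, addresses, ports and function names are constructed for illustration; an IPv4 packet with no options carrying an empty UDP datagram is 28 bytes (20-byte IP header plus 8-byte UDP header).

```python
import struct
from collections import Counter

def build_ipv4_udp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4/UDP packet (checksums left at 0) for the samples below."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def empty_udp_source(packet):
    """Return the source IP if packet is an unfragmented IPv4 UDP datagram
    with no payload, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or packet[9] != 17 or frag & 0x3FFF:
        return None                          # bad header, not UDP, or a fragment
    if len(packet) < ihl + 8:
        return None                          # truncated before the UDP header ends
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if udp_len == 8 and total_len == ihl + 8:
        return ".".join(str(b) for b in packet[12:16])
    return None

def count_empty_udp(packets):
    """Count empty UDP datagrams per source address."""
    hits = Counter()
    for pkt in packets:
        src = empty_udp_source(pkt)
        if src is not None:
            hits[src] += 1
    return hits

# Constructed sample traffic (documentation address ranges, made-up ports).
SERVER = "203.0.113.5"
SAMPLE_PACKETS = [
    build_ipv4_udp("192.0.2.10", SERVER, 40000, 36963, b"\x01\x00join"),
    build_ipv4_udp("198.51.100.7", SERVER, 51000, 36963),    # empty datagram
    build_ipv4_udp("198.51.100.7", SERVER, 51001, 36963),    # empty datagram
    build_ipv4_udp("192.0.2.10", SERVER, 40000, 36963)[:24], # truncated capture
]

if __name__ == "__main__":
    for src, n in count_empty_udp(SAMPLE_PACKETS).items():
        print(f"{src}: {n} empty UDP datagram(s)")
```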


No, it shouldn't crash from null-packets anymore
edit: I don't want to just make empty promises, so here's an experiment I did on myself to see if I can take myself offline.

The server is at 45.33.108.162, I don't have iptable rules configured for the null packet (if I did, the server log wouldn't have caught it), and as you can see, subsequent join requests are processed as normal and Rickamonster is still doing fine.
edited 1×, last 29.02.16 04:42:53 am
@mrc, this should prevent crashes, what's your use-case? I made this specifically after seeing your thread.

Too bad CS2D doesn't handle it internally and the patch cannot be used across different versions.
Current version: 1.0.0.1 ONLY!