Null-packet Protection

37 comments
27.02.16 02:53:16 am
15 like it!
6 kb, 526 Downloads
Lee
Moderator
If you're running a Linux dedicated server and you don't have root access to set up iptable rules to mitigate these recent DoS attacks, you can now fix this from within Lua.

Just drop patch.so into sys/lua/patch.so and add
Code:
require 'sys.lua.patch'

into server.lua.

IMG:http://i.imgur.com/E37R9hE.png


Notice how the server is still processing new packets after null-packets are sent into it.
This file has been reviewed and approved by Yates (27.02.16 02:56:13 am)

Comments

01.03.16 07:55:21 pm
Lee
Moderator
@user mrc: That seems like something that's outside of the control of CS2D servers. What's the characteristic of the attack? Do you have any logs? Does the CS2D software crash or does your server go down? Part of the process is to play cat-and-mouse with the attacker; at the end of the day, it's far easier for you to mitigate something than for the other side to reverse-engineer what you're doing.

If the attacker really is using a stress-testing tool, there's very little maneuverability on his end. Log the traffic, find the pattern, drop those packets, rinse and repeat. At some other point in the future, he'll do it again, generalize the pattern and drop the new packets. Since there's a finite set of options the attacker can vary, and since each attack combinatorially reduces that option-space, it'll eventually get to a point where it becomes prohibitively expensive for him to keep on adapting to your changes.
01.03.16 06:57:29 pm
GeoB99
Moderator
@user mrc: There are two things that relate to this problem. The first one is how you set up / configure the iptables correctly. Setting up a few iptable settings isn't enough to have your server protected from DoS attacks (unless those aren't huge in terms of their request payload).

Another thing that relates to this problem is how powerful your machine is. This can't be solved though (or not in a clean / easy way). The main concept in the realm of DoS is basically this: eating computer resources as much as you can. When someone tries to launch DoS or (D)DoS attacks by botnets, the whole wave of packet requests floods the victim's machine, sucking up all the rest of the computing resources until the machine cannot respond any more. There's a possibility that, if your machine is more powerful and has a big bandwidth, it may resist such attacks, but you can't be 100% sure.

What can I do anyway?: Set up the iptables with a correct configuration and other preventive modules as much as possible. In case your server goes down, use a restart script for this. This won't protect your server but at least it restarts the server if it is down. There aren't other alternatives.
01.03.16 05:59:40 pm
mrc
User
I already have iptables, people use websites like ipstresser to crash servers. It's easy and free, that's why it's a huge problem.
01.03.16 11:34:18 am
TopNotch
User
@user mrc Yes, unless you already had the iptables configured on your machine.
01.03.16 07:23:44 am
Mami Tomoe
User
@user mrc: only for null (empty) attacks
01.03.16 02:09:41 am
mrc
User
Let me get this straight, this script causes dedicated to continue working after the attack? And without it the dedicated stops working after the attack?
29.02.16 06:35:50 pm
DC
Admin
@user mrc: There is no efficient protection against real DDoS attacks and there will never be one unless the entire internet changes completely. This script protects your server from empty package attacks which are a well known way to make CS2D servers unreachable.

user Lee provided me with very helpful information on how to possibly fix this issue (thank you very much again!) in the actual CS2D software so hopefully I'm able to fix it with the next release. Until then it's very advisable to either use this protection script or to completely block all empty UDP packets with firewall rules as described on http://www.cs2d.com/security.php
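
An added example (not part of the thread, and not the code inside patch.so) of the "log the traffic, find the pattern" step from Lee's comment, applied to the empty UDP packets DC describes: it parses raw IPv4/UDP packets and counts zero-payload datagrams per source. With a 20-byte IPv4 header without options and the 8-byte UDP header, such a packet is 28 bytes long. The port number, addresses and sample packets are constructed assumptions.

```python
import struct
from collections import Counter

def build_ipv4_udp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+UDP packet (checksums left at 0) as constructed input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def parse_udp(packet):
    """Return (src_ip, dst_port, payload_len) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None                       # not UDP, or truncated
    total_len = struct.unpack("!H", packet[2:4])[0]
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        return None                       # inconsistent length fields
    src = ".".join(str(b) for b in packet[12:16])
    return src, dport, udp_len - 8        # payload = UDP length minus header

def null_packet_sources(packets, game_port):
    """Count zero-payload UDP datagrams per source aimed at game_port."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_udp(pkt)
        if parsed and parsed[1] == game_port and parsed[2] == 0:
            hits[parsed[0]] += 1
    return hits

# Constructed sample capture; addresses come from documentation ranges.
GAME_PORT = 36963  # assumed server port
SAMPLE = [
    build_ipv4_udp("198.51.100.7", "192.0.2.10", 40000, GAME_PORT, b"\x01\x00\xfc"),
    build_ipv4_udp("203.0.113.9", "192.0.2.10", 40001, GAME_PORT),
    build_ipv4_udp("203.0.113.9", "192.0.2.10", 40002, GAME_PORT),
    build_ipv4_udp("203.0.113.9", "192.0.2.10", 40003, 53),
]

if __name__ == "__main__":
    for src, n in null_packet_sources(SAMPLE, GAME_PORT).items():
        print(f"{src}: {n} empty UDP datagram(s)")
```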
29.02.16 01:16:13 am
Lee
Moderator
No, it shouldn't crash from null-packets anymore

edit: I don't want to just make empty promises, so here's an experiment I did on myself to see if I can take myself offline.

IMG:http://i.imgur.com/Hyf8gR9.png?1


The server is at 45.33.108.162, I don't have iptable rules configured for the null packet (if I did, the server log wouldn't have caught it), and as you can see, subsequent join requests are processed as normal and Rickamonster is still doing fine.
edited 1×, last 29.02.16 04:42:53 am
29.02.16 12:43:41 am
mrc
User
I mean, with this script the server won't crash anymore (DDoS attacks)?
28.02.16 09:30:25 pm
Lee
Moderator
@mrc, this should prevent crashes, what's your use-case? I made this specifically after seeing your thread.
28.02.16 09:19:34 pm
BcY
Reviewer
Thanks so much, I don't have an exact word to say how useful it will be for me.
28.02.16 12:00:48 am
mrc
User
This prevents crashes?
edited 1×, last 29.02.16 12:43:04 am
27.02.16 09:57:39 am
THEMUD
User
Cool and useful, good job!
27.02.16 06:27:32 am
GeoB99
Moderator
Pretty useful, I can say.
27.02.16 05:49:05 am
Lee
Moderator
DC is fixing it, this is meant to be a temporary patch until the problem is fixed.
27.02.16 05:10:30 am
VADemon
User
Too bad CS2D doesn't handle it internally and the patch cannot be used across different versions.

Current version: 1.0.0.1 ONLY!
27.02.16 02:56:48 am
Yates
Reviewer
Very useful for those who are not or cannot into Linux.