Files

CS2D

Lua Scripts

Null-packet Protection

Files overview CS2D overview Lua Scripts overview

Null-packet Protection

37 comments like

15 like it!6 kb, 700 Downloads

Null-packet Protection

Lee
Moderator Off

Offline

27.02.16 02:53:16 am

If you're running a linux dedicated server and you don't have root access to set up iptable rules to mitigate these recent DoS attacks, you can now fix this from within Lua.

Just drop patch.so into sys/lua/patch.so and add

require 'sys.lua.patch'

into server.lua.

IMG:https://i.imgur.com/E37R9hE.png

Notice how the server is still processing new packets after null-packets are sent into it.

Approved by Yates (27.02.16 02:56 am)

Download

6 kb, 700 Downloads

Comments

37 comments

1 2

Log in!

You need to log in to be able to write comments!Log in

Lee
Moderator Off

Offline

01.03.16 07:55:21 pm

mrc: That seems like something that's outside of the control of CS2D servers. What's the characteristic of the attack? Do you have any logs? Does the CS2D software crash or does your server go down? Part of the process is to play cat-and-mouse with the attacker; at the end of the day, it's far easier for you to mitigate something than for the other side to reverse-engineer what you're doing.

If the attacker really is using a stress-testing tool, there's very little maneuverability on his end. Log the traffic, find the pattern, drop those packets, rinse and repeat. At some other point in the future, he'll do it again, generalize the pattern and drop the new packets. Since there's a finite set of options the attacker can vary, and since each attack combinatorially reduces that option-space, it'll eventually get to a point where it becomes prohibitively expensive for him to keep on adapting to your changes.

GeoB99
Moderator Off

Offline

01.03.16 06:57:29 pm

mrc: There are two things that rely to this problem. The first one is how you set up / configure the iptables correctly. Setting up few iptable settings isn't enough to have your server protected from DoS attacks (unless those aren't huge in terms of their request payload).

Another thing that relies to this problem is how powerful is your machine. This can't be solved though (or not in a clean / easy way). The main concept in the realm of DoS is basically this: eating computer resources as much as you can. When someone tries to launch DoS or (D)DoS attacks - by botnets, all the wave of packet requests floods the victim's machine sucking all the rest of computing resources until the machine cannot respond any more. There's a possibility if your machine is more powerful and with a big bandwidth it may resist to such attacks but you can't be sure 100%.

What can I do anyway?: Set up the iptables at correct configuration and other preventive modules as much as possible. Whenever in case if your server gets down, use a restart script for this. This won't protect your server but at least it restarts the server if it is down. There aren't other alternatives.

I like it!

mrc
User

Offline

01.03.16 05:59:40 pm

I already have iptables, people use websites like ipstresser to crash servers. Its easy and free, thats why its a huge problem.

TopNotch
User Off

Offline

01.03.16 11:34:18 am

mrc Yes, unless you already had the iptables configured on your machine.

I like it!

Mami Tomoe
User Off

Offline

01.03.16 07:23:44 am

mrc: only for null (empty) attacks

mrc
User

Offline

01.03.16 02:09:41 am

Let me get this straight, this script causes dedicated to continue working after the attack? And without it the dedicated stops working after the attack?

DC
Admin

Offline

29.02.16 06:35:50 pm

mrc: There is no efficient protection against real DDoS attacks and there will never be one unless the entire internet changes completely. This script protects your server from empty package attacks which are a well known way to make CS2D servers unreachable.

user

Lee provided me with very helpful information on how to possibly fix this issue (thank you very much again!) in the actual CS2D software so hopefully I'm able to fix it with the next release. Until then it's very advisable to either use this protection script or to completely block all empty UDP packets with firewall rules as described on http://www.cs2d.com/security.php

Lee
Moderator Off

Offline

29.02.16 01:16:13 am

No, it shouldn't crash from null-packets anymore

edit: I don't want to just make empty promises, so here's an experiment I did on myself to see if I can take myself offline.

IMG:https://i.imgur.com/Hyf8gR9.png?1

The server is at 45.33.108.162, I don't have iptable rules configured for the null packet (if I did, the server log wouldn't have caught it), and as you can see, subsequent join requests are processed as normal and Rickamonster is still doing fine.

edited 1×, last 29.02.16 04:42:53 am

mrc
User

Offline

29.02.16 12:43:41 am

I mean, with this script the server won't crash anymore (DDoS attacks)?

Lee
Moderator Off

Offline

28.02.16 09:30:25 pm

@mrc, this should prevent crashes, what's your use-case? I made this specifically after seeing your thread.

BcY
Reviewer Off

Offline

28.02.16 09:19:34 pm

Thanks so much,i dont have an exact word to say that how useful it will be for me.

I like it!

mrc
User

Offline

28.02.16 12:00:48 am

This prevent crashes?

edited 1×, last 29.02.16 12:43:04 am

THEMUD
User Off

Offline

27.02.16 09:57:39 am

Cool and useful, good job!

I like it!

GeoB99
Moderator Off

Offline

27.02.16 06:27:32 am

Pretty useful, I can say.

I like it!

Lee
Moderator Off

Offline

27.02.16 05:49:05 am

DC is fixing it, this is meant to be a temporary patch until the problem is fixed.

VADemon
User Off

Offline

27.02.16 05:10:30 am

Too bad CS2D doesn't handle it internally and the patch cannot be used across different versions.

Current version: 1.0.0.1 ONLY!

I like it!

Yates
Reviewer Off

Offline

27.02.16 02:56:48 am

Very useful for those who are not or cannot into Linux.

I like it!

1 2