TSource query engine DDoS

[insanse]

Ошибка

No error. Server offline in favourites, HLSW and gametracker

ОС

Linux

Amx Mod X

AMX Mod X 1.10.0.5245 (http://www.amxmodx.org)

Билд

ReHLDS version: 3.4.0.668-dev

ReGamedll

ReGameDLL version: 5.7.0.321-dev

Версия Metamod

Metamod-r v1.3.0.128

Список метамодулей

[ 1] SafeNameAndChat  RUN   -    SafeNameAndChat.so          v1.1            ini  ANY   ANY  

 [ 2] Reunion          RUN   -    reunion_mm_i386.so          v0.1.0.133      ini  Start Never

 [ 3] AMX Mod X        RUN   -    amxmodx_mm_i386.so          v1.10.0.5245    ini  Start ANY  

 [ 4] WHBlocker        RUN   -    whblocker_mm_i386.so        v1.5.696        ini  Chlvl ANY  

 [ 5] Revoice          RUN   -    revoice_mm_i386.so          v0.1.0.32       ini  Start Never

 [ 6] ReAuthCheck      RUN   -    reauthcheck_mm_i386.so      v0.1.6          ini  Start Never

 [ 7] ReSemiclip       RUN   -    resemiclip_mm_i386.so       v2.3.9          ini  Chlvl ANY  

 [ 8] Rechecker        RUN   -    rechecker_mm_i386.so        v2.5            ini  Chlvl ANY  

 [ 9] Fun              RUN   -    fun_amxx_i386.so            v1.10.0.5245    pl3  ANY   ANY  

 [10] Engine           RUN   -    engine_amxx_i386.so         v1.10.0.5245    pl3  ANY   ANY  

 [11] FakeMeta         RUN   -    fakemeta_amxx_i386.so       v1.10.0.5245    pl3  ANY   ANY  

 [12] GeoIP            RUN   -    geoip_amxx_i386.so          v1.10.0.5245    pl3  ANY   ANY  

 [13] CStrike          RUN   -    cstrike_amxx_i386.so        v1.10.0.5245    pl3  ANY   ANY  

 [14] CSX              RUN   -    csx_amxx_i386.so            v1.10.0.5245    pl3  ANY   ANY  

 [15] Ham Sandwich     RUN   -    hamsandwich_amxx_i386.so    v1.10.0.5245    pl3  ANY   ANY  

 [16] hackdetector     RUN   -    hackdetector_amxx_i386.so   v0.15.328.lite  pl3  ANY   ANY  

 [17] ReAimDetector    RUN   -    reaimdetector_amxx_i386.so  v0.2.2          pl3  ANY   Never

 [18] ReAPI            RUN   -    reapi_amxx_i386.so          v5.8.0.165-dev  pl3  ANY   Never

Список плагинов

Not relevant

Hi,

For the past couple of days my server is being attacked with HLDS amplification attack.
I have a VPS rented with debian 9 on it.
I have bought the module by Fire/Asmodai and applied the iptables rules, but the attacks are still successful.

tcpdump shows the following:

    129.138.114.195.19232 > x.x.x.x.27016: [udp sum ok] UDP, length 25

        0x0000:  d4be d9b6 efa2 0027 0dfd b540 0800 45e0  .......'[email protected].

        0x0010:  0035 7003 0000 7011 75e5 818a 72c3 5d7b  .5p...p.u...r.]{

        0x0020:  1227 4b20 6989 0021 2859 ffff ffff 5453  .'K.i..!(Y....TS

        0x0030:  6f75 7263 6520 456e 6769 6e65 2051 7565  ource.Engine.Que^C

        0x0040:  7279 00                                  ry.

    89.40.233.58.27015 > x.x.x.x.27016: [udp sum ok] UDP, length 116
        0x0000:  d4be d9b6 efa2 0027 0dfd b540 0800 45e0  .......'[email protected].
        0x0010:  0090 4fba 0000 f611 c1bd 5928 e93a 5d7b  ..O.......Y(.:]{
        0x0020:  1227 6987 6989 007c b4ae ffff ffff 4930  .'i.i..|......I0
        0x0030:  4d69 7831 2e4c 614c 6561 6761 6e65 2e52  Mix1.LaLeagane.R
        0x0040:  6f20 2320 5473 2e4c 616c 6561 6761 6e65  o.#.Ts.Laleagane
        0x0050:  2e52 6f00 6465 5f64 7573 7432 0063 7374  .Ro.de_dust2.cst
        0x0060:  7269 6b65 0043 6f75 6e74 6572 2d53 7472  rike.Counter-Str^C
        0x0070:  696b 6500 0a00 000e 0064 6c00 0131 2e31  ike......dl..1.1
        0x0080:  2e32 2e37 2f53 7464 696f 0091 8769 08fc  .2.7/Stdio...i..
        0x0090:  33fa 9d2e 4001 0a00 0000 0000 0000       3...@.........

Iptables packets accepted/dropped:

   36492  2120910 ACCEPT     udp  --               0.0.0.0/0            0.0.0.0/0            udp dpts:27015:27016cs 1.6 packet

  965376 40239110 DROP       udp  --               0.0.0.0/0            0.0.0.0/0            udp dpts:27015:27016

Is there a new kind of attack? The module from Fire should be able to mitigate this? I have pm'd him but he's not online.
EnableQueryLimiter = 1 in reunion doesn't stop the attack.

 

[insanse]

Any ideas?
Tried various way to filter them via iptables but none work. The server still goes offline in favorites/gametracker.

    pkts      bytes target     prot opt in     out     source               destination
     145     7685 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0         udp dpt:27016 STRING match  "TSource" ALGO name bm TO 65535 limit: avg 5/sec burst 25
   34130  1808890 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0         udp dpt:27016 STRING match  "TSource" ALGO name bm TO 65535

[REUNION]: Blocking query flood from a lot of spoofed addresses: 2039 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3858 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3737 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3716 pps

Fire not responding :\

 

[insanse]

Soo.. no ideas from anybody?

 

[fantom]

insanse, there is no 100% guaranteed solution. All that you can cache and filter TSource packets. All DDOS filters MUST BE before your own machine where hosting provider is as liability area. Also query can be a valid request from monitorings or WEB panels (CS:Bans for example)

23 Апр 2019

No error. Server offline in favourites, HLSW and gametracker

I think you blocked all queries including valid request from you or GT. And there aren't any DDOS.

 

[insanse]

Hi fantom,

Thanks for replying.

Yes, I'm aware of that.
I am also speaking with the Datacenter security team.. I've provided them tcpdumps, but because it's hard to differentiate legitimate traffic from the DDoS traffic, they still can't filter out only the illegitimate traffic.
I'm not sure what I can suggest to them, so that they can put the correct rules in place.

 

[fantom]

insanse, best of all is to create whitelist of IPs which are allowed to make queries