TSource query engine DDoS

Messages: 18
Reactions: 3
Error: No error. Server offline in favourites, HLSW and gametracker
OS: Linux
AMX Mod X: AMX Mod X 1.10.0.5245 (http://www.amxmodx.org)
Build: ReHLDS version: 3.4.0.668-dev
ReGameDLL: ReGameDLL version: 5.7.0.321-dev
Metamod version: Metamod-r v1.3.0.128
Metamod modules list:
     description       stat  pend  file                         vers             src  load   unlod
[ 1] SafeNameAndChat   RUN   -     SafeNameAndChat.so           v1.1             ini  ANY    ANY
[ 2] Reunion           RUN   -     reunion_mm_i386.so           v0.1.0.133       ini  Start  Never
[ 3] AMX Mod X         RUN   -     amxmodx_mm_i386.so           v1.10.0.5245     ini  Start  ANY
[ 4] WHBlocker         RUN   -     whblocker_mm_i386.so         v1.5.696         ini  Chlvl  ANY
[ 5] Revoice           RUN   -     revoice_mm_i386.so           v0.1.0.32        ini  Start  Never
[ 6] ReAuthCheck       RUN   -     reauthcheck_mm_i386.so       v0.1.6           ini  Start  Never
[ 7] ReSemiclip        RUN   -     resemiclip_mm_i386.so        v2.3.9           ini  Chlvl  ANY
[ 8] Rechecker         RUN   -     rechecker_mm_i386.so         v2.5             ini  Chlvl  ANY
[ 9] Fun               RUN   -     fun_amxx_i386.so             v1.10.0.5245     pl3  ANY    ANY
[10] Engine            RUN   -     engine_amxx_i386.so          v1.10.0.5245     pl3  ANY    ANY
[11] FakeMeta          RUN   -     fakemeta_amxx_i386.so        v1.10.0.5245     pl3  ANY    ANY
[12] GeoIP             RUN   -     geoip_amxx_i386.so           v1.10.0.5245     pl3  ANY    ANY
[13] CStrike           RUN   -     cstrike_amxx_i386.so         v1.10.0.5245     pl3  ANY    ANY
[14] CSX               RUN   -     csx_amxx_i386.so             v1.10.0.5245     pl3  ANY    ANY
[15] Ham Sandwich      RUN   -     hamsandwich_amxx_i386.so     v1.10.0.5245     pl3  ANY    ANY
[16] hackdetector      RUN   -     hackdetector_amxx_i386.so    v0.15.328.lite   pl3  ANY    ANY
[17] ReAimDetector     RUN   -     reaimdetector_amxx_i386.so   v0.2.2           pl3  ANY    Never
[18] ReAPI             RUN   -     reapi_amxx_i386.so           v5.8.0.165-dev   pl3  ANY    Never
Plugin list: Not relevant
Hi,

For the past couple of days my server has been under an HLDS amplification attack.
I have a VPS rented with Debian 9 on it.
I have bought the module by Fire/Asmodai and applied the iptables rules, but the attacks are still successful.

tcpdump shows the following:

Code:
    129.138.114.195.19232 > x.x.x.x.27016: [udp sum ok] UDP, length 25
        0x0000:  d4be d9b6 efa2 0027 0dfd b540 0800 45e0  .......'...@..E.
        0x0010:  0035 7003 0000 7011 75e5 818a 72c3 5d7b  .5p...p.u...r.]{
        0x0020:  1227 4b20 6989 0021 2859 ffff ffff 5453  .'K.i..!(Y....TS
        0x0030:  6f75 7263 6520 456e 6769 6e65 2051 7565  ource.Engine.Que
        0x0040:  7279 00                                  ry.
Code:
    89.40.233.58.27015 > x.x.x.x.27016: [udp sum ok] UDP, length 116
        0x0000:  d4be d9b6 efa2 0027 0dfd b540 0800 45e0  .......'...@..E.
        0x0010:  0090 4fba 0000 f611 c1bd 5928 e93a 5d7b  ..O.......Y(.:]{
        0x0020:  1227 6987 6989 007c b4ae ffff ffff 4930  .'i.i..|......I0
        0x0030:  4d69 7831 2e4c 614c 6561 6761 6e65 2e52  Mix1.LaLeagane.R
        0x0040:  6f20 2320 5473 2e4c 616c 6561 6761 6e65  o.#.Ts.Laleagane
        0x0050:  2e52 6f00 6465 5f64 7573 7432 0063 7374  .Ro.de_dust2.cst
        0x0060:  7269 6b65 0043 6f75 6e74 6572 2d53 7472  rike.Counter-Str
        0x0070:  696b 6500 0a00 000e 0064 6c00 0131 2e31  ike......dl..1.1
        0x0080:  2e32 2e37 2f53 7464 696f 0091 8769 08fc  .2.7/Stdio...i..
        0x0090:  33fa 9d2e 4001 0a00 0000 0000 0000       3...@.........
Iptables packets accepted/dropped:

Code:
   36492  2120910 ACCEPT     udp  --               0.0.0.0/0            0.0.0.0/0            udp dpts:27015:27016 /* cs 1.6 packet */
  965376 40239110 DROP       udp  --               0.0.0.0/0            0.0.0.0/0            udp dpts:27015:27016
Is this a new kind of attack? Shouldn't the module from Fire be able to mitigate it? I have PM'd him, but he's not online.
EnableQueryLimiter = 1 in Reunion doesn't stop the attack.
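The two captured frames above, decoded. This is an added example and not code from the poster, from Reunion or from Fire's module: the first frame is an A2S_INFO request ("TSource Engine Query", 25 payload bytes) aimed at the game port, the second is a 116-byte A2S_INFO reply ('I') arriving from another server's port 27015. A game server never queries other servers, so a reply that nobody here asked for is what a reflected packet looks like when this address was used as the spoofed querier against that other server. The hex is copied from the captures, except that the four destination-address bytes are swapped for 10.0.0.1 to match the x.x.x.x the poster masked; the helper names are mine.

```python
import struct

# Hex columns of the two tcpdump -X frames quoted in the post (Ethernet +
# IPv4 + UDP + payload), copied as shown there. The four destination
# address bytes are replaced with 10.0.0.1 to match the x.x.x.x the
# poster masked; nothing here verifies IP or UDP checksums, so that is
# harmless.
QUERY_FRAME = """
d4be d9b6 efa2 0027 0dfd b540 0800 45e0
0035 7003 0000 7011 75e5 818a 72c3 0a00
0001 4b20 6989 0021 2859 ffff ffff 5453
6f75 7263 6520 456e 6769 6e65 2051 7565
7279 00
"""

REPLY_FRAME = """
d4be d9b6 efa2 0027 0dfd b540 0800 45e0
0090 4fba 0000 f611 c1bd 5928 e93a 0a00
0001 6987 6989 007c b4ae ffff ffff 4930
4d69 7831 2e4c 614c 6561 6761 6e65 2e52
6f20 2320 5473 2e4c 616c 6561 6761 6e65
2e52 6f00 6465 5f64 7573 7432 0063 7374
7269 6b65 0043 6f75 6e74 6572 2d53 7472
696b 6500 0a00 000e 0064 6c00 0131 2e31
2e32 2e37 2f53 7464 696f 0091 8769 08fc
33fa 9d2e 4001 0a00 0000 0000 0000
"""

A2S_MAGIC = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = A2S_MAGIC + b"TSource Engine Query\x00"


def parse_frame(hexdump):
    """Split an Ethernet/IPv4/UDP frame into (src, sport, dst, dport, udp_payload)."""
    frame = bytes.fromhex("".join(hexdump.split()))
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length from the IHL nibble
    ip = frame[14:14 + ihl]
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = 14 + ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    return src, sport, dst, dport, frame[udp + 8:udp + ulen]   # ulen includes the 8-byte UDP header


def _cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_info_reply(payload):
    """Decode a Source-format A2S_INFO reply ('I') far enough to name the reflecting server."""
    if payload[:5] != A2S_MAGIC + b"I":
        raise ValueError("not an A2S_INFO reply")
    info = {"protocol": payload[5]}
    off = 6
    for key in ("name", "map", "folder", "game"):
        info[key], off = _cstring(payload, off)
    info["appid"], info["players"], info["max_players"] = struct.unpack_from("<HBB", payload, off)
    off += 4 + 4                               # appid/players/max, then bots/type/env/visibility
    info["vac"] = payload[off]
    off += 1
    info["version"], off = _cstring(payload, off)
    if off < len(payload):                     # Extra Data Flag: bit 0x80 means the game port follows
        edf = payload[off]
        if edf & 0x80:
            info["port"] = struct.unpack_from("<H", payload, off + 1)[0]
    return info


def classify(hexdump):
    """Say what an A2S packet seen at the game server is, and what its presence implies."""
    src, sport, dst, dport, payload = parse_frame(hexdump)
    out = {"src": src, "sport": sport, "dport": dport, "bytes": len(payload)}
    if payload == A2S_INFO_REQUEST:
        out["kind"] = "A2S_INFO request"
        # A 25-byte query; the server answers with a reply several times larger,
        # so if src is spoofed this host is being used as the amplifier.
        out["role"] = "query to us; we are the reflector if %s is spoofed" % src
    elif payload.startswith(A2S_MAGIC + b"I"):
        out["kind"] = "A2S_INFO reply"
        out["reflector"] = parse_info_reply(payload)
        # A game server never queries other servers, so a reply arriving here
        # means someone sent src:sport a query carrying our address as source.
        out["role"] = "unsolicited reply; our address was spoofed as querier of %s:%d" % (src, sport)
    else:
        out["kind"] = "other"
    return out


def amplification(request_hexdump, reply_hexdump):
    """Bytes returned per byte sent, payload only, for a request/reply pair."""
    return len(parse_frame(reply_hexdump)[4]) / len(parse_frame(request_hexdump)[4])


if __name__ == "__main__":
    for dump in (QUERY_FRAME, REPLY_FRAME):
        print(classify(dump))
    print("amplification x%.1f" % amplification(QUERY_FRAME, REPLY_FRAME))
```

Both classes carry the 0xFFFFFFFF marker followed by a one-byte type, which is the only stable thing an upstream filter can key on. A reply ('I') arriving at the game port from a foreign port 27015 has no legitimate reason to exist and can be dropped outright; the requests ('T') are exactly what GameTracker, HLSW and a web panel send, which is why a content-only rule cannot separate them from the flood.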
 
Messages: 18
Reactions: 3
Any ideas?
Tried various ways to filter them via iptables, but none work. The server still goes offline in favorites/gametracker.

Code:
    pkts      bytes target     prot opt in     out     source               destination
     145     7685 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0         udp dpt:27016 STRING match  "TSource" ALGO name bm TO 65535 limit: avg 5/sec burst 25
   34130  1808890 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0         udp dpt:27016 STRING match  "TSource" ALGO name bm TO 65535
Code:
[REUNION]: Blocking query flood from a lot of spoofed addresses: 2039 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3858 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3737 pps
[REUNION]: Blocking query flood from a lot of spoofed addresses: 3716 pps
Fire is not responding :\

Messages: 2,491
Reactions: 2,794
Helped: 61 times
insanse, there is no 100% guaranteed solution. All you can do is cache and filter TSource packets. All DDoS filters MUST BE in front of your own machine, i.e. in the hosting provider's area of responsibility. Also, a query can be a valid request from monitoring services or web panels (CS:Bans, for example).
Quoting insanse (23 Apr 2019): "No error. Server offline in favourites, HLSW and gametracker"
I think you blocked all queries, including valid requests from you or GT. And there isn't any DDoS.
 
Messages: 18
Reactions: 3
Hi fantom,

Thanks for replying.

Yes, I'm aware of that.
I am also speaking with the datacenter security team. I've provided them tcpdumps, but because it's hard to differentiate legitimate traffic from the DDoS traffic, they still can't filter out only the illegitimate traffic.
I'm not sure what I can suggest to them so that they can put the correct rules in place.
 
Messages: 2,491
Reactions: 2,794
Helped: 61 times
insanse, best of all is to create a whitelist of IPs which are allowed to make queries.
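A worked model of the three rule shapes this thread touches on, added here as illustration: it is not the poster's ruleset, not Reunion's query limiter, and not an iptables run. It compares the poster's global string-match plus `-m limit --limit 5/sec --limit-burst 25` ACCEPT-then-DROP pair, a per-source `-m hashlimit --hashlimit-mode srcip` variant, and fantom's whitelist-first rule, which also covers the "monitorings or WEB panels" point in the earlier answer. The token bucket approximates iptables `limit` semantics; the one-second traffic sample is constructed to match the roughly 2000 pps of spoofed queries in the Reunion log, with a hypothetical monitoring address 192.0.2.10 sending five queries. All addresses and function names are mine.

```python
from dataclasses import dataclass

# Constructed one-second traffic sample modelled on the Reunion log above
# (~2000 pps of queries from "a lot of spoofed addresses"): 2000 TSource
# queries, each from a different made-up source in 10.0.0.0/8, plus five
# queries from one legitimate monitoring host. Addresses are invented.
SERVER_PORT = 27016
MONITOR_IP = "192.0.2.10"          # hypothetical GameTracker-style monitor
QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


@dataclass
class Packet:
    t_us: int        # arrival time in microseconds
    src: str
    dport: int
    payload: bytes


def sample_traffic():
    flood = [Packet(i * 500, "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
                    SERVER_PORT, QUERY) for i in range(2000)]
    monitor = [Packet(100_250 + 200_000 * k, MONITOR_IP, SERVER_PORT, QUERY) for k in range(5)]
    return sorted(flood + monitor, key=lambda p: p.t_us)


class TokenBucket:
    """Approximates iptables -m limit / -m hashlimit with --limit 5/sec --limit-burst 25.
    Tokens are kept in millionths so the arithmetic stays in integers."""
    def __init__(self, per_sec=5, burst=25):
        self.cap = burst * 1_000_000
        self.rate = per_sec                   # micro-tokens per microsecond == tokens per second
        self.tokens = self.cap
        self.last = 0

    def allow(self, t_us):
        self.tokens = min(self.cap, self.tokens + (t_us - self.last) * self.rate)
        self.last = t_us
        if self.tokens >= 1_000_000:
            self.tokens -= 1_000_000
            return True
        return False


def is_query(p):
    """The -m string "TSource" match on the game port."""
    return p.dport == SERVER_PORT and p.payload.startswith(b"\xff\xff\xff\xffTSource")


def run(pkts, decide):
    """Apply a decision function to every query; return (monitor accepted, flood accepted)."""
    monitor_ok = flood_ok = 0
    for p in pkts:
        if is_query(p) and decide(p):
            if p.src == MONITOR_IP:
                monitor_ok += 1
            else:
                flood_ok += 1
    return monitor_ok, flood_ok


def policy_global_limit(pkts):
    """The poster's pair: string-match + limit 5/sec burst 25 -> ACCEPT, then DROP the rest."""
    bucket = TokenBucket()
    return run(pkts, lambda p: bucket.allow(p.t_us))


def policy_per_source_limit(pkts):
    """hashlimit --hashlimit-mode srcip: one bucket per source address."""
    buckets = {}
    return run(pkts, lambda p: buckets.setdefault(p.src, TokenBucket()).allow(p.t_us))


def policy_whitelist_then_limit(pkts, whitelist=frozenset({MONITOR_IP})):
    """fantom's advice: ACCEPT known queriers first, then budget everyone else."""
    bucket = TokenBucket()
    return run(pkts, lambda p: p.src in whitelist or bucket.allow(p.t_us))


if __name__ == "__main__":
    pkts = sample_traffic()
    for policy in (policy_global_limit, policy_per_source_limit, policy_whitelist_then_limit):
        print("%-28s monitor %d/5, flood %d/2000" % ((policy.__name__,) + policy(pkts)))
```

On this sample the global limit lets 29 flood packets through and none of the monitor's five, because the flood drains the bucket faster than it refills and the monitor never finds a token; that is the situation fantom describes, where the rule blocks GT along with the attack. The per-source limit is worse: every spoofed address gets a fresh bucket, so all 2000 pass. Whitelist-first accepts all five monitor queries while the flood is still held to the same 29, and the whitelist is the one rule that can also be handed to the datacenter as a concrete filter.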
 
