Soldier Of Fortune 2 Forum Index » Linux Talk

What is a DRDoS attack?
Author: Teo (Owner, Administrator)
Joined: Sep 21, 2009
Posts: 1117
Location: Milan, Italy

Posted: Tue Oct 28, 2014 3:15 pm
Post subject: What is a DRDoS attack?

A DRDoS ("Distributed Reflected Denial of Service") attack is a special type of DDoS (which we describe in general here: viewtopic.php?f=25&t=4931). In a DRDoS, the target is not attacked directly; instead, the attacker sends faked (spoofed) traffic to a set of other IPs, which then respond to that traffic to the IP that was spoofed, and in doing so flood the victim offline. By sending packets that elicit a much larger response, the DRDoS initiator can generate a very large attack with a very small amount of traffic.

This type of attack has become very common lately. Here's a more specific example:

1. The attacker decides to target IP address 127.0.0.1:27015, which is a CS:S server that he has been banned from.
2. The attacker connects to a machine that he had previously compromised and uses a traffic generator tool to send simple query packets to a large number of other game servers, specifying a (fake) source of 127.0.0.1:27015. Each query packet is less than 50 bytes, so the attacker can send many thousands of these per second without using much bandwidth; even a very low-end machine can do it.
3. These game servers ("reflectors") respond to 127.0.0.1:27015 with much larger packets, often 500+ bytes long, containing lists of their rules and connected players.
4. The CS:S server at 127.0.0.1:27015, upon receiving the huge wave of attack traffic from thousands of different IPs, is overwhelmed. It is unable to serve legitimate clients or respond to queries itself, causing a denial of service.

Many ISPs have "reverse path filtering" in place, which (for the most part) prevents customers from pretending to be IPs that they are not, also preventing them from being used to launch attacks like this. Unfortunately, not every provider can or does.

Commonly, DRDoS attacks use Quake3, Wolfenstein:ET, CoD* servers, and other old Quake3-engine-based games as the reflectors. These games don't have facilities to limit query response rates and send large response packets, making them ideal for this purpose.

If you were linked to this post because you are being used as a reflector in order to attack an IP here, please understand that we are not actually sending the queries -- we are the victim that is being hit with responses from servers like yours. Your primary course of action should be to block that spoofed traffic from reaching your servers via an ACL. You could also try to find out the true source of this traffic by contacting your upstream and asking them to track down where the spoofed packets are coming from (and having them do the same with that provider). Most ISPs won't do this unless large sums and the FBI are involved, but it doesn't hurt to try.

If you run Q3/ET/CoD*/etc servers (any version) on Windows, this patch is one workaround: http://files.nfoe.net/cod4/CoD4_Getstatus_Flood_Fix.zip

If you run CoD4 servers (1.7) on Linux, the latest beta version of CoD4 is the way to go: http://treefort.icculus.org/cod/cod4-ln ... st.tar.bz2

If you run other Q3-engine games on Linux, and you have the "string", "hashlimit", and "recent" iptables kernel modules available, you can filter the traffic with rules like these:
Code:
# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
# offset 32 = 20-byte IP header + 8-byte UDP header + the 4-byte 0xFFFFFFFF
# marker that starts every Q3-engine out-of-band packet, so "getstatus" is
# looked for right where the command name sits in the payload.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
# queries claiming these source ports (the ports of commonly attacked game
# servers) are spoofed reflection traffic, so drop them before the rate check.
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold (more than 2 queries/second
# from one source IP), and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK

If you were linked to this post because you saw a flood of game query responses, some of which came from our IP addresses, please understand that our servers are not the ones launching an attack. They are simply replying to seemingly-legitimate queries (there's no way for them to tell that they are not legitimate). If you contact us, we can attempt to block traffic specifically to your IP, but this won't do much for you, because your attack is likely being reflected by thousands of other IPs, as well. There are two primary ways that you can address such an attack on your end -- and usually both are needed:

- By calling your upstream and having them apply an ACL to filter some of the source ports for you (a range from 27960-29000 to block common Q3-engine attacks, for instance).
- By using a Linux firewall on your side to block the remaining traffic, through the use of the "string" iptables module. Use a rule like this on the target machine:

Code:
# reflected responses arrive with "statusResponse" at offset 32 (20-byte IP
# header + 8-byte UDP header + 4-byte 0xFFFFFFFF marker); drop them on the
# target machine, since it never sent the queries they answer.
iptables -A INPUT -p udp -m string --string "statusResponse" --algo bm --from 32 --to 33 -j DROP


Since we also have the patches mentioned in the prior section applied to all our servers, attacks reflected through our IPs should be rare.


Game Hosting: www.proclanservers.com
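The worked example and the iptables rules in the post above are easiest to understand by running them against constructed traffic. The following is an added example (my own code, not from the forum post, the SOF2.org community or any game project): it builds a constructed IPv4/UDP datagram to show where the "--from 32" offset comes from, extracts the Q3-engine out-of-band command name, computes the amplification ratio of a constructed query/response pair, and emulates the QUERY-CHECK/QUERY-BLOCK logic (port drops, the 30-second "recent" block list and the hashlimit threshold, which is approximated here by a token bucket of 2 tokens/second with a burst of 5) over a constructed mix of one legitimate server browser, one spoofed flood and one spoofed low-port query. All IPs, timestamps and packet contents are made up for the demonstration.

```python
"""Added example (my own code, not from the forum post or from NFO/SOF2.org):
an offline model of the Q3-engine reflection described in the post and of the
per-source rate check that the posted QUERY-CHECK/QUERY-BLOCK rules implement.
All IPs, packets and timestamps are constructed; the hashlimit match is
approximated by a token bucket (2 tokens/second, burst 5)."""
import struct
from collections import defaultdict

IP_HDR, UDP_HDR = 20, 8                  # IPv4 header without options + UDP header
Q3_MARKER = b"\xff\xff\xff\xff"          # prefix of every Q3-engine out-of-band packet
COMMAND_OFFSET = IP_HDR + UDP_HDR + len(Q3_MARKER)   # 32: the "--from 32" in the post's rules

def build_datagram(src_ip, dst_ip, sport, dport, payload):
    """Constructed IPv4+UDP datagram (checksums left zero; enough to show offsets)."""
    total = IP_HDR + UDP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return ip + udp + payload

def string_at(datagram, needle, offset):
    """Does `needle` sit at byte `offset` of the datagram, as -m string --from counts it?"""
    return datagram[offset:offset + len(needle)] == needle

def q3_command(payload):
    """Out-of-band command name ("getstatus", "statusResponse", ...) or None."""
    if not payload.startswith(Q3_MARKER):
        return None
    body = payload[len(Q3_MARKER):]
    end = min((i for i, b in enumerate(body) if b in b" \n"), default=len(body))
    return body[:end].decode("ascii", "replace")

def amplification(query, response):
    """Bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)

# source ports the post's rules drop outright: a query "from" a game server port is spoofed
DROPPED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (25200, 25200), (25565, 25565), (27015, 27100)]

def sport_is_dropped(sport):
    return any(lo <= sport <= hi for lo, hi in DROPPED_SPORTS)

class QueryFilter:
    """Emulates QUERY-CHECK: port drops, then the 30 s block list (-m recent),
    then the rate threshold (-m hashlimit) that feeds QUERY-BLOCK."""
    def __init__(self, rate=2.0, burst=5, block_seconds=30.0):
        self.rate, self.burst, self.block_seconds = rate, burst, block_seconds
        self.bucket = {}    # src -> (tokens, last_seen)
        self.blocked = {}   # src -> time the block was last refreshed

    def decide(self, src, sport, ts, payload):
        if q3_command(payload) != "getstatus":
            return "RETURN"                 # not a query: the rest of INPUT decides
        if sport_is_dropped(sport):
            return "DROP"
        last = self.blocked.get(src)
        if last is not None and ts - last < self.block_seconds:
            self.blocked[src] = ts          # recent --update: extend the block
            return "DROP"
        self.blocked.pop(src, None)
        tokens, seen = self.bucket.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - seen) * self.rate)
        if tokens >= 1:                     # within 2/s (+burst): hashlimit-above is false
            self.bucket[src] = (tokens - 1, ts)
            return "ACCEPT"
        self.bucket[src] = (tokens, ts)
        self.blocked[src] = ts              # QUERY-BLOCK: recent --set, then DROP
        return "DROP"

# constructed packets: a 14-byte getstatus query and a ~350-byte status response
SAMPLE_QUERY = Q3_MARKER + b"getstatus\n"
SAMPLE_RESPONSE = (Q3_MARKER + b"statusResponse\n"
                   + b"\\sv_hostname\\Constructed Server\\mapname\\mp_crash\\g_gametype\\war\\sv_maxclients\\32\n"
                   + b"".join(b'0 50 "player%02d"\n' % i for i in range(16)))

def simulate():
    """Constructed traffic: one legitimate browser, one spoofed flood, one low-port spoof."""
    events = [("203.0.113.7", 27960, 100.0 + 2 * i, SAMPLE_QUERY) for i in range(3)]
    events += [("198.51.100.9", 27960, 100.0 + 0.01 * i, SAMPLE_QUERY) for i in range(50)]
    events += [("198.51.100.9", 27960, 110.49, SAMPLE_QUERY),   # still inside the 30 s block
               ("198.51.100.9", 27960, 150.0, SAMPLE_QUERY),    # block expired: accepted again
               ("192.0.2.5", 27015, 100.0, SAMPLE_QUERY),       # spoofed CS:S source port
               ("203.0.113.7", 27960, 101.0, SAMPLE_RESPONSE)]  # not a query at all
    f, verdicts = QueryFilter(), defaultdict(lambda: defaultdict(int))
    for src, sport, ts, payload in sorted(events, key=lambda e: e[2]):
        verdicts[src][f.decide(src, sport, ts, payload)] += 1
    return {src: dict(v) for src, v in verdicts.items()}

if __name__ == "__main__":
    dg = build_datagram("198.51.100.9", "203.0.113.7", 27960, 27960, SAMPLE_QUERY)
    print("getstatus at offset 32:", string_at(dg, b"getstatus", COMMAND_OFFSET))
    print("amplification: %.1fx" % amplification(SAMPLE_QUERY, SAMPLE_RESPONSE))
    print(simulate())
```

Running it shows the three outcomes the post's chain is built for: the legitimate browser's three queries are accepted (and its non-query packet simply returns to INPUT), the flooding source gets its first five queries through on the burst and is then dropped for as long as it keeps sending, because every further packet refreshes the 30-second timer, and the query claiming source port 27015 is dropped by the port rule before any rate accounting happens. The token bucket is an approximation of hashlimit's behaviour, not a reimplementation of the kernel module.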
SOF2.ORG Multiplayer Community © 2017