DRDoS
Server used as reflector for DRDoS
#211
Posted 09 March 2012 - 08:52 PM
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled
#213
Posted 09 March 2012 - 10:07 PM
#214
Posted 09 March 2012 - 10:37 PM
OK guys I added a little special logic to my latest patch. This is of course still in the newer ioquake3-UrT-server-4.1 branch.
Once an IP address makes it into the "temp ban list", I keep a count of how many more requests come in from that IP address. Once 180 requests come in, I "renew" the ban.
So if an IP keeps spamming getstatus'es, it will stay in the ban list as long as it keeps getting spammed, without ever triggering a response.
I also improved the debug (a.k.a. developer) logging, so you can do "developer 1" in your console and you will no longer get thousands of lines of "SV packet" lines during a DRDoS attack. In fact the developer logging will tell you exactly when a ban is being renewed after reaching count 180.
This post has been edited by Rambetter: 09 March 2012 - 10:38 PM
#215
Posted 09 March 2012 - 11:39 PM
Rambetter, on 09 March 2012 - 10:37 PM, said:
So if an IP keeps spamming getstatus'es, it will stay in the ban list as long as it keeps getting spammed, without ever triggering a response.
patch keeps getting better :) nice work
#216
Posted 10 March 2012 - 02:42 AM
This time, I'm giving players a "second chance".
If you get into the temp ban list but then try to getstatus after 3 seconds, the server will unban you from that list if you haven't sent more than 5 requests in those 3 seconds.
So if you spam the "refresh" button in your client you actually will never get banned for more than 3 seconds.
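A constructed C model of the temp-ban logic Rambetter describes in #214 (renew the ban at 180 requests) and #216 (unban after 3 seconds if at most 5 requests arrived). This is an added example, not the ioquake3-UrT patch itself; the 180/3/5 figures come from the posts, while the 1-second entry window of 10 requests, the fixed-size table and the handling of an IP that is still noisy after 3 seconds are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the temp-ban logic in posts #214 and #216, not the real patch; times in whole seconds. */
#define MAX_ENTRIES   64
#define ENTER_BAN_AT  10   /* assumed: more than this many requests in 1 s triggers a ban */
#define RENEW_AT      180  /* from the post: requests while banned that renew the ban */
#define SECOND_CHANCE 3    /* from the post: seconds after which a quiet IP is unbanned */
#define CHANCE_LIMIT  5    /* from the post: max requests tolerated in those seconds */
typedef struct {
    uint32_t ip;      /* IPv4 as host-order integer; 0 marks a free slot */
    int      banned;
    uint32_t stamp;   /* ban start (or last renewal), else start of the 1 s window */
    int      count;   /* requests seen since stamp */
} entry_t;
static entry_t table[MAX_ENTRIES];
void reset_table(void) { memset(table, 0, sizeof table); }

static entry_t *lookup(uint32_t ip) {
    entry_t *slot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].ip == ip) return &table[i];
        if (table[i].ip == 0 && !slot) slot = &table[i];
    }
    if (slot) { memset(slot, 0, sizeof *slot); slot->ip = ip; }
    return slot;                     /* NULL when the table is full: caller drops */
}

/* Returns 1 if the getstatus should be answered, 0 if it is silently dropped. */
int getstatus_allowed(uint32_t ip, uint32_t now) {
    entry_t *e = lookup(ip);
    if (!e) return 0;
    if (e->banned) {
        if (now - e->stamp >= SECOND_CHANCE) {
            if (e->count <= CHANCE_LIMIT) {      /* second chance: went quiet, unban */
                e->banned = 0; e->stamp = now; e->count = 1;
                return 1;
            }
            e->stamp = now; e->count = 0;        /* still noisy: fresh 3 s window (assumed) */
        }
        if (++e->count >= RENEW_AT) { e->stamp = now; e->count = 0; }  /* renew the ban */
        return 0;
    }
    if (now - e->stamp >= 1) { e->stamp = now; e->count = 0; }        /* new 1 s window */
    if (++e->count > ENTER_BAN_AT) { e->banned = 1; e->stamp = now; e->count = 0; return 0; }
    return 1;
}

/* Sends n requests from ip at time now; returns how many would be answered. */
int send_burst(uint32_t ip, uint32_t now, int n) {
    int answered = 0;
    for (int i = 0; i < n; i++) answered += getstatus_allowed(ip, now);
    return answered;
}
```

A spoofed flood never receives a reply while it keeps arriving, and a real client that just hammered "refresh" is answered again three seconds after it stops.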
#218
Posted 10 March 2012 - 03:05 PM
sorry for the awkward question (especially if it was already discussed - I've only read the last 2-3 pages); why not just change the protocol and force a handshake (syn/ack for example), then?
If gametracker, the master list etc. are some of the main reasons, add a whitelist with trusted IPs that works without it, as a temporary solution until everyone updates their trackers (although this would make them one of the few possible targets).
This post has been edited by SailorMon: 10 March 2012 - 03:08 PM
#219
Posted 10 March 2012 - 08:01 PM
SailorMon, on 10 March 2012 - 03:05 PM, said:
sorry for the awkward question (especially if it was already discussed - I've only read the last 2-3 pages); why not just change the protocol and force a handshake (syn/ack for example), then?
If gametracker, the master list etc. are some of the main reasons, add a whitelist with trusted IPs that works without it, as a temporary solution until everyone updates their trackers (although this would make them one of the few possible targets).
It would require coding a new system into the client game and releasing a new version/update to the game.
Servers would need to be updated with the new system too.
then the master servers would be required to have this new functionality added to them as well.
It's not simple work, especially when you're also trying to release a new version of the game too.
then there is the question of getting everyone updated: there are still many servers that still run 4.1 rather than 4.1.1 and it was released months ago.
#220
Posted 11 March 2012 - 10:41 AM
NITRO, on 10 March 2012 - 08:01 PM, said:
Servers would need to be updated with the new system too.
then the master servers would be required to have this new functionality added to them as well.
It's not simple work, especially when you're also trying to release a new version of the game too.
then there is the question of getting everyone updated: there are still many servers that still run 4.1 rather than 4.1.1 and it was released months ago.
You are correct, it is a lot of work - but it's much better than ignoring the right solution. Until now, the fixes are trying to detect and slow down an attack that is already running, instead of updating the protocol to something secure that stops it altogether.
Are you sure that clients need to be updated, too? Aren't they getting the info from the master server, or just a list of IPs that they proceed to query themselves? Because if the getstatus command is issued only in-game, then the server must only check if the sender is on the server.
The master servers are under FS, if I'm not mistaken. So they're easily patchable. As for the other servers - FS already said they will de-list the ones which haven't updated to the latest version, so they could do that again.
Alternatively, if this isn't an option, just publish a list of secure IPs (master servers, well-known trackers) and block everything else via iptables...