Urban Terror Forums: DRDoS - Urban Terror Forums

DRDoS

Server used as reflector for DRDoS

#61 Nitro

  • QA member
  • Account: nitro
  • Main tag: |P|
  • Joined: 15-March 10
  • Posts: 1,133

Posted 02 January 2012 - 07:41 PM

ItsMe, on 02 January 2012 - 02:31 PM, said:

PS. my d*ck is longer than yours and my kung-fu stronger :p

PPS. I forgot to say, last Saturday I used to play on your Lil PWNY CTF and it was laggy as hell - are you sure your iptables are working well? ;)
--
ItsMe


This topic is here to help everyone - there isn't any need for the harsh comments, and the blatantly untrue slander is not needed either - blocking every getstatus packet would not impose any latency issues at all with clients currently connected to the server as they don't need getstatus; perhaps your internet connection wasn't up to scratch on Saturday.

If you can't keep your rude opinions to yourself why bother to post here to try and help in the first place, I am only trying to do my bit to help other admins in this community, which you seem set to cause havoc with. I also said many times that there are multiple games based on the q3 engine that run on different ports between 27k and 29k, sure the whitelist probably doesn't need that however it was just a simple solution.
Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#62 Derfull

  • Account: derfull
  • Main tag: |U`u|
  • Joined: 28-February 10
  • Posts: 39

Posted 02 January 2012 - 09:50 PM

@ItsMe
It's a more elegant way than our bunch of rules.
But the attackers also use the expression defined in the first rule.

We can use the string "getstatus" instead of the hexadecimal form you used and drop packets if it reaches the hit count limit.
No need to accept anything; a regular client doesn't do more than 5 queries to obtain the state of a server.

Maybe we can merge our point of view ;)

This post has been edited by Derfull: 02 January 2012 - 09:55 PM


#63 ItsMe

  • Account: itsme
  • Main tag: bc`
  • Joined: 28-February 10
  • Posts: 76

Posted 03 January 2012 - 04:43 PM

@nitro

nitro, on 02 January 2012 - 07:41 PM, said:

This topic is here to help everyone - there isn't any need for the harsh comments, and the blatantly untrue slander is not needed either - blocking every getstatus packet would not impose any latency issues at all with clients currently connected to the server as they don't need getstatus; perhaps your internet connection wasn't up to scratch on Saturday.

You really should adjust your irony detectors...

Quote

If you can't keep your rude opinions to yourself why bother to post here to try and help in the first place, I am only trying to do my bit to help other admins in this community, which you seem set to cause havoc with. I also said many times that there

Mhhhh - I've replied to you because my intent was to _help_ too. Your settings in the post that I answered in the _first place_ will cause problems on many servers out there.

Quote

are multiple games based on the q3 engine that run on different ports between 27k and 29k, sure the whitelist probably doesn't need that however it was just a simple solution.

I do not disavow that. My settings will protect Q3A and other games based on that engine too. But why talk here about other games - I kind of thought that this is the UrT forum. And who the heck uses _2000_ gameservers on _one_ machine? Maybe gamehosters, but not that many on _one_ box.

To bring it to an end:
Maybe I was rude; the reason for that was that you claim that the _settings_ in your solution are _the_ right ones and they aren't - that easy.
Your iptables ruleset will work for sure, but your _harsh settings_ will cause problems.
Just because it works on _your_ server does not mean it will work on _all_ servers.

@Derfull

Quote

It's a more elegant way than our bunch of rules.

Thank you :)

Quote

But the attackers also use the expression defined in the first rule.

They surely have to, because the server expects _0x1c=0xffffffff_ as the beginning of every "conversation" with it.
So you can talk with _every_ server out there based on the Q3A engine. Try this:


printf '\xFF\xFF\xFF\xFFgetstatus\n' | nc -u -n -w 1 188.40.128.151 47960


That will bring the getstatus reply of my Playground to your console.

<jokemode>
If you replace getstatus with getchallenge and you can give the right answers you can play it on your console. HARHARHAR
</jokemode>

I do not want to explain the whole rcon protocol here, ask the guys from FS or ioquake to get more info about it :)

Quote

We can use the string "getstatus" instead of the hexadecimal form you used and drop packets if it reaches the hit count limit


That happens here:

iptables -A urt_drdos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set



Quote

Maybe we can merge our point of view ;)

We can for sure!
I would love to see that all admins out there that search for a solution will find it in this thread.
As I said in all my replies: -> Your settings will work for sure <-
The only reason why I replied was that a hitcount of 3/sec is too harsh - it will cause problems.

And unlike nitro I do not claim that my solution is the best one and insist like a child: On my server it worked well, all is good, I make the things harsher than before because I'm _the_ admin.
I hope both of you get my point of view in the right way.

@nitro again:
I have been doing networking stuff for more than 20 years now (omg I'm old o.O) and have hosted one gameserver or another since Q3A - after that long a time you become _automatically_ rude.
Greetings from BOFH :)

I wrote it 2 times before -> EOD (EndOfDiscussion)

PS.
If you are interested we can talk in IRC, mail or PM to get the best of the best of the best SIR! out of all solutions and how to get the world domination (but be aware that I'm Brain)

--
ItsMe
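The u32 offsets quoted in post #63 can be checked byte by byte. The C sketch below is an added example, not code from the thread or from iptables: it applies the four tests (0x1c, 0x20, 0x24, 0x25&0xff) the way a u32 match reads a packet, using a constructed IPv4/UDP packet; u32_match and matches_command are names made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One u32 test: read 4 big-endian bytes at off, AND with mask, compare. */
struct u32_test { size_t off; uint32_t mask, want; };

/* The tests quoted in the thread; offsets count from the start of the IP
 * header and assume it is 20 bytes (no IP options) plus 8 bytes of UDP. */
static const struct u32_test TESTS[] = {
    {0x1c, 0xffffffffu, 0xffffffffu}, /* payload[0..3]: connectionless marker */
    {0x20, 0xffffffffu, 0x67657473u}, /* payload[4..7]:  "gets" */
    {0x24, 0xffffffffu, 0x74617475u}, /* payload[8..11]: "tatu" */
    {0x25, 0x000000ffu, 0x00000073u}, /* last of bytes 0x25..0x28: 's' */
};

/* Returns 1 if every test holds, as with the && chain in the rule. */
int u32_match(const uint8_t *pkt, size_t len) {
    for (size_t i = 0; i < sizeof TESTS / sizeof TESTS[0]; i++) {
        size_t o = TESTS[i].off;
        if (len < 4 || o > len - 4)
            return 0; /* a read past the end of the packet never matches */
        uint32_t v = (uint32_t)pkt[o] << 24 | (uint32_t)pkt[o + 1] << 16 |
                     (uint32_t)pkt[o + 2] << 8 | pkt[o + 3];
        if ((v & TESTS[i].mask) != TESTS[i].want)
            return 0;
    }
    return 1;
}

/* Constructed IPv4 + UDP packet carrying "\xff\xff\xff\xff" + cmd. */
int matches_command(const char *cmd) {
    uint8_t pkt[128] = {0};
    size_t n = strlen(cmd);
    if (32 + n > sizeof pkt)
        return 0;
    pkt[0] = 0x45;              /* IPv4, header length 5 words = 20 bytes */
    pkt[9] = 17;                /* protocol: UDP */
    memset(pkt + 28, 0xff, 4);  /* UDP payload starts at 0x1c */
    memcpy(pkt + 32, cmd, n);
    return u32_match(pkt, 32 + n);
}

int main(void) {
    const char *cmds[] = {"getstatus", "getinfo", "getchallenge"};
    for (int i = 0; i < 3; i++)
        printf("%-12s match=%d\n", cmds[i], matches_command(cmds[i]));
    return 0;
}
```

Only getstatus matches this rule; getinfo, which the server patch in posts #66 and #67 also rate-limits, would need its own rule.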

#64 Derfull

  • Account: derfull
  • Main tag: |U`u|
  • Joined: 28-February 10
  • Posts: 39

Posted 05 January 2012 - 10:03 PM

Quote

They surely have to, because the server expects _0x1c=0xffffffff_ as the beginning of every "conversation" with it.


OK!
So I have misread the tcpdump result :)

#65 Nexu

  • clan leader
  • Account: nexu
  • Main tag: |it|
  • Joined: 26-June 07
  • Posts: 4,265

Posted 09 January 2012 - 03:27 PM

All your replies and solutions posted are appreciated. Please refrain from insulting each other, even if your points of view might vary.

Consider this a reminder.


#66 rfx

  • Account: rfx
  • Joined: 01-March 10
  • Posts: 576

Posted 10 January 2012 - 10:37 AM

I want to thank rambetter for his dedicated work on the server patches. I just received a phone call about an hour ago about a very increased traffic spike from my virtual server and it was pinpointed to the UrT game servers. Thanks to this forum and thread (sticky rocks!) I updated the sources from Rambetter's repository and have the drdos-fix included:

Possible DRDoS attack to address 173.236.98.69, ignoring getinfo/getstatus connectionless packet


Btw, is there a way to disable these messages? As in; I know they're there anyway?
Never mind, I read from the sources that there's no way and it doesn't really matter anyway.

This is how the network graph looks; it seems the attack started around the sixth/seventh of January:
Posted Image

I wasn't able to spot any anomaly regarding the CPU usage:
Posted Image

Thanks again, man.

This post has been edited by rfx: 10 January 2012 - 02:16 PM


#67 Rambetter

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 10 January 2012 - 11:48 PM

Sure you can disable the logging. The code is this in code/server/sv_main.c:


        if (globalCount == MAX_INFO_RECEIPTS) { // All receipts happened in last 2 seconds.                                                          
                if (lastGlobalLogTime + 1000 <= svs.time && // Limit one log every second.                                                           
                                svs.time > 2000) { // Avoid warning messages when server first starts up.                                            
                        Com_Printf("Detected flood of getinfo/getstatus connectionless packets\n");
                        lastGlobalLogTime = svs.time;
                }
                return qtrue;
        }
        if (specificCount >= 3) { // Already sent 3 to this IP in last 2 seconds.                                                                    
                if (lastSpecificLogTime + 1000 <= svs.time) { // Limit one log every second.                                                         
                        Com_Printf("Possible DRDoS attack to address %i.%i.%i.%i, ignoring getinfo/getstatus connectionless packet\n",
                                        exactFrom.ip[0], exactFrom.ip[1], exactFrom.ip[2], exactFrom.ip[3]);
                        lastSpecificLogTime = svs.time;
                }
                return qtrue;
        }




Just comment out the Com_Printf's.
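A model of the per-address limit that the excerpt in post #67 enforces, added here as an example and not taken from the project's sources. The thresholds (3 replies, 2 seconds, one log line per second) come from the excerpt's comments; the receipt table, SLOTS (standing in for MAX_INFO_RECEIPTS, whose value is not shown), the function names and the sample address are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_MS    2000 /* "in last 2 seconds" */
#define PER_ADDR_MAX 3    /* "Already sent 3 to this IP" */
#define LOG_GAP_MS   1000 /* "Limit one log every second" */
#define SLOTS        48   /* assumed; stands in for MAX_INFO_RECEIPTS */

struct receipt { uint32_t addr; int time; int used; };
static struct receipt receipts[SLOTS];
static int last_log = -LOG_GAP_MS;
int log_lines; /* how many warnings were actually printed */

void limiter_reset(void) {
    memset(receipts, 0, sizeof receipts);
    last_log = -LOG_GAP_MS; log_lines = 0;
}

/* Returns 1 if the reply to addr must be suppressed at time now (ms). */
int suppress_reply(uint32_t addr, int now) {
    int same = 0, free_slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (receipts[i].used && now - receipts[i].time >= WINDOW_MS)
            receipts[i].used = 0; /* receipt fell out of the window */
        if (!receipts[i].used)
            free_slot = i;
        else if (receipts[i].addr == addr)
            same++;
    }
    if (free_slot < 0)
        return 1; /* table full: global flood, answer nobody */
    if (same >= PER_ADDR_MAX) {
        if (last_log + LOG_GAP_MS <= now) { /* throttle the warning */
            printf("Possible DRDoS attack to address %08x\n", (unsigned)addr);
            last_log = now;
            log_lines++;
        }
        return 1;
    }
    receipts[free_slot] = (struct receipt){addr, now, 1};
    return 0;
}

int main(void) {
    limiter_reset();
    for (int t = 3000; t < 3050; t += 10) /* constructed burst, one source */
        printf("t=%d suppressed=%d\n", t, suppress_reply(0xC0000201u, t));
    return 0;
}
```

Because the source address of a reflected query is the victim's, capping replies per address bounds what the server can be made to send to any one target, and the log throttle keeps a sustained flood from filling the console.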

#68 siyman

  • Account: siyman
  • Joined: 27-February 11
  • Posts: 3

Posted 11 January 2012 - 11:02 AM

Guys,

Today my hoster wrote me a mail that my server was shut down due to security issues relating to the quake game server component. After some research I found this thread but to be honest: why isn't this in the news? I was looking for some stuff two days ago and all this messing up with my server could have been prevented if someone had posted something on the frontpage. I beg you: summarize this thread, write one to three lines for server admins and make it public.

Besides I want to thank you for givin' us a fast and reliable patch.

This post has been edited by siyman: 11 January 2012 - 11:03 AM


#69 Creation

  • Account: creation
  • Joined: 03-March 10
  • Posts: 113

Posted 11 January 2012 - 03:05 PM

Personally I can only hope for a patch to be released really soon because I'm sure that not all server admins were able to use the workaround found on another topic.

#70 Liquid

  • league admin
    CasaTown League
  • Account: liquid
  • Joined: 03-March 10
  • Posts: 22

Posted 11 January 2012 - 05:08 PM

Thank you for these posts, it's helpful.


Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942