Being attacked (DoS)

So I found this thread: http://forum.facepunch.com/showthread.php?t=1337532&p=43288622&viewfull=1#post43288622

But that type of attack is different from the one I’m getting hit with. Here is a pastebin of the attack that is hitting 5 of my servers: http://pastebin.com/8QWJNTvE

Any ideas on how I could block these? The IPs & Ports are all spoofed.

You could just link the packet capture to NFO support, they’re fairly helpful with this kinda thing.

Are you running on a VDS or just a purchased game server? I’m just curious with the windump.exe part.

Anyway, I took a quick glance and unless I missed something obvious I don’t see a repeat pattern and it’s just empty data. For a single game server you shouldn’t be getting those size packets very often, so you can just block 37-45 packet sizes.
Only add a small rate buffer, in case any legitimate requests happen after the attacks.

http://share.bybservers.co.uk/2014-04-27_20-53-59.png

if UDP inbound
from any ip / any port
to any ip / 27015
length 37-45
over 50 per second - This means it will allow the first 50 a second in. During an attack this will do nothing to affect your server; it's a simple safety net for legitimate traffic in this range after the attack.

I have been in contact with their support and their response is basically “Spoofed attacks are nearly impossible to block since the source of the attack can not be determined.”

But I’ll try the packet size filter.

[editline]27th April 2014[/editline]

Wouldn't blocking packets between 37-45 bytes restrict a lot of legit traffic?

Very weird, my NFO server is being DDoS'd as well

http://razrvenom.com/is/(D)Dos.png

No, packets of that size contain no information and are not used often (not sure if even used) for gmod.
I just took a 5 second sample with 45 players and had no packets that would match that rule.
Just give it a try and see what happens.

[editline]27th April 2014[/editline]

This attack is not the same, but as an FYI you should have some of the preset rules active to prevent them. TCP SYN being the primary one.

You’re paying the premium for NFO, might as well use their unique services :wink:

When idle in a server, I get the following packets sent:

14:40:08.316655 IP (tos 0x0, ttl 54, id 29288, len 44) <filtered>.27005 > <filtered>.27015: [udp sum ok] udp, payload 16
0x0000 4500 002c 7268 0000 3611 36d8 4800 b7c3 E…,rh…6.6.H…
0x0010 c0df 1ade 697d 6987 0018 b264 0200 0000 …i}i…d…
0x0020 0700 0000 2026 d501 a1cb fedf …&…

That length is only 44.

Hence the 50 packets a second buffer for legitimate traffic. Put it up to 100 if you think it’s too ‘risky’.
You WILL get some legit traffic in that range, but you shouldn’t be getting over 50 a second for a single GarrysMod server… If you want to play it safer change the ranges to 37-42 and you won’t hit the 43-44 legitimate packets.

It will either work, or it won’t… which btw it will work. Just try the damned thing and see if it helps before complaining it won’t.

-edit

You said 5 servers? Are these 5 separate rented servers or are you running these 5 on a Windows VDS? If so I highly recommend you swap to Linux. I’d love someone to do a proper performance test between them to get some proper stats, but I was so insanely surprised at the lag reductions when moving to Linux.
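As an added example, not code from the thread or from NFO's own filter: a small Python simulation of the rule discussed above (UDP to 27015, length 37-45, first 50 a second allowed, with the tighter 37-42 variant selectable) run over constructed tcpdump-style summary lines in the same format as the idle keepalive capture posted earlier. It assumes the "length" the rule matches is the IP total length that tcpdump prints as `len`, which is what the "That length is only 44" reply implies.

```python
import re
from collections import defaultdict

# Matches the tcpdump summary format quoted in the thread:
# "14:40:08.316655 IP (tos 0x0, ttl 54, id 29288, len 44) a.b.c.d.27005 > e.f.g.h.27015: [udp sum ok] udp, payload 16"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP \(.*?len (?P<len>\d+)\) "
    r"\S+ > \S+\.(?P<dport>\d+): .*udp"
)

def parse_line(line):
    """Return (wall-clock second, IP total length, dst port) or None for non-UDP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), int(m.group("len")), int(m.group("dport"))

def apply_rule(lines, port=27015, min_len=37, max_len=45, per_second=50):
    """Emulate: UDP inbound, to <port>, length min_len-max_len, drop beyond per_second."""
    matched = defaultdict(int)  # in-range packets already seen in each second
    allowed = dropped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, length, dport = parsed
        if dport == port and min_len <= length <= max_len:
            matched[ts] += 1
            if matched[ts] > per_second:  # buffer exhausted for this second
                dropped += 1
                continue
        allowed += 1
    return allowed, dropped

def make_line(ts, length, sport, dport):
    """Build a constructed tcpdump-style line (addresses are documentation ranges, not real hosts)."""
    return (f"{ts}.000000 IP (tos 0x0, ttl 54, id 1, len {length}) "
            f"203.0.113.{sport % 250 + 1}.{sport} > 198.51.100.7.{dport}: "
            f"[udp sum ok] udp, payload {length - 28}")

def demo(**rule):
    """Constructed traffic: one 44-byte keepalive, a 120-packet spoofed flood of 40-byte
    packets in the same second, then a keepalive and a normal 1200-byte game packet."""
    lines = [make_line("14:40:08", 44, 27005, 27015)]
    lines += [make_line("14:40:08", 40, 40000 + i, 27015) for i in range(120)]
    lines += [make_line("14:40:09", 44, 27005, 27015), make_line("14:40:09", 1200, 27005, 27015)]
    return apply_rule(lines, **rule)  # (allowed, dropped)
```

With the 37-45 range the keepalive in the flood second counts against the same 50-packet buffer as the flood; with 37-42 it does not, which is the point of the tighter range.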

Eh, (D)Dos didn’t come close to being effective.

So it doesn’t matter what rules you set up in your firewall. The payload is not the problem, it can change at any time so all you’re doing is playing a cat and mouse game. You change your rules, the attacker realizes this and changes the payload. But again, the payload isn’t the issue here. It’s taking advantage of a weakness in the source engine. If anyone knows of a fix for this, please let me know.

It’s not really a weakness, flood a network application with data to go through and it’s going to fuck up.

There’s no real solution if they are truly changing the sizes constantly, apart from adapt as they adapt, learn and continue.

Except the data is roughly 500KB/s. You could do this out of your house. Actual legit packet data is much larger than what they’re sending.

You seem to not get the point.

It’s data that is being directed direct to an application, this application has to sort through the data. How else does it know what is legitimate and what isn’t? It has to trawl through it all, it’s not a bug nor an exploit.

I understand how it works. All 5 of my servers have been down since Sunday morning. NFO has pretty much given me a “lets hope the guy stops attacking you”. And to answer your question, they’re all separate servers. Not 5 servers on 1 VDS. I got 2 in LA, 1 in Seattle, 1 in Chicago and 1 in New York.

It definitely appears to be a layer 7 attack taking advantage of an exploit in the code, as it is not a high rate attack at all, and uses very little bandwidth. I do believe we are not dealing with a layer 4 attack here, and that either Valve or Garry should issue a fix for this.

I applied these rules and I'll let you guys know if they have any effect.