SA-MP Forums

Servers are getting attacked (https://forum.sa-mp.com/showthread.php?t=665016)

connork 21/03/2019 01:53 AM

Re: Servers are getting attacked
 
First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean packets with wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet in which "SAMP" and the opcode are written.

A handshake to work with an established connection should be cool, but will it work properly with previous versions of SA-MP?

Make a database to cache the hosted list servers on an HTTP server; the client can download info from the SA-MP lists domain. It's a minor update and can be applied only to the client version. Game-MP already queries all servers to get server info, so it shouldn't be hard to do.

Work to enhance the protection against reflection attacks, maybe use per-IP limits, maybe impact the overall resource usage (new CPU thread?).

Kalcor 21/03/2019 02:18 AM

Re: Servers are getting attacked
 
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

But then both the internet list and hosted list load instantly. There's no incentive to buy a hosted listing anymore.

The best I could do right now is make a new server update with a switch to disable the query flood protection. But the better thing is for server owners to find some firewall/iptable rules to block it, so it's not generating more junk traffic on the internet.

We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.

connork 21/03/2019 02:52 AM

Re: Servers are getting attacked
 
Steam query was used for amplification attacks; I saw ISPs fully blocking the source port range in some situations.

Quote:

Originally Posted by Kalcor (Post 4089818)
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

Insert in this static list the cache for server info (opcode I only); it can help in some way. Use the last response time to show the servers according to their uptime.

Quote:

Originally Posted by Kalcor (Post 4089818)
We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.

Most server owners will keep doing nothing to handle that attack, just saying "it's a SA-MP fault" when it's not.

D1eSeL 21/03/2019 08:28 AM

Re: Servers are getting attacked
 
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."

BigETI 21/03/2019 09:42 AM

Re: Servers are getting attacked
 
There is already a third-party solution for cached server lists, and clients which can load these types of server lists.

ConcernedCitizen 21/03/2019 03:35 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by D1eSeL (Post 4089832)
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."

Wow your hosting knows how to use iptables

denNorske 21/03/2019 04:21 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by connork (Post 4089816)
First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean packets with wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet in which "SAMP" and the opcode are written.

The port is confirmed to be random in the payload; that was part of the announcement when R2 came out.
(https://forum.sa-mp.com/showthread.php?t=642085)

What do you mean by 39-43 here?
The first four bytes of the payload are signed with SAMP.

Anyway,
I am trying to filter the packages, but I have managed to block out the pings that happen when players try to establish a connection in-game with almost empty packets. The following screenshot shows internal package handling (7850) and external (port 7778).
http://i.imgur.com/ncFy5K1.png
Seems like the pings start with port bytes here (+ something else which I am not sure what it is for).

So I'll go ahead and adjust the code so it only blocks packets that contain "SAMP", so I don't catch all other sorts of packages which I can't find documentation on.

Also, I can rate-limit requests to not pass through my Python UDP proxy faster than x ms per spoofed IP, lowering the amount of requests by _a lot_ towards the server. Even disabling certain OP-codes could help for a start.

If someone is good with python, and could contribute for the community, hit me up. I'll put it on Git when done under the WTFPL license.
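
The "SAMP" filter, per-IP rate limit and opcode restriction discussed in the posts above, as an added Python example that is not part of the thread and not denNorske's proxy code. It assumes the query layout `SAMP` + 4 IP bytes + 2 port bytes + 1 opcode byte, which the thread does not spell out; `QueryFilter`, `build_query`, the opcode allow list and the sample addresses are hypothetical.

```python
import ipaddress
import time

MAGIC = b"SAMP"
HEADER_LEN = 11  # assumed layout: "SAMP" + 4 IP bytes + 2 port bytes + 1 opcode byte
ALLOWED_OPCODES = frozenset(b"ircdp")  # hypothetical allow list; RCON 'x' is left out


class QueryFilter:
    """Decide per datagram whether a UDP proxy should forward it to the server."""

    def __init__(self, server_ip, min_interval=0.5, max_tracked=100_000):
        self.server_ip = ipaddress.IPv4Address(server_ip).packed
        self.min_interval = min_interval  # seconds between queries per (source, opcode)
        self.max_tracked = max_tracked    # bound memory: sources may be spoofed
        self.last_seen = {}               # (src_ip, opcode) -> time, oldest first

    def classify(self, payload, src_ip, now=None):
        now = time.monotonic() if now is None else now
        if not payload.startswith(MAGIC):
            return "pass"            # not a query; game traffic is left alone
        if len(payload) < HEADER_LEN:
            return "drop:short"
        if payload[4:8] != self.server_ip:
            return "drop:ip-bytes"   # IP bytes do not name this server
        # Port bytes are not checked: the thread says they are random.
        opcode = payload[10]
        if opcode not in ALLOWED_OPCODES:
            return "drop:opcode"
        key = (src_ip, opcode)
        last = self.last_seen.get(key)
        if last is not None and now - last < self.min_interval:
            return "drop:rate"
        self.last_seen.pop(key, None)  # re-insert so dict order tracks recency
        if len(self.last_seen) >= self.max_tracked:
            self.last_seen.pop(next(iter(self.last_seen)))  # evict oldest entry
        self.last_seen[key] = now
        return "forward"


def build_query(ip, port, opcode):
    """Constructed sample query following the assumed layout."""
    return MAGIC + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "little") + opcode
```

The limit is keyed on source address and opcode so that a server browser sending several different queries in a row is not throttled by its own burst.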

Variable™ 21/03/2019 07:06 PM

Re: Servers are getting attacked
 
My host kinda got it sorted out by caching queries, which has some disadvantages, though the server doesn't get flooded anymore.

Romz 23/03/2019 08:50 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089818)
The best I could do right now is make a new server update with a switch to disable the query flood protection.

Is there any news about this? Many servers still suffer from this problem, so we are waiting for the update.

t4dgcom 23/03/2019 02:37 PM

Re: Servers are getting attacked
 
The easiest solution for this is to download and install the .dll + .so plugin that just removes the internal query limit; as the packets that are created by this attack are almost identical (or 1/1 identical), it is very hard to filter.
The attack, however, is only 800kbps or 1mbps in size, and can easily just be "taken in".

http://ubi.livs.pl/samp/samp_prot_ver2.zip - Plugin, developed by UBI back in 2017.
There's also one solution on the forums, a Python script released a few days ago; however, I didn't test it. This plugin I tested, and the attack now doesn't impact the server, even though I still see the attack on the traffic monitor.
https://i.imgur.com/LIKomJj.png

As far as our "internal hosting investigation" went, we see that it is impossible to filter this using DPI or any other software, as blocking any payload of the packet will block regular players from pinging the server as well. Without stupid limitations such as restricting some IPs from accessing the server, caching queries, or anything else that actually reflects on real players, it is impossible to block. The most adequate approach is to allow the packets to come in, which doesn't affect the server at all because the attack is so small, and it doesn't restrict any access or influence any real players.

