SA-MP Forums


Variable™ 19/03/2019 12:31 PM

Servers are getting attacked
 
Hello, what is this?
http://monitor.sacnr.com/server-1799831.html
http://monitor.sacnr.com/server-1807615.html
http://monitor.sacnr.com/server-1808632.html
Even my own server is attacked. Look at the 24h graphs in each server; they're all messed up. Players see servers as offline while they're online and I don't understand how to solve this thing.

Edit: This server http://monitor.sacnr.com/server-1809072.html isn't getting attacked while all its rivals, including myself, are getting attacked.

Logic_ 19/03/2019 12:54 PM

Re: Servers are getting attacked
 
This server needs to get blacklisted.

MustangV10 19/03/2019 01:08 PM

Re: Servers are getting attacked
 
Yes, there appears to be a query flood attack targeting all(?) servers. I saw someone made a post about it on the SA:MP forum yesterday, but it was deleted. I can only assume unaffected servers are filtering it in some way.

Hazon 19/03/2019 01:50 PM

Re: Servers are getting attacked
 
I've even seen they have bots on the server you showed below. We've got some jealous bastards.

NeXTGoD 19/03/2019 02:38 PM

Re: Servers are getting attacked
 
The server that I play every day is involved with this, unfortunately (ง'̀-'́)ง

ColorHost-Kevin 19/03/2019 02:41 PM

Re: Servers are getting attacked
 
Yeah, this seems to be happening quite frequently as of late from what I can tell. Very unfortunate but blockable.

Variable™ 19/03/2019 04:51 PM

Re: Servers are getting attacked
 
The masterlist was down some minutes ago.

nickdodd25 19/03/2019 05:29 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by ColorHost-Kevin (Post 4089574)
Very unfortunate but blockable.

How do you block such a wide range of spoofed IPs?

Kalcor 20/03/2019 09:59 AM

Re: Servers are getting attacked
 
I've been trying to bait the attacker into attacking my server, but it seems he is using a static list.

Try setting this in the server.cfg
Code:

sleep 1

Then restart the server. That will increase the speed of the raknet thread, which may help deal with the packet flood.

denNorske 20/03/2019 10:59 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089708)
I've been trying to bait the attacker into attacking my server, but it seems he is using a static list.

Try setting this in the server.cfg
Code:

sleep 1

Then restart the server. That will increase the speed of the raknet thread, which may help deal with the packet flood.

Let me know if you need any further logs or so.

Wouldn't lowering the sleep value (assuming it's higher by default) cause the server to send out UDP packets at a higher rate - such as we can see in reflection attacks? We are basically responding to hosts that never asked for packets.

Idk much about thresholds for host providers, assuming they catch up on this.

EDIT: Readers; enabled the setting in the config; noticeably higher CPU load (+10-15%) but no noticeable effect on the querying unfortunately. Combine this with my proxy which I'll release later and hope we can increase the responsiveness.

MustangV10 20/03/2019 11:06 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089708)
I've been trying to bait the attacker into attacking my server, but it seems he is using a static list.

Try setting this in the server.cfg
Code:

sleep 1

Then restart the server. That will increase the speed of the raknet thread, which may help deal with the packet flood.

I just gave this a go, but it doesn't seem to have helped, querying is still slow (noticeably more so than before the attacks). Implemented the change on multiple servers on the hosted list (at different hosting providers, with different OS').

Just like denNorske, if any info (i.e. udp dumps, query logs, etc) would help, feel free to ask.

Kalcor 20/03/2019 11:20 AM

Re: Servers are getting attacked
 
Well, I know the attacker is using mostly spoofed South American ranges etc 170.,180.,181.,190.,200.,201.

Potentially they could spoof any range, but if the attack source is from within South America, they may find they have better outbound range if they spoof from there.

If you don't have many South American players, you could potentially just iptable those ranges. You don't have to block every fake query - just enough so the flood control doesn't trigger the query mechanism to shut down.

I don't really want to lower the flood control further because it could then become a reflection attack vector.

They must be doing about 1 million spoofed pps to perform the current attack. The longer it goes on, the more likely they'll get shut down.

denNorske 20/03/2019 11:45 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089717)
Well, I know the attacker is using mostly spoofed South American ranges etc 170.,180.,181.,190.,200.,201.

Potentially they could spoof any range, but if the attack source is from within South America, they may find they have better outbound range if they spoof from there.

If you don't have many South American players, you could potentially just iptable those ranges. You don't have to block every fake query - just enough so the flood control doesn't trigger the query mechanism to shut down.

I don't really want to lower the flood control further because it could then become a reflection attack vector.

They must be doing about 1 million spoofed pps to perform the current attack. The longer it goes on, the more likely they'll get shut down.

I didn't notice a pattern here, but this is actually a great idea to start out with.

Thanks for your help

EDIT: Kalcor, in regard to my first message in this topic, are the two port bytes checked upon request with UDP? Or are they not checked at all (can be anything)?

Romz 20/03/2019 06:37 PM

Re: Servers are getting attacked
 
@Kalcor, my server is also suffering from this, what should I do about it? I use [sleep 1]

164.132.204.15:7777

http://files.2al.ru/image/ScreenShot00051.jpg

http://files.2al.ru/image/ScreenShot00052.jpg

iggiz 20/03/2019 07:05 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089717)
Well, I know the attacker is using mostly spoofed South American ranges etc 170.,180.,181.,190.,200.,201.

Potentially they could spoof any range, but if the attack source is from within South America, they may find they have better outbound range if they spoof from there.

If you don't have many South American players, you could potentially just iptable those ranges. You don't have to block every fake query - just enough so the flood control doesn't trigger the query mechanism to shut down.

I don't really want to lower the flood control further because it could then become a reflection attack vector.

They must be doing about 1 million spoofed pps to perform the current attack. The longer it goes on, the more likely they'll get shut down.

What I get for just 1 second:

sleep 1 already

Increasing the delay in the CheckQueryFlood may help?
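A check an operator could run before applying /8 drops for the ranges named in the quoted post: it measures how much of the logged `requests connection cookie` traffic actually comes from those ranges. This is an added example, not part of the original post or of SA-MP; the function names are hypothetical and the log lines are constructed in the `[HH:MM:SS] [connection] IP:port requests connection cookie.` format.

```python
import re
from collections import Counter

# One "[connection] ... requests connection cookie." line of the server log.
LINE_RE = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\] \[connection\] "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) requests connection cookie\.$"
)

# First octets of the ranges named in the quoted post.
SUSPECT_OCTETS = frozenset({170, 180, 181, 190, 200, 201})

# Constructed sample input (addresses are made up for the example).
SAMPLE_LOG = """\
[21:48:41] [connection] 181.10.20.30:37118 requests connection cookie.
[21:48:41] [connection] 181.10.20.30:37118 requests connection cookie.
[21:48:41] [connection] 190.5.6.7:49903 requests connection cookie.
[21:48:41] [connection] 200.1.2.3:24214 requests connection cookie.
[21:48:41] [connection] 93.151.0.1:59827 requests connection cookie.
[21:48:41] [connection] 82.176.0.1:58032 requests connection cookie.
[21:48:42] [connection] 201.9.9.9:35093 requests connection cookie.
[21:48:42] [connection] 59.7.0.1:22818 requests connection cookie.
[21:48:42] some other log line that must be ignored
[21:48:42] [connection] 999.1.1.1:1234 requests connection cookie.
"""


def parse_cookie_requests(text):
    """Return (timestamp, ip, port) for every well-formed cookie request."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, port = m.group(1), m.group(2), int(m.group(3))
        # Reject syntactically matching but impossible addresses or ports.
        if any(int(o) > 255 for o in ip.split(".")) or port > 65535:
            continue
        entries.append((ts, ip, port))
    return entries


def requests_per_second(entries):
    """Count requests per log timestamp (one-second resolution)."""
    return Counter(ts for ts, _, _ in entries)


def share_by_first_octet(entries):
    """Count requests per /8 (keyed by the first octet)."""
    return Counter(int(ip.split(".")[0]) for _, ip, _ in entries)


def blocklist_coverage(entries, octets=SUSPECT_OCTETS):
    """Fraction of logged requests that dropping the given /8s would remove."""
    if not entries:
        return 0.0
    hits = sum(1 for _, ip, _ in entries if int(ip.split(".")[0]) in octets)
    return hits / len(entries)


if __name__ == "__main__":
    parsed = parse_cookie_requests(SAMPLE_LOG)
    print("requests per second:", dict(requests_per_second(parsed)))
    print("top /8s:", share_by_first_octet(parsed).most_common(3))
    print("coverage of the listed /8s: {:.1%}".format(blocklist_coverage(parsed)))
```

A low coverage figure on a real log means the listed /8 drops would remove little of the flood while still cutting off every player in those ranges.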

Variable™ 20/03/2019 10:52 PM

Re: Servers are getting attacked
 
The servers that are being attacked delay more than the other ones. If you refresh a regular server, it updates ping/players fast, but if you refresh a server that's being attacked, it takes more time for the client to retrieve the information. The same is happening on the hosted tab: my server is getting attacked while my rival isn't; my rival shows on the tab every time I refresh the master list, but I show on the tab when I refresh the master list 14 times.

I tried the same on other servers; all the attacked servers aren't properly monitored by the SACNR monitor, barely appear on the hosted list and query pretty slowly.

Kalcor 21/03/2019 12:44 AM

Re: Servers are getting attacked
 
If you don't need South American players, this should fend off most of the attack
Code:

/sbin/iptables -A INPUT -s 180.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 181.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 190.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 200.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 201.0.0.0/8 -j DROP

How to track queries in the server log? Add this to server.cfg
Code:

logqueries 1

You can monitor the server queries by tailing the server log
Code:

user@host:~/samp03$ tail -f server_log.txt | grep "query"

Kalcor 21/03/2019 01:18 AM

Re: Servers are getting attacked
 
It'd be much slower if it was TCP. The SA-MP 'i' and 'p' packets are so small, I consider it better to just respond with the data than try to set up a 3-way handshake.

The reason SA-MP's query is rate limited is to prevent a reflection attack vector. You can perform a reflection attack with TCP. If you send spoofed TCP SYN to a closed port, it'll respond with TCP RST. TCP RST just isn't a very juicy target compared to UDP services like NTP.

Ultimately the problem of IP spoofing is something that needs to be solved by ISPs. I think any host allowing spoofed source addresses should be depeered from the internet.

Some countries have really poorly configured networks. I suspect now that net neutrality is gone, the situation will slowly improve.

Ruhoster 21/03/2019 01:27 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by ****** (Post 4089804)
Could you make queries TCP? Those are much harder to IP spoof, which means that only legitimate clients could make them. Then for regular connections you can refuse connections from IPs that haven't made a recent valid TCP request to the server. Clicking on a server will query it before you can click connect, so anyone joining through the official client will have made a recent request by default.

TCP does not help. TCP-SYN flood is 10 times more popular, so more affordable and cheaper.

It may be better to add information to the master list, such as the server name, the number of players (cached). In this case, the players will at least display all 260 servers from Hosted. And not 100, as it is now.

Variable™ 21/03/2019 01:51 AM

Re: Servers are getting attacked
 
If TCP becomes worse than UDP it'd be a waste of time imo, I'd say do something better.

You can simply make it so instead of client > server, make it client > samp > server. That way queries are checked by samp before sending it to the servers. In case it gets flooded, it's easy to prevent the attack that way. Fixing 300+ holes (servers) is harder to control than fixing just one (if samp gets attacked).

Right now any attack affects all the servers so you can't actually control it as clients deal with servers directly, you don't add any sort of verification to prevent malicious users from attacking servers. Besides this issue, more issues can come out so please consider sending queries to samp before servers.

connork 21/03/2019 01:53 AM

Re: Servers are getting attacked
 
First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean the packets with wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet where "SAMP" and the opcode are written.

A handshake to work with an established connection should be cool, but will it work properly with previous versions of SA-MP?

Make a database to cache the hosted list servers on an HTTP server; the client can download info from the SA-MP lists domain. It's a minor update and can be applied only to the client version. Game-MP already queries all servers to get server info, so it shouldn't be hard to do.

Work to enhance the protection against reflection attacks: maybe use per-IP limits, maybe impacting the overall resource usage (new CPU thread?).

Kalcor 21/03/2019 02:18 AM

Re: Servers are getting attacked
 
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

But then both the internet list and hosted list load instantly. There's no incentive to buy a hosted listing anymore.

The best I could do right now is make a new server update with a switch to disable the query flood protection. But the better thing is for server owners to find some firewall/iptable rules to block it, so it's not generating more junk traffic on the internet.

We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.

connork 21/03/2019 02:52 AM

Re: Servers are getting attacked
 
Steam query was used for amplification attacks; I saw ISPs fully blocking the source port range in some situations.

Quote:

Originally Posted by Kalcor (Post 4089818)
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

Insert in this static list the cache for server info (opcode I only), it can help in some way. Use the last response time to show the servers according to their uptime.

Quote:

Originally Posted by Kalcor (Post 4089818)
We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.

Most server owners will keep doing nothing to handle that attack, just saying "it's SA-MP's fault" when it's not.

D1eSeL 21/03/2019 08:28 AM

Re: Servers are getting attacked
 
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."

BigETI 21/03/2019 09:42 AM

Re: Servers are getting attacked
 
There is already a third party solution for cached server lists and clients which can load these type of server lists.

ConcernedCitizen 21/03/2019 03:35 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by D1eSeL (Post 4089832)
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."

Wow your hosting knows how to use iptables

denNorske 21/03/2019 04:21 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by connork (Post 4089816)
First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean the packets with wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet where "SAMP" and the opcode are written.

The port is confirmed to be random in the payload, part of the announcement when R2 came out.
(https://forum.sa-mp.com/showthread.php?t=642085)

What do you mean by 39-43 here?
The first four bytes of the payload are signed with SAMP.

Anyway,
I am trying to filter the packages but I have managed to block out the pings that happen when players try to establish a connection in-game with almost empty packets. The following screenshot shows internal package handling (7850) and external (port 7778).
http://i.imgur.com/ncFy5K1.png
Seems like the pings start with port bytes here (+ something else which I am not sure what it is for)

So I'll go ahead and adjust so the code only blocks packets that are containing "SAMP" so I don't catch all other sorts of packages which I can't find documentation on.

Also, I can rate-limit requests to not pass through my python UDP proxy faster than x ms per spoofed IP, lowering the amount of requests by _a lot_ towards the server. Even disabling certain OP-codes could help for a start.

If someone is good with python, and could contribute for the community, hit me up. I'll put it on Git when done under the WTFPL license.
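The filtering steps discussed in this post (touch only payloads that start with "SAMP", optionally disable opcodes, limit each source to one query per interval), sketched as an added example that is not the poster's proxy and not SA-MP code. The 11-byte layout (magic, 4 IP bytes, 2 little-endian port bytes, opcode), the 4 extra bytes on 'p', and all function and class names are assumptions of this example.

```python
import socket
import struct

MAGIC = b"SAMP"
HEADER_LEN = 11        # assumed layout: magic(4) + IPv4(4) + port(2, LE) + opcode(1)
EXTRA_LEN = {b"p": 4}  # assumed: the ping opcode carries 4 extra bytes
# An 11- or 15-byte payload plus 28 bytes of IPv4/UDP header is 39 or 43 bytes on the wire.
ALLOWED_OPCODES = frozenset({b"i", b"p"})  # the two opcodes named in the thread


def build_query(ip, port, opcode, extra=b""):
    """Build a constructed sample query datagram (for the demo and tests only)."""
    return MAGIC + socket.inet_aton(ip) + struct.pack("<H", port) + opcode + extra


def classify(payload, server_ip, server_port, allowed=ALLOWED_OPCODES):
    """Return a verdict string for one UDP payload."""
    if payload[:4] != MAGIC:
        return "not-query"          # game traffic: this filter leaves it alone
    if len(payload) < HEADER_LEN:
        return "malformed"
    opcode = payload[10:11]
    if opcode not in allowed:
        return "opcode-disabled"
    if len(payload) != HEADER_LEN + EXTRA_LEN.get(opcode, 0):
        return "malformed"
    ip = socket.inet_ntoa(payload[4:8])
    (port,) = struct.unpack("<H", payload[8:10])
    # Clients reaching the server through NAT or a relay may embed another
    # address, so treat this check as optional policy, not as proof of spoofing.
    if (ip, port) != (server_ip, server_port):
        return "wrong-target"
    return "ok"


class SourceLimiter:
    """At most one query per source per min_interval, with a bounded table.

    A spoofed flood presents a new source address on almost every packet,
    so the table is capped; when it is full of fresh entries, queries from
    new sources are dropped instead of letting memory grow without bound.
    """

    def __init__(self, min_interval, max_sources):
        self.min_interval = min_interval
        self.max_sources = max_sources
        self.last_seen = {}  # insertion order == ascending last-seen time

    def allow(self, src_ip, now):
        last = self.last_seen.get(src_ip)
        if last is not None and now - last < self.min_interval:
            return False
        if last is None and len(self.last_seen) >= self.max_sources:
            self._expire(now)
            if len(self.last_seen) >= self.max_sources:
                return False
        self.last_seen.pop(src_ip, None)  # re-insert to keep recency order
        self.last_seen[src_ip] = now
        return True

    def _expire(self, now):
        for ip in list(self.last_seen):
            if now - self.last_seen[ip] < self.min_interval:
                break  # everything after this entry is newer
            del self.last_seen[ip]


def filter_datagram(payload, src_ip, now, limiter, server_ip, server_port):
    """Decide whether a proxy should forward this datagram to the game server."""
    verdict = classify(payload, server_ip, server_port)
    if verdict == "not-query":
        return "forward"
    if verdict != "ok":
        return "drop:" + verdict
    return "forward" if limiter.allow(src_ip, now) else "drop:rate-limited"


if __name__ == "__main__":
    server = ("203.0.113.10", 7777)  # constructed documentation address
    limiter = SourceLimiter(min_interval=1.0, max_sources=1000)
    info = build_query(server[0], server[1], b"i")
    for t in (0.0, 0.25, 2.0):
        print(t, filter_datagram(info, "198.51.100.7", t, limiter, *server))
```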

Variable™ 21/03/2019 07:06 PM

Re: Servers are getting attacked
 
My host kinda got it sorted out by caching queries, which has some disadvantages, though the server doesn't get flooded anymore.

Romz 23/03/2019 08:50 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Kalcor (Post 4089818)
The best I could do right now is make a new server update with a switch to disable the query flood protection.

Is there any news about this? Many servers still suffer from this problem, so we are waiting for the update.

t4dgcom 23/03/2019 02:37 PM

Re: Servers are getting attacked
 
Easiest solution for this - is to download and install the .dll + .so plugin that just removes the internal query limit, as the packets that are created by this attack are almost identical (or 1/1 identical) it is very hard to filter.
Attack however is only 800kbps or 1mbps in size, and can be easily just "taken in".

http://ubi.livs.pl/samp/samp_prot_ver2.zip - Plugin, developed by UBI back in 2017.
There's also one solution on the forums, as Python script released few days ago, however I didn't test it, this plugin I tested and attack now doesn't impact the server, even though I still see the attack on traffic monitor.
https://i.imgur.com/LIKomJj.png

As far as our "internal hosting investigation" went, we see that it is impossible to filter this using DPI or any other software, as blocking any payload of the packet will block regular player from pinging the server as well. Without any stupid limitations as restricting some IPs to access the server, or by caching query, or anything else that actually reflect on real player - it is impossible to block, and the most adequate is to allow packets to come in, that doesn't affect the server at all due to that attack is so small, as well as it doesn't restrict any access or influence any real players.

Variable™ 23/03/2019 08:50 PM

Re: Servers are getting attacked
 
You're great! The plugin is pretty useful thanks.

Quote:

Originally Posted by t4dgcom (Post 4090203)
Easiest solution for this - is to download and install the .dll + .so plugin that just removes the internal query limit, as the packets that are created by this attack are almost identical (or 1/1 identical) it is very hard to filter.
Attack however is only 800kbps or 1mbps in size, and can be easily just "taken in".

http://ubi.livs.pl/samp/samp_prot_ver2.zip - Plugin, developed by UBI back in 2017.
There's also one solution on the forums, as Python script released few days ago, however I didn't test it, this plugin I tested and attack now doesn't impact the server, even though I still see the attack on traffic monitor.
https://i.imgur.com/LIKomJj.png

As far as our "internal hosting investigation" went, we see that it is impossible to filter this using DPI or any other software, as blocking any payload of the packet will block regular player from pinging the server as well. Without any stupid limitations as restricting some IPs to access the server, or by caching query, or anything else that actually reflect on real player - it is impossible to block, and the most adequate is to allow packets to come in, that doesn't affect the server at all due to that attack is so small, as well as it doesn't restrict any access or influence any real players.


Ubi 23/03/2019 11:39 PM

Re: Servers are getting attacked
 
Here is the source code: https://ubi.livs.pl/samp/samp_prot_ver2_s.zip

nbx2000 24/03/2019 05:36 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Ubi (Post 4090293)

is compatible 0 3 x and 0 3 z ?

Romz 24/03/2019 05:58 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by nbx2000 (Post 4090322)
is compatible 0 3 x and 0 3 z ?

This is a very old and irrelevant version, please upgrade to 0.3.7.

Ubi 24/03/2019 11:19 PM

Re: Servers are getting attacked
 
0.3.7 R2-2 version: https://ubi.livs.pl/samp/samp_prot_ver3_s.zip

labiyebu 25/03/2019 09:41 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Ubi (Post 4090456)

It's not working

t4dgcom 25/03/2019 11:47 AM

Re: Servers are getting attacked
 
Quote:

Originally Posted by labiyebu (Post 4090485)
It's not working

http://ubi.livs.pl/samp/samp_prot_ver2.zip
Try to install this version.

Doddinger 25/03/2019 04:28 PM

Hey hello!

I thought I could help here but you have to configure it by yourself so this is not a tutorial :)
I give you a tip: Don't route the address ranges of the RFC1918. That will solve your flooding issues. No Bogon-Filtering or something similar. How can I prove that it's working? Why the mastertable was down is not a matter of mine since I didn't have access or time for it to think about it (I'm just inquisitive now, time to put that back into the cache and think/inform about it later again, whenever).
I'm only able to help you out with that little useful information!
Please also don't throw this tip away. I really didn't get much time but I got this message from a samp member and that it had affected more than only one samp members. I thought about it and this was my result for you. I also had opened my server log and network logs and I scrolled 10 days back and checked their contents. That's a work of 30 minutes approx. and that's much currently.

Have a nice day!

-Doddinger.

(I think I mentioned the RFC1918 once already in a thread)

Ah and I forgot one thing: I don't question the other solutions! It's just a support from my side!

Gettopro 25/03/2019 06:08 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by labiyebu (Post 4090485)
It's not working

It works, judging by the log
Quote:

[21:02:03] Loading plugin: samp_prot.so
[21:02:03] ### samp_prot by Ubinoob loaded (ver 3)
[21:02:03] ### Professional game hosting: https://LiveServer.pl
[21:02:03] ### Memory segments unprotected
[21:02:03] ### Query system patched
[21:02:03] ### Cookie logging disabled
[21:02:03] ### Query logging disabled
[21:02:03] Loaded
but nothing has changed.
still not visible.
Need plugin settings? (****** translate sorry)

t4dgcom 25/03/2019 08:24 PM

Re: Servers are getting attacked
 
Quote:

Originally Posted by Gettopro (Post 4090553)
It works, judging by the log


but nothing has changed.
still not visible.
Need plugin settings? (****** translate sorry)

And again, try to install http://ubi.livs.pl/samp/samp_prot_ver2.zip rather than last version.
This works fine.

