SA-MP Forums

Old 21/03/2019, 02:53 AM   #21
connork
Gangsta
 
 
Join Date: May 2013
Posts: 562
Reputation: 46
Default Re: Servers are getting attacked

First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean packets with the wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet where "SAMP" and the opcode are written.

A handshake to work with an established connection would be cool, but will it work properly with previous versions of SA-MP?

Make a database to cache the hosted list servers on an HTTP server; the client can download the info from the SA-MP lists domain. It's a minor update and can be applied only to the client version. Game-MP already queries all servers to get server info, so it shouldn't be hard to do.

Work to enhance the protection against reflection attacks, maybe use per-IP limits, maybe impact the overall resource usage (new CPU thread?).
__________________
HeavyHost
SA-MP | MTA | VPS Windows | VPS Linux | Website Hosting | Minecraft | Streaming | VPS Anti-DDoS
360Gbps DDoS Protection in CA & Layer 7 Mitigation
40Gbps DDoS Protection in USA & Layer 7 Mitigation
Old 21/03/2019, 03:18 AM   #22
Kalcor
SA-MP Developer
 
Join Date: Apr 2005
Posts: 1,170
Reputation: 2849
Default Re: Servers are getting attacked

These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.

But then both the internet list and hosted list load instantly. There's no incentive to buy a hosted listing anymore.

The best I could do right now is make a new server update with a switch to disable the query flood protection. But the better thing is for server owners to find some firewall/iptable rules to block it, so it's not generating more junk traffic on the internet.

We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.
Old 21/03/2019, 03:52 AM   #23
connork
Gangsta
 
 
Join Date: May 2013
Posts: 562
Reputation: 46
Default Re: Servers are getting attacked

Steam query was used for amplification attacks; I saw ISPs fully blocking the source port range in some situations.

Quote:
Originally Posted by Kalcor View Post
These types of attacks have been going on for 10+ years. There's already code in the server browser to load a static list of servers.
Insert into this static list the cache for server info (opcode I only); it can help in some way. Use the last response time to show the servers according to their uptime.

Quote:
Originally Posted by Kalcor View Post
We'll give it a few more days. If server owners can't block it, I'll add more control over the query flood protection.
Most server owners will keep doing nothing to handle that attack, just saying "it's a SA-MP fault" when it's not.
Old 21/03/2019, 09:28 AM   #24
D1eSeL
Big Clucker
 
 
Join Date: Oct 2013
Location: Ukraine, Kiev
Posts: 66
Reputation: 15
Default Re: Servers are getting attacked

I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."
__________________
REACT.SU - The Best AntiDDoS Solution
(Samp-Rp.ru, Arizona RolePlay, Trinity, Grand RolePlay, Evolve RolePlay)


__________________
DIESEL-COMMUNITY.COM - We give life to SA-MP projects


__________________
In the SA-MP community since 2006
Old 21/03/2019, 10:42 AM   #25
BigETI
Banned
 
Join Date: Mar 2010
Location: Germany
Posts: 1,048
Reputation: 359
Default Re: Servers are getting attacked

There is already a third-party solution for cached server lists and clients which can load these types of server lists.

Last edited by BigETI; 21/03/2019 at 11:25 AM.
Old 21/03/2019, 04:35 PM   #26
ConcernedCitizen
Little Clucker
 
Join Date: Aug 2017
Posts: 4
Reputation: 0
Default Re: Servers are getting attacked

Quote:
Originally Posted by D1eSeL View Post
I think only security inside the client and server will help here. This is repeated over several years.

Currently only 120 servers are displayed.

On behalf of React hosting:
"For our part we fixed the problem."
Wow your hosting knows how to use iptables
Old 21/03/2019, 05:21 PM   #27
denNorske
Gangsta
 
 
Join Date: Nov 2011
Location: Oslo, Norway
Posts: 787
Reputation: 95
Thumbs up Re: Servers are getting attacked

Quote:
Originally Posted by connork View Post
First, consider not answering packets with a wrong UDP datagram for the query mechanism, I mean packets with the wrong bytes for IP and port; the SA-MP server responds to every 39-43 packet where "SAMP" and the opcode are written.
The port is confirmed to be random in the payload, part of the announcement when R2 came out.
(https://forum.sa-mp.com/showthread.php?t=642085)

What do you mean by 39-43 here?
The first four bytes of the payload are signed with SAMP.

Anyway, I am trying to filter the packages, but I have managed to block out the pings that happen when players try to establish a connection ingame with almost empty packets. The following screenshot shows internal package handling (7850) and external (port 7778).

Seems like the pings start with port bytes here (+ something else which I am not sure what it is for).

So I'll go ahead and adjust so the code only blocks packets that contain "SAMP", so I don't catch all other sorts of packages which I can't find documentation on.

Also, I can rate-limit requests to not pass through my Python UDP proxy faster than x ms per spoofed IP, lowering the amount of requests by _a lot_ towards the server. Even disabling certain OP-codes could help for a start.

If someone is good with Python and could contribute for the community, hit me up. I'll put it on Git when done under the WTFPL license.

Last edited by denNorske; 21/03/2019 at 07:46 PM.
denNorske is offline   Reply With Quote
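
The filtering and per-source rate limiting discussed in the post above, as an added Python example that is not code from this thread or from denNorske's proxy. It assumes the 11-byte query header from the public SA-MP query documentation ("SAMP", four IP bytes, two port bytes little-endian, one opcode byte); `parse_query`, `QueryFilter` and the default limits are hypothetical names and values.

```python
import struct
import time
from collections import OrderedDict

MAGIC = b"SAMP"
HEADER_LEN = 11  # magic(4) + IPv4(4) + port(2, little-endian) + opcode(1)
# Opcode letters assumed from the public SA-MP query documentation.
# The RCON opcode is deliberately left out, so a proxy never forwards it.
ALLOWED_OPCODES = {b"i", b"r", b"c", b"d", b"p"}


def parse_query(payload):
    """Return (ip, port, opcode) for a well-formed query, else None."""
    if len(payload) < HEADER_LEN or payload[:4] != MAGIC:
        return None
    a, b, c, d, port = struct.unpack_from("<4BH", payload, 4)
    opcode = payload[10:11]
    # The ping opcode carries 4 extra bytes; other queries are header only.
    expected = HEADER_LEN + (4 if opcode == b"p" else 0)
    if opcode not in ALLOWED_OPCODES or len(payload) != expected:
        return None
    return "%d.%d.%d.%d" % (a, b, c, d), port, opcode.decode()


class QueryFilter:
    """Decides per datagram whether a UDP proxy should forward it."""

    def __init__(self, min_interval=0.25, max_sources=100000):
        self.min_interval = min_interval  # seconds between forwards per key
        self.max_sources = max_sources    # bounds memory under spoofed floods
        self.last_seen = OrderedDict()    # (source IP, opcode) -> last forward

    def decide(self, src_ip, payload, now=None):
        now = time.monotonic() if now is None else now
        if payload[:4] != MAGIC:
            return "pass"  # not a query datagram: leave game traffic alone
        parsed = parse_query(payload)
        if parsed is None:
            return "drop-malformed"
        key = (src_ip, parsed[2])
        last = self.last_seen.get(key)
        if last is not None and now - last < self.min_interval:
            return "drop-rate"
        self.last_seen[key] = now
        self.last_seen.move_to_end(key)
        if len(self.last_seen) > self.max_sources:
            self.last_seen.popitem(last=False)  # evict the oldest entry
        return "forward"
```

Datagrams that do not start with "SAMP" are passed through untouched, matching the goal of not catching the undocumented in-game packets. The per-source table is size-bounded because spoofed floods can present an unbounded number of source addresses.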
Old 21/03/2019, 08:06 PM   #28
Variable™
Gangsta
 
Join Date: Jul 2015
Posts: 801
Reputation: 175
Default Re: Servers are getting attacked

My host kinda got it sorted out by caching queries, which has some disadvantages, though the server doesn't get flooded anymore.
Old 23/03/2019, 09:50 AM   #29
Romz
Banned
 
Join Date: Jun 2013
Location: Ukraine
Posts: 1,044
Reputation: 64
Default Re: Servers are getting attacked

Quote:
Originally Posted by Kalcor View Post
The best I could do right now is make a new server update with a switch to disable the query flood protection.
Is there any news about this? Many servers still suffer from this problem, so we are waiting for the update.
Old 23/03/2019, 03:37 PM   #30
t4dgcom
Little Clucker
 
Join Date: Mar 2019
Location: https://t4dg.com/
Posts: 3
Reputation: 2
Default Re: Servers are getting attacked

The easiest solution for this is to download and install the .dll + .so plugin that just removes the internal query limit; as the packets that are created by this attack are almost identical (or 1/1 identical), it is very hard to filter.
The attack, however, is only 800kbps or 1Mbps in size, and can be easily just "taken in".

http://ubi.livs.pl/samp/samp_prot_ver2.zip - Plugin, developed by UBI back in 2017.
There's also one solution on the forums, a Python script released a few days ago; however, I didn't test it. This plugin I tested, and the attack now doesn't impact the server, even though I still see the attack on the traffic monitor.
https://i.imgur.com/LIKomJj.png

As far as our "internal hosting investigation" went, we see that it is impossible to filter this using DPI or any other software, as blocking any payload of the packet will block regular players from pinging the server as well. Without any stupid limitations such as restricting some IPs from accessing the server, or caching queries, or anything else that actually reflects on real players, it is impossible to block. The most adequate approach is to allow the packets to come in, which doesn't affect the server at all because the attack is so small, and it doesn't restrict any access or influence any real players.
All times are GMT.