SA-MP Forums

Old 29/08/2017, 09:14 AM   #21
JernejL
Beta Tester
Join Date: Jan 2006
Location: Slovenia
Posts: 581
Reputation: 418
Default Re: Firewall Cookie Flood Connection

Let me step in and explain a few things going on here.

--hex-string '|081e77da|'

This is a match on port 7777's packet for the cookie request; this will work well for all servers that are on port 7777, other servers need to adjust this.

--hex-string '|53414d50a772c94a611e63|'
--hex-string '|53414d50a772c94a611e72|'
--hex-string '|53414d50a772c94a611e69|'

This is actually the SAMP query packet match:

http://wiki.sa-mp.com/wiki/Query_Mechanism

EVERYONE will need to make changes on this:

53414d50 "SAMP"
a772c94a server IP (YOUR bound server IP)
611e <- PORT
63 / 72 / 69 - matches various query packets.

You can get your proper packet by running `tcpdump -t -n -v -XX -i eth1 udp dst port 7777 and '(udp[8:4]=0x53414d50)'` (change the port to the proper port and eth1 to your real Ethernet interface in use)



Yellow: "SAMP" text
RED: Server IP
Green: port

Adjust the .sh file of RDM accordingly and only then use this.

More efficient filtering could be done: instead of a hex-string match at any position you can adapt this to use a u32 fast byte match. Sure, u32 causes brains to rot when you use it, but it will work better, especially on VPSs:

Examples (DO NOT ADD THIS TO YOUR IPTABLES, THIS IS JUST AN EXAMPLE):
Match SAMP udp packets:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50" -j DROP

Match SAMP R rules packet:
# u32 loads 4 bytes starting at the given offset, so 35&0xFF selects byte 38 (the query type byte)
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x72" -j DROP
Match other two query packet types:
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x63" -j DROP
iptables -A INPUT -p udp --destination-port 7777 -m u32 --u32 "28=0x53414d50&&35&0xFF=0x69" -j DROP
__________________
Please, do not message me anymore, I'm no longer part of the SA-MP scene.

I will not reply to private messages.
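
The packet layout described in the post above, turned into a small helper (an added example, not code from the thread or from RDM's script): it builds the `--hex-string` pattern and a fixed-offset `--u32` expression from a bind address, port and query type. The function names and the 192.0.2.10 sample address are made up for illustration; the u32 form goes beyond the thread by also pinning the IP and port bytes, and it assumes a 20-byte IPv4 header.

```sh
#!/bin/sh
# Added example, not from the thread. Query payload layout as described above:
# "SAMP" | server IPv4 (4 bytes) | port (2 bytes, low byte first) | type (c, r or i)

ip_hex() {        # dotted quad -> hex, e.g. 192.0.2.10 -> c000020a
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

port_hex_le() {   # port -> 2 bytes, low byte first, e.g. 7777 -> 611e
    case $1 in ''|*[!0-9]*|0?*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    printf '%02x%02x' $(( $1 & 255 )) $(( $1 >> 8 ))
}

type_hex() {      # query type letter -> hex byte (only the three types named above)
    case $1 in c|r|i) printf '%02x' "'$1" ;; *) return 1 ;; esac
}

# Argument for --hex-string; 167.114.201.74 7777 c gives the thread's
# |53414d50a772c94a611e63|
samp_hex_string() {
    h_ip=$(ip_hex "$1") && h_port=$(port_hex_le "$2") && h_type=$(type_hex "$3") || return 1
    printf '|53414d50%s%s%s|' "$h_ip" "$h_port" "$h_type"
}

# Argument for --u32 at fixed offsets (assumes a 20-byte IPv4 header, no options).
# u32 loads 4 bytes at the given offset and the mask keeps the trailing ones:
# 34&0xFFFF is bytes 36-37 (port), 35&0xFF is byte 38 (query type).
samp_u32() {
    h_ip=$(ip_hex "$1") && h_port=$(port_hex_le "$2") && h_type=$(type_hex "$3") || return 1
    printf '28=0x53414d50&&32=0x%s&&34&0xFFFF=0x%s&&35&0xFF=0x%s' "$h_ip" "$h_port" "$h_type"
}

# Constructed sample: 192.0.2.10 is a documentation address, not a real server.
for qtype in c r i; do
    printf '%s\n  --hex-string %s\n  --u32 "%s"\n' "$qtype" \
        "$(samp_hex_string 192.0.2.10 7777 "$qtype")" "$(samp_u32 192.0.2.10 7777 "$qtype")"
done
```

A query packet is 39 bytes on the wire (20 IP + 8 UDP + 11 payload), so every 4-byte u32 load above starts at offset 35 or lower and stays inside the packet.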
Old 29/08/2017, 11:04 AM   #22
RDM
Huge Clucker
 
Join Date: Apr 2014
Location: my github: https://github.com/Edresson
Posts: 236
Reputation: 36
Default Re: Firewall Cookie Flood Connection

Did not know that query packages are changed by IP! Thank you very much!
Problem solved! Firewall running for all SA-MP servers that use port 7777

I'm sorry for the mistake! I'm so sorry!

Last edited by RDM; 29/08/2017 at 12:16 PM.
Old 29/08/2017, 12:19 PM   #23
RDM
Huge Clucker
 
Join Date: Apr 2014
Location: my github: https://github.com/Edresson
Posts: 236
Reputation: 36
Default Re: Respuesta: Firewall Cookie Flood Connection

Quote:
Originally Posted by adri1 View Post
not working for me
I just did the correction! Make sure it works for you now
Old 29/08/2017, 12:37 PM   #24
adri1
Banned
 
Join Date: Oct 2010
Posts: 1,779
Reputation: 965
Default Respuesta: Firewall Cookie Flood Connection

My server is closed now, but I will check, thank you
Old 29/08/2017, 01:57 PM   #25
Peek
Little Clucker
 
Join Date: Dec 2013
Posts: 6
Reputation: 7
Default Re: Firewall Cookie Flood Connection

Still not working for me.
Old 29/08/2017, 03:59 PM   #26
RDM
Huge Clucker
 
Join Date: Apr 2014
Location: my github: https://github.com/Edresson
Posts: 236
Reputation: 36
Default Re: Firewall Cookie Flood Connection

Quote:
Originally Posted by Peek View Post
Still not working for me.
What is the IP of your server?
Old 29/08/2017, 10:33 PM   #27
Kaperstone
Banned
 
Join Date: May 2011
Location: Russia
Posts: 3,011
Reputation: 824
Default Re: Firewall Cookie Flood Connection

63 69 72 are the codes for the digits after 611e I guess. (because Jernal posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Old 29/08/2017, 10:55 PM   #28
RDM
Huge Clucker
 
Join Date: Apr 2014
Location: my github: https://github.com/Edresson
Posts: 236
Reputation: 36
Default Re: Firewall Cookie Flood Connection

Quote:
Originally Posted by Kaperstone View Post
63 69 72 are the codes for the digits after 611e I guess. (because Jernal posted 6300 and I guess 00 can be omitted (?))
My server has 7065, which is completely different.
Yes, 00 can be ignored!
7065?
Are you sure this is a package query?

I believe it's the answer from the server to the query!

I changed the script; it now works for all servers running on port 7777!

If your server runs on another port you can send me a PM! I'll help you!
Old 29/08/2017, 11:05 PM   #29
Kaperstone
Banned
 
Join Date: May 2011
Location: Russia
Posts: 3,011
Reputation: 824
Default Re: Firewall Cookie Flood Connection

Quote:
Originally Posted by RDM View Post
Yes, 00 can be ignored!
7065?
Are you sure this is a package query?

I believe it's the answer from the server to the query!

I changed the script; it now works for all servers running on port 7777!

If your server runs on another port you can send me a PM! I'll help you!
Yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that it's not 6300 but 7063

EDIT: @RDM I can send the full dump if needed.
Old 29/08/2017, 11:13 PM   #30
RDM
Huge Clucker
 
Join Date: Apr 2014
Location: my github: https://github.com/Edresson
Posts: 236
Reputation: 36
Default Re: Firewall Cookie Flood Connection

Quote:
Originally Posted by Kaperstone View Post
Yeah, I ran `tcpdump -t -n -v -XX udp dst port 7777`, I went one by one and saw that it's not 6300 but 7063

EDIT: @RDM I can send the full dump if needed.
send me

All times are GMT.