SA-MP Forums

Old 24/08/2017, 10:08 PM   #101
Fungi
Big Clucker
 
Join Date: Dec 2014
Location: USA
Posts: 49
Reputation: 41
Default Re: Connection flood

Stop suggesting to disable cookie logging. This is just a horrible idea.
SA-MP really needs an update, or at least let us know if it has been abandoned.
Old 24/08/2017, 10:19 PM   #102
-Shifty-
Huge Clucker
 
Join Date: Sep 2012
Posts: 323
Reputation: 39
Default Re: Request connection cookie flood

Quote:
Originally Posted by donB View Post
Already a lot of threads started coming up on this. In fact, even my server log reads the similar IPs connection cookie flood. Seems to be an organised flood attack on all the SA-MP servers of hosted tab (Not sure if they would like to obtain all SA-MP servers list from SACNR Monitor). I see many posts of owners and even others stating that Firewall Ban of those specific IP ranges would temporarily fix the issue. Of course, that is a good solution for now.

Please correct me if I'm wrong, but I observed that not all servers are getting affected in terms of lag, heavy player time-outs, inability of players to connect, etc. Most of the DDoS protected servers seem to be free from any sort of effects.
Yes, about 30% (30 players) could still connect before I blocked the ranges. My playerbase increased to 105 within 30 minutes when I blocked the ranges.
Old 24/08/2017, 10:19 PM   #103
TommyB
Banned
 
Join Date: Sep 2010
Location: Texas, USA.
Posts: 192
Reputation: 228
Default Re: Connection flood

Quote:
Originally Posted by Fungi View Post
Stop suggesting to disable cookie logging. This is just a horrible idea.
SA-MP really needs an update, or at least let us know if it has been abandoned.
Why is it a horrible idea? Knowing whether or not someone has requested a connection cookie is fucking useless, especially when there's a flurry of spoofed connections coming from multiple different IPs. The logging of these connections lags the SA-MP server if there are too many of them, so turning off logging is an incredibly viable solution. Of course, if you're running your server off shitty hardware and a weak connection you'll still be affected whether you have logging disabled or not, but there's still no reason to keep them enabled if they're lagging your server. I have had cookie logging disabled for over a year and guess what? My server has never fallen victim to these attacks, weird isn't it?

SA-MP does need an update, sure. I'd love to see SA-MP's multitude of bugs and exploits fixed, but SA-MP's release pattern has absolutely nothing to do with these attacks.
Old 24/08/2017, 10:23 PM   #104
-Shifty-
Huge Clucker
 
Join Date: Sep 2012
Posts: 323
Reputation: 39
Default Re: Attack | requests connection cookie.

Quote:
Originally Posted by WarZ View Post
Eeh? That will fix the problem?
And he must be a VPS owner (I guess).
Yes, it will block the ranges of the attacking IP addresses. You however might need to manually allow a few IP addresses from players. The lines can be removed once the attacks are over.
Old 24/08/2017, 10:54 PM   #105
donB
Huge Clucker
 
Join Date: Nov 2010
Location: Down the Street!
Posts: 361
Reputation: 60
Default Re: Request connection cookie flood

Quote:
Originally Posted by Pizzy View Post
My server is running fine with no speed or lag, it's perfect once you connect - but the whole querying of the server on the client looks as if the server is lagging or not responding - but connecting is perfectly fine.
True. I'm not able to query the server using 3rd party Android apps as well.
Old 25/08/2017, 12:32 AM   #106
TommyB
Banned
 
Join Date: Sep 2010
Location: Texas, USA.
Posts: 192
Reputation: 228
Default Re: Attack | requests connection cookie.

Quote:
Originally Posted by Pizzy View Post
That doesn't fix or help the attack. That makes it so you just can't see that an attack is happening in your server console.
Logging cookies when there's a spam of connections like in the OP's log causes a bottleneck within the SA-MP server due to how many messages are being printed at once. Disabling said logging helps tremendously with that, however if your server's network can't handle the many connections at once, you're obviously going to experience issues.
Old 25/08/2017, 01:08 AM   #107
Pizzy
Huge Clucker
 
Join Date: May 2012
Posts: 357
Reputation: 115
Default Re: Attack | requests connection cookie.

Quote:
Originally Posted by TommyB View Post
Logging cookies when there's a spam of connections like in the OP's log causes a bottleneck within the SA-MP server due to how many messages are being printed at once. Disabling said logging helps tremendously with that, however if your server's network can't handle the many connections at once, you're obviously going to experience issues.
Sure, it'll help the smallest possible bit - you won't even notice the difference it makes by turning it off.

Just saying some people may look at this thread, see a comment saying 'turn cookie logging off' and think they've fixed it - definitely not the case.
Old 25/08/2017, 02:56 AM   #108
TommyB
Banned
 
Join Date: Sep 2010
Location: Texas, USA.
Posts: 192
Reputation: 228
Default Re: Attack | requests connection cookie.

Quote:
Originally Posted by Pizzy View Post
Sure, it'll help the smallest possible bit - you won't even notice the difference it makes by turning it off.

Just saying some people may look at this thread, see a comment saying 'turn cookie logging off' and think they've fixed it - definitely not the case.
Sure, more information could be given instead of just telling people to disable cookie logging along with why it can and can't work. I think you're underestimating how well turning logging off actually works if that's the only issue (e.g., your server's connection can handle the constant connections).

About a year ago, I was hit with a flood of connections and it ended up freezing my server up while it was populated with around 150 players. Through trial and error I figured out that disabling the logging of said cookies completely eliminated the issue. My server has ample hardware and a great connection as well, which is why the issue went away without a hitch.

If your server isn't powerful enough to handle a multitude of connections at a time, it won't run properly. Shocker. Disabling the logging won't do jack shit if that's the case, but if the SA-MP server is the only bottleneck then turning cookie logging off will fix it.
Old 25/08/2017, 03:14 AM   #109
fr0stG
Little Clucker
 
Join Date: Jun 2017
Posts: 9
Reputation: 3
Default Re: Attack | requests connection cookie.

Quote:
Originally Posted by -Shifty- View Post
Temporarily block the following ranges from your server:

180.0.0.0/8
181.0.0.0/8
186.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8

Usage:
Code:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='180.0.0.0/8' reject"
firewall-cmd --reload
Do any of you people realize what you are doing when you're blocking these IPs? A /8 CIDR prefix consists of 16 million IP addresses. And it spans from 180.0.0.0 -> 180.255.255.255.

So in layman's terms: You're blocking EVERY single IP address that begins with 180, 181, 186, 190, 200, 201. That means you're likely going to block legitimate users as well.

Not only that, you're wasting time by blocking these. SA-MP uses UDP, which doesn't have a 2- or 3-way handshake to verify IP address sources (like TCP does). Meaning: these IPs are probably not even real, probably spoofed from a network that allows IPv4 header forgery.

When our server was under this type of attack, I saw attacks coming from IPs that could not possibly be legitimate, e.g. US Department of Defense. So most of the time these IPs aren't even real.

Instead, actually look at what TommyB has posted to mitigate the problem. The issue stems from the fact that you're overloading a single-threaded x86 process by forcing it to write to disk/file hundreds of times a second.

If you're on decent hardware, this should mitigate the problem entirely. We (RC-RP) faced this problem almost a year ago and we mitigated it using that technique. We're also not affected by it and we're on the hosted list too.


On the off chance these IPs are real (which I doubt they are; some belong to NTT Communications and they're not responding to ICMP nor any other service), here's a better list to block that doesn't block 100 million IPs:


PHP Code:
[root@eu ~]# cat list | awk '{print $5}' | awk -F ':' '{print $1}' | sort | uniq | awk -F "." '{print $1"."$2"."$3"."0"/24"}'

Last edited by fr0stG; 25/08/2017 at 03:50 AM.
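An added example, not part of any post in this thread: it puts numbers on the /8 versus /24 comparison made in post #109 by building both block lists from logged cookie requests and counting the addresses each one rejects. The log line format, the function names, and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an assumed server-log format. Addresses come from the
# RFC 5737 documentation ranges, not from the thread.
SAMPLE_LOG = """\
[22:10:01] [connection] 192.0.2.15:51234 requests connection cookie.
[22:10:01] [connection] 192.0.2.200:40211 requests connection cookie.
[22:10:01] [connection] 198.51.100.7:1025 requests connection cookie.
[22:10:02] [connection] 203.0.113.99:60000 requests connection cookie.
[22:10:02] [connection] 198.51.100.7:1026 requests connection cookie.
[22:10:02] Incoming connection: 203.0.113.5:7777
"""

COOKIE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ requests connection cookie")

def cookie_sources(log_text):
    """Count cookie requests per source address; other lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        match = COOKIE_RE.search(line)
        if not match:
            continue
        try:
            hits[ipaddress.IPv4Address(match.group(1))] += 1
        except ipaddress.AddressValueError:
            continue  # digits that look like an address but are not one
    return hits

def covering_blocks(hits, prefix_len):
    """Distinct networks of the given prefix length that contain a source."""
    return sorted({ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
                   for ip in hits})

def compare(log_text):
    """Summarise what a /24 list and a /8 list built from the log would reject."""
    hits = cookie_sources(log_text)
    per24, per8 = covering_blocks(hits, 24), covering_blocks(hits, 8)
    return {
        "requests": sum(hits.values()),
        "unique_sources": len(hits),
        "rules_24": [str(net) for net in per24],
        "blocked_by_24": sum(net.num_addresses for net in per24),
        "blocked_by_8": sum(net.num_addresses for net in per8),
    }

if __name__ == "__main__":
    print(compare(SAMPLE_LOG))
```

Because UDP source addresses can be forged, as the post points out, these counts describe the collateral each list causes, not who actually sent the traffic.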
Old 25/08/2017, 03:59 AM   #110
cuber
Gangsta
 
Join Date: Oct 2016
Posts: 849
Reputation: 213
Default Re: Attack | requests connection cookie.

Well said TommyB and fr0st.