Game server under attack
I run a gaming server on CentOS. It's the most popular server in my game, and some people who don't like that have been attacking it daily. It's being done by spoofing or spamming some kind of packet to the server.
The game server process continues to run on the CentOS server, but it no longer appears on the game list and players cannot connect to it. I have no idea where to begin figuring out how this is being done and how to stop it. Any ideas? [REMOVED] Thanks for any guidance you can provide. I've been dealing with this for months and it's starting to drive me crazy (and ruin my server). |
You should have an iptables firewall up and running to allow only the ports the server needs for your 'game'.
Check your log files (/var/log/httpd etc.) and post the results; also post your "iptables -L" or "cat /etc/sysconfig/iptables". |
I'm curious why you wrote 'game' instead of game, lol. If you're actually interested I could PM you the server info and you can check it out. Anyway, thank you for your help so far.
I looked in the /var/log/httpd folder and there are a few files there. I'm not sure exactly what I'm looking for though. Sorry - could you be more specific please (I'm an admitted noob)? This is what I get when I do "iptables -L" (I assume it's default since I've never touched it): Code:
Chain INPUT (policy ACCEPT)
Code:
# Load additional iptables modules (nat helpers) |
First off, welcome to LQ Security. The output of those two commands shows that you are not running any sort of firewall on your system. In terms of administering a public facing server, running a game or 'game' server is tantamount to putting a bulls-eye target on yourself as they are frequently targeted for all sorts of ill activity, including DOS (Denial of Service) type attacks. As an admitted noob, you will face extra, but not insurmountable, challenges in dealing with it.
The first order of business will be to determine the type of attack you are being exposed to. You mentioned that some form of packet is being spammed or spoofed to your server. Could you please be more specific? How did you determine you were being attacked, what do these packets look like, what effect are they having, are they coming from one particular source or multiple sources, etc. Please be verbose in your description and provide as much detailed information as you possibly can. LQ Security has some extremely knowledgeable people and we can certainly help you with this problem, but we prefer and will need to deal with facts. To that end, as much specific information as you can provide will be helpful. |
I'll try to answer all of your questions.
I know I'm under attack because these same people have been attacking my server for about a year now. Originally it was a chat flood, where they used a little script to spam in-game chat messages fast enough to make the game server crash (not the centos server, but the "game server" running on it... not sure if there is better terminology for that distinction). This is an independently developed game, so I have access to the developer and was able to get him to patch that. Then they proceeded to start "spoofing" other players' in-game logins, and since those credentials are used to assign administrative rights to certain players, spoofing those players allowed them to do all sorts of things like mass banning players, changing server settings to the point of crippling the game and making it unplayable, etc. The developer was able to patch this also. As far as the current attack, I'm less clear on exactly how they're doing it. The effect is that my server is unresponsive to the main-gameserver-tracking-server-the-developer-owns, so it disappears from the in-game server list, and it also becomes unresponsive to players who try to play on it or join it. However, the process continues running on centos. I do know that it's this same group with another attack, based on forum chatter and "the grapevine", and I say that they are doing it by sending packets for a few reasons. 1- I'm hearing that it's done via a winsock application. 2- I'm also hearing that these same people have been DOSing other servers (not sure whether that conflicts with #1). 3- The game logs (not the centos logs, which I'm pretty unfamiliar with, but the mediocre game server logs that document the in-game action and minor game server stuff) don't really show anything, unlike the previous chat spam attacks that were visible in the logs. I don't know what the packets look like per se. I also don't know whether they're coming from one source or multiple sources. 
Since I don't use this server for anything but gaming, what I'd really like to do is completely lock down everything else on the server... so that it basically ignores any packets that aren't sent to this specific application, but also logs any packets that are spammed at this application in case that's what is happening. I also want to make sure nobody can connect to the server in any way except for the game... meaning email services, http stuff, cron, anything that would allow my server to be controlled remotely (again, not that familiar with centos yet), and any possibility of other users or accounts existing on the system. Of course, I don't know what I'm talking about in the slightest, but a complete lockdown sounds really good right now, and like I said, I'm not using any of that stuff. EDIT: I should have also mentioned that I'm running centos on a VPS, since that might matter. |
If you have a gui installed (something like a windows desktop) you should be able to use the system-config-firewall to get you started with locking down the system. Just remember to make sure you don't block the remote desktop port you're using! (Made that mistake a number of times myself.) If it's not installed just do a
Code:
yum -y install system-config-firewall |
Anyway, I've received some more information indicating that this is being done with a UDP dos attack, presumably on the port from which the game is running on my server. Does anyone know how I can log and stop this type of attack? |
Code:
netstat -ntulpe
Code:
chkconfig --list | grep "$(runlevel|awk '{print $2}'):on"; |
I like wireshark for getting a screen dump of all traffic, but how useful this is will be a function of whether you can capture data when there isn't much 'good' traffic and a lot of 'bad' traffic. It will be very helpful to know what the attack packets actually look like, because, for some cases there will be simple iptables blocks, and for others it would be more involved. Obviously, you should be trying to progress to a more secure situation, and a firewall will be an important part of that whatever the current attack looks like, but, if you are under attack currently, that must have a degree of priority.
All that 1) means, if true, is that they are using Windows. Not that helpful as a way of countering the threat. 2) means that there is a rumour that the same people have been using a denial of service attack of some sort. Even if it can be relied upon, that doesn't tell you very much (can you rely on the idea that it isn't a DDoS... I doubt it, unless you know more about the technical capability of the person who gave you the report, and whether it is a DoS or a DDoS does make a difference in how easy it is to take short-term measures against). 3) isn't all that helpful, either, unless the implication is that the game developer can again enhance the logs to help you. |
netstat -ntulpe
Code:
Active Internet connections (only servers)
Code:
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off |
If that is correct, then I will need to be able to log when packets are flooded that way, check what IP the packets came from, and then completely block any future packets from that IP so that they don't enter the server and reach the gaming software that is running on it. |
Code:
*filter
Code:
#!/bin/sh --
Code:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak && cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables && /etc/rc.d/init.d/iptables restart
- Do adjust limits if you find a lot of logged "IN_lim " lines in /var/log/messages.
- Also see http://wiki.centos.org/HowTos/Network/IPTables, http://www.centos.org/docs/5/html/De...-US/ch-fw.html and http://www.frozentux.net/iptables-tu...-tutorial.html for a basic understanding of Netfilter / iptables.
- While you're at it run 'yum install logwatch' and run your logs through it. Not related to you getting DoSsed but it would be good to see if there's other things to address. |
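As an added example (not unSpawn's ruleset, whose body did not survive in this thread), the script below generates an iptables-save style file of the kind discussed above: loopback and SSH allowed, the game's UDP port rate-limited with excess logged under the "IN_lim " prefix, everything else dropped. It also includes the check the OP asked for, counting which source address shows up most in those log lines. The port numbers and the sample log lines are assumed placeholders.

```shell
#!/bin/sh --
# Added example, not the ruleset posted in the thread. gen_rules prints an
# iptables-save style file: loopback and SSH in, the game's UDP port
# rate-limited (excess logged with the "IN_lim " prefix), all else dropped.
# Port numbers are assumed placeholders; adjust them to your own server.
gen_rules() {
  game_port="$1"   # assumed: the UDP port the game server listens on
  ssh_port="$2"    # assumed: your remote-admin port; never lock yourself out
  cat <<EOF
# Generated by iptables-save v1.3.5 on Sat Oct 15 00:00:01 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport ${game_port} -m limit --limit 200/s --limit-burst 400 -j ACCEPT
-A INPUT -p udp --dport ${game_port} -m limit --limit 5/min -j LOG --log-prefix "IN_lim "
-A INPUT -p udp --dport ${game_port} -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN_drop "
COMMIT
EOF
}
# Caveat: "-m limit" is a single global bucket, so a flood also starves new
# legitimate players; per-source hashlimit is finer, and a spoofed SRC cannot
# be blocked by address at all. Use the counts below to learn which case you have.

# Count source addresses in "IN_lim " lines (busiest first): the "which IP is
# flooding the game port" check the OP asked for.
top_sources() {
  grep 'IN_lim ' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG target writes to /var/log/messages
# (documentation address ranges, not real traffic).
sample_messages() {
  cat <<'EOF'
Oct 15 00:01:02 michigan2 kernel: IN_lim IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=40001 DPT=27015 LEN=24
Oct 15 00:01:02 michigan2 kernel: IN_lim IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=40002 DPT=27015 LEN=24
Oct 15 00:01:03 michigan2 kernel: IN_lim IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=5000 DPT=27015 LEN=24
Oct 15 00:01:03 michigan2 kernel: IN_drop IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=4444 DPT=23
Oct 15 00:01:04 michigan2 kernel: IN_lim IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 PROTO=UDP SPT=40003 DPT=27015 LEN=24
EOF
}
# Usage: gen_rules 27015 22 > /etc/sysconfig/iptables.new, review it, then load
# it with the iptables-restore line from the thread; top_sources /var/log/messages
```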
When I try to enter:
/sbin/iptables-restore < /etc/sysconfig/iptables.new
I get this message:
Code:
[root@michigan2 ~]# /sbin/iptables-restore < /etc/sysconfig/iptables.new |
I'm no longer getting that error now that I input the iptables text you gave me directly in centos using the vi tool, instead of saving it in a text editor. Now I am getting an error that -i can't be used with output. When I remove -i, I get another error saying "lo" is a bad argument.
|
Oops.
0) It's missing a "# Generated by iptables-save v1.3.5 on Sat Oct 15 00:00:01 2011" line before the "*filter" line,
1) Should be "-A OUTPUT -o lo -j ACCEPT".
If you change the loopback line then you should be able to execute the script like before. If that doesn't work try
Code:
#!/bin/sh -- |