Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Thanks, I have sent it to the email you asked me to.
So based on the PCAP this guy is just flooding the server with thousands of packets per second. I'm trying to limit the rate of packets one IP address can send, but it's not as straightforward as I had hoped.
I just want to make it so that the same IP address can't send me more than 100 packets per second. I found this:
But I've learned that the "hitcount" can not be set higher than 20 (which is much too low) without increasing the default value of ip_pkt_list_tot, which is located in /etc/modprobe.conf. And, OF COURSE, this file does not exist and can not be modified on an OpenVZ vps, which is what I have.
Wtf? Then how is limiting the rate of packets from a particular IP address done on OpenVZ servers? We're just a sitting duck for DOS attacks?
Last edited by smallgamer; 10-24-2011 at 04:52 AM.
Will --seconds take a decimal? If I can set it to 20 hits within .2 seconds, that would be the equivalent of 100 hits within 1 second, which is what I'm aiming for.
As for this attack, the tcpdump worked and I've got a log file now of the latest attack.
You didn't post the command you ran. And the capture encompasses a very short time frame. Less than half an hour is not exactly a rich data set on a well-used game server.
Quote:
Originally Posted by smallgamer
EDIT: Pcap file has been sent
Next time please contact me first to make drop-off arrangements. I don't care much for file sharing sites.
It is clearly visible when the attacker starts flooding the server with packets
In the stats above "client.15" (last octet) has a significant larger packet count compared to the two following players. Generating statistics for the first 3 players (and unless you managed to start tcpdump at the end of an attack the first line definitely is a capture error) with
So based on the PCAP this guy is just flooding the server with thousands of packets per second.
So discarding the first line it doesn't seem like client.15 exceeds any thresholds. Looking at data using Snort doesn't trigger anything. Wireshark doesn't show any interesting payload, except using a filter of
Code:
udp.length == 8
or in tcpdump
Code:
'udp && len<=46'
does show a sh*tload of payload-less packets. I wouldn't call it flooding, more like a set of bursts, as other players manage to get packets in as well. Now I haven't got any in-game experience wrt lag and players response times don't seem optimal anyway (we're talking the Unreliable Data Protocol) so I can't see how this would influence the game. And again, twenty minutes ain't exactly the amount of data to draw any conclusion from.
Quote:
Originally Posted by smallgamer
But I've learned that the "hitcount" can not be set higher than 20 (which is much too low) without increasing the default value of ip_pkt_list_tot, which is located in /etc/modprobe.conf. And, OF COURSE, this file does not exist and can not be modified on an OpenVZ vps, which is what I have. Wtf? Then how is limiting the rate of packets from a particular IP address done on OpenVZ servers?
modprobe.conf sets module loading parameters. If you can't load modules yourself then you can't change ip_pkt_list_tot yourself. Ask your provider. And please don't b*tch about OpenVZ here: nobody here forced you to rent one.
Quote:
Originally Posted by smallgamer
I'm trying to limit the rate of packets one IP address can send
Should you still want to block these packets, and given your past experiences with iptables modules, I suggest an alternative and that's using fail2ban plus Snort. You'll have to do the legwork yourself (install fail2ban and Snort, add your UDP ports to /etc/services, configure ports in /etc/fail2ban/jail.conf and an appropriate action in /etc/fail2ban/action.d/ for a rule searching for "CS_pkt_sz_lt_1", test the rule, set server IP address in snort_cs.conf) but as promised here's a Snort rule. You don't need any snort rule sets except this config and run snort with the (suboptimal: "-A fast") "-c /path/to/snort_cs.conf -A fast -q -K none -l /var/log" args:
Code:
var HOME_NET INSERTIPADDRESSHERE/32
var EXTERNAL_NET !$HOME_NET
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
portvar CS_PORTS [1200,27000:27050,28000,29000,36900:37000]
alert udp $EXTERNAL_NET any -> $HOME_NET $CS_PORTS (msg:"CS_pkt_sz_lt_1"; dsize: <1; reference:url,www.linuxquestions.org/questions/linux-security-4/game-server-under-attack-908100/; sid: 999999999; rev:1;)
[EDIT]
I. Alternatively you can also use a third party app like Guardian instead of fail2ban.
II. If you choose to block using Netfilter you could use a rule something like
Code:
-A INPUT -p udp -m length --length 0:8 -j DROP
though you've got to find out if --length needs the IP packet size (28) or the UDP size (8).
[/EDIT]
That's it for now.
Last edited by unSpawn; 10-25-2011 at 02:13 PM.
Reason: //Forgot alternatives.
You didn't post the command you ran. And the capture encompasses a very short time frame. Less than half an hour is not exactly a rich data set on a well-used game server.
It appeared to be long enough to see the attack and plenty of standard game packets surrounding it. Perhaps you would like to tell me the minimum time you need, information I was not given before.
Quote:
Next time please contact me first to make drop-off arrangements. I don't care much for file sharing sites.
I already complied with your request and sent it to your email, so I'm not sure what your point is here.
Quote:
And please don't b*tch about OpenVZ here: nobody here forced you to rent one.
I apologize profusely - I didn't realize my logical questions regarding OpenVZ's apparent dead end in this area would be so offensive to you.
I didn't come here to be berated, and while I appreciate your help, I would also appreciate it if you would show me the same common courtesy that I show you. I assume that we're both adults here and that's not too much to ask.
Quote:
So discarding the first line it doesn't seem like client.15 exceeds any thresholds.
I'm not sure I understand. My attacker, Client.15, sends 512 packets per second, over ten times as many as the others. Is that not the threshold in question?
Quote:
does show a sh*tload of payload-less packets. I wouldn't call it flooding, more like a set of bursts, as other players manage to get packets in as well. Now I haven't got any in-game experience wrt lag and players response times don't seem optimal anyway (we're talking the Unreliable Data Protocol) so I can't see how this would influence the game. And again, twenty minutes ain't exactly the amount of data to draw any conclusion from.
...
Should you still want to block these packets
Do you mean blocking these packets from other players? No, I'm not concerned about that. I want to block the udp packets that exceed 100/second from any one IP address, i.e., the ones sent by Client.15. Do those instructions for snort and fail2ban refer to blocking the packets from other players, or the DOS attack from Client.15?
Last edited by smallgamer; 10-25-2011 at 05:12 AM.
I'm not sure I understand. My attacker, Client.15, sends 512 packets per second, over ten times as many as the others. Is that not the threshold in question?
I said ditch the first reported line. And it's not 512 p/s, it's not even a sustained rate but, like I said before, bursts.
Quote:
Originally Posted by smallgamer
Do those instructions for snort and fail2ban refer to blocking the packets from other players, or the DOS attack from Client.15?
The Snort rule was tested against the contents of the full capture and only client.15 tripped it.
Quote:
Originally Posted by smallgamer
I want to block the udp packets that exceed 100/second from any one IP address, i.e., the ones sent by Client.15.
See 'man iptables' the "hashlimit" or "limit" module.
Thanks for the additional info. I'm sorry if my attitude was poor. I had just finished an exchange with this creep's ISP. They are STILL refusing to terminate his internet connection after nine reported attacks with logs (the previous form of attack showed up in the game server logs) over the course of the last eight months.
Last edited by smallgamer; 10-25-2011 at 03:26 PM.
I said ditch the first reported line. And it's not 512 p/s, it's not even a sustained rate but, like I said before, bursts.
I'm confused by this part. When I look at the PCAP file, I actually see thousands of packets per second coming from this IP. Isn't that what I need to stop?
Also, will these rules...
Code:
-A INPUT -p udp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m limit --limit 100/sec -j ACCEPT
-A INPUT -p udp -j DROP
... limit udp packets to no more than 100 per second from the same IP address, or will it limit udp packets to no more than 100 per second TOTAL from all IP addresses combined?
I'm confused by this part. When I look at the PCAP file, I actually see thousands of packets per second coming from this IP. Isn't that what I need to stop?
All commands used above are available from base or third party repos. So repeating analysis isn't hard. It is suggested you download 'tcpstat' and run it to confirm my conclusion is the right one or to refute it.
Quote:
Originally Posted by smallgamer
... limit udp packets to no more than 100 per second from the same IP address, or will it limit udp packets to no more than 100 per second TOTAL from all IP addresses combined?
All IP addresses:
rule 0. UDP traffic that is not part of an already established connection leaves the INPUT chain as accepted,
rule 1. all remaining UDP traffic (implied: --state ESTABLISHED) is limited to a maximum of 100 packets per second (regardless of destination port or source IP address) and then leaves the INPUT chain as accepted,
rule 2. any remaining UDP traffic then leaves the INPUT chain being dropped.
* Rules that have the biggest impact on performance should be placed at the start of the chain as much as possible (think --state ESTABLISHED). Rules that impact performance should use as narrow a filter as possible. Right now you'll also be limiting say DNS responses while CS2D runs on just a few destination ports. Source addresses that are not (repeat) offenders should not be "punished" for the antics of others.
All commands used above are available from base or third party repos. So repeating analysis isn't hard. It is suggested you download 'tcpstat' and run it to confirm my conclusion is the right one or to refute it.
I'm sure that I would get the same results if I entered the same command you did. I don't doubt that. What I don't understand is why the PCAP file shows thousands of incoming packets per second if the attacker isn't really sending thousands per second, or how stopping that flood of packets through rate limiting could be irrelevant to stopping his attack. I'm really not getting it yet, lol. Sorry if I'm being dense...
Quote:
All IP addresses:
rule 0. UDP traffic that is not part of an already established connection leaves the INPUT chain as accepted,
rule 1. all remaining UDP traffic (implied: --state ESTABLISHED) is limited to a maximum of 100 packets per second (regardless of destination port or source IP address) and then leaves the INPUT chain as accepted,
rule 2. any remaining UDP traffic then leaves the INPUT chain being dropped.
* Rules that have the biggest impact on performance should be placed at the start of the chain as much as possible (think --state ESTABLISHED). Rules that impact performance should use as narrow a filter as possible. Right now you'll also be limiting say DNS responses while CS2D runs on just a few destination ports. Source addresses that are not (repeat) offenders should not be "punished" for the antics of others.
Ok, I understand this part. So basically those rules won't do anything except make my server reject just about everybody's packets once a flood from an attacker puts me over 100 total packets per second. I can see how that's not a solution.
It seems like the only way I've found so far to rate limit packets on a per-IP-address basis is this:
Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
But that brings me back to the issue of not being able to set "hitcount" higher than 20 or "seconds" lower than 1, which is a problem since what I need to limit is IP addresses that send more than 75-100 packets per second, not IP addresses that send more than 20 packets per second (which is almost all of them in this game).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
