Files

> > CS2D > Lua Scripts > Null-packet Protection
Files overviewCS2D overviewLua Scripts overview

English Null-packet Protection >

37 comments6 kb, 590 Downloads

old Null-packet Protection

Lee
Moderator Off Offline

If you're running a linux dedicated server and you don't have root access to set up iptable rules to mitigate these recent DoS attacks, you can now fix this from within Lua.

Just drop patch.so into sys/lua/patch.so and add
1
require 'sys.lua.patch'

into server.lua.

IMG:https://i.imgur.com/E37R9hE.png


Notice how the server is still processing new packets after null-packets are sent into it.
Approved by Yates

Download Download

6 kb, 590 Downloads

Comments

37 comments
Page
To the start Previous 1 2 Next To the start

Log in!

You need to log in to be able to write comments!Log in

old

Lee
Moderator Off Offline

@user mrc: That seems like something that's outside of the control of CS2D servers. What's the characteristic of the attack? Do you have any logs? Does the CS2D software crash or does your server go down? Part of the process is to play cat-and-mouse with the attacker; at the end of the day, it's far easier for you to mitigate something than for the other side to reverse-engineer what you're doing.

If the attacker really is using a stress-testing tool, there's very little maneuverability on his end. Log the traffic, find the pattern, drop those packets, rinse and repeat. At some other point in the future, he'll do it again, generalize the pattern and drop the new packets. Since there's a finite set of options the attacker can vary, and since each attack combinatorially reduces that option-space, it'll eventually get to a point where it becomes prohibitively expensive for him to keep on adapting to your changes.

old

GeoB99
Moderator Off Offline

@user mrc: There are two things that rely to this problem. The first one is how you set up / configure the iptables correctly. Setting up few iptable settings isn't enough to have your server protected from DoS attacks (unless those aren't huge in terms of their request payload).

Another thing that relies to this problem is how powerful is your machine. This can't be solved though (or not in a clean / easy way). The main concept in the realm of DoS is basically this: eating computer resources as much as you can. When someone tries to launch DoS or (D)DoS attacks - by botnets, all the wave of packet requests floods the victim's machine sucking all the rest of computing resources until the machine cannot respond any more. There's a possibility if your machine is more powerful and with a big bandwidth it may resist to such attacks but you can't be sure 100%.

What can I do anyway?: Set up the iptables at correct configuration and other preventive modules as much as possible. Whenever in case if your server gets down, use a restart script for this. This won't protect your server but at least it restarts the server if it is down. There aren't other alternatives.
I like it!

old

mrc
User Off Offline

I already have iptables, people use websites like ipstresser to crash servers. Its easy and free, thats why its a huge problem.

old

TopNotch
User Off Offline

@user mrc Yes, unless you already had the iptables configured on your machine.
I like it!

old

Mami Tomoe
User Off Offline

@user mrc: only for null (empty) attacks

old

mrc
User Off Offline

Let me get this straight, this script causes dedicated to continue working after the attack? And without it the dedicated stops working after the attack?

old

DC
Admin On Online

@user mrc: There is no efficient protection against real DDoS attacks and there will never be one unless the entire internet changes completely. This script protects your server from empty package attacks which are a well known way to make CS2D servers unreachable.

user Lee provided me with very helpful information on how to possibly fix this issue (thank you very much again!) in the actual CS2D software so hopefully I'm able to fix it with the next release. Until then it's very advisable to either use this protection script or to completely block all empty UDP packets with firewall rules as described on http://www.cs2d.com/security.php

old

Lee
Moderator Off Offline

No, it shouldn't crash from null-packets anymore

edit: I don't want to just make empty promises, so here's an experiment I did on myself to see if I can take myself offline.

IMG:https://i.imgur.com/Hyf8gR9.png?1


The server is at 45.33.108.162, I don't have iptable rules configured for the null packet (if I did, the server log wouldn't have caught it), and as you can see, subsequent join requests are processed as normal and Rickamonster is still doing fine.
edited 1×, last 29.02.16 04:42:53 am

old

mrc
User Off Offline

I mean, with this script the server won't crash anymore (DDoS attacks)?

old

Lee
Moderator Off Offline

@mrc, this should prevent crashes, what's your use-case? I made this specifically after seeing your thread.

old

BcY
Reviewer Off Offline

Thanks so much,i dont have an exact word to say that how useful it will be for me.
I like it!

old

mrc
User Off Offline

This prevent crashes?
edited 1×, last 29.02.16 12:43:04 am

old

THEMUD
User Off Offline

Cool and useful, good job!
I like it!

old

GeoB99
Moderator Off Offline

Pretty useful, I can say.
I like it!

old

Lee
Moderator Off Offline

DC is fixing it, this is meant to be a temporary patch until the problem is fixed.

old

VADemon
User Off Offline

Too bad CS2D doesn't handle it internally and the patch cannot be used across different versions.

Current version: 1.0.0.1 ONLY!
I like it!

old

Yates
Reviewer Off Offline

Very useful for those who are not or cannot into Linux.
I like it!
To the start Previous 1 2 Next To the start