Tutorial VALVE DDOS PROTECTION (99.9%)

[NatureNMoon]

Hi everyone

I saw many people who have some serious issues for valve games like CSGO, RUST etc...
If you are providing VALVE GAMES and under attack, please use the iptables rule set below;

If you do not have IPTABLES or IPSET, or you are not sure if you have them or not, please use the command line below;

For CentOS:

yum install iptables && yum install ipset

For Ubuntu/Debian:

apt-get install iptables && apt-get install ipset

Here is the iptables rule set for VALVE GAMES(Read the detailed description in the script)
Please put the bash script into a file called r4p3-valve.sh;
There is a command line "-d r4p3" in the bash script, please change it by using your external ip address. For example; "-d 67.67.67.67" or whatever it is.

#!/bin/bash
# Daniel Q. - Nature N Moon - Valve DDOS Protection - R4P3.NET
# Use this command line "chmod 777 r4p3-valve.sh && ./r4p3-valve.sh"
# The IPTABLES script has been created to keep the Valve Servers alive by Natuere N Moon in R4P3.NET
# Your SSH port must be 22
# Your web applications must be 80 or 443
# File Transfer Port: 21
# There is a command line "-d r4p3" in the bash script, please change it by using your external ip address. For example; "-d 34.34.34.34" or whatever it is.

echo "R4P3 VALVE RULE SET HAS BEEN SUCCESSFULLY STARTED"
ipset create valve_allowed hash:ip hashsize 2097152 maxelem 40000000 timeout 259200

iptables -N R4P3_VALVE -t raw
iptables -N VALVE -t raw

iptables -A PREROUTING -t raw -j R4P3_VALVE

iptables -A R4P3_VALVE -d r4p3 -t raw -m set ! --match-set valve_allowed src -j VALVE

iptables -A VALVE -t raw -p tcp -m multiport --dports 21,22,80,443,27015:27030,27036:27037 -j RETURN
iptables -A VALVE -t raw -p udp --sport 53 -m length --length 750:65535 -j DROP
iptables -A VALVE -t raw -p udp ! --sport 53 -m hashlimit --hashlimit-upto 7/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name r4p3_valve --hashlimit-htable-max 2000000 -m string --string "TSource" --algo kmp -j SET --add-set valve_allowed src
iptables -A VALVE -t raw -m set ! --match-set valve_allowed src -j DROP

echo "R4P3 VALVE RULE SET HAS BEEN SUCCESSFULLY DONE"

How to start?

chmod 777 r4p3-valve.sh && ./r4p3-valve.sh

 

[danieljc]

What script do you really do?

 

[NatureNMoon]

What script do you really do?

This script is for all VALVE games such as, CSGO, RUST, CS1.6, etc..
If you provide one of these, you can use the script above to protect your servers from all ddosers.

 

[User_38581]

iptables -A VALVE -t raw -p tcp -m multiport --dports 21,22,80,443,27015:27030,27036:27037

Can I ask how come ports 27015:27030 are having -p tcp? Shouldn't they be under -p udp as port on which clients connect to on server? Or Im mistaken?

 

[NatureNMoon]

Can I ask how come ports 27015:27030 are having -p tcp? Shouldn't they be under -p udp as port on which clients connect to on server? Or Im mistaken?

the action is RETURN instead of using ACCEPT action, everyone MUST USE -j RETURN action.
You may check my thread about IPTABLES https://ciphers.pw/threads/about-iptables.8014/
So about your question: For example, you want to protect your VALVE games, but you must protect your other ports except valve's ports, like 22 ssh tcp, 80 http tcp etc..
The command line says 21,22,80,433... can pass without mitigating but the rest must be checked by the other rules. As I mentioned above, check my thread about IPTABLES

Also, sometimes, STEAM VALVE sends some verifications packets that's why I let 27036-27037 tcp come in. When you use SYNPROXY for TCP traffic. SYNPROXY is going to block SYN floods, so you can just -j RETURN these ports from your raw chain in PREROUTING.

Sincerely.

 

[applestar]

Its not working, because in your code unset variable "VALVE"

 

[NatureNMoon]

Its not working, because in your code unset variable "VALVE"

Please use the command line below to create VALVE chain on RAW PREROUTING;

iptables -N VALVE -t raw

 

[Ptx]

I am thinking about creating a similar version of this for Firewalld, but before use a lot of time on that, have anyone else done this already?..

 

[applestar]

Please use the command line below to create VALVE chain on RAW PREROUTING;

iptables -N VALVE -t raw

Why, after applying this script, the connection speed dropped very much when I connect to filezilla I wait almost a minute until I connect via SFTP or SSH to port 22.
But after the reboot command, all connections work quickly.

 

[NatureNMoon]

Why, after applying this script, the connection speed dropped very much when I connect to filezilla I wait almost a minute until I connect via SFTP or SSH to port 22.
But after the reboot command, all connections work quickly.

It may be about SELinux, you may disable it. The rule contains 22 RETURN, there is no way to affect your connection to SSH 22 TCP.

 

[applestar]

I testing on debian 8 , Ubuntu 16.04 same results

It may be about SELinux, you may disable it. The rule contains 22 RETURN, there is no way to affect your connection to SSH 22 TCP.

 

[applestar]

I think error in line
iptables -A VALVE -t raw -p udp ! --sport 53 -m hashlimit --hashlimit-upto 7/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name r4p3_valve --hashlimit-htable-max 2000000 -m string --string "TSource" --algo kmp -j SET --add-set valve_allowed src

"valve_allowed src -j RETURN"

 

[NatureNMoon]

I think error in line
iptables -A VALVE -t raw -p udp ! --sport 53 -m hashlimit --hashlimit-upto 7/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name r4p3_valve --hashlimit-htable-max 2000000 -m string --string "TSource" --algo kmp -j SET --add-set valve_allowed src

"valve_allowed src -j RETURN"

my post above , please do it it will be fixed.

 

[anderpp]

hello gentlemen,

Any special rules for cs 1.6 that block a2s?

ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00 ( TSource Engine Query ),
ff ff ff ff 55 (a2s_Player) and ff ff ff ff 56 (a2s_rules)

Both are problems. What irritates is that to block these attacks a limit and limit-burst show the server status as not responding, even if the server has not crashed.

 

[Asphyxia]

even if the server has not crashed

What OS you hosting on and do you have a packet capture by chance?
Also to make sure I get you, people are sending A2S flooding packets right

 

[Asphyxia]

Also I found some Ruby that someone claims fixed this but it’s REALLY old so may not work?

#!/usr/bin/env ruby

#Path to iptables
iptables = 'sudo /sbin/iptables'
#Servers we want to enter in to the firewall
servers = [
          {:ip => '127.0.0.1',
          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]},
          {:ip => '127.0.0.1',
          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]}
          ]
#clear old stuff
`#{iptables} -F`

### default rule for established connections
`#{iptables} -A OUTPUT -m state --state established,related -j ACCEPT`
`#{iptables} -A INPUT -m state --state established,related -j ACCEPT`
###

### put ips you want to allow bypassing all these rules here
#`#{iptables} -A INPUT -s myip -j ACCEPT`
#`#{iptables} -A INPUT -s my_ip -j ACCEPT`
##

### local connections
`#{iptables} -A INPUT -s 127.0.0.1 -j ACCEPT`
#
#
servers.each do |server|
  ip = server[:ip]
  server[:ports].each do |port|
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -j DROP`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -j DROP`
  end
end

You could rate limit the specific stuff though like at the bottom of the script surely? Just a guess

 

[anderpp]

Also I found some Ruby that someone claims fixed this but it’s REALLY old so may not work?

#!/usr/bin/env ruby

#Path to iptables
iptables = 'sudo /sbin/iptables'
#Servers we want to enter in to the firewall
servers = [
          {:ip => '127.0.0.1',
          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]},
          {:ip => '127.0.0.1',
          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]}
          ]
#clear old stuff
`#{iptables} -F`

### default rule for established connections
`#{iptables} -A OUTPUT -m state --state established,related -j ACCEPT`
`#{iptables} -A INPUT -m state --state established,related -j ACCEPT`
###

### put ips you want to allow bypassing all these rules here
#`#{iptables} -A INPUT -s myip -j ACCEPT`
#`#{iptables} -A INPUT -s my_ip -j ACCEPT`
##

### local connections
`#{iptables} -A INPUT -s 127.0.0.1 -j ACCEPT`
#
#
servers.each do |server|
  ip = server[:ip]
  server[:ports].each do |port|
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -j DROP`
    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -j DROP`
  end
end

You could rate limit the specific stuff though like at the bottom of the script surely? Just a guess

I don't have the records
system linux ubuntu 16.04
these rules are old, I flood by clicking refresh and don't drop any packages.

 

[anderpp]

currently i use this>

iptables -A INPUT -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -m limit --limit 5/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j DROP
iptables -A INPUT -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -m limit --limit 5/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j DROP

 

[Asphyxia]

currently i use this>

Very beautiful, so are you telling me you can flood yourself - so could we for example generate some example flooding activity and check this out with a PCAP (packet) analysis tool?

I'd be curious to inspect this with you to help create rules to block this.

 

[anderpp]

Asphyxia!

This is nothing new ....
If you have Hlds Server and monitored the packages you will understand what I'm talking about.
Below are examples of how this communication occurs:

When the player opens the cs 1.6 and considering that he has registered the server in the list of favorites, the following sequence occurs.
Player request ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00 (TSource)
Server Response ff ff ff ff 6d
Server Responde ff ff ff ff 49

Sometimes it happens this way
Player request ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00(TSource)
Server Response ff ff ff ff 6d
Server Responde ff ff ff ff 49
Player request ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00(TSource)
Server Response ff ff ff ff 6d
Server Response ff ff ff ff 44
Server Responde ff ff ff ff 49

When the player clicks on the server to see details, such as players, time, Scores...
Player request ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00
Server Response ff ff ff ff 6d
Server Responde ff ff ff ff 49
Player request ff ff ff ff 55 ff ff ff ff (a2s_player)
Server response ff ff ff ff 41
Player request ff ff ff ff 55
Server response ff ff ff ff 44

When the player clicks on the server to connect
Player request ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00
Server Response ff ff ff ff 6d
Server Responde ff ff ff ff 49
Player request ff ff ff ff 67 65 74 63 ( getc challenge )
Server response ff ff ff ff 41
Player response ff ff ff ff 63

I test the request tolerance, but it is still difficult to find a suitable term. I don't test this on anyone, even though these are resources of the game itself. Refreshing the server list is the most natural thing in the world. What people don't know is that it generates a TSource request.
Even if I use the auto click to elaborate the rule, I will never come close to what happens in a spoofed attack.
My two servers have crashed sometimes with excessive requests for spoofed ips TSearch packages.