Tutorial VALVE DDOS PROTECTION (99.9%)

anderpp

New Member
Feb 4, 2021
Asphyxia!

This is nothing new ....
If you have an HLDS server and have monitored the packets, you will understand what I'm talking about.
Below are examples of how this communication occurs:

When the player opens CS 1.6 and has the server saved in the favorites list, the following sequence occurs.
Player request  ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00 (TSource)
Server response ff ff ff ff 6d
Server response ff ff ff ff 49

Sometimes it happens this way:
Player request  ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00 (TSource)
Server response ff ff ff ff 6d
Server response ff ff ff ff 49
Player request  ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00 (TSource)
Server response ff ff ff ff 6d
Server response ff ff ff ff 44
Server response ff ff ff ff 49

When the player clicks on the server to see details, such as players, time, scores...
Player request  ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00
Server response ff ff ff ff 6d
Server response ff ff ff ff 49
Player request  ff ff ff ff 55 ff ff ff ff (a2s_player)
Server response ff ff ff ff 41
Player request  ff ff ff ff 55
Server response ff ff ff ff 44

When the player clicks on the server to connect:
Player request  ff ff ff ff 54 53 6F 75 72 63 65 20 45 6E 67 69 6E 65 20 51 75 65 72 79 00
Server response ff ff ff ff 6d
Server response ff ff ff ff 49
Player request  ff ff ff ff 67 65 74 63 (getc challenge)
Server response ff ff ff ff 41
Player response ff ff ff ff 63

I test the request tolerance, but it is still difficult to find a suitable term. I don't test this on anyone, even though these are resources of the game itself. Refreshing the server list is the most natural thing in the world. What people don't know is that it generates a TSource request.
Even if I use an auto-clicker to build the rule, I will never come close to what happens in a spoofed attack.
My two servers have sometimes crashed from excessive TSearch packets from spoofed IPs.
Can I upload two attack logs that I captured with tcpdump?
They are 110 MB and 215 MB, on a Google Drive link.
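The three sequences quoted above, turned into a small decoder plus a defender-side heuristic. This is an added example, not code from the thread or from HLDS: the byte values it labels (0x54 TSource query, 0x6d and 0x49 info replies, 0x55 player query, 0x41 challenge, 0x44 player reply, the getc... challenge command and 0x63 connect) come from the lines above and the public A2S protocol notes, and the getstatus command is the one mentioned later in the thread. The server address, the player address, the challenge value and the whole traffic mix are constructed. The heuristic rests on the challenge round trip shown in sequence 2: a spoofed sender never receives the ff ff ff ff 41 reply addressed to the forged IP, so it can never echo it back, whereas a real client that opens the player list does.

```python
"""Decode the HLDS query packets quoted in the thread and flag sources that
behave like a spoofed query flood.  Added example, not code from the thread or
from HLDS.  Header bytes and commands come from the thread and the public A2S
protocol notes; the server address, player address, challenge value and traffic
mix are constructed."""
from collections import defaultdict

HEADER = b"\xff\xff\xff\xff"           # every connectionless HLDS packet starts with -1
SERVER_IP = "203.0.113.10"             # constructed server address

# Kind by the byte that follows the header (the byte the thread lists per line).
BINARY_KINDS = {
    0x54: "A2S_INFO request (TSource Engine Query)",
    0x55: "A2S_PLAYER request",
    0x41: "S2C_CHALLENGE",
    0x49: "A2S_INFO response",
    0x6d: "A2S_INFO response (GoldSource format)",
    0x44: "A2S_PLAYER response",
    0x63: "connect request",
}
# Text commands: 'getc...' is the GoldSrc getchallenge command the thread shows
# as 67 65 74 63; getstatus is the Quake-style query seen only in the flood.
TEXT_KINDS = (
    (b"getstatus", "getstatus request (not part of HLDS)"),
    (b"getc", "getchallenge request"),
)


def classify(payload: bytes) -> str:
    """Label a raw UDP payload, or return 'invalid' if it is not HLDS-framed."""
    if len(payload) < 5 or not payload.startswith(HEADER):
        return "invalid"
    body = payload[4:]
    for prefix, kind in TEXT_KINDS:
        if body.startswith(prefix):
            return kind
    return BINARY_KINDS.get(body[0], "unknown")


def find_suspicious_sources(packets, min_queries=10):
    """packets: (src, dst, payload) tuples in capture order.
    A source is suspicious when it sends at least min_queries query packets and
    never echoes a challenge the server issued to it.  A spoofed sender never
    receives the ff ff ff ff 41 reply addressed to the forged IP, so it cannot
    complete the A2S_PLAYER round trip that a real client completes when it
    opens the player list (sequence 2 in the thread)."""
    queries = defaultdict(int)
    issued = {}            # client -> last 4-byte challenge the server sent it
    completed = set()      # clients that sent that exact challenge back
    for src, dst, payload in packets:
        kind = classify(payload)
        if src == SERVER_IP:
            if kind == "S2C_CHALLENGE" and len(payload) >= 9:
                issued[dst] = payload[5:9]
            continue
        if kind.startswith(("A2S_INFO request", "A2S_PLAYER request", "getstatus")):
            queries[src] += 1
        if kind == "A2S_PLAYER request" and payload[5:9] == issued.get(src):
            completed.add(src)
    return sorted(ip for ip, n in queries.items() if n >= min_queries and ip not in completed)


def build_sample_traffic():
    """Constructed capture: one real player refreshing favourites 12 times and then
    opening the player list, plus 50 forged addresses each sending getstatus and
    TSource queries whose replies are reflected to hosts that never asked."""
    info_req = HEADER + b"TSource Engine Query\x00"
    real = "198.51.100.7"
    pk = []
    for _ in range(12):                                        # sequence 1: list refresh
        pk.append((real, SERVER_IP, info_req))
        pk.append((SERVER_IP, real, HEADER + b"m"))            # reply bodies omitted
        pk.append((SERVER_IP, real, HEADER + b"I"))
    pk.append((real, SERVER_IP, HEADER + b"U\xff\xff\xff\xff"))   # sequence 2: ask for a challenge
    pk.append((SERVER_IP, real, HEADER + b"A\x1a\x2b\x3c\x4d"))   # constructed challenge value
    pk.append((real, SERVER_IP, HEADER + b"U\x1a\x2b\x3c\x4d"))   # echo it back
    pk.append((SERVER_IP, real, HEADER + b"D"))
    for i in range(1, 51):
        forged = f"192.0.2.{i}"
        for _ in range(6):
            pk.append((forged, SERVER_IP, HEADER + b"getstatus"))
            pk.append((forged, SERVER_IP, info_req))
            pk.append((SERVER_IP, forged, HEADER + b"I"))     # reflected reply
    return pk


if __name__ == "__main__":
    flagged = find_suspicious_sources(build_sample_traffic())
    print(f"{len(flagged)} sources flagged, e.g. {flagged[:3]}")
```

On the constructed capture the real player sends 14 queries, more than the threshold, but is left alone because it echoed the challenge; all 50 forged addresses are flagged. In a real capture the same counter would be fed from the pcap rather than a list, and the threshold tuned against the clean captures Asphyxia asks for later in the thread.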
 

Asphyxia

Owner
Administrator
Apr 25, 2015
> I can upload two attack logs that I did with tcpdump?
> They are 110mb and 215mb, link google drive.

Yes, please upload these to Google Drive or somewhere I can download to review, also:

[attached screenshot: 1612581410120.png]

So this makes me realize they are using UDP for this, I think what should be done is we should limit the use of the UDP-related protocol to 1 request every minute for example for the particular refresh (or whatever is causing the crash).

This would then prevent the IP spoofing and UDP flooding from being as effective, wouldn't you think so?

Do you also have crash logs, by chance? Like when the server goes off on you, does it generate any type of error inside a log file to hint to us "Closed due to incomplete... blah blah"?
 

anderpp

New Member
Feb 4, 2021
There are no crash logs.

What happens is... With the excessive number of TSearch packets sent and fake ff ff ff ff packets flooding the UDP port, the server kicks or bans all the players who are playing.

The message everyone receives is:

You have been disconnected from the server
Reason: Banned or move commands flooding (burst)
 

Asphyxia

Owner
Administrator
Apr 25, 2015
> Reason: Banned or move commands flooding (burst)

[attached screenshot: 1612583276084.png]

I am analyzing this UDP traffic in logs now.

[attached screenshot: 1612583356067.png]



Do you know, specifically in your capture, did you identify a specific IP or spoofed IP origin, so I can more quickly start analyzing the source's logs and more easily find what they're doing to cause this?
 

anderpp

New Member
Feb 4, 2021
All the getstatus requests come from spoofed IPs and are not part of the HLDS structure (CS 1.6).

The start is marked by the flood of these getstatus, and the next ones are TSearch.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
> [...] 75 65 72 79 00
> The start is marked by the flood of these getstatus and the next ones are T Search

I am doing packet comparisons, do you have clean-only traffic also?

Are any of those files clean? Just trying to see indicators to block off safely... without wrecking the game.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Have you noticed all the QUIC stuff related to the port under 'Expert Information'?

[attached screenshot: 1612588563106.png]

Do you use WireShark or something else to review pcaps?

I use both WireShark and Colasoft Capsa

Just strange to see in the 'Expert Info' these errors compared to not seeing these in the clean capture. Then again, looks like the clean caps are smaller.
 

anderpp

New Member
Feb 4, 2021
> Have you noticed all the QUIC stuff related to the port under 'Expert Information'?
>
> [attachment 3196]
>
> Do you use WireShark or something else to review pcaps?
>
> I use both WireShark and Colasoft Capsa
>
> Just strange to see in the 'Expert Info' these errors compared to not seeing these in the clean capture. Then again, looks like the clean caps are smaller.

I use WireShark.
Yes, I see; this protocol is not even part ... I believe this started to happen after the system went into lapse.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
[attached screenshot: 1612597042227.png]

This is a pretty cute graph showing the traffic / packet capture.

After we looked into this, looks like we may need to use hashlimit to rate limit UDP connections per IP.

There appears to be either UDP reflection / amplification going on here or maybe a botnet attack just straight flooding UDP requests.

Essentially, if we can limit the rate of these, similar to the Ruby script, I think this will have us all set.

Please let me know if I can help make the iptables rules to protect your server ;)

Also, when you are finished with your rules, can you post them here so others can protect their servers? If not, that is okay too.
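What a per-IP hashlimit would and would not do against the traffic described in this thread, as an added example (not the Ruby script mentioned above and not anyone's iptables rules). It is a token-bucket limiter with the semantics of the real iptables match `-m hashlimit --hashlimit-mode srcip --hashlimit-upto <rate>/sec --hashlimit-burst <burst>`, run over a constructed stream: one real player refreshing the favourites list (two TSource queries a few milliseconds apart, as the captures earlier in the thread show) and a 500 packets/s flood. The rate, burst, addresses and timings are assumptions. The third scenario is the caveat a practitioner needs: when every flood packet carries a fresh forged source, a per-source bucket never runs dry, and switching to a single shared bucket cuts the flood but also drops the real player's packets.

```python
"""Per-source rate limiting with the semantics of the iptables hashlimit match,
simulated over a constructed packet stream.  Added example, not the forum's
Ruby script or anyone's iptables rules.  Rates, burst, addresses and timings
are assumptions; the only real identifiers are the hashlimit option names
quoted in comments."""


class HashLimit:
    """Token bucket modelled on
    `-m hashlimit --hashlimit-mode srcip --hashlimit-upto <rate>/sec --hashlimit-burst <burst>`.
    mode="srcip" keeps one bucket per source address; mode="global" keeps a single
    shared bucket (hashlimit with no --hashlimit-mode, or plain `-m limit`).
    Time is integer milliseconds and tokens are thousandths, so the arithmetic is exact."""

    def __init__(self, rate_per_sec, burst, mode="srcip"):
        self.rate = rate_per_sec          # millitokens per millisecond == tokens per second
        self.cap = burst * 1000
        self.mode = mode
        self.buckets = {}                 # key -> (millitokens, last_seen_ms)

    def allow(self, src, t_ms):
        """True if the packet is under the limit (the hashlimit match succeeds)."""
        key = src if self.mode == "srcip" else "*"
        tokens, last = self.buckets.get(key, (self.cap, t_ms))
        tokens = min(self.cap, tokens + (t_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[key] = (tokens - 1000, t_ms)
            return True
        self.buckets[key] = (tokens, t_ms)
        return False


def legit_refreshes(src, count, interval_ms=2000):
    """A real player refreshing the favourites list: each refresh sends two
    TSource queries about 50 ms apart, so a burst below 2 already drops real traffic."""
    pkts = []
    for i in range(count):
        t = i * interval_ms
        pkts += [(t, src), (t + 50, src)]
    return pkts


def spoofed_flood(pps, seconds, src_pool=1):
    """Flood at `pps` packets per second from 192.0.2.0/24 (constructed addresses).
    src_pool=1 repeats one address; src_pool=250 rotates through 250 forged ones."""
    step = 1000 // pps
    return [(i * step, f"192.0.2.{i % src_pool + 1}") for i in range(pps * seconds)]


def simulate(limiter, packets):
    """Feed a time-ordered merge of the streams; return {src: (allowed, dropped)}."""
    stats = {}
    for t, src in sorted(packets):
        a, d = stats.get(src, (0, 0))
        stats[src] = (a + 1, d) if limiter.allow(src, t) else (a, d + 1)
    return stats


def summarize(stats, prefix):
    """Total (allowed, dropped) over all sources whose address starts with prefix."""
    rows = [v for k, v in stats.items() if k.startswith(prefix)]
    return (sum(a for a, _ in rows), sum(d for _, d in rows))


def run_scenarios(rate=3, burst=5):
    """Three scenarios, each reporting (allowed, dropped) for the player and the flood."""
    player = legit_refreshes("198.51.100.7", count=10)            # 20 packets over 18 s
    single = spoofed_flood(pps=500, seconds=5, src_pool=1)         # 2500 packets, one source
    rotating = spoofed_flood(pps=500, seconds=5, src_pool=250)     # 2500 packets, 250 sources
    out = {}
    for name, mode, flood in (("srcip, single source", "srcip", single),
                              ("srcip, rotating spoofed sources", "srcip", rotating),
                              ("global, rotating spoofed sources", "global", rotating)):
        stats = simulate(HashLimit(rate, burst, mode), player + flood)
        out[name] = {"player": summarize(stats, "198.51."),
                     "flood": summarize(stats, "192.0.2.")}
    return out


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:34s} player(allowed, dropped)={res['player']}  flood={res['flood']}")
```

With 3 packets/s and a burst of 5, the single-source flood is cut to about 20 packets over its 5 seconds while the player loses nothing; the same rule passes every one of the 2500 packets when the sources rotate, because each forged address gets only two packets per second. That is why the per-IP limit alone is not enough against spoofed floods and why the challenge-based fix and ReHLDS rate limiting raised later in the thread matter.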
 

kalle

high minded
Contributor
Oct 28, 2015
HLDS servers are vulnerable to a reflected amplification attack, where an attacker can forge UDP packets and spam the game server from spoofed addresses.
Recently they proposed a fix that is being tested by the community. https://steamcommunity.com/discussions/forum/14/2974028351344359625/

Also, I wrote something on my blog about this and a PoC.

Note: this only works for legal servers; servers that support non-Steam clients are probably not going to work with this.
A better alternative to this is ReHLDS, which has support for request rate limiting.
 