DDOS attack on ioquake3 servers


Postby RawShark » Thu Jan 12, 2012 2:08 am

I have come across the following scenario:

Your Quake 3 or ioquake3 server may be being used for a Distributed Reflection Denial of Service attack if attackers spoof some packets (with the target server's IP) and ask the gameserver to send all server information (about 2k of data). The gameserver sends all server information (500k of data). The attacker repeats this for thousands of gameservers.

Is it possible to have ioquake3 detect and avoid this kind of attack? This exploit has been around for several years and raises its head now and then. There is one of these attacks happening right now across thousands of Quake 3 servers, targeting several webservers (install and run iftop on your Linux server. Note that the amount of outgoing traffic is incredibly high on port 27960 if your server is being used in the attack).

I'd like to hear what people think about this. We have shut down our server to avoid the IP being blacklisted until a solution presents itself. I'm thinking ioquake3 should be patched in some way to detect this exploit? I can't really think of any combination of firewall rules to avoid the attack and keep the game server active.
RawShark
 
Posts: 18
Joined: Tue Feb 24, 2009 6:27 am
Location: Ireland

Re: DDOS attack on ioquake3 servers

Postby RawShark » Thu Jan 12, 2012 4:34 am

RawShark
 
Posts: 18
Joined: Tue Feb 24, 2009 6:27 am
Location: Ireland

Re: DDOS attack on ioquake3 servers

Postby Monk » Sat Jan 28, 2012 12:38 pm

In case anyone was curious, this was discussed on the mailing list as well:

http://lists.ioquake.org/pipermail/ioqu ... hread.html
http://lists.ioquake.org/pipermail/ioqu ... 04778.html
Monk
 
Posts: 340
Joined: Wed Aug 20, 2008 4:27 pm

Re: DDOS attack on ioquake3 servers

Postby Roi » Tue Feb 28, 2012 3:35 pm

We are experiencing the same problems with our ioq3 servers.

We have three servers running (OSP, RA3 1.76 and RA3 1.80) on two machines, see here: http://www.concarne.org/server/

The provider where we are hosting our machines wrote yesterday and today and informed us about DDoS attacks coming from our machines. After setting up a tcpdump we finally guessed today that it was the Quake servers.

We set up the iptables provided by RawShark and hope that this helps. At least the servers are still reachable and usable. Hope the iptables solution works.
Roi
 
Posts: 3
Joined: Tue Feb 28, 2012 11:07 am

Re: DDOS attack on ioquake3 servers

Postby RawShark » Wed Feb 29, 2012 3:10 am

There are additional rules, which you can add as well as the previous, which help decrease the attacks further:

iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_game
iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_game -j DROP

This looks out for something slightly different, but combined with the previous should halt nearly ALL unwanted traffic. You'll still have incoming requests from the spoofed IPs, but no traffic will go back out to the real IPs, hence no more DOS attacks from your server.

iftop is a good tool to use to see the traffic flows before and after applying. We use iftop -P, which shows ports as well as hosts.

Hope this helps.
RawShark
 
Posts: 18
Joined: Tue Feb 24, 2009 6:27 am
Location: Ireland

Re: DDOS attack on ioquake3 servers

Postby Roi » Wed Feb 29, 2012 1:01 pm

RawShark wrote:There are additional rules, which you can add as well as the previous, which help decrease the attacks further:

iptables -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_game
iptables -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_game -j DROP


Ah, thank you very much! I imagine that these two rules should be put behind this rule, right?

iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP


Well, as it does not go into the quake3_ddos chain, it does not really matter.

BTW: Why didn't you put these two rules into quake3_ddos to get all Q3 traffic into one chain?

RawShark wrote:This looks out for something slightly different, but combined with the previous should halt nearly ALL unwanted traffic. You'll still have incoming requests from the spoofed IPs, but no traffic will go back out to the real IPs, hence no more DOS attacks from your server.


Your rules did drop away a lot of traffic already, see here:

Chain quake3_ddos (1 references)
 pkts bytes target     prot opt in     out     source               destination
23326 1571K ACCEPT     all  --  any    any     anywhere             anywhere             u32 ! "0x1c=0xffffffff"
  39M 1631M            all  --  any    any     anywhere             anywhere             u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" recent: SET name: getstatus side: source
  39M 1626M DROP       all  --  any    any     anywhere             anywhere             recent: UPDATE seconds: 2 hit_count: 5 name: getstatus side: source
 111K 4772K ACCEPT     all  --  any    any     anywhere             anywhere


Whether it is enough, we don't know yet. We got another complaint from our hoster, but this was about the time we implemented the iptables rules yesterday evening.

I will put these rules into my iptables script, but first I'll wait for your comments on what the best design would be. ;-)

RawShark wrote:iftop is a good tool to use to see the traffic flows before and after applying. We use iftop -P, which shows ports as well as hosts.


Yeah, iftop is a pretty nice tool. Thank you for bringing this to our attention again. :-)
Roi
 
Posts: 3
Joined: Tue Feb 28, 2012 11:07 am

Re: DDOS attack on ioquake3 servers

Postby RawShark » Wed Feb 29, 2012 1:58 pm

As regards combining it all into one chain? Not really my forté, I don't understand iptables enough (everything so far is cut/paste from various forums). I bow on this to the superior knowledge of others - anyone want to present an "ultimate" firewall script for Quake 3 servers?
RawShark
 
Posts: 18
Joined: Tue Feb 24, 2009 6:27 am
Location: Ireland

Re: DDOS attack on ioquake3 servers

Postby Roi » Wed Feb 29, 2012 2:05 pm

RawShark wrote:As regards combining it all into one chain? Not really my forté, I don't understand iptables enough (everything so far is cut/paste from various forums). I bow on this to the superior knowledge of others - anyone want to present an "ultimate" firewall script for Quake 3 servers?


Same here. I can build more or less simple rules, but the rules you presented were a bit too high for me. So I am not really sure how to put the two rules into the set.

Can somebody help? ;)
Roi
 
Posts: 3
Joined: Tue Feb 28, 2012 11:07 am
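One way to put everything into a single quake3_ddos chain, as asked above. This is an added example, not a script from the ioquake3 project or from anyone in this thread. It assumes the game port is 27960, that incoming packets carry no IP options (so u32 offset 0x1c is the first UDP payload byte, as in the chain listing posted earlier) and that the kernel has the u32 and recent matches; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Consolidated quake3_ddos chain for one ioquake3 server (example, not an
# official script). IPT can be overridden, e.g. IPT=echo, for a dry run.
IPT="${IPT:-iptables}"

quake3_firewall() {
    port="${1:-27960}"   # assumed game port
    hits="${2:-5}"       # getstatus queries one source may send ...
    secs="${3:-2}"       # ... within this many seconds
    chain=quake3_ddos

    # Rebuild the chain from scratch so the script can be re-run safely.
    $IPT -D INPUT -p udp --dport "$port" -j "$chain" 2>/dev/null || true
    $IPT -F "$chain" 2>/dev/null || true
    $IPT -X "$chain" 2>/dev/null || true
    $IPT -N "$chain"

    # 1. Packets that do not start with the connectionless marker 0xffffffff
    #    are game traffic from connected clients: accept them untouched.
    $IPT -A "$chain" -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

    # 2. Record the source of every "getstatus" query. The u32 tests read
    #    payload bytes 4..12: "gets" at 0x20, "tatu" at 0x24, 's' at 0x28.
    $IPT -A "$chain" -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" \
        -m recent --set --name getstatus

    # 3. Drop sources over budget. A spoofed victim address never collects
    #    enough replies to be amplified, so the server drops out of the DRDoS.
    $IPT -A "$chain" -m recent --update --seconds "$secs" --hitcount "$hits" \
        --name getstatus -j DROP

    # 4. Everything else on the game port (getinfo, connect, ...) passes.
    $IPT -A "$chain" -j ACCEPT

    # Only the game port is sent through the chain.
    $IPT -I INPUT -p udp --dport "$port" -j "$chain"
}

quake3_firewall 27960 5 2
```

Run it as root once per boot; `iptables -nvL quake3_ddos` then shows the same counters as the listing above, and iftop -P confirms whether outbound traffic on the game port has dropped.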

Re: DDOS attack on ioquake3 servers

Postby Zob » Fri Mar 02, 2012 5:07 pm

Symptoms on the server I administer are: players suffer heavy lag (like their connection being cut) for several seconds every few minutes.
This seems to happen on ioq3 servers even with rate limiting patch.
Zob
 
Posts: 2
Joined: Fri Mar 02, 2012 4:55 pm

Re: DDOS attack on ioquake3 servers

Postby RawShark » Sat Mar 03, 2012 5:11 am

The above iptables rules stop outgoing traffic, which means your server no longer takes part in the DDOS. However, if you use the iftop tool, you will see that the INCOMING traffic from the spoofed IP addresses continues. If you have a lot of this incoming traffic, it would definitely cause lag on your server. You can create iptables rules to block the heavy hitters, but ultimately you should change the IP of your server and only list it publicly where absolutely necessary. These are my own thoughts on this, nothing definitive here.
RawShark
 
Posts: 18
Joined: Tue Feb 24, 2009 6:27 am
Location: Ireland
