Flooding attack

[Szaman]

@Bonecrusher - but we are now talking about people who hosts Soldat Servers by themselves. What shoud they do?

[Bonecrusher]

I suppose there is a firewall in almost every modern router, may take a while to block all the different ip's but it's possible.

example: http://www.dslreports.com/forum/r19798124-Creating-router-firewall-rules-to-block-IP-addresses

[Szaman]

OK, you can. But we are trying to find some universal (semi-)automatic solution for that problem.

Btw, can someone confirm that admin port (by TCP) is NOT used while normal gaming? I mean - if you play, you use only UDP communcation?

[Bonecrusher]

You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.

[Szaman]

OK. Thanks for info

[Bonecrusher]

Not sure if it will prevent flooding attacks, you will have to test it.

[Szaman]

Afaik those attack are via TCP. So blocking TCP port should prevent them.

[jrgp]

Hey guys, few times a very bad guy is trying to crash our server:

14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).

After server takes 98% of processor and its impossible to join.
Do you know this IP?
Do you know a way of protecting against this? Something another than iptables?

The Linux tool fail2ban can be configured to watch the soldat logfiles in realtime and automatically block IPs that do weird things like what you pasted. It adds a new chain to iptables which it manages by itself and adds IPs to (and optionally removes them after)

You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.

You also won't be able to download custom maps/sceneries.

[Szaman]

1. But fail2ban has a delay with checking the log (interval checking)
2. Soldat has also an interval of logs updating (next delay)
3. There are some cases when Soldat is not producing/updating logs while being attacked
4. Due to those delays Soldat server will crash minimum once
5. Am I wrong or the maps are maintained on the other port (admin port + 123 if I remember correctly) ?

[Bonecrusher]

5. TCP is join port + 10.

[jrgp]

1. But fail2ban has a delay with checking the log (interval checking)
2. Soldat has also an interval of logs updating (next delay)
3. There are some cases when Soldat is not producing/updating logs while being attacked
4. Due to those delays Soldat server will crash minimum once

You can use the functionality provided by CSF (a front end to iptables) that automatically blocks IPs which open too many connections during a set interval on a specific TCP port. That may help this.

Have you tried keeping a 'tcpdump dst port 23083' open that logs the mallicous traffic you're getting? Have you looked in dmesg to see if you're getting packet flooding that sets off messages in the kernel log?

[dominikkk26]

Hmm developers should give the option to choose ports for clients (administrators) when connecting.

[elMorvano]

Okay... Soldat killed me now totally. I know an EASY way to kill the server. I'll write only with devs about this. PRIV.

Probably without any protecion all servers will just go mad.

[Falcon`]

I didn't read the whole topic, but i had once a problem like this. Solution was to add some pre-soldat authentication system that would open the admin port for given IP address. In my case i've used port knocking

[Szaman]

@FalconPL: very good idea

[elMorvano]

Temporary solution against my way (ofc. I won't tell you which way, this can even kill your machine) is: run your soldatserver by soldatserver_legacy. Thanks.

And now my scripts don't work - GG. I'm really tired of Soldat's bugs T_T