How to get access to the UDP socket stats in cstrike/hlds_l
Onno Kreuzinger
aka: memed / Server Admin
 
How to get access to the UDP socket stats in cstrike/hlds_l - 03-08-2004

Hi coders

i need help on making a very simple, yet efficient plugin, the anti DoS/dynamic iptables plugin.

i do need a very basic plugin accepting one argument, the number of connections per ip per second, each ip over this limit should be written to a simple textfile. this textfile will be used to generate iptables rules on the fly.

i looked everywhere, there is no patch or tool to limit the number of udp packets per second per ip in linux (or windows).

well as the name suggests it is a linux thingie, but since a lot of servers do run linux i think it's ok to suggest it.

i can spare the iptables scripts, a testserver and the common sense, i might even only need some basic framework and some explanations from where to get the number of packets efficiently.

i had different alternatives in mind which would not need coding inside hlds:
1) use netstat and grep to get some basic data (uhhhahah bad idea)
2) parse the hlds log file and extract the logged in ip's, allow those at full speed, set an iptables general limit for all other ips on the hlds port (would nuke your public ping probably, but the clan match can't be DoS'ed easily)

and last but not least they still can flood you, if they saturate your switch port, you are dead anyways


sunny morning view from my balcony:

see our WIKI!
see our filebase!

Last edited by Onno Kreuzinger; 03-08-2004 at 03:12..
  
BAStumm
Member
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 03-08-2004

hlds_l already has a method to limit queries per second both rcon and not and ip ban those that exceed the limits. You can even adjust the per second queries required to result in the ban.






  
Onno Kreuzinger
aka: memed / Server Admin
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 04-08-2004

oh nice, i must have missed that feature in the manuals (err the incomplete command list on counter-strike.net)

but my purpose is to limit the traffic on the firewall, which is in my case more robust against flooding, it has enough network i/o to survive the common ddos attacks, the gameserver gets stuck quite fast (~30 mbit udp flood)

but i just rechecked that .net cs page, it's now free of any command reference, did i miss something, where can i find it ?

cheers Onno


botman
Super Moderator
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 04-08-2004

Traffic on the outside port of the firewall is beyond anything that you can write an application for.

You can't prevent people from sending data to your network interface. The only thing you can control is what you send back (if anything) in response to packets hitting your server.

If your firewall is sophisticated enough, you can filter packets that get through by IP address, port number, protocol type, etc, but if there are packets that are supposed to get through normally, you probably can't configure the firewall to let some packets through and prevent others of the same type from getting through (unless you have a pretty expensive firewall).

Any of the packets that do get through, the standard Half-Life engine flood filtering will ignore packets that shouldn't be responded to (and you don't need to do anything else besides setting up the cvar flood control settings).

botman
  
Pierre-Marie Baty
Roi de France
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 04-08-2004

Quote:
Originally Posted by botman
unless you have a pretty expensive firewall
OpenBSD's packet filter can... and it's... (guess what?)... FREE!

</hype>

back on topic, I'm not sure you can come up with anything useful here, Onno. As botman says, the best and only place to deal with this is the firewall config. Don't let it even send back ACK packets to SYN requests on those you want to deny, perhaps that'll help cut the traffic down, but I wouldn't bet big on it.

The biggest problem here is UDP, which is a sort of "connectionless" protocol, meaning that the 2 talking don't need to exchange their intentions before sending anything. If a machine wants to tell you something in UDP, it'll send you the whole burst of data, without asking whether you're ready or not to receive it and without even wondering whether you're up or not. Doing anything at the TCP (protocol) level is useless, what you need to do must happen at the IP level and this can only be done by the firewall (or the OS kernel, if you're crazy enough)



RACC home - Bots-United: beer, babies & bots (especially the latter)
"Learn to think by yourself, else others will do it for you."
  
Onno Kreuzinger
aka: memed / Server Admin
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 05-08-2004

ok, now i got you on track, a drop is quite effective, it keeps the udp handling away from the stack and software, "even" the linux iptables is quite effective, i got this on a customer's server, his server gets flooded at 00:00 and 02:00 every night, all players leave and the fun "drops".
this night i simply used grep to get the ip's of authenticated users and put them in an allow list, all other udp traffic between 27000 and 27100 was dropped.
the system got quite smooth again, ssh did not lag any more, and the game was at least playable.
for my later "use", i can do more, i can make a drop rule on the gbit interface of the last hop.

technically the plugin should write two files with ip's, one with authenticated ip's and a second one with high connect ip's and some numbers (delta-long,delta-short,sum,repeat count), a simple bash "daemon" can read and parse this list and make iptables rules, if no alert is on, nothing is limited, only the usual ports left open rules.
as soon as the level rises all authenticated users are put on top of the iptables list as allowed ip's, all services are connection limited at moderate levels, if more different ips start flooding, all services are tightly connection limited, perhaps some services are taken down (*if* IRC/Bouncer/BNC,all mail stuff, ssl, dns) and hlds/27015 is only possible for authenticated players.

so i think it can help, and writing an iptables module for this is a much harder way to go
if it works its a killer feature

Cheers Onno



Last edited by Onno Kreuzinger; 12-08-2004 at 00:07..
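
The allow-list approach from the post above (take the authenticated players' IPs from the hlds log, allow them, drop all other UDP on 27000-27100), as an added example that is not part of the original thread. The connect-line format shown in the comment, the chain name `HLDS_GUARD` and the sample log are assumptions; the script only prints the rules for review.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes HLDS connect lines look like:
#   L 08/05/2004 - 00:01:12: "nick<12><STEAM_0:1:1001><>" connected, address "192.0.2.10:27005"
PORTS="27000:27100"   # UDP range named in the post
CHAIN="HLDS_GUARD"    # hypothetical chain name

# Constructed sample log (documentation-range addresses only).
sample_log() {
cat <<'EOF'
L 08/05/2004 - 00:01:12: "alice<12><STEAM_0:1:1001><>" connected, address "192.0.2.10:27005"
L 08/05/2004 - 00:01:40: "bob<13><STEAM_0:0:1002><>" connected, address "198.51.100.7:27005"
L 08/05/2004 - 00:02:03: "bob<13><STEAM_0:0:1002><CT>" say "<>" connected, address "203.0.113.99:27005"
L 08/05/2004 - 00:02:10: "alice<12><STEAM_0:1:1001><>" connected, address "192.0.2.10:27005"
L 08/05/2004 - 00:02:30: "eve<14><STEAM_0:1:1003><>" connected, address "999.1.1.1:27005"
EOF
}

# Unique IPv4 addresses from connect events only. Nicknames and chat text are
# player-controlled, so the pattern is anchored to the whole line and the
# quoted name may not contain a quote; anything else is ignored (fail closed).
extract_ips() {
    sed -n 's#^L [0-9/]* - [0-9:]*: "[^"]*" connected, address "\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\):[0-9]\{1,5\}"$#\1#p' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' | sort -u
}

# Print (do not apply) the rules: fill the chain first, hook it into INPUT
# last, so the DROP never takes effect before the allow entries exist.
emit_rules() {
    ips=$(extract_ips)
    echo "iptables -N $CHAIN"
    for ip in $ips; do
        echo "iptables -A $CHAIN -s $ip -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
    echo "iptables -I INPUT -p udp --dport $PORTS -j $CHAIN"
}

sample_log | emit_rules
```

On a real server the input would be the current hlds log file instead of `sample_log`; the chat line and the out-of-range address in the sample produce no allow entry.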
  
sfx1999
Member
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 06-08-2004

Quote:
Originally Posted by Pierre-Marie Baty
OpenBSD's packet filter can... and it's... (guess what?)... FREE!

</hype>
You need an avatar with a blowfish.
  
Pierre-Marie Baty
Roi de France
 
Re: How to get access to the UDP socket stats in cstrike/hlds_l - 06-08-2004

I already have the T-shirt


