Blocking DoS attacks of Quake 3 server on Windows Server 2008

Discussion in 'Forum for discussion of ANTICHAT' started by begin_end, 25 Jan 2015.

  1. begin_end

    begin_end Green member

    Joined:
    4 Jan 2007
    Messages:
    265
    Likes Received:
    638
    Reputations:
    476
    Blocking DoS attacks of Quake 3 server on Windows Server 2008


    For many years I was located a small Quake 3 Arena server. It was used for the needs of the local games and technical experiments with settings and modules of this great game.

    And so, in lately more and more I began to notice at it a problem. Then suddenly the application process terminated, the CPU resources ended. Thinking at first a problem with the configuration file or the log-file I looked at them and everything was fine, except that log over the years increased to an unacceptable value, has been cleared. Restarting the process quake3.exe does not reduce CPU usage. And then was run WireShark. Was at once detected the highest network activity in the form of UDP packets to port 27960, opened by quake server. Packets were the quake protocol and contained a getstatus request. At this request, the server should reply packet quake with current information about the server (server version, map name, number of players, etc.). The getstatus packet size is small - 64 bytes, but the answer to it - more than 500 bytes. That is, an attacker can cause a traffic using a small back, almost ten times larger.

    [​IMG]
    The situation requires action, it is necessary to avoid flood packets to the quake server.

    Was reviewed manifestations problems on other resources. It turned out that the phenomenon usually, but fight it out unsystematically. For ioquake solution is embedded in the application itself, but I have a normal quake. On game hosting used some scripts, but not posted, and there linux. And in general, all the possible solution to the problem could be only under linux, normal for such servers. This means that the solution must be sought for himself.

    Problem description.

    In the beginning there were attempts to manually block bad IP address. This proved to be meaningless, since they are often changed and rarely recur. But was noted by one feature, some attackers have source port 2980, which is blocking some help. Generally, blocking incoming traffic in Windows 2008 Server proceed as follows:

    At the interface with the external IP...
    [​IMG]

    Via input filters...
    [​IMG]

    Accept all packets, except...
    [​IMG]

    And the addition of IP-filter to the original network (here attacker's IP).
    [​IMG]

    It would be nice to automate these steps. What was found equivalent of console command, through the netsh program:
    Code:
    netsh routing ip add filter name="[I][COLOR=Green]INTERFACE_NAME[/COLOR][/I]"[/COLOR][/COLOR][/COLOR]
    [COLOR=Wheat][COLOR=Wheat][COLOR=Wheat]filtertype=input srcaddr=[I][COLOR=Green]IP.ADDRESS.OF.ATTACKER[/COLOR][/I] srcmask=255.255.255.255
    dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=ANY


    This console command excellent adds input filter on Windows 2003. However, on Windows 2008, it needs to be run from the command line, running from the explorer.exe, otherwise netsh has no routing option. But how we do automatically add the IP filter by this command? It requires programming.

    A small console application "Quake 3 flood detector" was developed. Application responds to getstatus and getinfo UDP flood, blocking IP of flooder for a second since the beginning of the flood.

    [​IMG]

    You can specify the threshold of flooding, ie the number of requests per second (RPS) which are considered to a flood. Just specify the IP of your Quake 3 server (which is searched for flood), the name of the BAT file (which is automatically entered the value of IP, with the launch) and the list of ignored IP (usually a master-servers of quake 3, which can sometimes exceed the RPS threshold).

    To use the application on Windows 2008 Server is enough: specify the name of the network interface in the file iplock.bat, in config.txt to specify IP of Quake 3 server, to hide the console or not, his master server (its IP). If there is more than one quake server, you will need to increase the number of RPS, it should not be less than the number of servers, multiplied by 4. The shortcut to q3fd.exe placed in startup or using third-party utility creates a standard service based on it. It depends on how organized autostart additional server programs in the system, such as the same quake3.exe.

    The Quake 3 flood detector 1.0 1.1 program q3flooddetect_10_exe_src.zip (44KB 72KB), along with configuration files and commented source code files (Delphi 7).
     
    _________________________
    #1 begin_end, 25 Jan 2015
    Last edited: 16 Dec 2017
    2 people like this.
  2. begin_end

    begin_end Green member

    Joined:
    4 Jan 2007
    Messages:
    265
    Likes Received:
    638
    Reputations:
    476
    The program was significantly updated.

    [​IMG]

    Information about changes and new version is available here.
     
    _________________________