TransWikia.com

How to identify IP from a UDP-based DoS

Information Security Asked by Nihas on December 26, 2021

I’m running a Counter-Strike server on UDP port 27015. I’m using Amazon AWS to host the game server. I have added only my friends’ IPs (about 50 of them) to a security group, so the rest of the traffic is always blocked.

My enemy is spoofing my players’ IPs and sending UDP floods. He sends them from 3-4 IPs.

I’m currently capturing IPs with tcpdump and blocking them manually.

For example:

  • I capture packets using tcpdump and then save them in a pcap file

  • I analyze that file and check the length of each packet

  • If an incoming packet’s length is more than 600, I manually block the IP

    0.007450 192.168.168.2 → 183.83.145.212 UDP 240 27015 → 54491 Len=991

But it takes too long to do this manually.

Is it possible to get those IPs using a shell script or something, so I can block them?

4 Answers

In general, when you are spoofed with a legitimate IP address (in your case, your friend’s), what you can do is an analysis of the IP TTL values, and then see whether your defense system allows you to put in ACLs or rules that allow operations on TTLs, such as < > = a certain value. If this does not work, you will probably need to go to rate-limiting solutions.

Answered by camp0 on December 26, 2021

The best thing you can do is to save these captures and send them to the attacker’s ISP, asking them to take measures.

You can do nothing at your end to stop the attacker (without making a big DDoS-protection solution).

As long as the ISP allows the attacker to spoof his source addresses, the attack can continue. The thing you should check before sending the captures is whether it is a direct attack or a reflected one. In the case of a reflected attack the ISP is a victim itself (although that could still mean there is a badly protected service on the ISP side that should be reconfigured). Direct attacks consist of packets directed at your network (like a TCP SYN or plain UDP flood). Reflected attacks are seen as unexpected replies (like big DNS responses with no corresponding requests).

The more analysis you do on your side, the more seriously the ISP representative will take it, and the faster your issue will be solved.

Answered by Iron on December 26, 2021
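The three checks discussed so far (the asker’s packet-length threshold, camp0’s TTL analysis and Iron’s direct-versus-reflected distinction) can all be run over one tcpdump capture. The script below is an added example for this thread, not code from the original post or any of the answers. It assumes the capture was written with `tcpdump -nn -v udp port 27015` (recent Linux tcpdump prints one IP-header line followed by one UDP line per packet, which is the format parsed here); the server address 192.168.168.2 is taken from the output line in the post; every client address, TTL and size in the sample capture is constructed, and the threshold and reflector-port list are assumptions.

```python
"""Triage a tcpdump -nn -v capture of UDP traffic to a game server port.

Added example for this thread, not code from the post or its answers.  The
server address comes from the post; the capture text, client addresses, TTLs
and the reflector-port list are constructed assumptions.
"""
import re
from collections import defaultdict

SERVER_IP = "192.168.168.2"
SERVER_PORT = 27015
FLOOD_MIN_LEN = 600                              # the post's "flood" threshold
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}    # services commonly abused for reflection

# First line of a tcpdump -v record: timestamp, then IP header fields in parentheses.
HDR_RE = re.compile(r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+),.*?length (?P<iplen>\d+)\)")
# Second line: "    src.sport > dst.dport: UDP, length <payload bytes>"
UDP_RE = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)")


def parse_tcpdump(text):
    """Pair each IP-header line with the UDP line that follows it; one dict per packet."""
    packets, hdr = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            hdr = m
            continue
        m = UDP_RE.match(line)
        if m and hdr:
            packets.append({"ts": hdr["ts"], "ttl": int(hdr["ttl"]),
                            "src": m["src"], "sport": int(m["sport"]),
                            "dst": m["dst"], "dport": int(m["dport"]),
                            "len": int(m["len"])})
            hdr = None
    return packets


def inbound(packets):
    """Only packets addressed to the game port; the server's own replies are just as big."""
    return [p for p in packets if p["dst"] == SERVER_IP and p["dport"] == SERVER_PORT]


def flood_sources(packets, min_len=FLOOD_MIN_LEN):
    """The post's manual check: source addresses of oversized inbound packets."""
    return sorted({p["src"] for p in inbound(packets) if p["len"] > min_len})


def spoofed_ttls(packets, min_len=FLOOD_MIN_LEN):
    """camp0's TTL check: for each known player (an address that also sends
    normal-sized packets), the TTLs seen only on oversized packets.  A real
    player's packets arrive with a stable TTL; a flood claiming the same address
    but arriving with another TTL comes from a different hop distance, i.e. is spoofed."""
    baseline = defaultdict(set)
    for p in inbound(packets):
        if p["len"] <= min_len:
            baseline[p["src"]].add(p["ttl"])
    suspect = defaultdict(set)
    for p in inbound(packets):
        if p["src"] in baseline and p["len"] > min_len and p["ttl"] not in baseline[p["src"]]:
            suspect[p["src"]].add(p["ttl"])
    return {src: sorted(ttls) for src, ttls in suspect.items()}


def reflected_sources(packets):
    """Iron's direct-vs-reflected check: inbound packets from a reflector service
    port that answer no request the server ever sent to that address."""
    requested = {(p["dst"], p["dport"]) for p in packets if p["src"] == SERVER_IP}
    return sorted({p["src"] for p in inbound(packets)
                   if p["sport"] in REFLECTOR_PORTS and (p["src"], p["sport"]) not in requested})


def iptables_rules(packets, min_len=FLOOD_MIN_LEN):
    """Host-level rules dropping only the spoofed TTL for each affected player,
    so the real player keeps playing (an AWS security group cannot match on TTL)."""
    return [f"iptables -A INPUT -p udp --dport {SERVER_PORT} -s {src} -m ttl --ttl-eq {ttl} -j DROP"
            for src, ttls in sorted(spoofed_ttls(packets, min_len).items()) for ttl in ttls]


# Constructed sample: 203.0.113.7 is a real player (TTL 52) whose address is also
# spoofed by a flood arriving with TTL 116; 198.51.100.23 is clean; 192.0.2.53 is a
# DNS reflector; the last record is the server's own (equally large) reply.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP (tos 0x0, ttl 52, id 1001, offset 0, flags [DF], proto UDP (17), length 108)
    203.0.113.7.27005 > 192.168.168.2.27015: UDP, length 80
12:00:01.000350 IP (tos 0x0, ttl 116, id 2, offset 0, flags [none], proto UDP (17), length 1019)
    203.0.113.7.54491 > 192.168.168.2.27015: UDP, length 991
12:00:01.000360 IP (tos 0x0, ttl 116, id 3, offset 0, flags [none], proto UDP (17), length 1019)
    203.0.113.7.54491 > 192.168.168.2.27015: UDP, length 991
12:00:01.000500 IP (tos 0x0, ttl 48, id 7001, offset 0, flags [DF], proto UDP (17), length 92)
    198.51.100.23.27005 > 192.168.168.2.27015: UDP, length 64
12:00:01.000600 IP (tos 0x0, ttl 240, id 4, offset 0, flags [none], proto UDP (17), length 1019)
    192.0.2.53.53 > 192.168.168.2.27015: UDP, length 991
12:00:01.000700 IP (tos 0x0, ttl 64, id 9001, offset 0, flags [DF], proto UDP (17), length 1019)
    192.168.168.2.27015 > 203.0.113.7.27005: UDP, length 991
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    print("oversized from:", flood_sources(pkts))
    print("spoofed TTLs:  ", spoofed_ttls(pkts))
    print("reflected from:", reflected_sources(pkts))
    print("\n".join(iptables_rules(pkts)))
```

On the sample, the length check alone lists both 203.0.113.7 and 192.0.2.53, which is exactly why blocking by source address is the wrong move: 203.0.113.7 is a real player whose address is being spoofed. The TTL check separates the two streams on that address (TTL 52 is the player, TTL 116 is the flood), and the generated rule drops only the flood TTL. Two caveats: the TTL rule only works while the attacker sits at a different hop distance from the player, and a player’s TTL can shift after a routing change, so re-run the capture before trusting old rules. Neither TTL nor length can be matched in an AWS security group, so these rules belong in iptables on the instance itself; if real game packets never exceed the threshold, `-m length --length 601:65535` is a blunter rule that needs no per-address analysis.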

First you should look into the reason why the attacker has your friend’s IP in the first place. Ask your friend to change the IP, and make sure he is not leaking it again. Or ask him to use a VPN when he connects to your game server, and to use that VPN for nothing else, in case the attacker has access to a website (e.g. a clan website) that your friend uses regularly, which would leak his IP to the attacker. You should also ask Amazon AWS to help you block the attacks.

Answered by Martin Fürholz on December 26, 2021

You should look at a solution such as OSSEC or Fail2ban. It will do exactly what you want to achieve. However, UDP spoofing is difficult to block, because you can freely spoof the IP address.

Answered by Lucas Kauffman on December 26, 2021

