
Preventing DoS (Denial of service) - reverse engineering



Hello,

I would like to cooperate with other programmers, testers and server owners to get rid of the annoying UDP socket flood. I will collect everything we know about this topic here to make our job of fixing it easier. I would like to ask everyone: if you know something about this topic in the game, then share your information. If you are a server owner, it would be nice of you to offer your server as a test one for this work.

So all I know now:

  - I have tested all servers on version 1.00 (where there are mostly only Windows servers): all Windows servers are fully lagged out; nubsmoo's Linux server seems to ignore the flood entirely.

  - The flood: any acceptable packet that a server can handle: getinfo, getstatus, getchallenge, ipAuthorize, rcon, connect, disconnect (I've tested with getinfo only, without any challenge parameter).

  - Every server had a smaller lag if I sent invalid packets (without \xFF\xFF\xFF\xFF, for example).

  - I have tested aluigi's hooked recvfrom() function, and I have edited it: if the attacker sends more than 200 packets in one second, then it drops any other packets until the application is quit.

    - This one made the server invisible for me after the flood, and made me 999 if I did the flood while being on the server, but I was able to flood later also. It made a smaller lag, but the server still lagged.

  - I don't know about 1.01 servers, but as I read earlier in this forum, the servers are vulnerable. Tell me if you have a non-vulnerable edition :)

  - nubsmoo's Linux server uses a non-release build (containing debug symbols and commands).


You maybe misunderstood me. I don't talk about really DoSing the router itself. I talked about valid JK packet flooding, like sending 100,000 getinfo packets in a second. I think the only prevention is limiting this socket communication per IP. Ofc this can be done before reaching the application itself (firewall etc.), but I'm sure this can be limited at application level also (like hooking the socket reader functions, or preventing the program from answering the packets repeatedly).


Oh, yeah, got it :) I wanted to implement the app limitation only, because 1.00 doesn't have it at all. I tested your server and some others on 1.01; it seems these servers have protection. Maybe a firewall rule, maybe a patch, I don't know. I asked my hosting now to put a better limit on UDP packets. Have you already checked the proxocket stuff (published by aluigi)? It creates its own recvfrom function and returns 0 size for packets that we want to drop. Luigi used it for the q3fill workaround. I created a limiter for all packets with this: it allowed 255 packets/second, then dropped everything. The strange thing is: it worked this way partially, it stopped packets before reaching the server (or they reached it, but with 0 size), but the server lagged anyway. So maybe this return 0 is not enough, but I don't know another way to prevent these packets reaching the server. It can attack only the server that you flood (only on the specified port), so it's not a router issue; that's why I tried to fix it myself with hooks :)

Thanks for the answers :)

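Two things in the posts above suggest a concrete defensive filter: packets without the \xFF\xFF\xFF\xFF connectionless header cost the server far less, and a global "drop everything after N packets until restart" cut-off takes the server offline for everyone instead of just the flooder. The following is an added example for this thread, not code from the original posts, from aluigi's proxocket, or from the game. It models in Python what a hooked recvfrom() filter could do: reject malformed packets outright, then apply a per-source token bucket that refills over time, so only the misbehaving address gets throttled. The addresses, the rate of 20 packets/second with a burst of 50, and the packet stream are constructed for the demonstration.

```python
"""Per-source rate limiting of Quake3-style connectionless (OOB) UDP packets.

Added example for this thread, not code from the original posts or from the
game. It runs offline over a constructed packet stream.
"""
from collections import defaultdict

OOB_HEADER = b"\xff\xff\xff\xff"

# Connectionless commands the thread lists as ones the server will answer.
OOB_COMMANDS = {"getinfo", "getstatus", "getchallenge", "ipAuthorize",
                "rcon", "connect", "disconnect"}


def parse_oob(packet):
    """Return the OOB command name, or None when the packet is not a
    well-formed connectionless packet (missing header, empty, non-ASCII)."""
    if not packet.startswith(OOB_HEADER):
        return None
    body = packet[len(OOB_HEADER):].lstrip()
    if not body:
        return None
    token = body.split(None, 1)[0]
    try:
        return token.decode("ascii")
    except UnicodeDecodeError:
        return None


class PerSourceLimiter:
    """Token bucket per source address, integer arithmetic in milli-tokens.

    A global cut-off that drops everything after N packets until restart lets
    one flooder black-hole every client. A per-source bucket refills over time
    and only throttles the address that is misbehaving.
    """

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec      # milli-tokens gained per ms
        self.capacity = burst * 1000           # bucket size in milli-tokens
        self.buckets = {}                      # addr -> (tokens, last_ms)

    def allow(self, addr, now_ms):
        tokens, last_ms = self.buckets.get(addr, (self.capacity, now_ms))
        tokens = min(self.capacity,
                     tokens + (now_ms - last_ms) * self.refill_per_ms)
        if tokens >= 1000:                     # one packet costs one token
            self.buckets[addr] = (tokens - 1000, now_ms)
            return True
        self.buckets[addr] = (tokens, now_ms)
        return False


def filter_stream(packets, limiter):
    """packets: iterable of (time_ms, src_addr, payload). Returns counters."""
    stats = {"passed": 0, "dropped_malformed": 0, "dropped_rate": 0,
             "passed_by_source": defaultdict(int)}
    for now_ms, addr, data in sorted(packets, key=lambda p: p[0]):
        cmd = parse_oob(data)
        if cmd is None or cmd not in OOB_COMMANDS:
            # Cheapest rejection: no header or unknown command, no reply.
            stats["dropped_malformed"] += 1
            continue
        if not limiter.allow(addr, now_ms):
            stats["dropped_rate"] += 1
            continue
        stats["passed"] += 1
        stats["passed_by_source"][addr] += 1
    return stats


FLOODER = ("203.0.113.7", 40000)    # constructed address (TEST-NET-3)
PLAYER = ("198.51.100.21", 27960)   # constructed address (TEST-NET-2)


def build_sample_stream():
    """Constructed traffic: one address sends 1000 getinfo packets in one
    second while a legitimate client handshakes in the same window."""
    stream = [(ms, FLOODER, OOB_HEADER + b"getinfo") for ms in range(1000)]
    stream.append((100, PLAYER, OOB_HEADER + b"getchallenge"))
    stream.append((300, PLAYER, OOB_HEADER + b"connect \"\\name\\Padawan\""))
    stream.append((500, PLAYER, b"getinfo"))                    # header missing
    stream.append((700, FLOODER, OOB_HEADER + b"notacommand"))  # unknown command
    return stream


def run_demo(rate_per_sec=20, burst=50):
    limiter = PerSourceLimiter(rate_per_sec, burst)
    return filter_stream(build_sample_stream(), limiter)


if __name__ == "__main__":
    s = run_demo()
    print("passed:", s["passed"], "rate-dropped:", s["dropped_rate"],
          "malformed:", s["dropped_malformed"])
    for addr, n in s["passed_by_source"].items():
        print(f"  {addr[0]}:{addr[1]} -> {n} packets reached the server")
```

With these constructed numbers the flooder gets its 50-packet burst plus roughly one packet per 50 ms afterwards, while the legitimate client's getchallenge and connect both pass untouched; the two malformed packets never reach the limiter at all. In a real recvfrom() hook the equivalent of "drop" is the zero-length return the thread describes, and the bucket table would need periodic expiry of idle addresses so the flooder cannot exhaust memory by rotating source ports.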

OpenJK is not an option for me. The first thing is that I don't like it on 1.01, because it changed too many things and it can be felt in the fight system also. It is so different from the old basejka I loved. The other thing is that I play on version 1.00, which is not compatible with OpenJK. But thanks for the answers :) I will continue to research and study the assembly code. Maybe I'll find a way to patch it, or I will deal with it this way and ignore the fuckers flooding servers :)


Just an FYI, a big enough attack can overcome any application level protection. It doesn't matter if you block all the bad packets, your bandwidth will be saturated to the point where the routers/switches receiving the packets won't be able to cope.


Yes, yes. I know this :) But imagine that you have a server which can be killed if someone writes a star character (*) to the console (so it can be killed easily). And there is an option to kill the server by solving a really hard math equation, which only a few people can do. Which one would you fix first?
