Viable protections against Layer7 attacks on servers
Actually, it is not in fact a small attack. And I don't know if I'm running on a virtual machine; for now it's a test VPS bought from a hosting company which offers ISO installation directly, so I just installed FreeBSD 12.1 with that feature. Here's the output from ifconfig:

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:ce:b4:37:72:cd
	inet 160.20.145.45 netmask 0xffffff00 broadcast 160.20.145.255
	inet6 fe80::2ce:b4ff:fe37:72cd%vtnet0 prefixlen 64 scopeid 0x1
	media: Ethernet 10Gbase-T <full-duplex>
	status: active
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I disabled pf; I can log in and play normally. However, once I start the attack, the whole server starts lagging and after a little bit it eventually kicks my character, and the whole login breaks down, not even getting past "Connecting to server...".
Such an attack is normally too weak to bring any server down. The problem most likely lies elsewhere. Please provide the output of ifconfig, and specifically there's something to consider since you are running off a virtual machine: [Hidden Content] You should also disable pf and see what happens then. Does the attack still bring the channel down? If not, then your problem is with VirtIO. If yes, I suggest you follow this tutorial by Papix, which is actually a pretty good idea: Otherwise you can contact me on Discord if you want me to have a look at it myself for a small fee.
Running a layer 7 attack via a public stresser, using a method called "HTTP-SOCKET", which is spamming GET requests to [Hidden Content] with 30 requests per IP, using around 2k IPs with random geolocation. Here's my pf conf:

# This is a minimalistic configuration with basic rate limiting
# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="vtnet0"
# Ports used for services (ssh, http, https)
service_ports="{ 22, 3306 }"
# Ports
game_ports="{20076, 20083, 20081, 20079, 20077 }"
auth_ports="{20085}"
icmp_types = "{ echoreq, unreach }"
# table for abusive_hosts = Block IPs.
table <abusive_hosts> persist file "/usr/home/game/Firewall/abusive_hosts"
# IP addresses that should override the firewall rules, such as your web server.
table <whitelist> const { 127.0.0.1 }
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 255.255.255.255/32 \
    ::/128 ::1/128 ::ffff:0:0/96 ::/96 100::/64 \
    2001:10::/28 2001:db8::/32 fc00::/7 fe80::/10 \
    fec0::/10 ff00::/8 }"
set block-policy drop
set limit { states 100000, frags 20000, src-nodes 100000, table-entries 200000 }
set loginterface $ext_if
set skip on lo
scrub on $ext_if reassemble tcp no-df random-id
antispoof quick for { lo0 $ext_if }
block in
block in quick from <abusive_hosts>
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
pass out all keep state
pass out on $ext_if all modulate state
# Allow ping
pass inet proto icmp all icmp-type $icmp_types keep state
# Rate limits
pass in on $ext_if proto tcp to any port $service_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush global)
pass in on $ext_if proto tcp to any port $game_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush global)
pass in on $ext_if proto tcp to any port $auth_ports flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 15/3, overload <abusive_hosts> flush global)
pass in quick from <whitelist>
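To check whether the per-source limits in the pf.conf above would ever trip for the traffic profile this post describes (around 2k source IPs, 30 requests each, spread over a few minutes), here is an added Python model of pf's max-src-conn-rate rule. It is not part of the original post or of pf itself; the sliding-window semantics and the constructed traffic are assumptions.

```python
from collections import defaultdict, deque

# Thresholds copied from the pf.conf in the post above:
# max-src-conn-rate 15/5 = more than 15 new connections from one source
# within 5 seconds sends that source to <abusive_hosts>.
RATE_LIMIT, RATE_WINDOW = 15, 5

def overloaded_sources(connections, limit=RATE_LIMIT, window=RATE_WINDOW):
    """Replay (timestamp, source) connection attempts through an assumed
    sliding-window model of pf's max-src-conn-rate and return the sources
    that would have been overloaded into <abusive_hosts>."""
    recent = defaultdict(deque)   # source -> timestamps inside the window
    overloaded = set()
    for ts, src in sorted(connections):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # forget attempts older than the window
        q.append(ts)
        if len(q) > limit:
            overloaded.add(src)
    return overloaded

def constructed_flood(n_sources=2000, per_source=30, duration=300.0):
    """Constructed traffic shaped like the post describes: ~2000 sources,
    30 requests each, spread evenly over five minutes. Source labels are
    placeholders, not real addresses."""
    conns = []
    for i in range(n_sources):
        src = f"src-{i:04d}"
        for k in range(per_source):
            # each source spaces its 30 requests 10 s apart, offset per source
            conns.append((k * duration / per_source + (i % 50) * 0.1, src))
    return conns

def aggregate_rate(connections):
    """Connections per second seen by the server as a whole."""
    ts = [t for t, _ in connections]
    return len(connections) / (max(ts) - min(ts))

if __name__ == "__main__":
    flood = constructed_flood()
    print("aggregate rate: %.0f conn/s" % aggregate_rate(flood))
    print("sources overloaded by 15/5:", len(overloaded_sources(flood)))
    # A single source bursting 20 connections in one second does trip the rule.
    burst = [(i * 0.05, "198.51.100.7") for i in range(20)]
    print("burst source overloaded:", overloaded_sources(burst))
```

The server sees roughly 200 new connections per second in aggregate while no single source ever exceeds 15 in 5 seconds, so the overload rules never populate <abusive_hosts> for this profile; per-source limits only catch sources that burst on their own.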
What sort of attack are you running and what is your pf.conf?
Sorry, here's the tcpdump using your arguments & the port of the attacked channel (tcpdump -i vtnet0 -n -vvv port 20085 in my case): [Hidden Content] And here is the tcpdump for every port besides the one of my ssh (in my case it's 22 since it's a test server): [Hidden Content]
Please use the -n option and exclude the ssh port. Otherwise the dump isn't useful.

tcpdump -i vtnet0 -n -vvv port not <your ssh port number>
I have direct access to the stresser and can always test it. I tried to block it myself but unfortunately failed. I even tried to install nginx & deny all connections but that didn't work LOL. The attack is simply sending requests to [Hidden Content] where the IP is of course the server's IP and the port is either a channel or the auth; it won't matter, as it will completely break the whole auth. Here's a tcpdump (using tcpdump -i vtnet0 tcp) log while attacking for 5 minutes: [Hidden Content] (pastebin alternative cuz the text is way longer than 500kb)
Question
Hawkings
Hi all, I'm new here. I'm a programmer who loves C++ and I recently discovered that the Metin2 source is public, so I'd like to modify it, basically for fun, but maybe I can share my modified game and/or client with some friends or with everybody, so I'd like to start from a proper version. I downloaded the files from a post in a Spanish forum created in 2013 and maybe they are outdated, so I'm wondering if there's a newer version or if it's fine to use it. Also I've seen many branches (mainline, novaline), so it would be great if you could tell me the differences between them or give advice on which to use.
Thanks in advance!
Popular Days: May 23 2014 (3 posts), May 24 2014 (2 posts)
Popular Posts
Denis
The novaline branch is touched by third persons; the mainline is untouched. I suggest you use the mainline game binary and the novaline client binary (I told you novaline because you won't have any packet errors with that branch; if you use another you'll have errors).
Denis
Yes you can delete them