Need help with UDP short packet/bad checksum exploit
Someone has been closing important processes/applications on my server using UDP short packet/bad checksum exploit:
Oct 19 23:13:23 ns308xxx kernel: [94000.179795] UDP: bad checksum. From 187.170.80.88:65535 to 94.23.xxx.xxx:1047 ulen 23
Oct 19 23:15:36 ns308xxx kernel: [94132.258814] UDP: bad checksum. From 187.151.153.198:65535 to 94.23.xxx.xxx:1047 ulen 23
Oct 19 19:15:47 ns308xxx kernel: [79751.056498] UDP: short packet: From 112.135.47.60:51506 70/67 to 94.23.xxx.xxx:1035
Oct 19 19:15:47 ns308xxx kernel: [79751.076576] UDP: short packet: From 112.135.47.60:51506 70/67 to 94.23.xxx.xxx:1035
Oct 19 20:00:50 ns308xxx kernel: [82452.922808] UDP: short packet: From 62.165.217.91:4358 49320/66 to 94.23.xxx.xxx:1044
I host some call of duty game servers for my own gaming community & some friends also. A few months ago, we had shifted from leaseweb & hetzner to OVH only because of the DDOS protection. But now they are using other exploits to close our servers.
Is there any way I can secure my server from such exploits? Any help would be highly appreciated. Thank you
Comments
So there's no one on this board who can help me with it?
"Someone has been closing important processes/applications on my server"
What exactly happens?
After those UDP short packets, the process gets killed.
Oct 20 14:34:52 ns308xxx kernel: [ 366.968020] cod4_lnxded24[2938]: segfault at 0 ip 00000000f7259ddd sp 00000000ffbc6850 error 4 in cod4_extfunc.so[f723a000+5d000]
What if you run:
iptables -A INPUT -m state --state INVALID -j DROP
~ Mark
Also add:
iptables -A INPUT -m unclean -j DROP
Thanks, would try that & let you know how it goes.
root@ns308xxx:~# iptables -A INPUT -m state --state INVALID -j DROP
root@ns308xxx:~# iptables -A INPUT -m unclean -j DROP
iptables: No chain/target/match by that name.
Sorry, unclean was removed from the kernel some time ago. I just haven't had to use those modules for 10+ years.
How is the first rule working? Is it helping?
@MarkTurner no, it's not helping, unfortunately.
Well, a question to ask: can you change the ports on the game servers?
Asked everyone I could think to. Googled it to death. I can't find a quality answer to this one. UDP just needs to die. I mean are we really still at the point where our traffic has to be stateless to provide adequate latency?
How often are these packets appearing on the port?
What about:
iptables -A INPUT -p udp -m length --length 0:32 -j DROP
Well, changing ports would not make any difference as they can use that exploit to close any port.
Will apply that & let you know with the results later.
Thank you & all those who put an effort with intention of helping me on this.
Packets with an invalid UDP checksum will not be delivered to the process. Far more likely your application is failing to parse a valid UDP packet with an invalid payload (such as a DNS response from a reflection attack).
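As an added example (not code from anyone in this thread), here is a small parser for the kernel lines the OP quoted. In the "short packet" message the kernel prints the length claimed in the UDP header, a slash, and the bytes actually received; both that case and "bad checksum" are dropped in the kernel before any socket sees them. The script tallies the rejections per destination port and checks whether any logged segfault actually falls within a time window after them. The sample log is constructed (documentation-range addresses) and the syslog year is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the kernel lines quoted in the thread (documentation-range addresses).
SAMPLE_LOG = """\
Oct 19 23:13:23 ns kernel: [94000.179795] UDP: bad checksum. From 198.51.100.7:65535 to 192.0.2.10:1047 ulen 23
Oct 19 19:15:47 ns kernel: [79751.056498] UDP: short packet: From 203.0.113.60:51506 70/67 to 192.0.2.10:1035
Oct 19 19:15:47 ns kernel: [79751.076576] UDP: short packet: From 203.0.113.60:51506 70/67 to 192.0.2.10:1035
Oct 19 20:00:50 ns kernel: [82452.922808] UDP: short packet: From 198.51.100.91:4358 49320/66 to 192.0.2.10:1044
Oct 20 14:34:52 ns kernel: [  366.968020] cod4_lnxded24[2938]: segfault at 0 ip 00000000f7259ddd sp 00000000ffbc6850 error 4 in cod4_extfunc.so[f723a000+5d000]
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
SHORT_RE = re.compile(r"UDP: short packet: From (\S+):(\d+) (\d+)/(\d+) to (\S+):(\d+)")
CSUM_RE = re.compile(r"UDP: bad checksum\. From (\S+):(\d+) to (\S+):(\d+) ulen (\d+)")
SEGV_RE = re.compile(r"(\S+)\[(\d+)\]: segfault at")

def parse_line(line, year=2000):
    """Classify one kernel log line; syslog omits the year, so one is supplied (assumed)."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    if m := SHORT_RE.search(line):
        # "70/67": length claimed in the UDP header / bytes actually received.
        # The kernel drops the datagram here; the game server never sees it.
        return {"kind": "short", "when": when, "src": m.group(1), "dport": int(m.group(6)),
                "claimed_len": int(m.group(3)), "actual_len": int(m.group(4)), "delivered": False}
    if m := CSUM_RE.search(line):
        return {"kind": "bad_checksum", "when": when, "src": m.group(1),
                "dport": int(m.group(4)), "ulen": int(m.group(5)), "delivered": False}
    if m := SEGV_RE.search(line):
        return {"kind": "segfault", "when": when, "proc": m.group(1), "pid": int(m.group(2))}
    return None

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def rejected_per_port(events):
    """Kernel-rejected datagrams per destination port (none of these were delivered)."""
    return Counter(e["dport"] for e in events if e["kind"] != "segfault")

def crashes_near_rejections(events, window_s=60):
    """For each segfault, count kernel UDP rejections in the window_s before it.
    Zero means the logged bad/short packets did not precede this crash, arguing against them as the trigger."""
    rejects = [e for e in events if e["kind"] != "segfault"]
    return [(c["proc"], c["pid"],
             sum(1 for r in rejects if 0 <= (c["when"] - r["when"]).total_seconds() <= window_s))
            for c in events if c["kind"] == "segfault"]
```

The kernel rate-limits these messages, so the counts are a lower bound; a crash with zero nearby rejections points at a datagram that did pass the kernel's checks, which is where a packet capture on the game port would be the next step.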
That's what I thought too but this is pretty heavily reported with steam servers. Apparently it's causing some effect that trickles down to the application and crashes it fairly consistently.
@MarkTurner I am grateful to you for trying to help but it looks like nothing is able to stop those exploits for now
What about using CFS (firewall)
It's a bit confusing at first but it might help.
You might need to play around with it until you don't timeout real players by accident.
Well for now I have installed scripts to auto restart servers immediately after they go down. That seemed to be the only suitable solution for now.