KF2 (or any Unreal Engine 3) server on RedHat/CentOS/Rocky/Alma Linux: DDoS defense with the help of firewalld

--list-all is the wrong command; you should run the command that displays the content of the network block, e.g.:

firewall-cmd --ipset=networkblock --get-entries

Also, at this point as an end customer who may not be into all the nuts and bolts I'd rely on Zmey's solution:

I have a linux server and would like to use Zmey's solution but there isn't really an example on how to run it. Does anyone have more info/example for the command to run this?
 
So the closest I've come up with for instructions was this:
1. Under a tmux as root, mkdir
2. wget the golang file
3. chmod a+x kf2-antiddos-linux-amd64
4. install golang
5. touch deny.sh
6. touch allow.sh
7. open both and copy and paste the code for them
8. in the tmux as root run:
tail -F /path/to/kf2/logs/Launch.log | ./kf2-antiddos-linux-amd64 /bin/bash ./deny.sh ./allow.sh

Thing is, I don't know if that's correct, but it does say "started" then nothing else. Wish there was a verbose option.
 
An attacker has been trying to use my server to do amplification attacks again. However, this time round it's a lot slower. They have been sending a couple of hundred packets per minute, not enough to get caught by my packet rate limiter. They have also changed the way they are attacking: using the same IP address with multiple source ports for a couple of minutes, then moving on to another IP address and repeating. This is not really an issue, as the script that reads the KF2 logs blocks these connections. However, it's annoying to be part of a DDoS against someone else's infrastructure and have CPU spikes because of these attacks. So I have another filter for the community that seems to work well for this kind of attack.

iptables -I FORWARD 1 -d <KF2 server ip address> -p udp --dport <KF2 server port range> -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j DROP

e.g.
iptables -I FORWARD 1 -d 10.0.0.1/32 -p udp --dport 7777:7779 -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j DROP


This filter limits the number of connections you can make from a single IP address to the server port to 20 active connections. A client only really needs one connection.
 
I shut my server down last month as none of these methods were enough to repel the attacks. If you have a cable connection like me then none of this is going to work, because it will be too much traffic to try and filter.
 
So far I haven't had any volume issues (using more bandwidth than my line). The problem has always been the packets per second (pps). All the recent attacks have been less than 1 Mbit/s. I assume your setup goes something like this:

Internet -> cable modem / router (port forward) -> kf2 server(iptables)

If you don't have a modem/router that can handle this quantity of packets, it will easily get swamped by the pps of a DoS attack. One solution is to put the modem/router in a forwarding / transparent / 1:1 / bridging mode so that all it does is the media conversion from cable to Ethernet. It will then pass the packets along to a Linux router, and you do the filtering there, e.g.:

Internet -> cable modem (bridging mode) -> Linux router (iptables + Port forward) -> KF2 server

Side note: I have tested and you can reduce the number of connections safely down to 5. You might even be able to go lower, but I haven't tested.
e.g.
iptables -I FORWARD 1 -d 10.0.0.1/32 -p udp --dport 7777:7779 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j DROP
 
Thanks for the idea, I've wasted half a day today to adapt this for firewalld, which should result in this:

Code:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p udp --dport 7777:7779 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP

Still testing it, will report back if it doesn't work and needs amendments. At least firewall-cmd eats it with a "success" message and testing might take time depending if I get an intense DDoS soon.
 
Hey, so I've noticed this was updated today! @o2xVc3UuXp0NyBihrUnu , I know you've poured a lot into the first post here, and it's probably my own incompetency. But would this work if I was running the server in a docker container on my unraid box? Like, this feels too good to be true, all I have to do is run that one command? Please clue me in, I'm not gonna lie, I'm more of a gamer than a server admin. I know it's asking a lot.
 
I have actually expanded on it a little because I discovered that the DDoS amplification attempts are attacking multiple targets sequentially(ish) in order to bypass the IP blocking rule that most people have in place. Here is how it works:
They send 5 packets to 10.0.0.1
Then 5 packets to 10.0.0.2
Then 5 packets to 10.0.0.3,
etc., etc.
then 5 packets to 10.0.0.254
Then they loop back around to the start, and then maybe, if you read the whole log file in, they get blocked one IP at a time. So effectively they bypass your server-side blocking of individual IP addresses.


The solution I came up with is to change the size of the subnet mask we are rate limiting. I am currently using a /20. So in the example above we would effectively block all IP addresses 10.0.0.1 - 10.0.15.254 temporarily from connecting to the server. Remember this only affects new connections, so it won't affect existing connections.

First line is for logging. Second line does the work.
Code:
iptables -I FORWARD 1 -d 10.0.0.1/32 -p udp -m udp --dport 7777:7779 -m connlimit --connlimit-above 20 --connlimit-mask 20 --connlimit-saddr -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "Drop-Connection-Limit 23: "
iptables -I FORWARD 2 -d 10.0.0.1/32 -p udp -m udp --dport 7777:7779 -m connlimit --connlimit-above 20 --connlimit-mask 20 --connlimit-saddr -j DROP

EDIT:
To my understanding firewall-cmd is just iptables underneath.
FYI, for testing I like this command. It shows what is happening.
watch -n 2 -t -d "iptables -xnvL --line-number"
 
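The rotating pattern described above (a handful of packets per source address, the source walking through a whole range) is exactly what defeats per-address blocking, and widening the key to a /20 is what catches it. The following is an added example, not code from the kf2-antiddos tool or from any poster in this thread. It assumes connection attempts have already been pulled out of the server log as (timestamp, source IP) pairs; the Launch.log line format is not documented in this thread, so no log parser is included. It counts attempts in a sliding window keyed first by /32 and then by /20, and emits firewall-cmd ipset commands for the networks that cross the threshold. The `networkblock` ipset name is taken from the earlier post; the event stream, thresholds and window length are constructed for the demo.

```python
"""Sliding-window connection-attempt counter keyed by network prefix.

Added example for this thread; not the kf2-antiddos tool's code and not any
poster's script. Input is assumed to be (timestamp, source_ip) pairs already
extracted from the game server log. The sample event stream is constructed
to mimic the rotating attack: 5 attempts from each of 10.0.0.1..10.0.0.254,
so no single /32 ever reaches a per-address threshold.
"""
import ipaddress
from collections import defaultdict, deque


def network_key(ip: str, prefix: int) -> str:
    """Collapse an address to its /prefix network, e.g. 10.0.3.7 -> 10.0.0.0/20."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class WindowCounter:
    """Counts events per key within a sliding time window of `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def add(self, key: str, ts: float) -> int:
        q = self.events[key]
        q.append(ts)
        # Drop timestamps that have aged out of the window (events arrive in order).
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def detect(events, prefix: int, threshold: int, window: float) -> set:
    """Return the /prefix networks whose attempt count inside any `window`
    seconds exceeds `threshold`. `events` is an iterable of (ts, src_ip)."""
    counter = WindowCounter(window)
    flagged = set()
    for ts, ip in sorted(events):
        key = network_key(ip, prefix)
        if counter.add(key, ts) > threshold:
            flagged.add(key)
    return flagged


def block_commands(networks, ipset: str = "networkblock") -> list:
    """Build firewall-cmd lines that add the flagged networks to an ipset.
    Nothing is executed here; the caller reviews and applies them."""
    return [f"firewall-cmd --ipset={ipset} --add-entry={net}" for net in sorted(networks)]


def rotating_attack(base: str = "10.0.0.", per_ip: int = 5, hosts: int = 254, gap: float = 0.02):
    """Constructed event stream: `per_ip` attempts from each host in the /24,
    spaced `gap` seconds apart (about 25 s in total for the defaults)."""
    evs = []
    t = 0.0
    for host in range(1, hosts + 1):
        for _ in range(per_ip):
            evs.append((t, f"{base}{host}"))
            t += gap
    return evs


if __name__ == "__main__":
    evs = rotating_attack()
    print("per-/32 flagged:", detect(evs, 32, 20, 60))  # empty: only 5 attempts per address
    per_net = detect(evs, 20, 20, 60)
    print("per-/20 flagged:", per_net)                  # {'10.0.0.0/20'}
    for line in block_commands(per_net):
        print(line)
```

Run it as-is to see the per-/32 pass and the per-/20 flag; the emitted firewall-cmd lines are printed rather than executed, so review them before piping them to a shell. Two caveats: a /20 entry covers up to 4096 addresses, so legitimate players behind the same ISP range are collateral until the entry is removed, and the iptables rules earlier in the thread sit in the FORWARD chain, which only sees routed traffic; on a host that runs the game server itself the equivalent rules belong in INPUT.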
firewall-cmd is the recommended and default interface to interact with the underlying filtering engine, which is not iptables but nftables on most current systems btw. That's one of the many reasons why it's better to use the common abstraction layer instead of the underlying low-level subsystem directly.

As for DDoS protection, fail2ban is probably a better choice. It is made for this exact purpose.
 
Very true regarding firewall-cmd, I should do some more research into nftables.

Would you mind sharing your fail2ban config? It will be interesting to see how that blocks subnets, as I wasn't aware it's possible.
 
hey so ive noticed this was updated today! @o2xVc3UuXp0NyBihrUnu , I know you've poured a lot into the first post here, and its probably my own incompetency. But would this work if I was running the server in a docker container on my unraid box? Like this feels too good to be true, all I have to do is run that one command? Please clue me in, I'm not gonna lie, I'm more of a gamer than a server admin. I know its asking a lot.
Absolutely zero clue. Need to experiment with it.

Never had to, as KF2 provides a very flexible way to run multiple servers through using different config directories.

I may set up a docker instance just to see how it works with the firewalls and report back, but no promises.
 
The solution I came up with is to change the size of the subnet mask we are rate limiting. I am currently using a /20.
Seems reasonable and I also switched to /20 both for rate limiting and IP banning since this morning and it works better for intense DDoS.

For the last 1.5 years since the topic was started I actually never needed rate limiting as whoever was behind these attacks used a sane approach. But this new thing that started 2 days ago just crashes the KF2 servers in a few minutes with its insane rate of >1K connections per second. So I've had to adapt this for firewalld and also amended my one-liners to be even more aggressive and for now I think /20 is the right choice.

If one wants to keep it in the standby mode /32 would probably more suitable, but for an intense DDoS /20 works better -- less spam in the logs, less memory leak, less network lag issues for players during the bursts.

I reflected this all in the OP and put the emergency actions package on top so people who come here don't have to read all the theory and the history of our research and have a very concise action plan at the ready so they can stop the bleeding right away and read later.
 
That makes a tonne of sense. Yeah, for the time being I just closed the port and stopped the docker. I'm looking into it on my end but much of this is over my head, gonna have to do me some learning I reckon. Does anyone know if Tripwire has a plan for this? Cause this would be solved if they implemented rate limiting in the code, no?
 
Yeah, and I found some time to look into implementing this solution to my server setup, but it's running in a docker container on unraid. Unraid doesn't have firewalld, and upon googling what could happen if I set that up as a script running on the box and not inside the docker container, it looks like it could mess up some other stuff... I'm at a loss for now until I learn more about this sort of stuff, I guess!
 
Many did. The total server count went down below 2K servers worldwide yesterday. I bet this has a lot to do with this DDoS.

Dude, Tripwire broke the workshop 8 months ago and still can't fix it all meanwhile the fix is to just ship the right version of the steamclient library. I bet it's even more over their head than it is over yours. Assume no support.

Besides, this thing is UE3 protocol. I bet TWI never researched how it works as they never needed to, it just works and they use the UE3 engine. It's more of a question for Epic.
 
I wonder if other games are affected with the same thing?
 