Thanks, yeah, this proves it. Now I wonder if one uses a more random port which is far from the 7777 value, something like TWI does, will it help? Their servers aren't attacked according to the last info I have, but it's from the last week, who knows by now.
Hi!
www.businessinsider.com
Yes, exactly. For now i have closed my KF2 servers due to that issue...
EDIT:
EDIT 2:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address=<ip> port protocol=udp port=<kf2_ports_range> reject"
#Run once to create the firewall rule
new-NetFirewallRule -DisplayName "Block DDOS" -Direction inbound –LocalPort Any -Protocol any -Action Block -RemoteAddress "80.80.80.80/32" -Program "C:\KF2Server\Binaries\Win64\KFServer.exe"
new-NetFirewallRule -DisplayName "Block DDOSout" -Direction outbound –LocalPort Any -Protocol any -Action Block -RemoteAddress "80.80.80.80/32" -Program "C:\KF2Server\Binaries\Win64\KFServer.exe"
#Log location
cd "C:\KF2Server\KFGame\Logs"
while(1){
$Files=Get-ChildItem Launch_*.log
#Setup the firewall rules
foreach ($file in $files){
#Get the ip addresses from the file, only look at the last 3000 lines to speed it up
$IPs=Get-Content $file.fullname -Tail 1000 | where { $_ -like "*NetComeGo: Open TheWorld*" } | % { $_ -replace "\[\d+.\d+\] NetComeGo: Open TheWorld \d+\/\d+\/\d+ \d+\:\d+\:\d+ ",'' } | Group-Object
#Must be more than 50 connections
$NewIPS=$IPS | where { $_.count -gt 50 } | % { "$($_.name.trim())" }
if($NewIPS){
#Get existing rules
$IPString = (Get-NetFirewallRule -DisplayName "Block DDOS" | Get-NetFirewallAddressFilter ).RemoteAddress
write-host $file.fullname
write-host $NewIPS
$IPString+=$NewIPS
$IPString=$IPString | sort -Unique
#Ban the ips
set-NetFirewallRule -DisplayName "Block DDOS" -Direction inbound –LocalPort Any -Protocol any -Action Block -RemoteAddress $IPString -Enabled True
set-NetFirewallRule -DisplayName "Block DDOSout" -Direction outbound -LocalPort Any -Protocol any -Action Block -RemoteAddress $IPString -Enabled True
write-host "$(get-date)--------"
}
}
write-host -NoNewline "."
sleep 15
}There's nothing distributed about this, it's a literal DoS. I haven't ever been hit by more than 2 IPs at once concurrently.You are correct that the replies are much more sizeable than the initial requests to connect. Here's how it looked like on my servers. A downwards (means outbound) spike starts when a whole bunch of new IPs are added to the attack and then ends when my banning bot picks it up and blocks the traffic:
View attachment 2336424
You are also correct that it might be a part of a broader DDoS that uses KF2 servers as amplification beacons. But for our purposes this is irrelevant as whatever the small volume of traffic comes to our servers it is still enough to bring our servers down and as I noted previously I witnessed my servers hanging up completely after receiving (and responding to) merely ~5K malicious requests. Therefore it still should be considered a DDoS attack against KF2 servers as it still reaches the goal of bringing them down, even if it's a collateral damage situation.
Also, by now in my research I established that, from all the attacked hosts I analyzed, all of them listened on default port UDP 7777. This is also true for your server per the hoster notification you provided, thank you. This fully explains why TWI doesn't care about it and was reluctant to react in any way, as almost all if not all of their KF2 servers use weird ports, typically it's some random number from the range 27000-30000 UDP. Thus, by the nature of this attack, only lone (because if a person hosts >1 on a single IP they have to change the default ports on all but 1st server) community servers are the victims.
This suggests a stupid and simple solution to the DDoS problem that still amazingly works, which is to just change the listening port from the default one to any other random value. This has proven to prevent the attack, even if one unbans all the IPs one has banned previously to provoke it. With great success this technique has been implemented on a few hosts I've dealt with, so if you don't like the IP banning solution outlined in the OP (which still works flawlessly and prevents hangups and complaints from the hoster), you can just change the listening port to some random value. The only downside to this I know is it effectively removes the server from frequenters favorite list, as it's populated by IPort and they will have to readd it.
View attachment 2336425
Hilarious stuff! You are right, at this point I'm convinced that it's an amplification DDoS with spoofed source IPs that are necessarily coming from a source (which we won't be able to establish) that doesn't do egress filtering on their routers. Otherwise we'll have to assume that it's Google DNS that is either compromised or participates in a DDoS, both of which are very low likelihood scenarios.
Yeah, but as it turns out these IPs are targets (source IP is likely spoofed), not true sources. The attacker most likely uses many KF2 servers at once to amplify the attack against Google DNS and other targets. Your particular server is just one pawn out of the many, so it's still a DDoS. Another consideration that the true sources may be many, you just can't know it as all of them use the same source IP which is spoofed, so your server responds to them.
Why they're not attacked? Not running high population servers. They only run 6 man servers. Attacking a server hosting 2 people doesn't cause much grief. When you poll the player count and target based on that - TADA. This isn't an automated attack and it is not distributed. It is being manually kicked off. If it were distributed I'd be getting hit with hundreds/thousands of IPs from a botnet. Instead it has been no more than 3 at any one time. Usually just 1, sometimes 2.Well, yeah. So it increasingly looks like changing the default port doesn't help long term.
Theoretically, the port your server listens on is discoverable via Steam Client or maybe also via Steam API, so it shouldn't be a big deal to run a discovery and then attack what's discovered. The reason why changing the port at least temporarily stops the attack is probably because the discovery is run once in a while, so if you changed the port, the attack stops until the next discovery event happens and your server ends up in the list of the ones the dude wants to attack at the moment. Then, again, theoretically, immediately changing the port after the attack is detected should again stop it until the next discovery event, so, theoretically one can develop a script that detects the attack, stops the server (if noone's playing), changes the port to some random value, starts the server. The downside is the server gets removed from the favorites tab and also it's temporary and one will need to keep changing it making the favorites functionality useless for his users.
It is unclear why TWI said that they aren't under attack. Aren't they really? Or their pipes are so big that they just don't care about traffic, they don't have NG firewalls that would start dropping it and their servers don't hang up? It's unlikely IMO given what we know that it's TWI themselves behind the attack (although so far it seems that only the community servers are affected) as it's a criminal offense and one would think the company wouldn't risk doing that.
I'm actually lost at guessing the motives of someone behind the attacks. I've heard that it's very typical, say, in Minecraft scene to DDoS the servers of one's competitors. It kind of makes some sense at least. Could it be the motive here? Say, some rather big community servers owner tries to knock down his competitors. Kind of ridiculous to me, but that's what happens in the Minecraft scene. E.g.:
3 US hackers took out key parts of the internet in 2016 because they wanted to make money on Minecraft
Minecraft is big money.
Could very well be a typical journo BS, hard to tell. But hey, maybe I should start thinking about providing a DDoS KF2 hosting services or DDoS KF2 protection consulting services.
Not a DDoS. If it were the service I pay for would have kicked off, and it does when it's a legit one. Which happens every 3-8 months. I have 20gpbs mitigation enabled, this attack does not touch that threshold at all and it does not come from a distributed source.
Your server(s) is not the target of the attack. Your server is participating in the DDOS of the target by amplifying the amount of data sent to the target.
I'm going to repeat it for the second and last time and ignore subsequent iterations unless new information is provided.
