I think i have found a way to fix this completely. When kf2 client is opened it downloads a list of servers(well i assume it downloads a list i haven't verified this part, it's not overly import). The client then sends out a ping to all servers on the query port. Then the client displays the list of servers to the player. The player selects a server and joins it. Wireshark confirms this.
So effectively we have a means of authentication a little like port knocking. If the ip connects to the query port, then they are probably a real player and should be allowed to connect to server. This works the same for the kf2 native client and the steam client. Is there a EPIC client that shows a server list???? This only breaks down if the player connects directly to the server with the open command as far as I can tell. Interestingly this allows us to collect the vast majority of kf2 players ip addresses.
A possible untested solution:
We could then use something like a script or fail2ban with a custom command to scan the log file created by a iptables log rule and put the ip address into an ipset which is part of a iptables accept rule for connecting to the kf2 server port.
Also, here's another idea.
It's well known that TWI's official KF2 servers use very non-standard game ports from the 27000-30000 range of UDP. There are also no reports that their servers are under attack. Maybe they use some kind of next gen firewall that does the filtering for them or anti-DDoS CDN like CloudFlare to scrub the bad traffic. But maybe they aren't attacked at all.
I'm going to verify this hypothesis partially soon. The idea is as follows. If I were a sane attacker I would do my best to ensure the future of my operation by not going overboard and not going too noisy, because, let's say, I followed the Mirai botnet story and learnt my lessons. Therefore, I would exclude all major server hosters from my list of the servers used for amplification, such as TWI servers. How would I distinguish TWI from community hosted? There are two ways that come to my mind which are 1) filter out servers that have "Tripwire" in their title or 2) filter out all the TWI's server ranges.
The second maybe also helpful for another reason. Suppose you are a backbone ISP and have to deal with this BS. These attacks can focus on bringing > 1 Tbps of garbage traffic, capable of saturating the pipes of even major providers. Of course, if you are a backbone ISP you want none of that as you don't want to spend resources on providing routing for garbage traffic. They may very well engage in throttling of the garbage traffic. What criteria they would use for that? One good suggestion is by just relying on port ranges, knowing that the default and most popular UE3 game port is 7777 and >1 UE3 server on the same IP gets next port in line, e.g. 7778 and so on by default. Thus, they may engage in throttling of 7777 and plus say hundred UDP ports. Of course, if they did this, there would be no incentive to go public about it because it's all bad publicity and they would treat potential complaints with obscure explanations regarding performance issues and overall useless helpdesk stalling etc. Of course, the fact that TWI (and maybe other major hosters) don't use the default ports (BTW, does anyone know the reason why?) ensures that they don't complain.
Coincidentally, in the past 2 or so weeks the players on my servers were complaining about lags and jitter more often than usual and I know for sure it's not because of my servers. Is it a coincidence? Or is this how the aforementioned throttling may manifest itself?
If that was the case, one would do themselves good service by switching their servers from the default ports range up to something that TWI themselves uses. So I'm going to do this right now and report back the results.
Expected results: 1) attack stops at least for a while, until new addresses are rediscovered via Steam API 2) attack may stop altogether if the filtering by port numbers is in use 3) there may be less lags and jitter complaints because of less/no throttling.
My best guess as to how bot net ddos amplifiers work:
I doubt they are looking at information here or the steamAPI. It's way to much work. They will be looking at CVE's for services and seeing if there are known exploitable vulnerabilities. Then attackers will use something like shodan to get a list of all servers running software they know has vulnerabilities. e.g.
https://beta.shodan.io/search?query=port:27015+product:"Steam+Dedicated+Server"&page=2
Once they have a list they do a test run to see what the results are like, then they turn it on. It's is then fine tuned by sending sample packets to there test server during the attack.
In general there are 4 ways ISP's block this traffic.
1) Just having enough bandwidth to absorb the attack as it transits there network.
2) Rate limiting some services. This is normally done with some kindof monitoring box and automation of the edge of there network. This is normally considered a bad idea because you have already paid to have the traffic enter your network.
3) The most common way is by black-holing ip addresses. This is either done on there network or when they get too much traffic they have agreements with there upstreams (other ISP's they interconnect with) to black hole that ip addresses before they arrive in there network. This is normally setup in a automated fashion.
4) With drawing routes from there upstreams. This means to stop advertising the route to an upstream so they stop sending you traffic for that ip or subnet. This is normally last ditch as you are getting to much traffic and it is causing problems for other services.
As for tripwire they appear to be using VOXEL / Internap some kind of hosting company. This is based on the ip addresses used by there servers and a quick look up here
https://www.whois.com/whois. Looks like Bare Metal hosting. I assume there is some kind of commercial firewall in front of there servers. The marketing material says DDoS Protection & Mitigation
https://www.inap.com/managed-services/managed-security/