Blocking certain incoming packets


#1 Jerryn (Newbie, 16 posts)
I'm hosting a small game server (no open source) and there are some bad incoming packets that I wish to block. These packets are mostly being used for blackhat purposes and it's really annoying.

Can I block them from reaching the real server? I know it's somehow possible, so that when they attempt to send the bad packet, it never reaches the real server.

What should I look into though?


Thank you for your time

#2 fayyazlodhi (Programming Expert, 403 posts)
The plain answer is yes, you can block such packets.

A common solution is to install a firewall on your server and configure it to allow only your game traffic.

The tricky part would be to judge "which is your game traffic and which is not".

Generally, every firewall is configurable with rules based upon IP addresses or port numbers:

So if you know, say, that your game would always use IP addresses x or y, or the range x - y, or port number 3350, you can write a rule to allow this and block everything else in the firewall.

Alternately, if you know the unwanted traffic is using some specific IP range or port numbers, you can write a rule to block that and allow everything else.

However, if this info is completely random, then you would probably need some more sophisticated techniques to block such traffic. The key is being able to correctly identify what is unwanted traffic and what is not.

Such techniques exist which dissect the application layer of packets; for e.g. DPI (Deep Packet Inspection) is one such philosophy, and there is at least one open source product available that can be configured and installed on Linux.

But I hope you can get away with your needs using plain firewalls. Let me know if that is not the case.

#3 Jerryn (Newbie, 16 posts)
Thanks for the reply. :)

I actually don't need to filter IP: Port connections. There's an exploit in the server that causes it to crash when a faulty packet (edited by the "hacker" on purpose) is sent to the server.

Let's say the packet is 0C0012000000 and someone edits the end 0C0012000001 and sends it to server = damage caused. I'd need to filter the packet somehow to automatically reject it when it's changed.

#4 fayyazlodhi (Programming Expert, 403 posts)
So I presume you have a way of knowing that the packet in a particular scenario would have 0C....00 and shouldn't be ....01. Why can't you put up a rule in the firewall which says the Xth byte of the packet shouldn't be Y (e.g.)?

Or if it's possible, you can put this into the server's code to validate this.

To filter traffic, either you can do it in the end application (the server) or in some intermediate one listening (call it a firewall or whatever you like). The above has to be done at one of these locations.

#5 Jerryn (Newbie, 16 posts)
I have no experience in this area because I have never filtered packets before. Perhaps you could give me some tips and I can google it up for more information? It's a Linux machine I'm running the server on, by the way.

#6 fayyazlodhi (Programming Expert, 403 posts)
iptables is the default to use on the Linux platform: iptables(8) - Linux man page

#7 fayyazlodhi (Programming Expert, 403 posts)
Specifically, on the link above, the following information explains how to set a rule with a byte pattern specified, for e.g. 0x0803 at byte 19 etc.

"string

This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
--algo bm|kmp
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
--string pattern
Matches the given pattern.
--hex-string pattern
Matches the given pattern in hex notation."

#8 Jerryn (Newbie, 16 posts)
Thanks for leading me to iptables, but unfortunately I couldn't understand it even after googling.


Packets: (recorded twice)

0C00120000004473340260D646000106080027005816
0C001200000089B3DA02000000F00106080027005816

The red part is random every time. Checksum? This needs to be left untouched then. But the green part is an important value. It should only be 00, 01 or 02 but not 03.

Could you guide me with doing this?

#9 fayyazlodhi (Programming Expert, 403 posts)
Assuming 0C is the first byte of your packet, I guess the place containing 01 is the 15th byte.

# iptables -A INPUT -m string --from 15 --to 16 --algo bm --hex-string '|03|' -j DROP    # drop the ones with 03
OR

# iptables -A INPUT -m string --from 15 --to 16 --algo bm --hex-string '|00|' -j ACCEPT  # accept the ones with 00
# iptables -A INPUT -m string --from 15 --to 16 --algo bm --hex-string '|01|' -j ACCEPT  # accept the ones with 01
# iptables -A INPUT -m string --from 15 --to 16 --algo bm --hex-string '|02|' -j ACCEPT  # accept the ones with 02

(--hex-string takes the bytes between | | pipes, the target for passing a packet is ACCEPT, and --to is the offset just past the last byte scanned, so a single byte at offset 15 needs --from 15 --to 16.)

I am sure there is a more decent way of specifying OR options within a single statement, but I don't know that offhand; it can easily be looked up. Something like allow "00, 01 and 02" and drop everything else. But I guess the above should work too.

Edited by fayyazlodhi, 28 April 2011 - 08:10 PM.
slight technical error


#10 fayyazlodhi (Programming Expert, 403 posts)
The following examples might help in case I have missed anything. Generally you don't blindly apply a pattern-matching rule on all traffic, since that would be a lot of burden and slow down network traffic. The examples below apply a string-matching filter on, say, TCP packets coming in on a specific port only, etc.

So if you know of any such criteria IN ADDITION to what is written above, use them:

Bug / problem with iptables v 1.4.1.1
Wiztelsys: String based network filtering with iptables on 2.6.x kernels
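The two approaches discussed in posts #4, #9 and #10 (validate the byte in the server itself, or keep a firewall rule scoped to the game port) as an added example; this is not code from the thread. The packet layout comes from the dumps in post #8; the header-offset arithmetic, the chain name and the message-type header are assumptions stated in the comments.

```python
"""Validate the game packet's 15th byte in the server, and emit iptables string-match
rules with the offsets worked out explicitly. Added example, not the thread's code."""
from typing import List

# Constructed copy of the two payloads posted in the thread (22 bytes each)
CAPTURED = ["0C00120000004473340260D646000106080027005816",
            "0C001200000089B3DA02000000F00106080027005816"]

MSG_HEADER = bytes.fromhex("0C0012")  # assumed: the first 3 bytes identify this message type
FLAG_OFFSET = 14                      # 0-based index of the "green" byte (the 15th byte)
ALLOWED = {0x00, 0x01, 0x02}          # legitimate values per post #8; 03 crashes the server
MIN_LEN = 22                          # length of both captured packets

def validate_packet(payload: bytes) -> bool:
    """Application-layer check: reject short or mis-typed packets and any flag
    value outside ALLOWED before the rest of the server parses them."""
    if len(payload) < MIN_LEN or not payload.startswith(MSG_HEADER):
        return False
    return payload[FLAG_OFFSET] in ALLOWED

# Assumption: xt_string counts --from/--to from the start of the IPv4 header, so a
# payload offset shifts by 20 (IPv4, no options) + 8 (UDP) or 20 (TCP, no options).
IPV4_HDR = 20
TRANSPORT_HDR = {"udp": 8, "tcp": 20}
CHAIN = "GAME_FLAG"  # hypothetical user-defined chain name

def hex_match(proto: str, offset: int, hexbytes: str) -> str:
    """One string match covering exactly len(hexbytes)//2 payload bytes. --to is
    exclusive, so a 1-byte match at N needs --from N --to N+1, not --to N."""
    start = IPV4_HDR + TRANSPORT_HDR[proto] + offset
    end = start + len(hexbytes) // 2
    return f"-m string --algo bm --from {start} --to {end} --hex-string '|{hexbytes}|'"

def iptables_rules(proto: str, port: int) -> List[str]:
    """Only packets of this message type on the game port enter CHAIN; known-good
    flag values RETURN to INPUT and everything else in the chain is dropped, so
    other message types on the same port are never touched."""
    base = f"iptables -A INPUT -p {proto} --dport {port}"
    rules = [f"iptables -N {CHAIN}",
             f"{base} {hex_match(proto, 0, MSG_HEADER.hex().upper())} -j {CHAIN}"]
    for value in sorted(ALLOWED):
        hx = f"{value:02X}"
        rules.append(f"iptables -A {CHAIN} {hex_match(proto, FLAG_OFFSET, hx)} -j RETURN")
    rules.append(f"iptables -A {CHAIN} -j DROP")
    return rules

if __name__ == "__main__":
    for hexdump in CAPTURED:
        print(hexdump, "ok" if validate_packet(bytes.fromhex(hexdump)) else "REJECT")
    print("\n".join(iptables_rules("udp", 3350)))
```

Run against a capture of the real server's traffic first: if the game uses TCP options or IP options, the fixed header sizes above are wrong and the rules silently match nothing.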

#11 Jerryn (Newbie, 16 posts)
Thanks a million fayyazlodhi :) I'm testing if this works now and will post a result.

#12 bbqroast (Codecall Addict, 554 posts, Location: /etc/passwd)
How about you monitor some legit traffic (get your good friends over for a LAN party or something) and then block everything but the traffic you recorded?
Has it occurred to you that the most basic fix would be to program the server to handle the packets correctly?
Please, write clearly with proper structure. Double spacing makes the text feel disjointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The rightmost styling box.)
