This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to block DoS attacks using protocol SIGCOMP

0

I captured a DoS attack against my gameserver, always using protocol SIGCOMP, and only from one IP address. The address seems to be spoofed because a block in the firewall doesn't help! It causes some lag for my players on the server.

I'm searching for a way to block incoming SIGCOMP traffic (on WINDOWS 2012 SERVER). This compression protocol is used/abused to perform the attack, because I don't have a chance to ban the IP.


asked 18 Jan '15, 04:55

appreciated


One Answer:

1

That all depends on your setup and the actual DoS traffic.

  • If the (D)DoS traffic is filling up your bandwidth, filtering the packets just before they reach your server will not help you, as your uplink is still saturated by the traffic. You will need the help of your (upstream) provider or a (D)DoS scrubbing center to remove the (D)DoS traffic.
  • If the SIGCOMP traffic is actually just overloading your server and it is not part of your normal traffic, you can filter the traffic on your router with an access-list using the port number of the traffic.

Any other scenario needs further analysis and careful action to not block legitimate traffic while trying to filter the (D)DoS traffic.

answered 18 Jan '15, 09:12

SYN-bit ♦♦

Is it possible to block that traffic with Snort for example?

OVH already got my Wireshark logs [at] antiddos but they haven't even answered in weeks. DDOS attacks are mitigated by DDOS protection, but these "smaller" attacks don't get mitigated and I can't ban the IP (I think 90% are spoofed IPs from China or Russia). I don't have access to a router or hardware firewall; it is a dedicated Windows 2012 server with DDOS protection/mitigation included. The attacks use protocol SIGCOMP or QUIC. (QUIC is the protocol which is used with "LOIC", for example, too.)

(18 Jan '15, 20:47) appreciated
1

(I converted your "answer" to a "comment", please refer to the FAQ)

Are you able to share a capture file with the presumed DoS traffic in it? Different attacks call for different anti-ddos measures. You can upload a tracefile to www.cloudshark.org and paste the link here in a comment.

(19 Jan '15, 01:22) SYN-bit ♦♦
1

Since it is all UDP traffic, it can be spoofed very easily. The traffic you think is SIGCOMP is just interpreted by Wireshark as SIGCOMP as it is sent to a port that Wireshark dissects as SIGCOMP. In fact the data part of the packet to port 6666 (dissected as SIGCOMP) and port 6688 is 0xffffffff55 in both cases. If this is not normal traffic to your game server, then you could block udp traffic with exactly this payload (on any port).

If this can be valid traffic, then you need something more advanced like threshold based blocking or maybe even something that can follow the state of a session to your server and if a session is not established within a certain time limit, block the IP for a while.

Whether you will be able to do this with the tools at hand is another question. You might need to invest in a more advanced infrastructure to be able to protect your game-server.

(19 Jan '15, 14:10) SYN-bit ♦♦

Thanks for your analysis!

You wrote: "If this is not normal traffic to your game server, then you could block udp traffic with exactly this payload (on any port)."

That's the way I would like to try first!

The problem is the attack is too "small", so the DDOS protection from OVH can't block it. (It's a dedicated server, even with DDOS protection.)

Do you think "Snort" is the right tool for that or know another way to do so?

At first I thought I could make an ACL rule with Wireshark, but I don't think this will block the special payload?

==> I have been searching for a way to block special payloads or data sent to some ports FOR WEEKS! It would help a lot because some older game engines can be easily crashed by sending special sequences to some ports belonging to the game.

This, for example, is deadly for me. Send it to the UDP port and the gameserver will crash... or reboot. It's an attack against the game engine.

\secure\aaaaaaaaaaaaaaaaa

(and some letters more I don't want to write all in public because I have no fix and can't block it now)

So a solution to block special payloads or traffic would help in both cases I think. (at least the last one)

(19 Jan '15, 16:27) appreciated
1

Yes, snort should be able to block specific payload patterns like the one in the tracefile or the one you mentioned in your last comment.

(20 Jan '15, 10:18) SYN-bit ♦♦
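The two filtering ideas from the comments above (match the exact 5-byte UDP payload 0xffffffff55 on any port, and, where the payload could be legitimate, fall back to a per-source threshold that blocks an IP for a while) together with the Snort rules SYN-bit says should work, written out as an added example. This is not code from the thread, from Wireshark or from Snort; it assumes packets arrive as raw IPv4 datagrams without a link-layer header, and it treats the `\secure\aaaa...` crash string as a prefix match because the original post deliberately truncates it. The packet builder, the sample traffic and the Snort `sid` values are constructed for the example.

```python
"""Payload-signature and threshold filtering for UDP game-server traffic.

Added example for the thread above, not code from the original page.
Assumptions: raw IPv4 datagrams (no Ethernet header); the crash string is
only known as a prefix, so it is matched with startswith().
"""
import struct
from collections import defaultdict, deque

# Signatures taken from the thread: the 5-byte payload seen on ports 6666
# and 6688, and the crash string as posted (prefix only).
EXACT_PAYLOADS = {bytes.fromhex("ffffffff55")}
PREFIX_PAYLOADS = [b"\\secure\\aaaaaaaaaaaaaaaaa"]


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP datagram (checksums left at zero) for testing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (src, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + max(udp_len, 8)]
    return src, sport, dport, payload


def matches_signature(payload):
    """Port-independent match: exact 5-byte payload, or the crash-string prefix."""
    if payload in EXACT_PAYLOADS:
        return True
    return any(payload.startswith(p) for p in PREFIX_PAYLOADS)


class SourceThreshold:
    """Block a source for block_for seconds once it exceeds max_pkts per window.

    As the thread notes, the sources are UDP and easily spoofed, so a per-IP
    threshold alone is weak: an attacker just rotates addresses. Use it as the
    fallback for payloads that might be legitimate, after the signature match.
    """

    def __init__(self, max_pkts=50, window=1.0, block_for=60.0):
        self.max_pkts, self.window, self.block_for = max_pkts, window, block_for
        self.seen = defaultdict(deque)      # src -> timestamps inside the window
        self.blocked_until = {}             # src -> time the block expires

    def allow(self, src, now):
        if self.blocked_until.get(src, 0) > now:
            return False
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.max_pkts:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return False
        return True


def filter_packets(packets, threshold=None):
    """Verdict per packet: 'drop:signature', 'drop:threshold' or 'pass'.

    packets is an iterable of (timestamp, raw_ipv4_bytes); non-UDP passes.
    """
    threshold = threshold or SourceThreshold()
    verdicts = []
    for ts, raw in packets:
        parsed = parse_ipv4_udp(raw)
        if parsed is None:
            verdicts.append("pass")
            continue
        src, _, _, payload = parsed
        if matches_signature(payload):
            verdicts.append("drop:signature")
        elif not threshold.allow(src, ts):
            verdicts.append("drop:threshold")
        else:
            verdicts.append("pass")
    return verdicts


def snort_rules(home_net="$HOME_NET"):
    """Equivalent Snort inline (drop) rules; the sid values are placeholders."""
    prefix = PREFIX_PAYLOADS[0]
    # Backslashes must be escaped inside content:""; writing them as |5c| avoids that.
    prefix_content = prefix.decode("ascii").replace("\\", "|5c|")
    return [
        'drop udp any any -> %s any (msg:"UDP flood payload ffffffff55"; '
        'dsize:5; content:"|ff ff ff ff 55|"; depth:5; sid:1000001; rev:1;)' % home_net,
        'drop udp any any -> %s any (msg:"Game engine crash string"; '
        'content:"%s"; depth:%d; sid:1000002; rev:1;)'
        % (home_net, prefix_content, len(prefix)),
    ]


if __name__ == "__main__":
    # Constructed sample traffic: one flood packet, three normal packets from one
    # source with a deliberately low threshold, one non-UDP packet.
    flood = build_ipv4_udp("203.0.113.5", "198.51.100.10", 40000, 6688, bytes.fromhex("ffffffff55"))
    normal = build_ipv4_udp("203.0.113.7", "198.51.100.10", 40001, 27015, b"\xff\xff\xff\xffgetinfo")
    tcp = bytes([0x45]) + b"\x00" * 8 + bytes([6]) + b"\x00" * 10
    sample = [(0.0, flood), (0.0, normal), (0.1, normal), (0.2, normal), (0.3, tcp)]
    for v in filter_packets(sample, SourceThreshold(max_pkts=2, window=1.0)):
        print(v)
    print("\n".join(snort_rules()))
```

`depth:5` with `dsize:5` pins the first rule to packets whose whole payload is the 5 bytes, which is what "exactly this payload" in the comment asks for; the second rule anchors the prefix at offset 0 by giving `depth` the length of the content. Both match on any destination port, as the comment suggests, since the port only determined which Wireshark dissector got applied, not what the attacker sent.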