How to Prevent the DDoS Attacks

Introduction

Things You'll Need Throughout This Guide:

Linux Ubuntu (22.04) VDS Server

Pre-configured Warband Dedicated Server files

PuTTY program

First of all, we'll set up the Linux server with Ubuntu 22.04 Jammy Jellyfish. Higher bandwidth (e.g., a 1 Gbps uplink) and robust server hardware make the server more resilient, because a flood has to fill your link before it can hurt you. Linux servers can be given a desktop environment similar to Windows, but this guide works entirely on the command line; don't worry, you won't need a desktop interface for anything here.

Installation Steps:

1 - Purchase and start your Linux server, and connect to it over SSH with PuTTY.

1.1 Perform the necessary system updates.

1.2 Enter the commands that enable TCP SYN cookies and ping protection.

2 - Transfer the Warband server files and move to the server setup step.

2.1 Run the Warband server in a separate screen to keep your main screen available for other tasks.

2.2 Once server setup is complete, open port 7240 for UDP (only UDP is sufficient).

3 - Proceed to install Suricata, which will handle the main protection.

3.1 After installing Suricata, configure it to run in IPS (Intrusion Prevention) mode.

3.2 Finally, write the necessary protection rules (suricata.rules) for Suricata.

Optional ideas for Security:

You can write further iptables rules to control the traffic, beyond the NFQUEUE redirect this guide needs; that is not covered here.

You can also set up fail2ban to read Suricata's log file and ban the flooders' IPs automatically. I haven't added this to the guide yet.

Step 1 : Linux Server SSH Connection And Updates


--> Download PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Set up your server with Ubuntu. This guide relies on Suricata's inline mode through Linux netfilter (NFQUEUE), which does not exist on Windows, so if your VDS runs Windows, consider reinstalling it with Linux. I used Ubuntu 22.04 Jammy Jellyfish. Newer releases are still receiving frequent updates and may be less stable, though they will probably work fine. The responsibility is yours.

Note down your server information, especially the login details. Don't make the password weak because you'll be typing it often: keep a strong one in a password manager, or better, set up SSH key authentication in PuTTY and stop typing passwords altogether.

Open PuTTY, enter your server's IP address in the Host Name (or IP address) field, and select SSH as the Connection type.

Finally, click the Open button below. In the window that appears, enter your username. Next, carefully type in your password, and you will now have access to your server.

Note: if you copy commands from here and paste them into the console, a right-click in the PuTTY window pastes the clipboard; then press Enter. Ctrl + C interrupts a running command.

(you will see that if you connect successfully)

First we'll update the system with these commands, typed one by one:

sudo apt update

sudo apt upgrade

sudo apt install xfce4 xfce4-goodies

The third command installs the XFCE desktop environment. Nothing in this guide uses it, so you can skip it; a desktop on a game server only adds packages to patch and attack surface.

For the Y/N questions, press Y each time. If a dialog asks which services to restart or suggests a reboot, press Enter to accept the default.

After completing all the installations, we type

reboot

in the console and close PuTTY; the server restarts.

Once it has rebooted, connect to the server again and enable SYN flood and ping flood protection with a few commands. Run them in a root shell (this guide logs in as root); putting sudo in front of echo does not help, because the > redirection is done by your shell, not by the command.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

echo 1 > /proc/sys/net/ipv4/tcp_synack_retries

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Enter these commands one by one, and Step 1 is done. Two caveats. First, writes to /proc take effect immediately but do not survive a reboot (and this guide reboots the server later), so if you want them to stick, put the same four settings in a file under /etc/sysctl.d/. Second, these settings only affect TCP and ICMP: they protect the SSH port against SYN floods and stop the server answering ping, but they do nothing for the UDP game port, which is what Suricata is for. Ignoring all ICMP echo also means your own monitoring can no longer ping the box.
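As an added example (not part of the original guide), here is a small Python helper that does two things the echo commands above leave out: it renders the same four settings as a sysctl.d fragment so they are re-applied at boot, and it reads the live values back from /proc/sys so you can check, after the reboot later in this guide, that they are still in effect. The file name /etc/sysctl.d/99-warband-hardening.conf is an assumption; any name ending in .conf in that directory is loaded by sysctl --system.

```python
# Added example (not part of the original guide): make the four Step 1 kernel
# settings persistent and audit them after a reboot.
# Assumption: the fragment is written to /etc/sysctl.d/99-warband-hardening.conf;
# any file name ending in .conf in that directory is picked up by 'sysctl --system'.
import sys
from pathlib import Path

# The same four settings as the echo commands above, as sysctl keys.
HARDENING = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_max_syn_backlog": 2048,
    "net.ipv4.tcp_synack_retries": 1,
    "net.ipv4.icmp_echo_ignore_all": 1,
}

SYSCTL_FILE = Path("/etc/sysctl.d/99-warband-hardening.conf")  # assumed name


def render_sysctl_conf(settings=HARDENING):
    """Text of a sysctl.d fragment that re-applies the settings at every boot."""
    lines = ["# Warband server hardening, loaded at boot by 'sysctl --system'"]
    lines += [f"{key} = {value}" for key, value in sorted(settings.items())]
    return "\n".join(lines) + "\n"


def proc_path(key):
    """Map a sysctl key to the /proc/sys file the echo commands write to."""
    return Path("/proc/sys") / key.replace(".", "/")


def read_live_value(key):
    """Read the value the running kernel currently uses for a key."""
    return int(proc_path(key).read_text().strip())


def audit(settings=HARDENING, read=read_live_value):
    """Return {key: (expected, live)} for every setting that is not in effect.

    'read' is injectable so the check can be exercised without a real /proc."""
    drift = {}
    for key, expected in settings.items():
        live = read(key)
        if live != expected:
            drift[key] = (expected, live)
    return drift


if __name__ == "__main__":
    # 'write' renders the fragment (run as root, then 'sudo sysctl --system');
    # no argument audits the live kernel and exits non-zero on drift.
    if len(sys.argv) > 1 and sys.argv[1] == "write":
        SYSCTL_FILE.write_text(render_sysctl_conf())
        print(f"wrote {SYSCTL_FILE}; apply it with: sudo sysctl --system")
    else:
        drift = audit()
        for key, (expected, live) in sorted(drift.items()):
            print(f"DRIFT {key}: expected {expected}, kernel has {live}")
        print("all settings in effect" if not drift else f"{len(drift)} setting(s) drifted")
        sys.exit(1 if drift else 0)
```

Run python3 hardening.py write once as root and apply with sudo sysctl --system; after every reboot, python3 hardening.py with no argument tells you whether the kernel still has the values, which is the check the echo commands alone cannot give you.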

Step 2 : Setting Up The Warband Server And Configurations


Now that we've completed the Linux setup and connected to the server, it's time to transfer your previously prepared Warband dedicated server files (I assume you have prepared them already). Before that, compress your dedicated Warband server folder with WinRAR into a .rar file. I will name the RAR file "warbandserver", and you will see it referred to as such in this guide.

First, I open the Command Prompt (CMD) on my computer as an administrator and enter these commands :

scp "C:\Users\YOURPCNAME\Desktop\warbandserver.rar" YOURSERVERSUSERNAME@YOURSERVERIP:/root/

Replace YOURSERVERSUSERNAME with the username your hosting company gave you (root in my case), and YOURSERVERIP, after the @ symbol, with your server's IP address. The "/root/" part stays the same: it is the destination folder on the Linux server.

I had put the .rar file on my Desktop, which is why the source path looks like that. After running this command, enter your Linux server's password and the transfer starts.

After the upload, install the unrar utility so we can extract the archive:

sudo apt install unrar

Then, we use this command to extract the server files from the RAR archive :

unrar x /root/warbandserver.rar

This command will extract our server folder to its current location.

Now comes an important part: enabling the firewall and opening the game port in it. Allow SSH first, otherwise enabling ufw (whose default is to deny all incoming connections) will lock you out of the server at your next login:

sudo ufw allow 22/tcp

sudo ufw allow 7240/udp

sudo ufw enable

sudo ufw status

Enter these commands one by one (if your provider runs SSH on a port other than 22, allow that port instead). If your server uses additional ports, allow each of them the same way as 7240/udp, and check the result with sudo ufw status.

(You should see 7240/udp listed as ALLOW in the status output.)

Now it's time to install Wine. The Wine program is a compatibility layer that allows us to run Windows-based executable files (.exe) in a Linux environment. The Warband server is normally configured to run on Windows.

sudo apt install software-properties-common

sudo add-apt-repository ppa:wine/wine-builds

sudo apt update

sudo apt install --install-recommends winehq-stable

sudo apt update

sudo dpkg --add-architecture i386

sudo apt update

sudo apt install wine wine64 wine32

Enter all the commands I've provided sequentially into the console. If you encounter any errors, feel free to ask me. I'm here to help with any missing dependencies. You might receive some minor errors when you run these commands, but they won't affect the functionality of your server.

Now, we will create and configure our .sh file, which is similar to the .bat file used in Windows, to run our server.

nano ~/start_warband.sh

Enter this command in the console and put these lines into the editor that opens:

#!/bin/bash
# Start the Warband server with Wine
wine /root/warbandserver/mb_warband_dedicated.exe -r /root/warbandserver/Sample_Battle.txt -m Native

/root/warbandserver/mb_warband_dedicated.exe is the location where we extracted the RAR file. If yours is different, adjust these file paths accordingly.

/root/warbandserver/Sample_Battle.txt is the config file I use to run my server in "battle" mode, as I've never had an issue with it. Please confirm that the server files you've configured and edited also WORK FINE on Windows: if the CMD window opens there without any errors, the files are fine.

This bash file contains the same command as the .bat file we used on Windows; it is just executed through Wine. One caveat: everything in this guide runs as root, so the game server (a closed-source Windows binary under Wine) runs as root too, and any flaw in it becomes a flaw with full control of the box. A dedicated unprivileged user for the server files and the screen session is a cheap improvement.

Save and exit nano with Ctrl + O, Enter, then Ctrl + X. The key bindings are shown at the bottom of the editor.

After that, we need to grant permissions to the bash file we created.

chmod +x start_warband.sh

Paste the command into the console to make the script executable. chmod prints nothing on success, so no output means it worked.

Now we will start our Warband server. However, we won’t use the current command line for this. Since we need this command line, we will open a separate screen. This way, our server will continue running in that separate screen environment while we can continue our work in the main screen.

sudo apt-get install screen

screen -S warband

I'm creating a new screen named 'warband' with the command.

Then, we enter the following command in the screen we opened:

/root/start_warband.sh

This runs the start_warband.sh file in the root directory. Afterwards, you should see output similar to what you see when you start the server on Windows; I've also shown this in the screenshot. You can detach from the screen with Ctrl + A followed by D: press Ctrl + A, release, then press D. The server keeps running in the detached screen.

To return to the warband screen, use:

screen -r warband

And you completed the Step 2.

Step 3 : Installing And Configuring Suricata


Now, check if your Warband server is visible on the game server list. If it is, that means you haven't encountered any errors so far.

Next, we will proceed with the installation of the Suricata program.

Suricata is an open-source network IDS/IPS engine. It inspects the packets arriving at the server against rules; in IDS mode it only logs matches, while in IPS mode (inline, which on Linux is done through netfilter's NFQUEUE) it can drop or reject the matching packets.

In general, attacks on Warband servers are UDP floods. We will install Suricata and write rules to block them. Keep in mind what this can and cannot do: Suricata drops packets after they have reached your server, so it stops the flood from hurting the game process, but it cannot stop the flood from filling your uplink. If you have a very cheap, low-spec VDS (around $2-3 a month) and the attacker has 1 Gbps of bandwidth, the link itself can saturate, and only filtering upstream at your hosting provider helps with that. We simulated attacks in testing and they were stopped, but I haven't run such extreme tests against big servers yet. Like I said, the better the server, the more capacity you have.

Now, let's begin the installation of Suricata by entering the commands in order.

sudo add-apt-repository ppa:oisf/suricata-stable

Press ENTER to get past the warning.

sudo apt install suricata

And after that:

sudo systemctl enable suricata.service

The output should look something like this:

suricata.service is not a native service, redirecting to systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable suricata

After this command, Suricata is registered as a service and will start automatically at every boot, without manual startup.

Before continuing, stop Suricata with the following command:

sudo systemctl stop suricata.service

The installation is complete. Now we will configure Suricata for the first time.

sudo nano /etc/suricata/suricata.yaml

This command opens the Suricata configuration file.

Find the line that says # Community Flow ID on line 120. You can use the Ctrl + W command to search.

. . .

# Community Flow ID

# Adds a 'community_id' field to EVE records. These are meant to give

# records a predictable flow ID that can be used to match records to

# output of other tools such as Zeek (Bro).

#

# Takes a 'seed' that needs to be same across sensors and tools

# to make the id less predictable.

# enable/disable the community id feature.

community-id: true

. . .

This setting must read true. (The community ID only adds a community_id field to EVE JSON records so they can be correlated with other tools such as Zeek; it is not needed for dropping traffic, but it is harmless and useful if you ever export the logs.)

Now we come to an important part: finding the name of the server's network interface.

Type the command:

ip -p -j route show default

[ {

"dst": "default",

"gateway": "203.0.113.254",

"dev": "eth0",

"protocol": "static",

"flags": []

} ]

The output should look like this. The "dev" field shows your interface name, here eth0.

You can also type ip address in the console and find the line showing inet followed by your server's IP (for example inet 31.31.31.216/24); the interface name is at the start of that block, in my case 2: ens190.

Now open the configuration file again with the following command:

sudo nano /etc/suricata/suricata.yaml

In the search section, look for af-packet.

# Linux high speed capture support

af-packet:

- interface: eth0

# Number of receive threads. "auto" uses the number of cores

#threads: auto

# Default clusterid. AF_PACKET will load balance packets based on flow.

cluster-id: 99

. . .

Change eth0 in the interface: eth0 line to your own interface name. The af-packet section tells Suricata which interface to capture packets on.

You will also find a copy-mode: setting under af-packet. Leave it as it is. Setting copy-mode to ips is for af-packet inline mode, which needs a second interface (copy-iface) to bridge traffic between, and it is not what this guide ends up using: the final step switches Suricata to NFQUEUE, which works on a single interface.

Now, before adding the necessary protection rules to the rules file, let's run Suricata once to test whether we get the correct output.

Enter this command into the console:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

21/10/2024 -- 15:00:40 - <Info> - Running suricata under test mode

21/10/2024 -- 15:00:40 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode

21/10/2024 -- 15:00:40 - <Info> - CPUs/cores online: 2

21/10/2024 -- 15:00:40 - <Info> - fast output device (regular) initialized: fast.log

21/10/2024 -- 15:00:40 - <Info> - eve-log output device (regular) initialized: eve.json

21/10/2024 -- 15:00:40 - <Info> - stats output device (regular) initialized: stats.log

21/10/2024 -- 15:00:46 - <Info> - 1 rule files processed. 23879 rules successfully loaded, 0 rules failed

21/10/2024 -- 15:00:46 - <Info> - Threshold config parsed: 0 rule(s) found

21/10/2024 -- 15:00:47 - <Info> - 23882 signatures processed. 1183 are IP-only rules, 4043 are inspecting packet payload, 18453 inspect application layer, 107 are decoder event only

21/10/2024 -- 15:01:13 - <Notice> - Configuration provided was successfully loaded. Exiting.

21/10/2024 -- 15:01:13 - <Info> - cleaning up signature grouping structure... complete

You should receive output similar to this. If a command doesn't return on its own, you can stop it with Ctrl + C.

Now start the service:

sudo systemctl start suricata.service

Then check its status:

sudo systemctl status suricata.service

● suricata.service - LSB: Next Generation IDS/IPS

Loaded: loaded (/etc/init.d/suricata; generated)

Active: active (running) since Thu 2021-10-21 18:22:56 UTC; 1min 57s ago

Docs: man:systemd-sysv-generator(8)

Process: 22636 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

Tasks: 8 (limit: 2344)

Memory: 359.2M

CGroup: /system.slice/suricata.service

└─22656 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

Oct 21 18:22:56 suricata systemd[1]: Starting LSB: Next Generation IDS/IPS...

Oct 21 18:22:56 suricata suricata[22636]: Starting suricata in IDS (af-packet) mode... done.

Oct 21 18:22:56 suricata systemd[1]: Started LSB: Next Generation IDS/IPS.

We should see an output indicating active (running).

Final Step : Completing The Installation With IPS System


Now, let's go to the final step: switching Suricata to IPS (Intrusion Prevention System) mode and adding the rules.

Enter the following commands one by one (jq is a command-line JSON tool; it is handy for reading Suricata's eve.json log, where each alert is written as one JSON object with the source IP, the rule ID and whether the packet was dropped):

sudo apt update

sudo apt install jq

Then open the rules file:

sudo nano /var/lib/suricata/rules/suricata.rules

and append these rules at the end of the file. Note: suricata.rules is generated by suricata-update, and the next time you run that tool it overwrites your additions. If you plan to keep the Emerging Threats rules updated, put the rules below in their own file instead (for example /etc/suricata/rules/local.rules, listed under rule-files: in suricata.yaml) so they survive updates.

# UDP flood protection for Warband servers
# Replace 31.57.156.216 with your own server IP. Each rule is one line.
# Rule 1: once a source exceeds 55 UDP packets in one second, drop every further packet from it until the second is up
drop udp any any -> 31.57.156.216 any (msg:"UDP FLOOD ATTACK Detected - High packets per source"; flow:stateless; detection_filter:track by_src, count 55, seconds 1; classtype:denial-of-service; sid:2000001; rev:1;)
# Rule 2: drop oversized UDP packets (payload over 1500 bytes)
drop udp any any -> 31.57.156.216 any (msg:"UDP FLOOD ATTACK Detected - Rejecting packet size over 1500 bytes"; dsize:>1500; classtype:denial-of-service; sid:2000007; rev:1;)
# Rule 3: drop fragmented UDP once a source sends more than 55 fragments in one second
drop udp any any -> 31.57.156.216 any (msg:"UDP FLOOD ATTACK Detected - Fragmented packets"; flow:stateless; fragbits:M; detection_filter:track by_src, count 55, seconds 1; classtype:denial-of-service; sid:2000003; rev:1;)

Let's save this by pressing Ctrl + O, than ENTER, and finally close the screen with Ctrl + X.

Let me summarize. If a source IP sends more than 55 UDP packets within one second, Suricata drops every further packet from that IP for the rest of that second, which keeps the server from being congested; the detection_filter keyword counts matches per source and, once the count is exceeded inside the window, lets the rule fire (and therefore drop) on every further packet, whereas a plain threshold would only act on the single packet that crossed the line and let the rest through. The second rule drops unusually large packets, anything with a UDP payload over 1500 bytes. The third rule drops fragmented packets from a source that sends more than 55 of them per second. After saving, run the test command from Step 3 again (sudo suricata -T -c /etc/suricata/suricata.yaml -v) to make sure the rules load with 0 failures.

Important note on "count 55, seconds 1": if you lower this packet count, Suricata will drop normal players' packets and they will see packet loss. With 55 packets in 1 second there is no problem; a normal player can't send you more than 55 packets per second.

Now, enter the following command:

sudo nano /etc/default/suricata

. . .

# LISTENMODE=af-packet

LISTENMODE=nfqueue

. . .

In the file that opens, comment out the line starting with LISTENMODE=af-packet by putting a # at the beginning and add LISTENMODE=nfqueue below it. This listen mode is what lets Suricata run as an IPS. In af-packet mode on a single interface, Suricata only watches a copy of the traffic, so a drop rule is merely logged as if it had dropped; with nfqueue, iptables hands the packets to Suricata and they only reach the server if Suricata accepts them, so the drop really takes effect.

Now, press Ctrl + O, then ENTER, and finally Ctrl + X to close the file.

and Restart the Suricata:

sudo systemctl restart suricata.service

And then run this command:

sudo systemctl status suricata.service

Output should be like this:

● suricata.service - LSB: Next Generation IDS/IPS

Loaded: loaded (/etc/init.d/suricata; generated)

Active: active (running) since Wed 2021-12-01 15:54:28 UTC; 2s ago

Docs: man:systemd-sysv-generator(8)

Process: 1452 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

Tasks: 12 (limit: 9513)

Memory: 63.6M

CGroup: /system.slice/suricata.service

└─1472 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -D -vvv

Dec 01 15:54:28 suricata systemd[1]: Starting LSB: Next Generation IDS/IPS...

Dec 01 15:54:28 suricata suricata[1452]: Starting suricata in IPS (nfqueue) mode... done.

Dec 01 15:54:28 suricata systemd[1]: Started LSB: Next Generation IDS/IPS.

You must see these two lines in the output:

Active: active (running) and Starting suricata in IPS (nfqueue) mode... done.

Now we will add iptables rules so that UDP packets to and from port 7240 are handed to Suricata's NFQUEUE queue (queue 0, matching the -q 0 in the status output above). Packets Suricata accepts are reinjected and reach the server; packets that match a drop rule never do.

If you don't remember your interface name, type the ip address command and look it up as shown before.

Enter the following commands, replacing YOURINTERFACENAME with your actual interface name:

sudo iptables -I INPUT -i YOURINTERFACENAME -p udp --dport 7240 -j NFQUEUE

sudo iptables -I OUTPUT -o YOURINTERFACENAME -p udp --sport 7240 -j NFQUEUE

After these two commands, incoming and outgoing UDP traffic on port 7240 goes through Suricata; everything else (SSH included) is untouched. Two things to know: -I puts the rule at the top of the chain, ahead of ufw's own rules, which is what you want here; and an NFQUEUE rule with nobody listening on the queue drops the packets, so if the Suricata service stops, your game port goes dark until you start it again (the --queue-bypass option on the NFQUEUE rule would instead let the traffic through unfiltered; decide which failure you prefer).

Now we need a package that saves the iptables rules so they survive a reboot:

sudo apt-get install iptables-persistent

Type this to install it. Then enter these commands in order:

sudo netfilter-persistent save

sudo netfilter-persistent reload

Whenever you add or change an iptables rule, use these two commands to save and reload the rules.

Finally, type reboot in the console to restart, then log back into the server with PuTTY. Remember that the /proc settings from Step 1 are gone after a reboot unless you made them persistent.

Restart Suricata once (suricata and suricata.service name the same unit, so one command is enough):

sudo systemctl restart suricata.service

Then:

sudo systemctl status suricata.service

Make sure it is active and in IPS (nfqueue) mode. After viewing the status, exit the pager with Q (Ctrl + C also works).

If you want to see the printed logs, use the log viewing command:

sudo tail /var/log/suricata/fast.log

If nothing has been logged yet, the output is empty.

To clear the log, use:

sudo truncate -s 0 /var/log/suricata/fast.log

When flood packets are caught and dropped, fast.log gets one line per dropped packet marked [Drop], containing the rule's msg text, its sid and the source and destination addresses, so you can see which IP is flooding you (during a real flood this file grows quickly). eve.json in the same directory holds the same alerts as JSON, with "action":"blocked" for dropped packets.
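The introduction mentions banning flooders automatically from Suricata's log; as an added example (not part of the original guide), here is a Python script that does the manual version of that from eve.json: it counts the packets the three flood rules above actually dropped per source IP, and prints an iptables command for each source over a ban threshold. The eve.json lines embedded in it are constructed for the example, and the default ban threshold and interface name are assumptions.

```python
# Added example (not part of the original guide): triage Suricata's eve.json
# for packets the flood rules dropped and build iptables ban commands for the
# worst offenders. The eve.json sample below is constructed; the ban threshold
# (min_hits) and the interface name are assumptions, override them on the CLI.
import json
import sys
from collections import Counter

FLOOD_SIDS = {2000001, 2000003, 2000007}  # sids of the three Warband flood rules
GAME_PORT = 7240

# Constructed eve.json sample: three blocked alerts from one source, one from
# another, an alert Suricata only logged (action "allowed"), a flow record,
# and a torn last line such as you get while Suricata is still writing.
SAMPLE_EVE = """\
{"timestamp":"2024-10-21T15:02:01.000001+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":1,"signature":"UDP FLOOD ATTACK Detected - High packets per source","category":"Detection of a Denial of Service Attack","severity":2}}
{"timestamp":"2024-10-21T15:02:01.000530+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":1,"signature":"UDP FLOOD ATTACK Detected - High packets per source","category":"Detection of a Denial of Service Attack","severity":2}}
{"timestamp":"2024-10-21T15:02:02.100000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40002,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2000007,"rev":1,"signature":"UDP FLOOD ATTACK Detected - Rejecting packet size over 1500 bytes","category":"Detection of a Denial of Service Attack","severity":2}}
{"timestamp":"2024-10-21T15:02:03.000000+0000","event_type":"alert","src_ip":"192.0.2.44","src_port":5555,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2000003,"rev":1,"signature":"UDP FLOOD ATTACK Detected - Fragmented packets","category":"Detection of a Denial of Service Attack","severity":2}}
{"timestamp":"2024-10-21T15:02:04.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":53,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2999999,"rev":1,"signature":"Constructed non-flood alert (logged only)","category":"Misc activity","severity":3}}
{"timestamp":"2024-10-21T15:02:05.000000+0000","event_type":"flow","src_ip":"203.0.113.9","src_port":53,"dest_ip":"31.57.156.216","dest_port":7240,"proto":"UDP"}
{"timestamp":"2024-10-21T15:02:06.000000+0000","event_type":"alert","src_ip":"198.51.100.7"
"""


def iter_alerts(lines):
    """Yield every well-formed alert event; skip flow/stats records and torn lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line at the end of the file
        if event.get("event_type") == "alert":
            yield event


def dropped_per_source(lines, sids=FLOOD_SIDS):
    """Count packets the flood rules really dropped ("blocked"), keyed by source IP."""
    hits = Counter()
    for event in iter_alerts(lines):
        alert = event.get("alert", {})
        if alert.get("action") == "blocked" and alert.get("signature_id") in sids:
            hits[event["src_ip"]] += 1
    return dict(hits)


def ban_commands(hits, min_hits, iface):
    """iptables commands for sources with at least min_hits drops, worst first.

    -I puts the ban at the top of INPUT, ahead of the NFQUEUE rule, so banned
    traffic is discarded by the kernel and never costs Suricata any work."""
    offenders = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -I INPUT -i {iface} -s {ip} -p udp --dport {GAME_PORT} -j DROP"
            for ip, count in offenders if count >= min_hits]


if __name__ == "__main__":
    # usage: python3 flood_triage.py [eve.json] [min_hits] [iface]
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    min_hits = int(sys.argv[2]) if len(sys.argv) > 2 else 100  # assumed threshold
    iface = sys.argv[3] if len(sys.argv) > 3 else "eth0"        # assumed interface
    with open(path, encoding="utf-8") as fh:
        hits = dropped_per_source(fh)
    for ip, count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{count:8d} dropped  {ip}")
    for cmd in ban_commands(hits, min_hits, iface):
        print(cmd)
```

Run it as sudo python3 flood_triage.py /var/log/suricata/eve.json 100 ens190 and review the printed commands before executing them; if you keep a ban, follow it with sudo netfilter-persistent save. Two caveats: UDP source addresses can be forged, so an attacker who learns you ban by source IP can send spoofed packets to get legitimate players' addresses banned, which is why the threshold should be high and bans short-lived; and the script reads the whole file, so truncate or rotate eve.json as you do fast.log.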

And thats all!

Re-enter the screen you created by typing screen -r warband and start again your Warband server if its closed.

If you want to learn about more information about Suricata program you can visit these URL's :

https://docs.suricata.io/en/latest/what-is-suricata.html

https://suricata.io

The version you are working with may not match the version used in the documentation. Be careful!

Ensure that your Warband server is visible in the warband server list and make sure its playable. Have fun!

Source: https://steamcommunity.com/sharedfiles/filedetails/?id=3355637119					
