Posted to dev@mina.apache.org by stork <te...@gmail.com> on 2007/10/22 15:32:25 UTC

DoS attack to a MINA server

Hi, I'm running a game server using the MINA framework, and unfortunately
it's being subject to a lot of DoS attacks. It's a very simple attack - the
game port is opened, and random data is written, and eventually all the
sockets fill up and the server can receive no more connections.
What can I do about this?
-- 
View this message in context: http://www.nabble.com/DoS-attack-to-a-MINA-server-tf4670535s16868.html#a13342276
Sent from the Apache MINA Support Forum mailing list archive at Nabble.com.


Re: DoS attack to a MINA server

Posted by mat <fo...@gmail.com>.
I believe most firewalls can prevent the DoS. You can do some research
on that.

On 10/22/07, Mark <el...@gmail.com> wrote:
>
> There are a couple of filters that will help out with this.  Not sure
> what version you are using, but the trunk has a BlacklistFilter and a
> ConnectionThrottleFilter.
>
> Sounds like ConnectionThrottleFilter would work best for you.
>
> If you are using a version < 2.0, then you could 'port' the
> ConnectionThrottleFilter for you.
>
> --
> --------------------------------
> The adjuration to be "normal" seems shockingly repellent to me; I see
> neither hope nor comfort in sinking to that low level. I think it is
> ignorance that makes people think of abnormality only with horror and
> allows them to remain undismayed at the proximity of "normal" to
> average and mediocre. For surely anyone who achieves anything is,
> essentially, abnormal.
>     Dr. Karl Menninger
>

Re: DoS attack to a MINA server

Posted by Mark <el...@gmail.com>.
Thanks.  I will take a look at that.


On 10/22/07, stork <te...@gmail.com> wrote:
>
> I think there's a problem with ConnectionThrottleFilter. In fact, I'm sure of
> it.
> See protected boolean isConnectionOk(IoSession session): if the map contains
> the client's address, it sets the client's last connected time _before_ it
> retrieves the connected time, leading the method to always return false.
>

Re: DoS attack to a MINA server

Posted by Mark <el...@gmail.com>.
I just updated the trunk to fix that problem...

On 10/22/07, stork <te...@gmail.com> wrote:
>
> I think there's a problem with ConnectionThrottleFilter. In fact, I'm sure of
> it.
> See protected boolean isConnectionOk(IoSession session): if the map contains
> the client's address, it sets the client's last connected time _before_ it
> retrieves the connected time, leading the method to always return false.

Re: DoS attack to a MINA server

Posted by stork <te...@gmail.com>.
I think there's a problem with ConnectionThrottleFilter. In fact, I'm sure of
it.
See protected boolean isConnectionOk(IoSession session): if the map contains
the client's address, it sets the client's last connected time _before_ it
retrieves the connected time, leading the method to always return false.


elihusmails wrote:
> 
> There are a couple of filters that will help out with this.  Not sure
> what version you are using, but the trunk has a BlacklistFilter and a
> ConnectionThrottleFilter.
> 
> Sounds like ConnectionThrottleFilter would work best for you.
> 
> If you are using a version < 2.0, then you could 'port' the
> ConnectionThrottleFilter for you.

-- 
View this message in context: http://www.nabble.com/DoS-attack-to-a-MINA-server-tf4670535s16868.html#a13349036
Sent from the Apache MINA Support Forum mailing list archive at Nabble.com.
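
The ordering problem reported in the message above, as an added example: this is a simplified model written for this page, not MINA's ConnectionThrottleFilter source. The String address key, the 1000 ms interval and the method names with Buggy/Fixed suffixes are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of a per-address connection throttle; not MINA's source. */
public class ThrottleOrderDemo {
    static final long ALLOWED_INTERVAL_MS = 1000; // assumed minimum gap between connects

    private final Map<String, Long> lastConnect = new HashMap<>();

    /** Ordering described in the post: overwrite the timestamp, then read it back. */
    boolean isConnectionOkBuggy(String addr, long now) {
        if (lastConnect.containsKey(addr)) {
            lastConnect.put(addr, now);               // previous time is lost here
            long last = lastConnect.get(addr);        // reads the value just written
            return now - last >= ALLOWED_INTERVAL_MS; // 0 >= interval is never true
        }
        lastConnect.put(addr, now);
        return true;
    }

    /** Corrected ordering: fetch the previous time, then record the new one. */
    boolean isConnectionOkFixed(String addr, long now) {
        // put() returns the previous mapping, so read and update cannot be reordered.
        // Rejected attempts are recorded too, so a hammering client stays throttled.
        Long last = lastConnect.put(addr, now);
        return last == null || now - last >= ALLOWED_INTERVAL_MS;
    }

    public static void main(String[] args) {
        ThrottleOrderDemo buggy = new ThrottleOrderDemo();
        ThrottleOrderDemo fixed = new ThrottleOrderDemo();
        long[] connectTimes = {0, 200, 5000, 60000}; // constructed timestamps in ms
        for (long t : connectTimes) {
            System.out.printf("t=%6d  buggy=%-5b fixed=%b%n", t,
                    buggy.isConnectionOkBuggy("203.0.113.7", t),
                    fixed.isConnectionOkFixed("203.0.113.7", t));
        }
    }
}
```

With the buggy ordering, a legitimate client that has connected once is refused on every later attempt, so the throttle itself becomes a denial of service against real users.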


Re: DoS attack to a MINA server

Posted by Michael Grundvig <mi...@electrotank.com>.
I assume you are doing this as well, but you need to drop "bad" connections 
as quickly as possible. Any aberrant behavior should be logged and stopped 
fast. In your case, you could detect a protocol error due to the bad data 
and drop them. Then keep a running tab of their IP in memory, the number of 
protocol errors they have caused and when they caused them. Then with a bit 
of a sliding-window-style algorithm you can determine if they are causing 
too many errors too frequently and add them to the blacklist filter 
automatically. Once the window has slid past their errors, you can even 
remove them from the blacklist filter automatically. If done properly, you 
can stop hackers in their tracks without lifting a finger. This model is 
used in some "healing" firewalls IIRC.

Once you start blocking these attacks, your hackers will get smarter 
(maybe). Another DoS attack to watch for then is where they use your 
protocol correctly but fire off too many connections. The 
ConnectionThrottleFilter is good for this. You can also get burned when they 
use your protocol correctly but send messages that are too big. For 
instance, if you have a "payload" area in your protocol, make certain they 
can't just keep sending data in that payload. You need to have a cap 
somewhere. I worked on a project years ago where this occurred: a bug in the 
system allowed an unlimited-size payload but still tried to manage it in 
memory. Large payloads would OOM the server every time. Nasty bug that can 
be very hard to track down if a hacker is doing it. Every time you reboot, 
they can simply OOM you again.

Good luck!

Mike

----- Original Message ----- 
From: "Mark" <el...@gmail.com>
To: <de...@mina.apache.org>
Sent: Monday, October 22, 2007 9:11 AM
Subject: Re: DoS attack to a MINA server


> There are a couple of filters that will help out with this.  Not sure
> what version you are using, but the trunk has a BlacklistFilter and a
> ConnectionThrottleFilter.
>
> Sounds like ConnectionThrottleFilter would work best for you.
>
> If you are using a version < 2.0, then you could 'port' the
> ConnectionThrottleFilter for you.

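A sketch of the sliding-window error tracking described in the message above, added here as an example and not taken from the post's author or from MINA. The class name, the String address key and the thresholds are assumptions; the returned flag is what would drive adding the address to, or removing it from, a blacklist.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Per-address sliding window of protocol errors (hypothetical helper). */
public class ProtocolErrorWindow {
    private final long windowMs;
    private final int maxErrors;
    private final Map<String, Deque<Long>> errors = new HashMap<>();

    ProtocolErrorWindow(long windowMs, int maxErrors) {
        this.windowMs = windowMs;
        this.maxErrors = maxErrors;
    }

    /** Call when decoding fails; returns true if the address should now be blocked. */
    synchronized boolean recordError(String addr, long now) {
        Deque<Long> q = errors.computeIfAbsent(addr, k -> new ArrayDeque<>());
        q.addLast(now);
        // Keep at most maxErrors + 1 timestamps so the tracker cannot be grown without bound.
        if (q.size() > maxErrors + 1) q.pollFirst();
        return isBlocked(addr, now);
    }

    /** Blocked while more than maxErrors errors fall inside the window. */
    synchronized boolean isBlocked(String addr, long now) {
        Deque<Long> q = errors.get(addr);
        if (q == null) return false;
        while (!q.isEmpty() && now - q.peekFirst() > windowMs) q.pollFirst();
        if (q.isEmpty()) { errors.remove(addr); return false; } // forget quiet addresses
        return q.size() > maxErrors;
    }

    public static void main(String[] args) {
        ProtocolErrorWindow w = new ProtocolErrorWindow(10_000, 3);
        String addr = "198.51.100.23";                 // constructed sample address
        long[] errorTimes = {0, 1000, 2000, 3000};     // constructed error timestamps in ms
        for (long t : errorTimes) {
            System.out.println("error at " + t + " -> blocked=" + w.recordError(addr, t));
        }
        // Still inside the window: stays blocked.
        System.out.println("t=9000  blocked=" + w.isBlocked(addr, 9_000));
        // The first error has slid out of the window: the block lifts on its own.
        System.out.println("t=10500 blocked=" + w.isBlocked(addr, 10_500));
    }
}
```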

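The payload cap mentioned in the message above, as an added example that is not code from the post or from MINA. The wire format (4-byte big-endian length followed by the payload), the 64 KiB limit and all names are assumptions.

```java
import java.nio.ByteBuffer;

/** Length-prefixed frame reader that refuses oversized payloads before buffering them. */
public class CappedFrameReader {
    static final int MAX_PAYLOAD = 64 * 1024; // assumed cap; size it to the largest legal message

    static class BadFrameLengthException extends Exception {
        BadFrameLengthException(int declared) {
            super("declared payload length " + declared + " is outside 0.." + MAX_PAYLOAD);
        }
    }

    /**
     * Returns the next payload, or null if more bytes are needed.
     * Assumed wire format: 4-byte big-endian length, then that many payload bytes.
     */
    static byte[] readFrame(ByteBuffer in) throws BadFrameLengthException {
        if (in.remaining() < 4) return null;
        in.mark();
        int len = in.getInt();
        if (len < 0 || len > MAX_PAYLOAD) {
            throw new BadFrameLengthException(len); // reject before allocating anything
        }
        if (in.remaining() < len) {
            in.reset(); // incomplete frame: rewind and wait for more data
            return null;
        }
        byte[] payload = new byte[len];
        in.get(payload);
        return payload;
    }

    public static void main(String[] args) throws Exception {
        ByteBuffer ok = ByteBuffer.allocate(16).putInt(5).put("hello".getBytes());
        ok.flip();
        System.out.println(new String(readFrame(ok)));

        // Constructed hostile header: claims a payload of about 2 GiB.
        ByteBuffer hostile = ByteBuffer.allocate(4).putInt(Integer.MAX_VALUE);
        hostile.flip();
        try {
            readFrame(hostile);
        } catch (BadFrameLengthException e) {
            System.out.println("dropping connection: " + e.getMessage());
        }
    }
}
```
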
Re: DoS attack to a MINA server

Posted by Mark <el...@gmail.com>.
There are a couple of filters that will help out with this.  Not sure
what version you are using, but the trunk has a BlacklistFilter and a
ConnectionThrottleFilter.

Sounds like ConnectionThrottleFilter would work best for you.

If you are using a version < 2.0, then you could 'port' the
ConnectionThrottleFilter for you.

On 10/22/07, stork <te...@gmail.com> wrote:
>
> Hi, I'm running a game server using the MINA framework, and unfortunately
> it's being subject to a lot of DoS attacks. It's a very simple attack - the
> game port is opened, and random data is written, and eventually all the
> sockets fill up and the server can receive no more connections.
> What can I do about this?