CS:GO DOS FIREWALL
-
Hi!
I run a CS:GO server with pfSense in front of it.
I am having issues with DDoS. Our provider does provide Anti-DDoS for most attacks, but some called "VSE" go through.
My table size looks like this:
https://prnt.sc/hph3xs
https://prnt.sc/hpgvk7
https://prnt.sc/hpgv39
The attacks still get through… Is there anything I can do to block them? They keep hogging the CPU and table size
-
pfSense is a firewall not a (D)DoS protection service.
-
I know.
But not a very good one then. I don't want it to filter DDoS.
I was digging for something like "Packet length" or packet size filtering, as most of these attacks hit the same limits.
I've blocked all ports - but it still hits… That's why (and many apparently blame pfSense).
-
If the attacks get through the provider's 'DDoS filtering' then they are on your pipe. The firewall blocks traffic from passing through the firewall. It still hits the outside interface and you still have to deal with it. If you think pfSense is a lousy firewall because it doesn't block DDoS, then you are unclear on the concepts, but feel free to try another firewall and see how well it works for you.
-
If you could mitigate a DDoS with a firewall then it would not be the problem that it is.
Analogy: your doorman (firewall) won't let bad people into your house, but he can't stop them from knocking on your door to begin with. You would need the city's (your ISP) help to keep them off your street.
-
Our provider does provide Anti-DDOS for most attacks
So your provider cannot stop the attacks. They are still not to blame. Just inefficient.
Truthfully the fault lies with those leveraging the attacks.
-
So,
To let you guys know: NO, I don't expect pfSense to "filter" DDoS attacks for me.
However, my ISP uses ArborNetworks, and most attacks get filtered without any issues.
The kind of attack hitting me is VSE (Valve Source Exploit).
These attacks use spoofed IPs; pretty much, they hit the internal IP on port 27015 (a CS:GO server).
If I block the port, I can see how it denies the traffic (please note that from now on, the internet is working fine and nothing is touched by the attack)
However, when I unblock the port, it doesn't work.
I was looking for maybe trying to block everything outside of my source country (Where all connections are made, no other people are getting in from other countries)
Or some packet length block / string block, as 99% of all of the "connections" made have the same length.
I know there's no real "filtering" for this other than on ISP level; however, I hope there's some fix to this for now, as my ISP won't be able to make the rule from their side without a quite large payment (greedy guys).
Thanks everyone who helps.
Here's a little gif of what I see when I refresh the firewall rule page of the block rule :)
https://gyazo.com/dbe1f270006011f786fcb7da4e45f964
(refreshing)
-
I was looking for maybe trying to block everything outside of my source country (Where all connections are made, no other people are getting in from other countries)
pfBlockerNG can be used to block/allow by source country.
-
Install the Suricata package for IDS.
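-
Added example, not part of any post in this thread: the thread describes the flood as spoofed-source packets to port 27015 that nearly all share one length. The script below profiles text output from `tcpdump -nn udp dst port 27015` to check both observations and to estimate how much repeat-sender (likely legitimate) traffic a length-based drop rule would also discard. The sample capture, the thresholds and the one-packet-per-source heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# tcpdump -nn line shape: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

def build_sample():
    """Constructed capture (documentation addresses), not real traffic."""
    fmt = "12:00:00.{:06d} IP {}.{} > 203.0.113.10.{}: UDP, length {}"
    rows = [("198.51.100.%d" % i, 40000 + i, 27015, 25) for i in range(1, 19)]
    rows += [("192.0.2.10", 50001, 27015, n) for n in (64, 120, 25)]
    rows += [("192.0.2.11", 50002, 27015, n) for n in (88, 97)]
    rows += [("192.0.2.12", 50003, 53, 40)]  # other port, must be ignored
    return "\n".join(fmt.format(i, *r) for i, r in enumerate(rows))

def profile(capture, port=27015, dominance=0.8, fanout=0.8):
    """Summarise UDP packets to `port`; thresholds are assumed starting points."""
    packets = [(m.group(1), int(m.group(5)))
               for m in LINE.finditer(capture) if int(m.group(4)) == port]
    if not packets:
        return None
    per_source = Counter(src for src, _ in packets)
    top_len, top_count = Counter(n for _, n in packets).most_common(1)[0]
    # Heuristic: spoofed senders show up once, real players send many packets.
    one_shot = sum(1 for c in per_source.values() if c == 1) / len(per_source)
    # Packets of the dominant length from repeat senders: likely legitimate
    # traffic that a length-based drop rule would also discard.
    collateral = sum(1 for src, n in packets
                     if n == top_len and per_source[src] > 1)
    share = top_count / len(packets)
    return {
        "packets": len(packets),
        "top_length": top_len,
        "top_share": round(share, 3),
        "sources": len(per_source),
        "one_shot_ratio": round(one_shot, 3),
        "length_rule_viable": share >= dominance,
        "looks_spoofed": one_shot >= fanout,
        "collateral_packets": collateral,
    }

if __name__ == "__main__":
    for key, value in profile(build_sample()).items():
        print(f"{key}: {value}")
```

A non-zero `collateral_packets` means real clients also send packets of the dominant length, so a rule keyed on length alone would drop some of their traffic as well.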