- Category: Blog
- Written by Constantin Oesterling
- Hits: 4844
SA:MP (San Andreas Multiplayer) DDoS Protection
Table of Contents
- What Is GTA SA-MP?
- How to Create a SA-MP Server on Linux
- What Is SA-MP DDoS?
- Do I Need DDoS Protection for SA-MP?
- How to Protect SA-MP From DDoS
- SA-MP Anti DDoS IPTables Rules
- DDoS Protected SA-MP Hosting
DDoS attacks targeting SA-MP servers are posing a major threat to the online gaming community. Once the game server draws attention and attracts more players than other servers, it becomes the target of cyber attacks, such as DoS and DDoS attacks.
If the game server operators find themselves in the situation that their server is being attacked by competitors, they need a permanent solution to keep their server online and the players happy and not become a victim of these cyber criminals.
In this article we’ll show you what you can do to protect your SAMP from DDoS and run (or keep running) a successful GTA SA:MP server. It will teach you about:
- What SAMP is
- How to set up a SAMP server
- SAMP DDoS tools
- SA-MP anti DDoS strategies
SA-MP stands for “San Andreas: Multiplayer” and is an unofficial multiplayer (MMO) mod for Rockstar’s Grand Theft Auto: San Andreas (GTA: SA). It’s free to operate a SAMP server, but it requires the GTA: SA DVD for players to join.
The first public version 0.1 of the mod was published in May 2006 on SA-MP.com and got heavily improved, extended and popular over time. The current version is 0.3.7 and was published almost exactly 9 years after the first release.
At the time of writing there are almost 4,000 SA-MP servers online and about ten times as many players, and it’s just morning! That’s quite a lot of attention considering that it’s not even an official part of GTA: SA.
If you want to run your own San Andreas Multiplayer server, we strongly recommend to use Linux for it, although there is a Windows server version too. At first you have to select an operating system. While Ubuntu will work nicely, we would recommend that you use CentOS 7 instead. CentOS 7 is a Linux distribution based on Red Hat Enterprise Linux, which offers great performance improvements over CentOS 6 and will be just perfect to run your San Andreas Multiplayer server.
Let’s not beat around the bush and proceed with the commands you need to run to quickly set up a SAMP 0.3.7 R2 server on CentOS 7.
You should be logged in as “root” and first run the following command to open port 7777 UDP, which is the default game port that players will connect to:
firewall-cmd --permanent --zone=public --add-port=7777/udp systemctl firewalld reload
Note: Each line is a separate command
Next we make sure our system is up to date and the packages that we need are installed:
yum -y update yum -y install libstdc++.i686 glibc.i686 wget tar
Now it’s always a good idea to run applications under any system user that’s not root. So let’s create a new user that we can run the SAMP server under. Let’s call that user “sampy” and switch to it right after creating it:
adduser sampy su sampy -
That’s it already - the default shell is already Bash, which is fine. Now let’s get to installing the actual SA-MP server using our new user which we just switched to from root with the last command above (hint: you can check which user you’re using with the command “whoami”):
cd ~ wget -O ~/samp.tar.gz http://files.sa-mp.com/samp037svr_R2-1.tar.gz tar xfvz samp.tar.gz cd samp03 sed -i 's/rcon_password changeme/rcon_password s3cr3t/' server.cfg ./samp03svr &
This will change your RCON password to “s3cr3t” and start the San Andreas Multiplayer server in the background. If you want to use a different RCON password or change any other setting of your server, simply open the file named “server.cfg” with a text editor such as “vim” or “nano” and edit it accordingly.
If you want to stop your SA-MP server, just run the command:
killall -9 samp03svr
These are just a few limited instructions on how to get a basic SAMP server running on CentOS 7. If you need more information, you should check the official installation instructions.
Mostly due to competition between server operators, SAMP is a popular target of so-called DDoS attacks, which stands for Distributed Denial of Service attack. A DDoS attack is a flood of network packets designed to make the target unresponsive, ie. bring down the game server. There are even specific attack tools that simulate legitimate game traffic of SAMP.
Now for a small demonstration let’s look at a DoS tool called DOSaMp03z, which is designed to bring down a SAMP server.
DOSaMp03z generates UDP protocol network packets similar to the ones used by the legitimate game client. The tool allows you to select a target host and target port and then it starts flooding the server with bogus packets like the ones below. In this example 192.168.2.20 is the source of the attack and 192.168.2.30 is the game server:
15:23:14.971862 IP (tos 0x0, ttl 128, id 15287, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.972096 IP (tos 0x0, ttl 128, id 15288, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.972540 IP (tos 0x0, ttl 128, id 15289, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.972984 IP (tos 0x0, ttl 128, id 15290, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.973308 IP (tos 0x0, ttl 128, id 15291, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.973634 IP (tos 0x0, ttl 128, id 15292, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 15:23:14.974045 IP (tos 0x0, ttl 128, id 15293, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576
The full packet in ASCII looks like this:
15:30:27.755385 IP (tos 0x0, ttl 128, id 13223, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.56776 > 192.168.2.30.7777: [udp sum ok] UDP, length 576 E..\3......z...5...2...a.H6..RI.7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.ZL..>L.M.L.-&;.]... ...7.....X..y..Y/..L.y.L...L.Y.L.LSL.L.Ls;.L&.Z
The effect this has on the SA-MP server is that it gets confused by these packets and starts utilizing 100% of the CPU resources until it crashes or drops players.
The tool we selected to showcase this attack is a quite dumb one - continue reading to find out why and how to block this - but there are more sophisticated DDoS tools out there that can’t be blocked as easily.
We already learned that SAMP is a popular target of DDoS attacks. So if you run a SAMP server, it is very likely that someone will attack it sooner or later. If you find yourself in this situation, you need DDoS protection for your SAMP server. SAMP DDoS protection is nothing that every hosting provider can offer, due to the very specific attack tools that servers are being hit with.
Most provider who offer DDoS protection with their hosting services only protect against very generic network layer attacks, such as SYN floods and DNS amplification attacks to name only a few of the many attack methods that hackers have at their disposal.
While this generic sort of protection might be sufficient for online services that just want some sort of insurance or are only under attack from time to time, they will quickly reach their limits when it comes to sophisticated application layer attacks that mimic the legitimate protocol traffic of an application, like the DoS attack tools for SAMP.
This means that a SAMP game server operator will likely face major issues with off the shelf solution by larger hosting and DDoS protection providers sooner or later. That’s why instead of using an unprotected network or a mainstream DDoS protection provider, it makes sense to select a provider that can actually offer application specific anti DDoS filtering for SAMP. This makes sure that you don’t wake up to any bad surprises later on once your game server is popular enough.
While you can use iptables rules like the ones we’ll be discussing now to mitigate some of the DoS packets that SAMP DDoS tools generate, they won’t help a lot against larger attacks. There are many larger scale attacks, such as NTP amplification and SYN flood attacks, that you can’t deal with directly on your server, because they’re simply too large for it.
However you can block a few of these attacks with iptables, so let’s see how.
Earlier we looked into how the attack traffic of a SAMP DoS tool called DOSaMp03z looks like, remember?
15:23:14.973634 IP (tos 0x0, ttl 128, id 15292, offset 0, flags [none], proto UDP (17), length 604) 192.168.2.20.58602 > 192.168.2.30.7777: [udp sum ok] UDP, length 576
Luckily this attack is easy to block, because it has very distinct patterns that the legitimate game traffic doesn’t have. Are you able to spot them?
Here’s a little help: every bad packet has a TTL value of 128 and a length of 604. Neither of these patterns occur with legitimate game packets, which means they can be used to distinguish and block the DoS attack traffic, while letting through the good packets.
While it’s probably safe to use either pattern to block this attack, we want to be completely sure it doesn’t affect any legitimate players and therefore we’re only going to block packets that match both patterns.
Anti DDoS SAMP rules for IPTables:
iptables -N SAMP-DDOS iptables -A INPUT -p udp --dport 7777 -m ttl --ttl-eq=128 -j SAMP-DDOS iptables -A SAMP-DDOS -p udp --dport 7777 -m length --length 17:604 -j DROP
What these rules do is they first create a new iptables chain called “SAMP-DDOS”. Then there is a rules that matches all UDP packets with destination port 7777 (which is our game port) and a TTL (Time To Live) of 128 and forwards them to the “SAMP-DDOS” iptables chain. In that chain there is a second rule that matches all packets with protocol number 17 and a length of 604 and drops them.
Effectively this means that these iptables anti DDoS rules will drop all UDP packets towards port 7777 that have a TTL of 128 and a length of 604, which all packets generated by that particular DoS tool have.
If you want to also block another well known DDoS tool called UDP Unicorn, which is a bit more advanced, you can just block all UDP packets with a TTL of 128, because that's the pattern that every attack initiated with UDP Unicorn has. This means that you would want to use a more generic version of the anti DDoS rule above to block this DoS tool too, i.e. just:
iptables -A INPUT -p udp -m ttl --ttl-eq=128 -j DROP
In addition to the above rules you can also try to limit UDP packets per source IP address with your game port as destination. This is a type of iptables rule that people very often suggest to mitigate the effects of a DoS, but actually chances are that it doesn’t help much against attacks and could also affect legit game traffic. So if you must you can try the below rule and maybe it helps against one or two attacks:
iptables -A INPUT -p udp --dport 7777 -m limit --limit 6/s --limit-burst 12 -j DROP
Using iptables is not a permanent solution to this issue however, especially not the rules that just limit packets, as they are usually not efficient at blocking bad packets or play nice with legitimate connections. Also there are just too many attacks that have complex patterns or overwhelm every server.
The best solution is to move your whole SAMP server to a provider who not only offers generic protection, but also anti DDoS rules particularly designed to protect SAMP servers from DDoS attacks. JavaPipe is that kind of provider.
Generally it’s a good idea to start with a small VPS with DDoS protection or a protected VPS with unlimited traffic, which will be able to smoothly run your SAMP server due to its ultra-fast SSD storage and high-frequency DDR3 RAM (of course CentOS 7 is available as an operating system). If you run a larger server, you can also select a dedicated server which offers more powerful resources.
Of course all of our solutions are able to protect your SAMP server from all kinds of DDoS and DoS attacks - we developed specific DDoS filtering rules for SAMP. If you want to host your SAMP server with us, please make sure to let us know you’re running SAMP, so we can apply our app specific protection rules to your IP address.