80 lines
2.9 KiB
Plaintext
80 lines
2.9 KiB
Plaintext
=================================
|
|
XC_ConnectionHandler actor readme
|
|
=================================
|
|
|
|
This actor is automatically spawned on net servers running XC_GameEngine.
|
|
It was made to operate independantly of XC_GameEngine so you can spawn it
|
|
on a non XC_GameEngine server by simply adding it to the ServerActors list
|
|
as follows:
|
|
|
|
[Engine.GameEngine]
|
|
...
|
|
ServerActors=XC_Engine.XC_ConnectionHandler
|
|
|
|
|
|
=== Features:
|
|
Can timeout connections without channel data at much lower values.
|
|
Timeout value can switch to a lower 'critical' timeout when connection count
|
|
exceeds a user defined value as a way to aggresively enforce less resource
|
|
usage on the server.
|
|
|
|
Can query the TCPNetDriver object an extra amount of times per frame, this
|
|
is done to mitigate a design flaw in the driver where a bad set of packets
|
|
can delay the client's incoming data by a 'n' amount of frames causing
|
|
said data to be discarded by the server due to artificially increased
|
|
delay.
|
|
By querying the TCPNetDriver an extra (user defined) times per frame, we
|
|
ensure than the malicious packets causing artificial delay are gone from
|
|
the socket at a much faster rate.
|
|
|
|
The connection handler is best run using XC_IpDrv.XC_TcpNetDriver as main
|
|
net driver, but said net driver hasn't been throughly tested and only works
|
|
on Win32 platforms so use at own risk.
|
|
|
|
=== Settings (On XC_Engine.ini):
|
|
The default settings are as follow:
|
|
|
|
[XC_Engine.XC_ConnectionHandler]
|
|
DatalessTimeout=5.0
|
|
CriticalTimeout=2.0
|
|
CriticalConnCount=10
|
|
ExtraTCPQueries=2
|
|
|
|
DatalessTimeout: Timeout for dataless connections in normal conditions
|
|
CriticalTimeout: Timeout for dataless connections in critical conditions
|
|
CriticalConnCount: Amount of dataless connections needed to trigger critical mode
|
|
ExtraTCPQueries: Extra TCPNetDriver queries per frame
|
|
|
|
There are some restrictions:
|
|
- DatalessTimeout may not be lower than 2.0
|
|
- CriticalConnCount may not be lower than 2
|
|
Lowering said values to anything below will reset those to their defaults.
|
|
|
|
|
|
=== Notes on attacks:
|
|
This is best run in conjunction with ServerCrashFix.
|
|
As SCF handles exploits, this handles data overflow and a TCPNetDriver flaw.
|
|
|
|
The values are completely arbitrary and depend on the volume of an attack.
|
|
At extreme DDoS conditions these values had to be used:
|
|
DatalessTimeout=3.0
|
|
CriticalTimeout=0.0
|
|
CriticalConnCount=6
|
|
ExtraTCPQueries=50
|
|
With some remote ports firewalled.
|
|
|
|
Firewalling remote ports is important to prevent bandwidth amplification
|
|
attacks from reaching UT.
|
|
You can easily spot those amplification attacks as you notice thousands
|
|
of different IP addresses, but very common remote ports where said data
|
|
originates from.
|
|
|
|
|
|
Example:
|
|
SSDP reflected DoS attack.
|
|
|
|
Consists of vulnerable routers returning 30x the attacker's bandwidth to
|
|
the game server via spoofing, these connection attempts can be easily spotted:
|
|
random.ip.address:1900 -> multiple times
|
|
|
|
All you have to do is firewall all incoming connections with remote port 1900. |