From 88a2215c13b5af95584eb452cc3d6ed85ec14c44 Mon Sep 17 00:00:00 2001 From: BobTheBob <32057864+BobTheBob9@users.noreply.github.com> Date: Fri, 24 Dec 2021 23:30:42 +0000 Subject: add connectionless ratelimit --- NorthstarDedicatedTest/serverauthentication.cpp | 49 ++++++++++++++++++++++++ NorthstarDedicatedTest/serverauthentication.h | 50 ++++++++++++++++++++++++- 2 files changed, 98 insertions(+), 1 deletion(-) (limited to 'NorthstarDedicatedTest') diff --git a/NorthstarDedicatedTest/serverauthentication.cpp b/NorthstarDedicatedTest/serverauthentication.cpp index 0e82b5e0..ac4c4709 100644 --- a/NorthstarDedicatedTest/serverauthentication.cpp +++ b/NorthstarDedicatedTest/serverauthentication.cpp @@ -34,6 +34,9 @@ CNetChan___ProcessMessagesType CNetChan___ProcessMessages; typedef char(*CBaseClient__SendServerInfoType)(void* self); CBaseClient__SendServerInfoType CBaseClient__SendServerInfo; +typedef bool(*ProcessConnectionlessPacketType)(void* a1, netpacket_t* packet); +ProcessConnectionlessPacketType ProcessConnectionlessPacket; + // global vars ServerAuthenticationManager* g_ServerAuthenticationManager; @@ -44,6 +47,7 @@ ConVar* CVar_ns_auth_allow_insecure_write; ConVar* CVar_sv_quota_stringcmdspersecond; ConVar* Cvar_net_chan_limit_mode; ConVar* Cvar_net_chan_limit_msec_per_sec; +ConVar* Cvar_sv_querylimit_per_sec; void ServerAuthenticationManager::StartPlayerAuthServer() { @@ -375,6 +379,49 @@ void CBaseClient__SendServerInfoHook(void* self) CBaseClient__Disconnect(self, 1, "Overflowed CNetworkStringTableContainer::WriteBaselines, try restarting your client and reconnecting"); } +bool ProcessConnectionlessPacketHook(void* a1, netpacket_t* packet) +{ + if (packet->adr.type == NA_IP) + { + // bad lookup: optimise later tm + UnconnectedPlayerSendData* sendData = nullptr; + for (UnconnectedPlayerSendData& foundSendData : g_ServerAuthenticationManager->m_unconnectedPlayerSendData) + { + if (!memcmp(packet->adr.ip, foundSendData.ip, 16)) + { + sendData = &foundSendData; + break; + } + } + + if (!sendData) + { + sendData = &g_ServerAuthenticationManager->m_unconnectedPlayerSendData.emplace_back(); + memcpy(sendData->ip, packet->adr.ip, 16); + } + + if (Plat_FloatTime() < sendData->timeoutEnd) + return false; + + if (Plat_FloatTime() - sendData->lastQuotaStart >= 1.0) + { + sendData->lastQuotaStart = Plat_FloatTime(); + sendData->packetCount = 0; + } + + sendData->packetCount++; + + if (sendData->packetCount >= Cvar_sv_querylimit_per_sec->m_nValue) + { + // timeout for a minute + sendData->timeoutEnd = Plat_FloatTime() + 60.0; + return false; + } + } + + return ProcessConnectionlessPacket(a1, packet); +} + void InitialiseServerAuthentication(HMODULE baseAddress) { g_ServerAuthenticationManager = new ServerAuthenticationManager; @@ -388,6 +435,7 @@ void InitialiseServerAuthentication(HMODULE baseAddress) Cvar_net_chan_limit_mode = RegisterConVar("net_chan_limit_mode", "0", FCVAR_GAMEDLL, "The mode for netchan processing limits: 0 = none, 1 = kick, 2 = log"); Cvar_net_chan_limit_msec_per_sec = RegisterConVar("net_chan_limit_msec_per_sec", "0", FCVAR_GAMEDLL, "Netchannel processing is limited to so many milliseconds, abort connection if exceeding budget"); Cvar_ns_player_auth_port = RegisterConVar("ns_player_auth_port", "8081", FCVAR_GAMEDLL, ""); + Cvar_sv_querylimit_per_sec = RegisterConVar("sv_querylimit_per_sec", "15", FCVAR_GAMEDLL, ""); HookEnabler hook; ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x114430, &CBaseServer__ConnectClientHook, reinterpret_cast(&CBaseServer__ConnectClient)); @@ -397,6 +445,7 @@ void InitialiseServerAuthentication(HMODULE baseAddress) ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x1022E0, &CGameClient__ExecuteStringCommandHook, reinterpret_cast(&CGameClient__ExecuteStringCommand)); ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x2140A0, &CNetChan___ProcessMessagesHook, reinterpret_cast(&CNetChan___ProcessMessages)); ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x104FB0, &CBaseClient__SendServerInfoHook, reinterpret_cast(&CBaseClient__SendServerInfo)); + ENABLER_CREATEHOOK(hook, (char*)baseAddress + 0x117800, &ProcessConnectionlessPacketHook, reinterpret_cast(&ProcessConnectionlessPacket)); // patch to disable kicking based on incorrect serverfilter in connectclient, since we repurpose it for use as an auth token { diff --git a/NorthstarDedicatedTest/serverauthentication.h b/NorthstarDedicatedTest/serverauthentication.h index 02429f48..a8863b2f 100644 --- a/NorthstarDedicatedTest/serverauthentication.h +++ b/NorthstarDedicatedTest/serverauthentication.h @@ -19,13 +19,60 @@ struct AdditionalPlayerData size_t pdataSize; bool needPersistenceWriteOnLeave = true; - double lastClientCommandQuotaStart = 0; + double lastClientCommandQuotaStart = -1.0; int numClientCommandsInQuota = 0; double lastNetChanProcessingLimitStart = -1.0; double netChanProcessingLimitTime = 0; }; +#pragma once +typedef enum +{ + NA_NULL = 0, + NA_LOOPBACK, + NA_IP, +} netadrtype_t; + +#pragma pack(push, 1) +typedef struct netadr_s +{ + netadrtype_t type; + unsigned char ip[16]; // IPv6 + // IPv4's 127.0.0.1 is [::ffff:127.0.0.1], that is: + // 00 00 00 00 00 00 00 00 00 00 FF FF 7F 00 00 01 + unsigned short port; +} netadr_t; +#pragma pack(pop) + +#pragma pack(push, 1) +typedef struct netpacket_s +{ + netadr_t adr; // sender address + //int source; // received source + char unk[10]; + double received_time; + unsigned char* data; // pointer to raw packet data + void* message; // easy bitbuf data access // 'inpacket.message' etc etc (pointer) + char unk2[16]; + int size; + + //bf_read message; // easy bitbuf data access // 'inpacket.message' etc etc (pointer) + //int size; // size in bytes + //int wiresize; // size in bytes before decompression + //bool stream; // was send as stream + //struct netpacket_s* pNext; // for internal use, should be NULL in public +} netpacket_t; +#pragma pack(pop) + +struct UnconnectedPlayerSendData +{ + char ip[16]; + double lastQuotaStart = 0.0; + int packetCount = 0; + double timeoutEnd = -1.0; +}; + class ServerAuthenticationManager { private: @@ -35,6 +82,7 @@ public: std::mutex m_authDataMutex; std::unordered_map m_authData; std::unordered_map m_additionalPlayerData; + std::vector m_unconnectedPlayerSendData; bool m_runningPlayerAuthThread = false; bool m_bNeedLocalAuthForNewgame = false; -- cgit v1.2.3