From 746075dfce13c0f3da8628d1001d17ac3f4778d0 Mon Sep 17 00:00:00 2001 From: stephanie sappho lenzo Date: Thu, 30 Nov 2023 03:21:06 -0500 Subject: [PATCH] put rate limiting behind stac_prevent_connect_spam --- scripting/stac/stac_client.sp | 37 ++++++++++++++++++++++++++-------- scripting/stac/stac_cvars.sp | 15 ++++++++++++++ scripting/stac/stac_globals.sp | 3 +-- 3 files changed, 45 insertions(+), 10 deletions(-) diff --git a/scripting/stac/stac_client.sp b/scripting/stac/stac_client.sp index 43c7e66..d4383b8 100755 --- a/scripting/stac/stac_client.sp +++ b/scripting/stac/stac_client.sp @@ -44,8 +44,14 @@ public bool OnClientPreConnectEx(const char[] name, char password[255], const ch strcopy(latestIP, sizeof(latestIP), ip); strcopy(latestSteamID, sizeof(latestSteamID), steamID); - static int threshold = 5; + if (!stac_prevent_connect_spam.BoolValue) + { + return true; + } + + // TODO: does this need to be higher? or lower? or...? + static int threshold = 5; int connects; IPBuckets.GetValue(ip, connects); // 0 if not present connects++; @@ -53,11 +59,14 @@ public bool OnClientPreConnectEx(const char[] name, char password[255], const ch { rejectReason = "Rate limited."; - // BanIdentity(steamID, 60, BANFLAG_AUTHID, ""); // BanIdentity(ip, 60, BANFLAG_IP, ""); - + // THE REASON we are doing this, is so that we hook into srcds's built in + // "firewall", basically, where with the default game banning system, + // srcds will ignore packets from banned ips. + // this prevents any clients from spamming, in a way that would otherwise not really be possible, + // without stupid memory hacks that would be overcomplicated anyway since this already exists if ( CommandExists("sm_banip") && CommandExists("sm_addban") ) { ServerCommand("sm_addban 60 %s %s", steamID, "Rate limited"); 
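Review bot: The limiter in OnClientPreConnectEx counts connects per source IP against a hard-coded `static int threshold = 5`, so players who share one address (NAT, a LAN event) or a client stuck in a reconnect loop can reach the limit and receive the 60-minute ban without any abuse taking place. The new TODO asks whether the value is right but gives an operator no way to change it. Making the limit a cvar next to stac_prevent_connect_spam, or at least noting beside the TODO how often LeakIPConnectBucket drains a bucket, would let it be tuned per server. The drain interval is set outside this hunk, so the effective rate cannot be judged from here.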
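Review bot: The added comment explains why the IP is banned, but the line right after it also issues `sm_addban 60 %s %s` for the SteamID, and nothing says why an account ban is needed on top of the IP ban. If the steamID handed to this pre-connect forward has not yet been confirmed by Steam at this point (worth checking against the Connect extension's behaviour), the ban could land on an account that never sent the traffic, so banning only the IP here would be the safer default. Both values are formatted straight into a server command string, so it is also worth confirming, and noting in the comment, that neither can contain `;` or quote characters. The `if` block continues past the end of the hunk.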
@@ -73,15 +82,21 @@ public bool OnClientPreConnectEx(const char[] name, char password[255], const ch } IPBuckets.SetValue(ip, connects); - - StacLog("-> connects from ip %s %i", ip, connects); - + if (stac_debug.BoolValue) + { + StacLog("-> connects from ip %s %i", ip, connects); + } return true; } Action LeakIPConnectBucket(Handle timer) { + if (!stac_prevent_connect_spam.BoolValue) + { + return Plugin_Continue; + } + StringMapSnapshot snap = IPBuckets.Snapshot(); for (int i = 0; i < snap.Length; i++) @@ -93,11 +108,17 @@ Action LeakIPConnectBucket(Handle timer) IPBuckets.GetValue(ip, connects); // 0 if not present per zero-init above connects--; - StacLog("-> connects from ip %s %i", ip, connects); + if (stac_debug.BoolValue) + { + StacLog("(LeakIPConnectBucket) connects from ip %s %i", ip, connects); + } if (connects <= 0) { - StacLog("-> connects from ip %s %i [ REMOVING ] ", ip, connects); + if (stac_debug.BoolValue) + { + StacLog("-> connects from ip %s %i [ REMOVING ] ", ip, connects); + } IPBuckets.Remove(ip); continue; diff --git a/scripting/stac/stac_cvars.sp b/scripting/stac/stac_cvars.sp index 2bb25ac..8a21920 100755 --- a/scripting/stac/stac_cvars.sp +++ b/scripting/stac/stac_cvars.sp @@ -364,6 +364,21 @@ void initCvars() 1.0 ); + // + stac_prevent_connect_spam = + AutoExecConfig_CreateConVar + ( + "stac_prevent_connect_spam", + "1", + "[StAC] (BETA DETECTION) use a \"leaky bucket\" algorithm to prevent the same clients from spamming connect requests to your server. temp bans clients for 60 minutes if they hit the limit.\n\ + (recommended 1)", + FCVAR_NONE, + true, + 0.0, + true, + 1.0 + ); + initUsercmdCvars(); // actually exec the cfg after initing cvars lol diff --git a/scripting/stac/stac_globals.sp b/scripting/stac/stac_globals.sp index b3f5bd7..4ed01dc 100755 --- a/scripting/stac/stac_globals.sp +++ b/scripting/stac/stac_globals.sp 
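Review bot: With the new early return in LeakIPConnectBucket, buckets stop draining while stac_prevent_connect_spam is 0, and OnClientPreConnectEx stops counting too, so the counts held in IPBuckets when the cvar was switched off stay frozen. When it is switched back on, those stale counts are still there and an address that was near the limit earlier can be banned after one or two connects. Emptying the map in the disabled branch avoids this: `IPBuckets.Clear();` before `return Plugin_Continue;`. The rest of LeakIPConnectBucket lies outside the hunk.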
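Review bot: The help text for stac_prevent_connect_spam leaves out what an operator needs to predict its effect: the threshold of 5 used in stac_client.sp, and that the SteamID is banned through `sm_addban` in addition to the IP (the `CommandExists("sm_banip")` check suggests the IP ban goes through that command). The lone `//` above the assignment is empty and could carry that explanation. Since the text itself labels this a beta detection and it bans on trigger, the default of `"1"` deserves a sentence of justification, or a default of `"0"` until the threshold question in the TODO is settled.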
@@ -29,8 +29,7 @@ ConVar stac_fixpingmasking_enabled; ConVar stac_silent; ConVar stac_max_connections_from_ip; ConVar stac_work_with_sv_cheats; - - +ConVar stac_prevent_connect_spam; /***** Server based stuff *****/