Only RCON uses TCP. It looks like it chews too much CPU throwing away the garbage data; we are fixing that up.
- Alfred

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:hlds-[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
> Sent: Monday, April 28, 2008 10:26 PM
> To: Half-Life dedicated Win32 server mailing list; Half-Life dedicated Linux server mailing list
> Subject: [hlds] Nuke Exploit Info and Prevention
>
> The nuke exploit works as follows:
>
> Connect to a server via TCP (rcon, does anything else use TCP? I have no idea.) on its port.
> Send a million garbage packets
> ???
> Profit
>
> The server goes insane handling them.
> Solution:
> Limit incoming TCP packets to ~1/second from any given IP on that port,
> *OR*
> Block TCP access to the server's port except from trusted people.
>
> Linux IPtables rules:
> iptables -A INPUT -p tcp --dport 27015 -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
> iptables -A INPUT -p tcp --dport 27015 -j DROP
>
> /etc/init.d/iptables save
> /etc/init.d/iptables start
>
> (Note: you probably shouldn't enable iptables blindly if you don't know what you're doing)
>
> Windows:
> Block TCP to 27015 except for trusted people. Or something. Someone who admins window servers will need to guide you!
>
> - Neph
> (sv_benchmark_force_start fix coming in a few minutes)
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds
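To make the effect of the quoted hashlimit rule concrete, here is an added simulation (not part of the thread, and not Valve's or Neph's code) of the ACCEPT/DROP decisions it produces: one token bucket per (srcip, dstip, dstport) tuple with rate 1/sec and burst 1, a catch-all DROP behind it, and, as the message recommends, an allow-list of trusted admin addresses checked first. The server and client addresses are constructed TEST-NET values; the bucket model approximates netfilter's hashlimit rather than reproducing its internals.

```python
# Constructed model of:
#   iptables -A INPUT -p tcp --dport 27015 -m hashlimit \
#       --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 27015 -j DROP
# plus an assumed "trusted admins ACCEPT" rule placed ahead of both.

RATE_PER_SEC = 1.0                 # --hashlimit 1/sec
BURST = 1                          # --hashlimit-burst 1 (bucket capacity)
TRUSTED = {"203.0.113.10"}         # assumed admin source address (constructed)


class HashLimit:
    """Per-key token bucket: each (srcip, dstip, dstport) tuple refills independently."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}          # key -> (tokens, last_seen_time)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # continuous refill
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def filter_packets(packets, trusted=TRUSTED):
    """packets: iterable of (time_s, src_ip, dst_ip, dst_port). Returns a verdict per packet."""
    limiter = HashLimit()
    verdicts = []
    for t, src, dst, dport in packets:
        if src in trusted:                       # allow-list rule, evaluated first
            verdicts.append("ACCEPT")
        elif limiter.allow((src, dst, dport), t):  # hashlimit ACCEPT
            verdicts.append("ACCEPT")
        else:                                    # catch-all DROP
            verdicts.append("DROP")
    return verdicts


def simulate_flood():
    """1000 packets in one second from one source, one more at 1.5s, then an admin packet."""
    server = "198.51.100.5"
    packets = [(i * 0.001, "192.0.2.77", server, 27015) for i in range(1000)]
    packets.append((1.5, "192.0.2.77", server, 27015))
    packets.append((1.6, "203.0.113.10", server, 27015))
    v = filter_packets(packets)
    return {"accepted_from_flooder": v[:1001].count("ACCEPT"), "trusted": v[-1]}
```

Running `simulate_flood()` shows the rule letting through only the first packet of the burst plus one more once a full second of credit has accrued, while the trusted address is never throttled; the same throttle would also hit a legitimate rcon client that is not on the allow-list, which is why the allow-list rule belongs in front.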