This... actually isn't a bad idea.  It's a pain to implement, though, for a
couple of reasons.

First, the assumption by most on this thread is that it's a single guy
operating from a single (or just a handful) of computers.  They further
assume that he's forging the source IP addresses so the requests look like
they're coming from many many different machines.  If this is true, there's
no way to trace or block him based upon the information included in the
packets he's creating.  I think this assumption is wrong, as I'll explain
below.

Second, if this assumption is incorrect you need to find a way to identify
each and every source and block them one at a time.  Netblocks are at best a
crude measure which risks blocking many legitimate clients.  Such a process
needs to be automated as much as possible or it's not effective.

Now, why do I think that this is probably not coming from just a handful of
sources?  Simple.  DDoS stands for Distributed Denial of Service, after
all.  Botnets are reaching incredible proportions.  It's easy to rent as
many as a quarter million compromised machines if you want to and you have
the cash.

Too cheap or too poor to rent someone else's network of infected PCs?  No
problem.  Tools exist to build new malware and they're easy to come by if
you're willing to start looking in the right places.  All you have to do is
build your bot code and figure out a way to get it loaded on 5,000, 10,000,
or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
this _all_ _the_ _time_.

So, when under attack your choices are:

*  Wait it out.

*  Work with your vendor to figure out a way to block the attack in the first
place.  (Valve, obviously, in this case.)

*  Automate the process of identifying sources and filtering them out.

*  Cry a lot.

Generally, I settle for a combination of the first and second options.  If
an attack gets bad enough, I work with my local ISP to implement the third.
(My server is co-located in their datacenter and they're really good guys to
work with.)  Generally, some combination of tcpwrapper, netfilter, and
iptables will do the job on my Linux server.  Sometimes we find it easier to
just block it at one of their routers so they don't have to deal with the
traffic on their network.

Every now and again, I find myself following the fourth option until I
figure out what's going on and fall back on some combination of the first
three options.  :-)

HTH.

=JpS=SgtRock


> Date: Sat, 5 Sep 2009 11:33:44 -0700
> From: Kyle Sanderson <kyle.l...@gmail.com>
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> To: Half-Life dedicated Win32 server mailing list
>        <hlds@list.valvesoftware.com>
> Message-ID:
>        <a7fe91400909051133j64c0619evf87c5d76c7d72...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> If you guys have root access, why are you not using netstat to grab his IP
> and table him? I've done this in the past and it's worked out pretty well
> for me.
>
> Kyle.
>
> On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins <kenny.logg...@clanao.com
> >wrote:
>
> > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > that packets that leave your network originate from IPs that are not even
> > on your network. Maybe we need to track down the ISP and go after him..
> >
> > -----Original Message-----
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio
> Beretta
> > Sent: Saturday, September 05, 2009 12:57 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > Or someone willing to take down a server.. and taking down other
> > random ones just to avoid giving away his intentions.
> > When did this attack start on your server? On mine it started at 4PM
> > CEST (2PM UTC)
> >
> > BTW, this guy must be using spoofed addresses, since I'm being hit by
> > approx 80000 AS2_INFO requests every 5 minutes from unique IP
> > addresses.
> >
> >
> > On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins<kenny.logg...@clanao.com>
> > wrote:
> > > Same here, he's hitting one of my servers also... I'm up for painting the
> > > walls red with this guy when I find him... My guess is some new
> > > inexperienced server admin looking to take down the popular servers so
> > > he can get people into his server... He'll make some good red paint!
> > >
> > >
> > > -----Original Message-----
> > > From: hlds-boun...@list.valvesoftware.com
> > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
> > > Sent: Saturday, September 05, 2009 11:30 AM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > >
> > > My server is also under this type of attack.. So Valve hasn't fixed it..
> > > Or it is some new exploit. sv_max_queries_sec_global 1 doesn't help.
> > > Server's fps is still dropping and it's lagging like hell :(
> > >
> > > On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison
> > > <saul.renni...@gmail.com>wrote:
> > >
> > >> sv_max_queries_sec_global 1?
> > >>
> > >> Will make your server appear unresponsive to the Server Browser while
> > > being
> > >> DDoS'd but saves the lag.
> > >>
> > >> Thanks,
> > >> - Saul.
> > >>
> >
>
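As an added example (not code from this thread, from Valve, or from any of the posters), the Python below works through the two mitigation paths the thread keeps coming back to: Kyle's "grab his IP and table him", and SgtRock's point that identifying sources one at a time only helps when the flood is not spoofed or spread over a botnet. It takes constructed (timestamp, source IP) records of A2S_INFO queries seen at the game port over one minute, computes per-source query rates, and either emits per-source iptables DROP rules or declares the flood "spoofed-looking" (almost every query from a distinct address), in which case the only workable answer is a global query rate limit of the sv_max_queries_sec_global kind. The game port 27015, the rate thresholds, the iptables rule shape and all sample addresses are assumptions made for the illustration.

```python
"""Added example: decide between per-source blocking and a global rate limit
for an A2S_INFO query flood, using constructed query records (not real data)."""
from collections import Counter

# Assumed defaults for the illustration: the usual Source engine game port and
# a sustained per-source query rate that no legitimate server-browser client
# comes close to.  Tune these for a real server.
GAME_PORT = 27015
PER_SOURCE_QPS_THRESHOLD = 5.0
SPOOF_UNIQUE_RATIO = 0.9      # unique sources / total queries above this ...
SPOOF_MIN_QUERIES = 1000      # ... and at least this many queries => spoofed


def make_concentrated_flood():
    """Constructed sample: three hosts each sending 300 A2S_INFO queries in
    60 seconds, plus 20 legitimate clients sending one query each."""
    queries = []
    for ip in ("203.0.113.7", "203.0.113.9", "198.51.100.42"):
        queries += [(i * 0.2, ip) for i in range(300)]
    queries += [(float(i * 3), f"192.0.2.{i + 1}") for i in range(20)]
    return queries


def make_spoofed_flood():
    """Constructed sample: 4000 queries in 60 seconds, every one from a
    different (forged-looking) source, plus the same 20 legitimate clients."""
    queries = [(i * 0.015, f"10.0.{(i >> 8) & 255}.{i & 255}")
               for i in range(4000)]
    queries += [(float(i * 3), f"192.0.2.{i + 1}") for i in range(20)]
    return queries


def per_source_qps(queries, window_seconds):
    """Queries per second for each source IP over the observation window."""
    counts = Counter(ip for _, ip in queries)
    return {ip: c / window_seconds for ip, c in counts.items()}


def block_candidates(queries, window_seconds, threshold=PER_SOURCE_QPS_THRESHOLD):
    """Sources whose sustained rate meets the threshold, highest rate first
    (ties broken by address so the result is deterministic)."""
    rates = per_source_qps(queries, window_seconds)
    hot = [(ip, r) for ip, r in rates.items() if r >= threshold]
    return [ip for ip, _ in sorted(hot, key=lambda x: (-x[1], x[0]))]


def looks_spoofed(queries):
    """True when nearly every query comes from a distinct source: either the
    addresses are forged or a large botnet is involved, and in both cases
    blocking one address at a time cannot keep up."""
    total = len(queries)
    if total < SPOOF_MIN_QUERIES:
        return False
    unique = len({ip for _, ip in queries})
    return unique / total >= SPOOF_UNIQUE_RATIO


def iptables_drop_rules(ips, port=GAME_PORT):
    """One netfilter rule per offending source, dropping UDP to the game port."""
    return [f"iptables -I INPUT -p udp --dport {port} -s {ip} -j DROP"
            for ip in ips]


def mitigation_plan(queries, window_seconds=60.0):
    """Pick the approach that can actually work for this traffic mix."""
    if looks_spoofed(queries):
        # Per-IP rules are futile here; cap A2S_INFO replies globally instead
        # (the sv_max_queries_sec_global approach discussed in the thread).
        return {"mode": "global_rate_limit", "block": [], "rules": []}
    ips = block_candidates(queries, window_seconds)
    return {"mode": "per_source", "block": ips, "rules": iptables_drop_rules(ips)}


if __name__ == "__main__":
    for label, sample in (("concentrated", make_concentrated_flood()),
                          ("spoofed", make_spoofed_flood())):
        plan = mitigation_plan(sample)
        print(f"{label}: mode={plan['mode']} blocked={len(plan['block'])}")
        for rule in plan["rules"]:
            print("   ", rule)
```

In the concentrated case the script names the three hot sources and produces the DROP rules an ISP or a co-located box could apply; in the spoofed case it refuses to generate thousands of useless rules and reports that a global limit is the only lever left, which matches what the thread observed when 80000 requests arrived from unique addresses.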