I have no idea if this is related to this thread or not, but it looks like
visitors of the Steampowered Forums have identified an individual that is
performing attacks similar to what people here are experiencing.  I figured
I'd pass along what seemed to be some relevant information:

http://forums.steampowered.com/forums/showthread.php?t=950413

                                                    -Richard Eid


On Sat, Sep 5, 2009 at 3:50 PM, <jps.sgtr...@gmail.com> wrote:

> This... actually isn't a bad idea.  It's a pain to implement, though, for a
> couple of reasons.
>
> First, the assumption by most on this thread is that it's a single guy
> operating from a single (or just a handful) of computers.  They further
> assume that he's forging the source IP addresses so the requests look like
> they're coming from many many different machines.  If this is true, there's
> no way to trace or block him based upon the information included in the
> packets he's creating.  I think this assumption is wrong, as I'll explain
> below.
>
> Second, if this assumption is incorrect you need to find a way to identify
> each and every source and block them one at a time.  Netblocks are at best a
> crude measure which risks blocking many legitimate clients.  Such a process
> needs to be automated as much as possible or it's not effective.
>
> Now, why do I think that this is probably not coming from just a handful of
> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> all.  Botnets are reaching incredible proportions.  It's easy to rent as
> many as a quarter million compromised machines if you want to and you have
> the cash.
>
> Too cheap or too poor to rent someone else's network of infected PCs?  No
> problem.  Tools exist to build new malware and they're easy to come by if
> you're willing to start looking in the right places.  All you have to do is
> build your bot code and figure out a way to get it loaded on 5,000, 10,000,
> or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
> this _all_ _the_ _time_.
>
> So, when under attack your choices are:
>
> *  Wait it out.
>
> *  Work with your vendor to figure out a way to block the attack in the first
> place.  (Valve, obviously, in this case.)
>
> *  Automate the process of identifying sources and filtering them out.
>
> *  Cry a lot.
>
> Generally, I settle for a combination of the first and second options.  If
> an attack gets bad enough, I work with my local ISP to implement the third.
> (My server is co-located in their datacenter and they're really good guys to
> work with.)  Generally, some combination of tcpwrapper, netfilter, and
> iptables will do the job on my Linux server.  Sometimes we find it easier to
> just block it at one of their routers so they don't have to deal with the
> traffic on their network.
>
> Every now and again, I find myself following the fourth option until I
> figure out what's going on and fall back on some combination of the first
> three options.  :-)
>
> HTH.
>
> =JpS=SgtRock
>
>
> > Date: Sat, 5 Sep 2009 11:33:44 -0700
> > From: Kyle Sanderson <kyle.l...@gmail.com>
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > To: Half-Life dedicated Win32 server mailing list
> >        <hlds@list.valvesoftware.com>
> > Message-ID:
> >        <a7fe91400909051133j64c0619evf87c5d76c7d72...@mail.gmail.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > If you guys have root access, why are you not using netstat to grab his IP
> > and table him? I've done this in the past and it's worked out pretty well
> > for me.
> >
> > Kyle.
> >
> > On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins <kenny.logg...@clanao.com>
> > wrote:
> >
> > > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > > that packets that leave your network originate from IPs that are not even
> > > on your network. Maybe we need to track down the ISP and go after him..
> > >
> > > -----Original Message-----
> > > From: hlds-boun...@list.valvesoftware.com
> > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> > > Sent: Saturday, September 05, 2009 12:57 PM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > >
> > > Or someone willing to take down a server.. and taking down other
> > > random ones just to avoid giving away his intentions.
> > > When did this attack start on your server? On mine it started at 4PM
> > > CEST (2PM UTC)
> > >
> > > BTW, this guy must be using spoofed addresses, since I'm being hit by
> > > approx 80000 AS2_INFO requests every 5 minutes from unique IP
> > > addresses.
> > >
> > >
> > > On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins <kenny.logg...@clanao.com>
> > > wrote:
> > > > Same here, he's hitting one of my servers also... I'm up for painting the
> > > > walls red with this guy when I find him... My guess is some new
> > > > inexperienced server admin looking to take down the popular servers so he
> > > > can get people into his server... He'll make some good red paint!
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: hlds-boun...@list.valvesoftware.com
> > > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
> > > > Sent: Saturday, September 05, 2009 11:30 AM
> > > > To: Half-Life dedicated Win32 server mailing list
> > > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > > >
> > > > My server is also under this type of attack.. So Valve hasn't fixed it.. Or
> > > > it is some new exploit. sv_max_queries_sec_global 1 doesn't help. Server's
> > > > fps is still dropping and it's lagging like hell :(
> > > >
> > > > On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison
> > > > <saul.renni...@gmail.com>wrote:
> > > >
> > > >> sv_max_queries_sec_global 1?
> > > >>
> > > >> Will make your server appear unresponsive to the Server Browser while
> > > >> being DDoS'd but saves the lag.
> > > >>
> > > >> Thanks,
> > > >> - Saul.
> > > >>
> > >
> >
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds
>
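
An added example, not part of the original thread: one way to automate the "identify sources and filter them" option from the quoted message, and to detect the case reported earlier in the thread where queries arrive from tens of thousands of unique addresses and per-source blocking cannot work. The function name, thresholds, sample addresses and UDP port 27015 are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def plan_filters(packets, window=300, per_source_limit=100, coverage=0.8, port=27015):
    """Decide whether per-source blocking can work for the last `window` seconds.

    packets: iterable of (unix_time, source_ip) for queries seen on the game port
    (port 27015 is an assumed default). Returns (mode, rules):
      "per-source"  - a few heavy senders make up >= `coverage` of the traffic;
                      rules holds one iptables DROP command per heavy sender.
      "distributed" - traffic is spread over many sources (botnet or forged
                      addresses); no rules, since blocking one IP at a time is futile.
    """
    packets = list(packets)
    if not packets:
        return ("none", [])
    latest = max(t for t, _ in packets)
    recent = Counter(ip for t, ip in packets if t > latest - window)
    heavy = {ip: n for ip, n in recent.items() if n > per_source_limit}
    if sum(heavy.values()) / sum(recent.values()) < coverage:
        return ("distributed", [])
    rules = []
    for ip in sorted(heavy):
        addr = ipaddress.ip_address(ip)  # raises ValueError on anything but an address
        rules.append(f"iptables -I INPUT -p udp --dport {port} -s {addr} -j DROP")
    return ("per-source", rules)

def sample_few_sources():
    # Constructed data: three flooders (500 queries each) among 20 ordinary clients.
    flooders = ("198.51.100.7", "198.51.100.8", "203.0.113.9")
    pkts = [(i % 300, ip) for ip in flooders for i in range(500)]
    pkts += [(i * 60, f"192.0.2.{n}") for n in range(1, 21) for i in range(5)]
    return pkts

def sample_many_sources():
    # Constructed data: 2000 distinct addresses sending one query each.
    return [(i % 300, f"198.18.{i // 256}.{i % 256}") for i in range(2000)]

if __name__ == "__main__":
    for name, sample in (("few", sample_few_sources()), ("many", sample_many_sources())):
        mode, rules = plan_filters(sample)
        print(name, mode, len(rules))
        for rule in rules:
            print("  " + rule)
```

The commands are only returned as strings so they can be reviewed before anything is applied to the firewall.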