Update on this -

I got a response from cet.com claiming that the owner of the
thaiguy.net/st3gaming server had given shell access to a friend who
had then abused the privilege by running a flood script. This seems
like a rather fishy explanation to me, given that I've found logs of
'thaiguy' playing in the DoS'd server, but I'll leave it at that for
now.

> dumb question, but how can you (read I) tell if a DOS attack is happening
> and how do you obtain their IP. Thanks

The server was lagging horribly (nearly unplayable), on a server that
is usually near perfect. The lag abruptly stopped minutes later, then
a few more ~5-10 minute lag episodes occurred. Finding no other issues,
and no other affected servers, I suspected an attack (like the old
query packet spam) and set up tcpdump (e.g. tcpdump -w dumpfile -i
eth1). Next time it happened I took a look at the packet dump (as in,
compress it, download it, open it in wireshark) and found that 80% of
all traffic was 300-byte packets from one IP.

- Neph

On Sun, Jan 24, 2010 at 12:10 AM, Nephyrin Zey <nephy...@doublezen.net> wrote:
> So earlier today one of my servers was lagging - badly. By time I showed up
> the lag had cleared. Then again. Then again. Each time for about 5-10
> minutes it would lag, and by time I'd shown up, it was gone. Finally, I
> caught the lag happening directly. No unusual FPS or CPU usage spikes, so I
> ran a tcpdump for about 5 seconds. It captured 230,000 packets. Holy shit!
>
> A quick analysis shows that '206.63.226.12' was flooding the server with
> almost exactly *32,000* packets per second, each containing the bytes
> 'flood', followed by 295 null bytes, for a total of 300 bytes. With IP
> overhead this is about 88 megabits/second, or suspiciously close to
> 100megs/second. I have a gigabit connection, however, srcds itself cannot
> handle 88mbs of invalid packets without going to lagsville.
>
> I'm emailing an abuse report to his host now, but everyone should have a
> heads up that this is occurring. The fact that it was going on for 5 minutes
> at a time a few times an hour suggests he has some script making the rounds
> against popular servers, or some such.
>
> As for this attack in general, using iptables or a similar tool to limit UDP
> traffic to server ports to 100/second or so with a small burst should
> prevent any traffic at a higher rate than normal game traffic from hitting
> the process, though if you have a 100mbit or less connection the classic DoS
> aspect of it might lag you out anyway.
>
> - Neph
>
> ** Begin internet detective **
> IP: 206.63.226.12
> Resolves to: bigboomer.thaiguy.net
> Host: cet.com
> IPs in this netblock (all belonging to cet.com): 206.63.224.0 -
> 206.63.231.255
>
> thaiguy.net is 206.63.81.2
> This, uncoincidentally, also belongs to cet.com in the block: 206.63.80.0 -
> 206.63.87.0
>
> And in what I'm sure is a huge coincidence:
>
> 206.63.81.1: gateway.thaiguy.net
> 206.63.81.2: thaiguy.net
> 206.63.81.3: dayofdefeat.thaiguy.net
> 206.63.81.4: teamspeak.st3games.com
> 206.63.81.5: battlefield1942.thaiguy.net
> 206.63.81.6: st3-webhost.cet.com
> 206.63.81.7: dcon.st3games.com
> 206.63.81.8: zmod.st3games.com (CSS Server: "Zombie Mayhem! #1")
> 206.63.81.8: (CSS Server: "[ST3Gaming.com] GG Advanced - Home of gK?")
> 206.63.81.15: database.thaiguy.net
> 206.63.81.18: (TF2 Server: "[ST3Gaming.com] 24/7
> DustBowl/Stats/InstaSpawn/") (( Did I mention the server of mine he was
> attacking was 24/7 dustbowl? ))
> 206.63.81.20: ns0.thaiguy.net
> 206.63.81.21: ns1.thaiguy.net
>
> Gee, tf2 servers on his netblock. Of the same type as the one he was
> attacking. What's all this st3games.com stuff? Oh, they have forums and a
> steamgroup.
>
> http://steamcommunity.com/groups/ST3
> Oh, and the forum head admin username is "Novikane". Weird that:
> http://steamcommunity.com/id/novikane
> Is an admin of this group.
> ** End internet detective **
>

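The two steps Neph describes, finding one source that dominates the capture and then rate-limiting UDP to the game port, as an added example script that is not part of the original thread. It reads the text form of a capture (what `tcpdump -nn -r dumpfile` prints) rather than the raw dump, so the tcpdump output it works on is a constructed sample embedded below; the game port 27015, the threshold of 50% and all addresses (TEST-NET ranges, with 198.51.100.77 playing the flooding host) are assumptions. The iptables rules are emitted as text rather than applied, so the script runs without root; pipe the output to `sh` on a host where you actually want them.

```shell
#!/bin/sh
# Added example, not from the original post. Port and addresses are assumed.
GAME_PORT=27015

# Constructed sample of `tcpdump -nn -r dumpfile` output: a few normal game
# packets, one unrelated TCP SYN, and a burst of 300-byte UDP from one host.
sample_dump() {
    cat <<'EOF'
12:00:00.000100 IP 192.0.2.11.27005 > 203.0.113.10.27015: UDP, length 62
12:00:00.000150 IP 192.0.2.12.41000 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000230 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000260 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000290 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000320 IP 192.0.2.13.27005 > 203.0.113.10.27015: UDP, length 58
12:00:00.000350 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000380 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000410 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
12:00:00.000440 IP 198.51.100.77.4000 > 203.0.113.10.27015: UDP, length 300
EOF
}

# detect_flood THRESHOLD_PCT  (tcpdump text on stdin)
# Counts UDP packets per source address, prints "source packets percent"
# for the busiest source, and succeeds only if that source sent at least
# THRESHOLD_PCT percent of all UDP packets in the capture.
detect_flood() {
    awk -v thr="$1" '
        $6 == "UDP," {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # drop the source port from "a.b.c.d.port"
            pkts[src]++
            total++
        }
        END {
            if (total == 0) exit 1
            top = ""
            for (s in pkts) if (top == "" || pkts[s] > pkts[top]) top = s
            pct = 100 * pkts[top] / total
            printf "%s %d %.0f\n", top, pkts[top], pct
            if (pct >= thr) exit 0
            exit 1
        }'
}

# ratelimit_rules PORT RATE BURST
# Emits iptables commands that allow each source at most RATE UDP packets
# per second (plus a BURST allowance) to PORT and drop the excess. Per-source
# hashlimit is used instead of a plain -m limit so one flooder does not eat
# the whole allowance and starve legitimate players.
ratelimit_rules() {
    port=$1; rate=$2; burst=$3
    cat <<EOF
iptables -N GAME_UDP
iptables -A GAME_UDP -m hashlimit --hashlimit-name game_udp --hashlimit-mode srcip --hashlimit-upto ${rate}/second --hashlimit-burst ${burst} -j ACCEPT
iptables -A GAME_UDP -j DROP
iptables -I INPUT -p udp --dport ${port} -j GAME_UDP
EOF
}

# Stand-alone run on the constructed sample: reports the dominant source
# and, if it exceeds the threshold, shows the rules that would be applied.
if sample_dump | detect_flood 50; then
    echo "flood suspected on UDP/${GAME_PORT}; rules to apply (dry run):"
    ratelimit_rules "$GAME_PORT" 100 20
fi
```

On the sample this reports `198.51.100.77 8 80`, the same 80% share Neph saw in wireshark. The rules only protect the srcds process from parsing junk; as the original post notes, if the flood is near your link capacity the packets still arrive on the wire and the lag is decided upstream of iptables, which is why the abuse report to the hosting provider is the part that actually ends it.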
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
