On Fri, Mar 30, 2012 at 11:16 AM, lwf <l...@rocketblast.com> wrote:
> ffffffff71303030303030303030303030303000

Good old OOB packet spam.

> I'm not entirely sure if it's relevant to the attack, but
> "sv_max_connects_sec" ("Maximum connections per second to respond to
> from a single IP address.") was set to the default "2.0" and it did not
> help other than possibly reducing backscatter, which by itself wasn't
> terribly useful. We're going to try enforcing this in iptables
> instead.

sv_max_connects_sec is for a completely different exploit.

You could drastically lower sv_max_queries_sec_global to help against
the high CPU usage of SRCDS when it's under attack from this, but it
would render your server invisible to players while under attack (and
may not help at that traffic level).
Unfortunately the per-IP one would be useless due to the spoofed addresses.
As you said, you could use IPTables to only limit 'q' OOB packets, but
there is no reason the attacker wouldn't just switch to another packet
type.

Asher.

On Fri, Mar 30, 2012 at 11:16 AM, lwf <l...@rocketblast.com> wrote:
> Hi.
>
> We had a similar experience on one of our most popular servers on
> Wednesday night (UTC+1). The same cheater was on that server at the
> time and it continued after the cheater was banned. It appears
> to be the same attacker.
> http://tf2.rocketblast.com/bans/index.php?p=banlist&searchText=STEAM_0%3A1%3A40467009
>
> It's highly unusual for us to get attacked, it was years ago we had
> incidents so we had no sort of DoS protections already in place,
> however we were dumping traffic at the time.
> The attack consisted of a UDP flood (70000 p/s, 35 Mbit/s, also
> causing backscatter) using spoofed source addresses and source port
> 27015, causing the srcds server it was targeted at to use 100% CPU,
> lag and eventually drop all players. The cheater rejoined when this
> happened. The data (20 bytes) was the same for every packet, in hex:
>
> ffffffff71303030303030303030303030303000
>
> I'm not entirely sure if it's relevant to the attack, but
> "sv_max_connects_sec" ("Maximum connections per second to respond to
> from a single IP address.") was set to the default "2.0" and it did not
> help other than possibly reducing backscatter, which by itself wasn't
> terribly useful. We're going to try enforcing this in iptables
> instead.
>
> On Thu, Mar 29, 2012 at 22:07, AeroliteGaming.com
> <ad...@aerolitegaming.co.uk> wrote:
>> Some asshole:
>> http://steamcommunity.com/profiles/76561198041199747
>>
>> Is managing to take my server down somehow, he's done it twice now therefore
>> killing the server and losing players. He did it last night and now tonight,
>> he's banned but is still managing to flood it or something, changing the port
>> of the server seems to work but I don't want to do that seeing as people
>> have it favourited and as soon as he finds out the new IP he'll go for that.
>> Anyone else had this and know a fix? He's also been crit hacking too.
>>
>> Thanks.
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>

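An added example, not part of the thread or of SRCDS: it decodes the 20-byte payload quoted above and counts one window of traffic two ways, showing why a per-source limit never triggers on a spoofed flood while a global per-packet-type count does. The sample addresses, the limits and the function names are assumptions made for the illustration.

```python
from collections import Counter

OOB_HEADER = b"\xff\xff\xff\xff"  # connectionless (out-of-band) marker
# The 20-byte payload quoted in the thread.
FLOOD_PAYLOAD = bytes.fromhex("ffffffff71303030303030303030303030303000")


def oob_type(payload: bytes):
    """Return the one-character OOB packet type, or None if not an OOB packet."""
    if len(payload) < 5 or payload[:4] != OOB_HEADER:
        return None
    return chr(payload[4])


def flagged(packets, limit, key):
    """Count OOB packets per grouping key in one window; return keys over limit.

    packets: iterable of (src_ip, payload) observed in the window.
    key:     function (src_ip, oob_type) -> grouping key.
    """
    counts = Counter()
    for src, payload in packets:
        t = oob_type(payload)
        if t is not None:
            counts[key(src, t)] += 1
    return {k: n for k, n in counts.items() if n > limit}


def sample_window():
    """Constructed one-second window: 1000 flood packets, each from a different
    spoofed source, plus 2 ordinary info queries from one client."""
    spoofed = [(f"10.{(i >> 8) & 255}.{i & 255}.1", FLOOD_PAYLOAD)
               for i in range(1000)]
    legit = [("192.0.2.10", OOB_HEADER + b"TSource Engine Query\x00")] * 2
    return spoofed + legit


if __name__ == "__main__":
    window = sample_window()
    # Per-source counting: every spoofed address appears once, nothing trips.
    print("per-IP over limit:  ", flagged(window, 2, lambda src, t: src))
    # Global per-type counting: the 'q' flood stands out, 'T' queries do not.
    print("per-type over limit:", flagged(window, 100, lambda src, t: t))
```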