Yeah fortunately, NFO is both on top of that type of stuff themselves, and their primary network provider (InterNAP) is known for dealing well with mitigating DoS attacks on their clients. I received some notifications this weekend from NFO about some traffic that was probably related to attacks this weekend - which did impact my players briefly a couple of times.
On Mon, Jan 18, 2016 at 7:02 PM, David Parker <dpar...@utica.edu> wrote: > That's exactly what the president of NFO said it was: a reflection > attack. He said someone was firing a huge amount of queries at game > servers using the spoofed NFO IP as the source, and the server which really > had that IP address was receiving all of the query responses, even though > it never sent the requests. Unfortunately for the customer with that IP, > it had practically crippled the server at that point. > > - Dave > > On Mon, Jan 18, 2016 at 9:49 PM, Weasels Lair <wea...@weaselslair.com> > wrote: > >> Yep. An unfortunate downside to UDP-based applications is there is no >> "session" to manage. All packets are kind of "fire and forget". Very easy >> to spoof. Not that you can't spoof TCP too, but then the conversation >> falls apart with no reliable way to respond back. >> >> I'm this case, it would be categorized as a sort of reflection attack, >> since it's intended obviously to make effected systems take the knee-jerk >> reaction of blocking or reporting NFO as a bad player - when I'm fact the >> traffic isn't really coming from them. >> >> I just switched to them as a host, and love it so far. >> On Jan 18, 2016 6:37 PM, "David Parker" <dpar...@utica.edu> wrote: >> >>> Hello, >>> >>> This is usually caused by an attack which simply floods the server with >>> queries (usually A2S_INFO). >>> >>> This happened on one of my servers a few months ago (running on Linux), >>> and the offending IP address was owned by NFO. I contacted them and had a >>> good discussion with a few of the NFO guys. It turned out that someone in >>> Russia was doing this to a lot of servers, and spoofing the NFO IP as the >>> source. They said it wasn't the first time this had happened, but they >>> were very helpful in diagnosing the issue and figuring out what was >>> happening. >>> >>> I simply used a firewall rule to block the source IP, and the messages >>> stopped immediately. >>> >>> Hope this helps. >>> >>> - Dave >>> >>> On Mon, Jan 18, 2016 at 7:34 PM, supp...@boomgaming.net < >>> supp...@boomgaming.net> wrote: >>> >>>> Hello Everyone, >>>> >>>> I've searched the web on this but can't find the specific answers I'm >>>> looking for so I'm coming to my fellow server operators for a little >>>> guidance. I'm hoping some of you have seen or experienced what I'm writing >>>> about below. >>>> >>>> I still love and use HLSW to watch the logs of my servers constantly. >>>> More and more often now I'm seeing messages similar to the ones below >>>> flooding my console (the IP addresses and ports change but the messages are >>>> the same): >>>> >>>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> 11:55:46 L 01/18/2016 - 11:55:46: Traffic from 188.127.239.74:27021 was >>>> blocked for exceeding rate limits >>>> >>>> My initial research says that these are attacks on my servers but I'm >>>> no so sure that's correct. I'm running my TF2 and CSS servers on my own >>>> Windows 2008 Dedicated server and when I see these messages, I immediately >>>> add them to a Windows Firewall rule I have to block any and all traffic >>>> from these IPs before the server even sees it. What's interesting is that I >>>> still see these messages even though they get added to the firewall's block >>>> list. Eventually they stop but a litle while later, I get messages like it >>>> from other IPs. Sometimes I can go a day or two without any, and other days >>>> I get as many as 15 IPs doing this. >>>> >>>> I want to note that I don't see any significant performance hits on the >>>> servers when this occurs but I'd like to know more about these messages as >>>> they specifically relate to a game server. Based upon the content of the >>>> message, I assume these mean something bad is being blocked. >>>> >>>> What I find even more interesting is that many of the offending IPs >>>> that are doing this are the specific IP addresses and ports from other game >>>> servers, In the case of the one above, it belongs to a CS 1.6 server in >>>> Russia. Why would another game server box be attempting to connect to my >>>> servers on the same port it's being hosted on? >>>> >>>> This problem has grown in frequency over the past few months. Prior to >>>> that, I don't remember seeing these messages at all in console. >>>> >>>> Can anyone give me some background on what these mean and what they're >>>> about? Also, any idea why they Windows Firewall doesn't block their traffic >>>> completely when I add them to the scope of the Firewall wall so they don't >>>> appear in the console logs? >>>> >>>> Thanks for reading and Happy Monday, >>>> Mike Vail >>>> >>>> _______________________________________________ >>>> To unsubscribe, edit your list preferences, or view the list archives, >>>> please visit: >>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >>>> >>>> >>> >>> >>> -- >>> Dave Parker >>> Systems Administrator >>> Utica College >>> Integrated Information Technology Services >>> (315) 792-3229 >>> Registered Linux User #408177 >>> >>> _______________________________________________ >>> To unsubscribe, edit your list preferences, or view the list archives, >>> please visit: >>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >>> >>> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> >> > > > -- > Dave Parker > Systems Administrator > Utica College > Integrated Information Technology Services > (315) 792-3229 > Registered Linux User #408177 > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds > >
_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
