Our other server yesterday got hit by the so-called "DNS response DDoS". So I'm 
guessing right now the attack wasn't aimed at exploiting SRCDS itself, but 
simply to put down our services.

Not much you can do but wait for the attacks to die out.

(If every ISP would just implement ip source guard you could at least actually 
block IP addresses knowing they come from a real source.... meh)
________________________________________
From: hlds_linux-boun...@list.valvesoftware.com 
[hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen 
[michs...@live.no]
Sent: 28 November 2012 09:57
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Syn cookies didn't help for me sadly. Had to tune sysctl a tad more. Bumping up 
the maximum values for nf_conntrack module and all sorts of things. Now I'm 
using a couple of iptables rules to block all SYN-packets going over 5 per 
second. I've blocked ~800k packets the last days since enabling it. It's quite 
stable for now, but you never know when you're in for a larger attack 
unfortunately.

> Date: Wed, 28 Nov 2012 00:55:20 -0800
> From: my_azz...@yahoo.com
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> Yea lol tell me about it! I have been constantly attacked on and off for the 
> past 4 months due to my servers being in the top 20 on gametracker for CS1.6 
> I must have seen all kinds of ddos attacks out there.
>
> For those on linux and getting syn floods, a nice preventative thing you can 
> do is enable syn cookies. read more: 
> http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
>
>
>
>
> ________________________________
>  From: Michael Johansen <michs...@live.no>
> To: hlds_linux@list.valvesoftware.com
> Sent: Wednesday, November 28, 2012 3:45:26 AM
> Subject: Re: [hlds_linux] Incoming DoS attack
>
>
> The funny thing is, you can actually do so on the IP. Some skid has made a 
> "Booter", as it's called in their community, which you can use to take down 
> shit. Send an abuse report to Santrex and block this IP in your software 
> firewall if you are on gigabit, it's only capable of pushing out ~300 mbit/s. 
> IP: 46.166.130.152. Could also block every packet whose data contains "flood" 
> or is 1024 bytes.
> > Date: Wed, 28 Nov 2012 00:40:14 -0800
> > From: my_azz...@yahoo.com
> > To: hlds_linux@list.valvesoftware.com
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > These days any 12 year old with their mommy's credit card can buy botnets 
> > and booters to do attacks.
> >
> >
> >
> >
> > ________________________________
> >  From: Marco Padovan <e...@evcz.tk>
> > To: hlds_linux@list.valvesoftware.com
> > Sent: Tuesday, November 27, 2012 8:34:28 AM
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > when you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes
> > too to spoof from and take you down...
> >
> > but, IIRC, that well known .EU isp that allows spoofing lets people do
> > that only on the 100mbit network, not on the gbit network.
> >
> > Therefore here comes the amplification (mostly DNS (udp 53) and chargen
> > (UDP 19) ).... reporting those amplifiers (open resolvers) is very
> > important;)
> >
> > On 27/11/2012 14.29, Saint K. wrote:
> > > That's kind of pointless in case of UDP attacks, chances are very high 
> > > that the IP's simply are spoofed.
> > >
> > > Saint K.
> > > ________________________________________
> > > From: hlds_linux-boun...@list.valvesoftware.com 
> > > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan 
> > > [e...@evcz.tk]
> > > Sent: 27 November 2012 14:27
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > ihih, nice :)
> > >
> > > the most important thing while being ddosed is to report to the relevant
> > > abuse desks so they can clean up their networks ;)
> > >
> > > On 27/11/2012 14.26, Michael Johansen wrote:
> > >> I am indeed. Thank you for all your help :)
> > >>> Date: Tue, 27 Nov 2012 14:25:24 +0100
> > >>> From: e...@evcz.tk
> > >>> To: hlds_linux@list.valvesoftware.com
> > >>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>
> > >>> Hi,
> > >>>
> > >>> are you the Mike on WHT?
> > >>>
> > >>> I was the one replying in there :D
> > >>>
> > >>> On 27/11/2012 13.54, Michael Johansen wrote:
> > >>>> My face when, I just analyzed my own tcpdump and I had over ~150 
> > >>>> Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.
> > >>>>> From: sai...@specialattack.net
> > >>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
> > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>
> > >>>>> We have no control over the upstream network. All I can do is filter 
> > >>>>> the packets at the machine, but that wouldn't prevent the link from 
> > >>>>> still being overloaded.
> > >>>>>
> > >>>>> Currently a null-route is in place to stop the attack at the network 
> > >>>>> border.
> > >>>>>
> > >>>>> Saint K.
> > >>>>> ________________________________________
> > >>>>> From: hlds_linux-boun...@list.valvesoftware.com 
> > >>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael 
> > >>>>> Johansen [michs...@live.no]
> > >>>>> Sent: 27 November 2012 11:26
> > >>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>
> > >>>>> Just took a look at the tcpdump, doesn't look like the attacks I'm 
> > >>>>> having. I may be stupid now, but wouldn't it work just by blocking 
> > >>>>> packets with the size of 50?
> > >>>>>
> > >>>>>> From: sai...@specialattack.net
> > >>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
> > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>>
> > >>>>>> The IP's in the dump originate from China, but as it's UDP it could 
> > >>>>>> very well be spoofed.
> > >>>>>>
> > >>>>>> Looking at the payload in the packets, each new packet only has 1 
> > >>>>>> character change from the previous packet.
> > >>>>>>
> > >>>>>> Bruteforce, or perhaps signature scanning evasion?
> > >>>>>>
> > >>>>>> Saint K.
> > >>>>>> ________________________________________
> > >>>>>> From: hlds_linux-boun...@list.valvesoftware.com 
> > >>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael 
> > >>>>>> Johansen [michs...@live.no]
> > >>>>>> Sent: 27 November 2012 11:15
> > >>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>>
> > >>>>>> I haven't looked at the tcpdump, but I have been getting attacks 
> > >>>>>> too, they're SYN floods, 300 - 400 mbps in size and always coming 
> > >>>>>> from local/reserved (0.x) IPs. All started some time after we set 
> > >>>>>> up our mvm servers.
> > >>>>>>> From: sai...@specialattack.net
> > >>>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
> > >>>>>>> Subject: [hlds_linux] Incoming DoS attack
> > >>>>>>>
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> We've been having DoS attacks aimed at one of our MvM servers.
> > >>>>>>>
> > >>>>>>> Anyone have any idea what they're attempting to do here? Is it just 
> > >>>>>>> to make the server unreachable, or are they actually trying to 
> > >>>>>>> exploit srcds somehow?
> > >>>>>>>
> > >>>>>>> Here's a tcpdump made for about 30 seconds during the attack (which 
> > >>>>>>> is still ongoing);
> > >>>>>>>
> > >>>>>>> http://www.specialattack.net/downloads/dump.rar
> > >>>>>>>
> > >>>>>>> Saint K.
> > >>>>>>> _______________________________________________
> > >>>>>>> To unsubscribe, edit your list preferences, or view the list 
> > >>>>>>> archives, please visit:
> > >>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
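
Added example, not part of any message in this thread: a small Python triage of `tcpdump -nn -tt` text output that splits a capture into the traffic classes the posters describe (bare SYNs, UDP from source port 53 or 19, everything else) and counts sources in ranges that cannot be real, such as the 0.x addresses mentioned above. The sample lines, the documentation addresses and the bogon list are constructed assumptions; sizes are payload bytes as printed by tcpdump, so the Mbit/s figure understates wire bandwidth.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -nn -tt` text form (documentation addresses,
# not taken from the capture linked in the thread).
SAMPLE = """\
1354010000.000000 IP 203.0.113.7.53 > 198.51.100.10.27015: 4242 1/0/0 TXT "x" (3000)
1354010000.100000 IP 203.0.113.8.53 > 198.51.100.10.27015: 4242 1/0/0 TXT "x" (3000)
1354010000.200000 IP 203.0.113.9.19 > 198.51.100.10.27015: UDP, length 1024
1354010000.300000 IP 0.12.34.56.4444 > 198.51.100.10.27015: Flags [S], seq 1, win 512, length 0
1354010000.400000 IP 0.99.1.2.5555 > 198.51.100.10.27015: Flags [S], seq 2, win 512, length 0
1354010000.500000 IP 192.0.2.44.27005 > 198.51.100.10.27015: UDP, length 50
1354010001.000000 IP 192.0.2.44.27005 > 198.51.100.10.27015: UDP, length 48
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: (.*)$")
SIZE = re.compile(r"length (\d+)|\((\d+)\)\s*$")   # "length N" or DNS "(N)"
REFLECTORS = {53: "dns-reflection", 19: "chargen-reflection"}  # by source port
# Assumed bogon list: sources that cannot be routed on the public internet.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8")]

def classify(sport, rest):
    """Bucket one packet by TCP flags or by UDP source port."""
    if rest.startswith("Flags [S]"):       # bare SYN; a SYN-ACK prints as [S.]
        return "tcp-syn"
    if rest.startswith("Flags"):
        return "tcp-other"
    return REFLECTORS.get(sport, "udp-other")

def summarize(text):
    """Return pps, payload Mbit/s and bogon-source count per traffic class."""
    pkts, size, bogon, times = Counter(), Counter(), Counter(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # skip lines that are not IPv4 packets
        ts, src, sport, rest = float(m[1]), m[2], int(m[3]), m[4]
        kind = classify(sport, rest)
        sz = SIZE.search(rest)
        pkts[kind] += 1
        size[kind] += int(sz[1] or sz[2]) if sz else 0
        if any(ipaddress.ip_address(src) in n for n in BOGONS):
            bogon[kind] += 1
        times.append(ts)
    window = (max(times) - min(times)) or 1.0   # capture duration in seconds
    return {k: {"pps": pkts[k] / window, "mbit_s": size[k] * 8 / window / 1e6,
                "bogon_src": bogon[k]} for k in pkts}
```

A class dominated by bogon sources can be dropped by source range without collateral damage, while a reflection class shows which amplifier ports to report to the relevant abuse desks.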
