If you're with an ISP/provider that actually takes care of their customers, they 
*can* just blackhole the IPs that are attacking, or the signature of the 
attack in their routers. Problem is that it takes time and it takes a lot of 
CPU, and there may also be like 20k IPs, and then you're out of luck :(
> From: sai...@specialattack.net
> To: hlds_linux@list.valvesoftware.com
> Date: Wed, 28 Nov 2012 11:18:23 +0100
> Subject: Re: [hlds_linux] Incoming DoS attack
> 
> Our other server yesterday got hit by the so called "DNS response DDoS". So 
> I'm guessing right now the attack wasn't aimed at exploiting SRCDS itself, 
> but simply to put down our services.
> 
> Not much you can do but wait for the attacks to die out.
> 
> (If every ISP would just implement ip source guard you could at least 
> actually block IP addresses knowing they come from a real source.... meh)
> ________________________________________
> From: hlds_linux-boun...@list.valvesoftware.com 
> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen 
> [michs...@live.no]
> Sent: 28 November 2012 09:57
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
> 
> Syn cookies didn't help for me sadly. Had to tune sysctl a tad more. Bumping 
> up the maximum values for nf_conntrack module and all sorts of things. Now 
> I'm using a couple of iptables rules to block all SYN-packets going over 5 
> per second. I've blocked ~800k packets the last days since enabling it. It's 
> quite stable for now, but you never know when you're in for a larger attack 
> unfortunately.
> 
> > Date: Wed, 28 Nov 2012 00:55:20 -0800
> > From: my_azz...@yahoo.com
> > To: hlds_linux@list.valvesoftware.com
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > Yea lol tell me about it! I have been constantly attacked on and off for 
> > the past 4 months due to my servers being in the top 20 on gametracker for 
> > CS1.6 I must have seen all kinds of ddos attacks out there.
> >
> > For those on linux and getting syn floods, a nice preventative thing you 
> > can do is enable syn cookies. read more: 
> > http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
> >
> >
> >
> >
> > ________________________________
> >  From: Michael Johansen <michs...@live.no>
> > To: hlds_linux@list.valvesoftware.com
> > Sent: Wednesday, November 28, 2012 3:45:26 AM
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> >
> > The funny thing is, you can actually do so on the IP. Some skid has made a 
> > "Booter" as it's called in their community which you can use to take down 
> > shit. Send an abuse report to Santrex and block this IP in your software 
> > firewall if you are on gigabit, it's only capable of pushing out ~300 
> > mbit/s. IP: 46.166.130.152. Could also block every packet whose data 
> > contains "flood" or is 1024 bytes.
> > > Date: Wed, 28 Nov 2012 00:40:14 -0800
> > > From: my_azz...@yahoo.com
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > These days any 12 year old with their mommy's credit card can buy botnets 
> > > and booters to do attacks.
> > >
> > >
> > >
> > >
> > > ________________________________
> > >  From: Marco Padovan <e...@evcz.tk>
> > > To: hlds_linux@list.valvesoftware.com
> > > Sent: Tuesday, November 27, 2012 8:34:28 AM
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > when you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes
> > > too to spoof from and take you down...
> > >
> > > but, IIRC, that well known .EU ISP that allows spoofing let people do
> > > that only on the 100mbit network not on the gbit network.
> > >
> > > Therefore here comes the amplification (mostly DNS (udp 53) and chargen
> > > (UDP 19) ).... reporting those amplifiers (open resolvers) is very
> > > important ;)
> > >
> > > On 27/11/2012 14.29, Saint K. wrote:
> > > > That's kind of pointless in case of UDP attacks, chances are very high 
> > > > that the IPs simply are spoofed.
> > > >
> > > > Saint K.
> > > > ________________________________________
> > > > From: hlds_linux-boun...@list.valvesoftware.com 
> > > > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan 
> > > > [e...@evcz.tk]
> > > > Sent: 27 November 2012 14:27
> > > > To: hlds_linux@list.valvesoftware.com
> > > > Subject: Re: [hlds_linux] Incoming DoS attack
> > > >
> > > > ihih, nice :)
> > > >
> > > > the most important thing while being ddosed is to report to the relevant
> > > > abuse desks so they can clean up their networks ;)
> > > >
> > > > On 27/11/2012 14.26, Michael Johansen wrote:
> > > >> I am indeed. Thank you for all your help :)
> > > >>> Date: Tue, 27 Nov 2012 14:25:24 +0100
> > > >>> From: e...@evcz.tk
> > > >>> To: hlds_linux@list.valvesoftware.com
> > > >>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>
> > > >>> Hi,
> > > >>>
> > > >>> are you the Mike on WHT?
> > > >>>
> > > >>> I was the one replying in there :D
> > > >>>
> > > >>> On 27/11/2012 13.54, Michael Johansen wrote:
> > > >>>> My face when, I just analyzed my own tcpdump and I had over ~150 
> > > >>>> Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.
> > > >>>>> From: sai...@specialattack.net
> > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
> > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>
> > > >>>>> We have no control over the upstream network. All I can do is 
> > > >>>>> filter the packets at the machine, but that wouldn't prevent the 
> > > >>>>> link from still being overloaded.
> > > >>>>>
> > > >>>>> Currently a null-route is in place to stop the attack at the 
> > > >>>>> network border.
> > > >>>>>
> > > >>>>> Saint K.
> > > >>>>> ________________________________________
> > > >>>>> From: hlds_linux-boun...@list.valvesoftware.com 
> > > >>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael 
> > > >>>>> Johansen [michs...@live.no]
> > > >>>>> Sent: 27 November 2012 11:26
> > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>
> > > >>>>> Just took a look at the tcpdump, doesn't look like the attacks I'm 
> > > >>>>> having. I may be stupid now, but wouldn't it work just by blocking 
> > > >>>>> packets with the size of 50?
> > > >>>>>
> > > >>>>>> From: sai...@specialattack.net
> > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
> > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>>
> > > >>>>>> The IPs in the dump originate from China, but as it's UDP it 
> > > >>>>>> could very well be spoofed.
> > > >>>>>>
> > > >>>>>> Looking at the payload in the packets, each new packet only has 1 
> > > >>>>>> character change from the previous packet.
> > > >>>>>>
> > > >>>>>> Bruteforce, or perhaps signature scanning evasion?
> > > >>>>>>
> > > >>>>>> Saint K.
> > > >>>>>> ________________________________________
> > > >>>>>> From: hlds_linux-boun...@list.valvesoftware.com 
> > > >>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael 
> > > >>>>>> Johansen [michs...@live.no]
> > > >>>>>> Sent: 27 November 2012 11:15
> > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>>
> > > >>>>>> I haven't looked at the tcpdump, but I have been getting attacks 
> > > >>>>>> too, they're SYN floods, 300 - 400 mbps in size and always coming 
> > > >>>>>> from local/reserved (0.x) IPs. All started some time after we set 
> > > >>>>>> up our mvm servers.
> > > >>>>>>> From: sai...@specialattack.net
> > > >>>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
> > > >>>>>>> Subject: [hlds_linux] Incoming DoS attack
> > > >>>>>>>
> > > >>>>>>> Hi,
> > > >>>>>>>
> > > >>>>>>> We've been having DoS attacks aimed at one of our MvM servers.
> > > >>>>>>>
> > > >>>>>>> Anyone have any idea what they're attempting to do here? Is it 
> > > >>>>>>> just to make the server unreachable, or are they actually trying 
> > > >>>>>>> to exploit srcds somehow?
> > > >>>>>>>
> > > >>>>>>> Here's a tcpdump made for about 30 seconds during the attack 
> > > >>>>>>> (which is still ongoing);
> > > >>>>>>>
> > > >>>>>>> http://www.specialattack.net/downloads/dump.rar
> > > >>>>>>>
> > > >>>>>>> Saint K.
> > > >>>>>>> _______________________________________________
> > > >>>>>>> To unsubscribe, edit your list preferences, or view the list 
> > > >>>>>>> archives, please visit:
> > > >>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
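
Added example (not part of any poster's message): the thread separates UDP volume from SYN packet rate in a tcpdump and notes SYN floods arriving from reserved (0.x) sources. The sketch below does that triage on `tcpdump -nn -tt` text output. The function name `summarize`, the bogon list and the sample capture are constructed for illustration.

```python
import ipaddress
import re

# Source ranges that cannot be a real origin on the public Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# One line of `tcpdump -nn -tt`: "<epoch> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: (.*)$")

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
1354010000.000000 IP 0.12.34.56.4242 > 203.0.113.10.27015: Flags [S], seq 1, win 512, length 0
1354010000.250000 IP 0.99.1.2.1025 > 203.0.113.10.27015: Flags [S], seq 2, win 512, length 0
1354010000.500000 IP 198.51.100.7.19 > 203.0.113.10.27015: UDP, length 1024
1354010000.750000 IP 198.51.100.8.19 > 203.0.113.10.27015: UDP, length 1024
1354010001.000000 IP 203.0.113.10.27015 > 198.51.100.9.40000: Flags [S.], seq 3, ack 4, win 512, length 0
"""

def summarize(lines):
    """Return SYN rate, UDP payload bandwidth and bogon-sourced packet count."""
    first = last = None
    syn = udp_bytes = bogon = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ARP, IPv6, truncated lines
        ts, src, rest = float(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3)
        first = ts if first is None else first
        last = ts
        if any(src in net for net in BOGONS):
            bogon += 1  # certainly spoofed, so dropping it has no collateral
        if rest.startswith("Flags [S],"):  # bare SYN; a SYN-ACK prints as [S.]
            syn += 1
        elif rest.startswith("UDP,"):
            udp_bytes += int(rest.rsplit("length ", 1)[1])  # payload bytes only
    secs = max(last - first, 1e-6) if first is not None else 1.0
    return {"syn_pps": syn / secs,
            "udp_mbps": udp_bytes * 8 / secs / 1e6,
            "bogon_packets": bogon}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A high `udp_mbps` next to a modest `syn_pps` points at link saturation, which host-side filtering cannot relieve; the figure counts payload bytes only, so it is a lower bound on wire traffic.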
