I am not a promoter, but with Hetzner if an attack is on my server, I just
get an email with the list of IPs that were doing the DDoS, stating they
stopped them from coming through.

-----Original Message-----
From: hlds_linux-boun...@list.valvesoftware.com
[mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
Johansen
Sent: Wednesday 28 November 2012 11:35
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack


If you're with an ISP/provider that actually takes care of their customers
they can just blackhole the IPs that are attacking, or the signature of
the attack in their routers, problem is that it takes time and it takes a
lot of CPU, and there may also be like 20k IPs and then you're out of
luck :(
> From: sai...@specialattack.net
> To: hlds_linux@list.valvesoftware.com
> Date: Wed, 28 Nov 2012 11:18:23 +0100
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> Our other server yesterday got hit by the so called "DNS response DDoS".
> So I'm guessing right now the attack wasn't aimed at exploiting SRCDS
> itself, but simply to put down our services.
>
> Not much you can do but wait for the attacks to die out.
>
> (If every ISP would just implement ip source guard you could at least
> actually block IP addresses knowing they come from a real source....
> meh)
> ________________________________________
> From: hlds_linux-boun...@list.valvesoftware.com
> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
> Johansen [michs...@live.no]
> Sent: 28 November 2012 09:57
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> Syn cookies didn't help for me sadly. Had to tune sysctl a tad more.
> Bumping up the maximum values for nf_conntrack module and all sorts of
> things. Now I'm using a couple of iptables rules to block all SYN-packets
> going over 5 per second. I've blocked ~800k packets the last days since
> enabling it. It's quite stable for now, but you never know when you're in
> for a larger attack unfortunately.
>
> > Date: Wed, 28 Nov 2012 00:55:20 -0800
> > From: my_azz...@yahoo.com
> > To: hlds_linux@list.valvesoftware.com
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > Yea lol tell me about it! I have been constantly attacked on and off
> > for the past 4 months due to my servers being in the top 20 on gametracker
> > for CS1.6. I must have seen all kinds of ddos attacks out there.
> >
> > For those on linux and getting syn floods, a nice preventative thing
> > you can do is enable syn cookies. read more:
> > http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
> >
> >
> >
> >
> > ________________________________
> >  From: Michael Johansen <michs...@live.no>
> > To: hlds_linux@list.valvesoftware.com
> > Sent: Wednesday, November 28, 2012 3:45:26 AM
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> >
> > The funny thing is, you can actually do so on the IP. Some skid has
> > made a "Booter" as it's called in their community which you can use to
> > take down shit. Send an abuse report to Santrex and block this ip in your
> > software firewall if you are on gigabit, it's only capable of pushing out
> > ~300 mbit/s. IP: 46.166.130.152. Could also block every packet whose data
> > contains "flood" or is 1024 bytes.
> > > Date: Wed, 28 Nov 2012 00:40:14 -0800
> > > From: my_azz...@yahoo.com
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > These days any 12 year old with their mommy's credit card can buy
> > > botnets and booters to do attacks.
> > >
> > >
> > >
> > >
> > > ________________________________
> > >  From: Marco Padovan <e...@evcz.tk>
> > > To: hlds_linux@list.valvesoftware.com
> > > Sent: Tuesday, November 27, 2012 8:34:28 AM
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > when you have fat pipes (1gbit or 10gbit uplinks) people need
> > > fat pipes too to spoof from and take you down...
> > >
> > > but, IIRC, that well known .EU ISP that allows spoofing lets people
> > > do that only on the 100mbit network, not on the gbit network.
> > >
> > > Therefore here comes the amplification (mostly DNS (UDP 53) and
> > > chargen (UDP 19)).... reporting those amplifiers (open resolvers)
> > > is very important ;)
> > >
> > > On 27/11/2012 14.29, Saint K. wrote:
> > > > That's kind of pointless in case of UDP attacks, chances are very
> > > > high that the IPs simply are spoofed.
> > > >
> > > > Saint K.
> > > > ________________________________________
> > > > From: hlds_linux-boun...@list.valvesoftware.com
> > > > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco
> > > > Padovan [e...@evcz.tk]
> > > > Sent: 27 November 2012 14:27
> > > > To: hlds_linux@list.valvesoftware.com
> > > > Subject: Re: [hlds_linux] Incoming DoS attack
> > > >
> > > > ihih, nice :)
> > > >
> > > > the most important thing while being ddosed is to report to the
> > > > relevant abuse desks so they can clean up their networks ;)
> > > >
> > > > On 27/11/2012 14.26, Michael Johansen wrote:
> > > >> I am indeed. Thank you for all your help :)
> > > >>> Date: Tue, 27 Nov 2012 14:25:24 +0100
> > > >>> From: e...@evcz.tk
> > > >>> To: hlds_linux@list.valvesoftware.com
> > > >>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>
> > > >>> Hi,
> > > >>>
> > > >>> are you the Mike on WHT?
> > > >>>
> > > >>> I was the one replying in there :D
> > > >>>
> > > > >>> On 27/11/2012 13.54, Michael Johansen wrote:
> > > > >>>> My face when, I just analyzed my own tcpdump and I had over
> > > > >>>> ~150 Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.
> > > >>>>> From: sai...@specialattack.net
> > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
> > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>
> > > > >>>>> We have no control over the upstream network. All I can do is
> > > > >>>>> filter the packets at the machine, but that wouldn't prevent the
> > > > >>>>> link from still being overloaded.
> > > > >>>>>
> > > > >>>>> Currently a null-route is in place to stop the attack at the
> > > > >>>>> network border.
> > > >>>>>
> > > >>>>> Saint K.
> > > >>>>> ________________________________________
> > > >>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > > >>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of
> > > >>>>> Michael Johansen [michs...@live.no]
> > > >>>>> Sent: 27 November 2012 11:26
> > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>
> > > > >>>>> Just took a look at the tcpdump, doesn't look like the attacks
> > > > >>>>> I'm having. I may be stupid now, but wouldn't it work just by
> > > > >>>>> blocking packets with the size of 50?
> > > >>>>>
> > > >>>>>> From: sai...@specialattack.net
> > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
> > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>>
> > > > >>>>>> The IPs in the dump originate from China, but as it's UDP it
> > > > >>>>>> could very well be spoofed.
> > > > >>>>>>
> > > > >>>>>> Looking at the payload in the packets, each new packet only
> > > > >>>>>> has 1 character change from the previous packet.
> > > >>>>>>
> > > >>>>>> Bruteforce, or perhaps signature scanning evasion?
> > > >>>>>>
> > > >>>>>> Saint K.
> > > >>>>>> ________________________________________
> > > >>>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > > >>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of
> > > >>>>>> Michael Johansen [michs...@live.no]
> > > >>>>>> Sent: 27 November 2012 11:15
> > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > >>>>>>
> > > > >>>>>> I haven't looked at the tcpdump, but I have been getting
> > > > >>>>>> attacks too, they're SYN floods, 300 - 400 mbps in size and
> > > > >>>>>> always coming from local/reserved (0.x) IPs. All started some
> > > > >>>>>> time after we set up our MvM servers.
> > > >>>>>>> From: sai...@specialattack.net
> > > >>>>>>> To: hlds_linux@list.valvesoftware.com
> > > >>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
> > > >>>>>>> Subject: [hlds_linux] Incoming DoS attack
> > > >>>>>>>
> > > >>>>>>> Hi,
> > > >>>>>>>
> > > > >>>>>>> We've been having DoS attacks aimed at one of our MvM
> > > > >>>>>>> servers.
> > > > >>>>>>>
> > > > >>>>>>> Anyone have any idea what they're attempting to do here? Is
> > > > >>>>>>> it just to make the server unreachable, or are they actually
> > > > >>>>>>> trying to exploit srcds somehow?
> > > >>>>>>>
> > > >>>>>>> Here's a tcpdump made for about 30 seconds during the
> > > >>>>>>> attack (which is still ongoing);
> > > >>>>>>>
> > > >>>>>>> http://www.specialattack.net/downloads/dump.rar
> > > >>>>>>>
> > > >>>>>>> Saint K.
> > > >>>>>>> _______________________________________________
> > > > >>>>>>> To unsubscribe, edit your list preferences, or view the list
> > > > >>>>>>> archives, please visit:
> > > > >>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
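
The host-side measures mentioned in the thread (SYN cookies, larger nf_conntrack limits, dropping SYNs above 5 per second, SYN floods arriving from 0.x sources) written out as an added example; it is not part of any poster's message. Apart from the 5/sec threshold every value is a constructed sample, and the function names and the per-source versus global mode switch are assumptions. As noted in the thread, filtering on the machine does not relieve a saturated uplink.

```sh
#!/bin/sh
# Added example: both functions only print settings for review; nothing is applied.
# The 5 SYN/s threshold is from the thread; every other value is a constructed sample.

# Kernel settings the thread mentions: SYN cookies, larger SYN and conntrack tables.
sysctl_settings() {
    conntrack_max=${1:-262144}            # assumed size; scale to available RAM
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.netfilter.nf_conntrack_max = $conntrack_max
EOF
}

# iptables-restore ruleset. $1 = SYN rate, $2 = burst, $3 = srcip | global.
# srcip limits each source separately, which spoofed sources sidestep because
# every packet looks like a new sender; global caps all SYNs together and will
# also drop legitimate connection attempts during a flood.
# The raw/PREROUTING rule runs before connection tracking, so packets claiming
# a reserved 0.x source never create conntrack entries.
syn_limit_rules() {
    rate=${1:-5/sec}; burst=${2:-10}; mode=${3:-srcip}
    case $mode in
        srcip)  mode_opt=" --hashlimit-mode srcip" ;;
        global) mode_opt="" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 0.0.0.0/8 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --syn -m hashlimit --hashlimit-name synlimit${mode_opt} --hashlimit-above $rate --hashlimit-burst $burst -j DROP
COMMIT
EOF
}

# Print both fragments with the thread's threshold, per source.
sysctl_settings
syn_limit_rules 5/sec 10 srcip
```

Check the generated ruleset with `iptables-restore --test` before loading it. Loading it without `--noflush` replaces the existing rules in the raw and filter tables.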