Michael's issue has been solved with iptables rules. I still recommend you
load a linux vm on your windows server and do the same.
----- Original Message -----
From: "Violent Crimes" <violentcri...@convictgaming.com>
To: <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 12:26 PM
Subject: Re: [hlds_linux] NET_GetLong attacks
Hey I know who is attacking you its the same guy who is attacking me.
http://bans.blackoutgaming.org/index.php?p=banlist&advSearch=STEAM_0:1:43055663&advType=steamid
STEAM_0:1:43055663
On 9/2/2013 7:25 AM, Michael Johansen wrote:
Blocked those and the attack still persists.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 07:14:43 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Okay, the number you provided (53) is the size of the string, the entire
packet size is either 60 or 67 depending on the query. (there's 2
queries
that are repeating.)
Try these rules:
iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP
I just tried these locally and they do not stop the valid queries from
the
steam browser.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:57 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
http://replays.blackoutgaming.org/attack1.cap
This is from an attack. You should be able to open it using WireShark.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:44:46 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Post the tcpdump so we can look at it.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I tried that too, and the servers stopped showing in both server
browser
and SourceBans. It looks like the only way to stop this is with a
plugin
or
extension on the servers.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:35:04 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Modify the packet size in the rule I gave you to match what tcpdump
is
showing then, see if that works.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:32 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I don't know how SRCDS find that range, but tcpdump claims the
packet
is
53
bytes. And I'll have to take back what I said that the server lag
was
gone - it still lags badly whenever the attack hits. The cache
takes
quite
a bit of it, but it still lags.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:07:49 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Rating limiting the a2s queries will still make the server appear
offline,
if you read your log that you posted, it gives you the size, and
the
acceptable size, you should be able to tailor a rule to fit your
needs.
Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid
split
size (number 99/ count 114) where size 8293 is out of valid range
[564 -
1248 ]
NET_GetLong: Split packet from 61.52.31.78:45086 with invalid
split
size
(number 99/ count 114) where size 8293 is out of valid range
[564 -
1248 ]
Size: 8293
Valid Size: 564-1248
Rule:
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length
8293 -j
DROP
Make sure you also update the destination port if it's different.
(I
just
tried this rule on my machine and it's working.)
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 5:12 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I've tried that, and it doesn't work. For now the solution is to
run
Query
Cache to make the server playable, it will still disappear from
the
serverbrowser though. Is there a solution to that? Somehow
rate-limiting
A2S queries?
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 04:10:15 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Yes, it was mentioned on the other thread titled "steam server
ports."
http://forums.alliedmods.net/showthread.php?t=151551
The 4th section from the top is dealing with attacks like this.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 2:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
Is it possible to stop this attack using iptables? Usually
using
the
"Valve-way" of stopping the attacks won't work very well.
Date: Sun, 1 Sep 2013 23:45:23 -0400
From: violentcri...@convictgaming.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] NET_GetLong attacks
That might have worked with the other filtering we are doing.
If
it
does
I will send you the money. Send me a private email with your
steam
user.
On 9/1/2013 11:11 PM, Bottiger wrote:
If you used the version I posted it should not have set
your
sv_max_queries_sec_global
so high.
You are supposed to lower that number until it becomes
playable
and
raise
the window.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
