The attack I saw didn't raise bandwidth usage, only CPU. Load average went 4-5 times higher than it usually is and cores were more loaded. It also wasn't the same culprit shown here.

-ics

Calvin Judy wrote:
You can solve it with iptables if you're running Linux.

An upgrade on bandwidth isn't going to do anything, it's srcds query attacks, uses about as much bandwidth as gametracker.

And reporting it to Valve probably isn't going to work unless there's some strong evidence to prove he's doing it. (which there isn't.)

The attack comes from different IPs because it's reflected.

----- Original Message -----
From: "ElitePowered ." <elitepowe...@gmail.com>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 1:19 PM
Subject: Re: [hlds_linux] NET_GetLong attacks


How about you report his IP to the right officials. That'll do a much better job than a steam id. It'll take a while to process but he'll be dealt with.
For now, I think a lot of us are being affected by this attack. And it's more than 1 person. I'm seeing IPs from many places. Best solution is to report it to Valve until they respond and to also start using query cache which should help a bit. I haven't tried Bottiger's solution yet but I think it's hopeful. You might want to upgrade on your bandwidth :)


On Mon, Sep 2, 2013 at 12:26 PM, Violent Crimes <violentcri...@convictgaming.com> wrote:

Hey I know who is attacking you, it's the same guy who is attacking me.
http://bans.blackoutgaming.org/index.php?p=banlist&advSearch=STEAM_0:1:43055663&advType=steamid


STEAM_0:1:43055663



On 9/2/2013 7:25 AM, Michael Johansen wrote:

Blocked those and the attack still persists.

From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 07:14:43 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Okay, the number you provided (53) is the size of the string, the entire packet size is either 60 or 67 depending on the query. (there's 2 queries that are repeating.)

Try these rules:
iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP

I just tried these locally and they do not stop the valid queries from the steam browser.


----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:57 AM
Subject: Re: [hlds_linux] NET_GetLong attacks



http://replays.blackoutgaming.org/attack1.cap

This is from an attack. You should be able to open it using WireShark.

From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:44:46 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Post the tcpdump so we can look at it.

----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


I tried that too, and the servers stopped showing in both server browser and SourceBans. It looks like the only way to stop this is with a plugin or extension on the servers.

From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:35:04 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Modify the packet size in the rule I gave you to match what tcpdump is showing then, see if that works.


----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:32 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


I don't know how SRCDS finds that range, but tcpdump claims the packet is 53 bytes. And I'll have to take back what I said that the server lag was gone - it still lags badly whenever the attack hits. The cache takes quite a bit of it, but it still lags.

From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:07:49 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Rate limiting the A2S queries will still make the server appear offline, if you read your log that you posted, it gives you the size, and the acceptable size, you should be able to tailor a rule to fit your needs.

Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong:  Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]

Size: 8293
Valid Size: 564-1248

Rule:
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP

Make sure you also update the destination port if it's different. (I just tried this rule on my machine and it's working.)


----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 5:12 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


I've tried that, and it doesn't work. For now the solution is to run Query Cache to make the server playable, it will still disappear from the server browser though. Is there a solution to that? Somehow rate-limiting A2S queries?

From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 04:10:15 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Yes, it was mentioned on the other thread titled "steam server ports."

http://forums.alliedmods.net/showthread.php?t=151551

The 4th section from the top is dealing with attacks like this.

----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 2:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


Is it possible to stop this attack using iptables? Usually using the "Valve-way" of stopping the attacks won't work very well.

Date: Sun, 1 Sep 2013 23:45:23 -0400
From: violentcri...@convictgaming.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] NET_GetLong attacks

That might have worked with the other filtering we are doing. If it does I will send you the money. Send me a private email with your steam user.


On 9/1/2013 11:11 PM, Bottiger wrote:

If you used the version I posted it should not have set your sv_max_queries_sec_global so high.

You are supposed to lower that number until it becomes playable and raise the window.


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
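
The NET_GetLong lines quoted in the thread carry a source address, the split number/count, the reported size and the valid range. As an added example (not code from any poster in the thread or from Valve), this Python sketch tallies those fields to check whether events from many sources share one signature; the first two sample lines are the ones from the thread, the 192.0.2.x and 198.51.100.x lines are constructed, and `summarize` and `shared_signature` are hypothetical names.

```python
import re
from collections import Counter

# Pattern for the srcds console line quoted in the thread; whitespace is
# matched loosely because the quoted lines differ in spacing.
NET_GETLONG = re.compile(
    r"NET_GetLong:\s+Split packet from (?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"with invalid split size\s+\(number (?P<number>\d+)/ count (?P<count>\d+)\)\s+"
    r"where size (?P<size>\d+) is out of valid range\s+\[(?P<lo>\d+) - (?P<hi>\d+)\s*\]"
)

# Lines 1-2 are the log lines from the thread (unwrapped); lines 3-5 are constructed.
SAMPLE_LOG = """\
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong:  Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 192.0.2.10:40001 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 192.0.2.10:40002 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
Client "player" connected (198.51.100.7:27005).
"""

def summarize(log_text):
    """Tally out-of-range split packets per source IP and per signature."""
    sources, signatures = Counter(), Counter()
    for line in log_text.splitlines():
        m = NET_GETLONG.search(line)
        if m is None:
            continue  # unrelated console output
        size, lo, hi = int(m["size"]), int(m["lo"]), int(m["hi"])
        if lo <= size <= hi:
            continue  # inside the range the server accepts
        sources[m["ip"]] += 1
        signatures[(size, int(m["number"]), int(m["count"]))] += 1
    return sources, signatures

def shared_signature(log_text, min_share=0.9):
    """Return the (size, number, count) tuple that covers at least min_share
    of events spread over more than one source, else None."""
    sources, signatures = summarize(log_text)
    total = sum(signatures.values())
    if total == 0 or len(sources) < 2:
        return None
    sig, hits = signatures.most_common(1)[0]
    return sig if hits / total >= min_share else None

if __name__ == "__main__":
    srcs, sigs = summarize(SAMPLE_LOG)
    print(f"{sum(srcs.values())} events from {len(srcs)} sources")
    print("shared signature:", shared_signature(SAMPLE_LOG))
```

A constant signature spread over many source addresses matches what the posters describe: blocking individual IPs does not help, while the packet shape stays the same.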