The attack I saw didn't raise bandwidth usage, only CPU. Load average
went 4-5 times higher than it usually is and cores were more loaded. It
also wasn't the same culprit shown here.
-ics
Calvin Judy wrote:
You can solve it with iptables if you're running Linux.
An upgrade on bandwidth isn't going to do anything, it's srcds query
attacks, uses about as much bandwidth as gametracker.
And reporting it to Valve probably isn't going to work unless there's
some strong evidence to prove he's doing it. (which there isn't.)
The attack comes from different IPs because it's reflected.
----- Original Message -----
From: "ElitePowered ." <elitepowe...@gmail.com>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 1:19 PM
Subject: Re: [hlds_linux] NET_GetLong attacks
How about you report his IP to the right officials. That'll do a much better
job than a Steam ID. It'll take a while to process but he'll be dealt with.
For now, I think a lot of us are being affected by this attack. And it's
more than 1 person. I'm seeing IPs from many places. Best solution is to
report it to Valve until they respond and to also start using query cache
which should help a bit. I haven't tried Bottiger's solution yet but I
think it's hopeful. You might want to upgrade on your bandwidth :)
On Mon, Sep 2, 2013 at 12:26 PM, Violent Crimes <violentcri...@convictgaming.com> wrote:
Hey I know who is attacking you, it's the same guy who is attacking me.
http://bans.blackoutgaming.org/index.php?p=banlist&advSearch=STEAM_0:1:43055663&advType=steamid
STEAM_0:1:43055663
On 9/2/2013 7:25 AM, Michael Johansen wrote:
Blocked those and the attack still persists.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 07:14:43 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Okay, the number you provided (53) is the size of the string, the entire
packet size is either 60 or 67 depending on the query. (there's 2 queries
that are repeating.)
Try these rules:
iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP
I just tried these locally and they do not stop the valid queries from the
Steam browser.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:57 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
http://replays.blackoutgaming.org/attack1.cap
This is from an attack. You should be able to open it using Wireshark.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:44:46 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Post the tcpdump so we can look at it.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I tried that too, and the servers stopped showing in both server browser
and SourceBans. It looks like the only way to stop this is with a plugin or
extension on the servers.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:35:04 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Modify the packet size in the rule I gave you to match what tcpdump is
showing then, see if that works.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:32 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I don't know how SRCDS finds that range, but tcpdump claims the packet is 53
bytes. And I'll have to take back what I said that the server lag was
gone - it still lags badly whenever the attack hits. The cache takes quite
a bit of it, but it still lags.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:07:49 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Rate limiting the a2s queries will still make the server appear offline,
if you read your log that you posted, it gives you the size, and the
acceptable size, you should be able to tailor a rule to fit your needs.
Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
Size: 8293
Valid Size: 564-1248
Rule:
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP
Make sure you also update the destination port if it's different. (I just
tried this rule on my machine and it's working.)
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 5:12 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I've tried that, and it doesn't work. For now the solution is to run Query
Cache to make the server playable, it will still disappear from the
serverbrowser though. Is there a solution to that? Somehow rate-limiting
A2S queries?
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 04:10:15 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Yes, it was mentioned on the other thread titled "steam server ports."
http://forums.alliedmods.net/showthread.php?t=151551
The 4th section from the top is dealing with attacks like this.
----- Original Message -----
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 2:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
Is it possible to stop this attack using iptables? Usually using the
"Valve-way" of stopping the attacks won't work very well.
Date: Sun, 1 Sep 2013 23:45:23 -0400
From: violentcri...@convictgaming.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] NET_GetLong attacks
That might have worked with the other filtering we are doing. If it does
I will send you the money. Send me a private email with your steam user.
On 9/1/2013 11:11 PM, Bottiger wrote:
If you used the version I posted it should not have set your
sv_max_queries_sec_global so high.
You are supposed to lower that number until it becomes playable and raise
the window.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
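An added example, not code from any poster in the thread: it parses the NET_GetLong warnings quoted above, shows that the source addresses vary while the (number, count, size) signature stays constant, and builds length-match rules in the thread's form from on-wire lengths read off a capture. The function names are hypothetical, and `l3_length` assumes IPv4 without options, since `-m length` matches the whole IP packet rather than the UDP payload.

```python
import re
from collections import Counter

# Log lines as quoted in the thread (re-joined onto one line each), plus one
# constructed unrelated line to show that non-matching input is skipped.
SAMPLE_LOG = """\
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
Client "constructed" connected (192.0.2.10:27005).
"""

GETLONG_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>[\d.]+):(?P<sport>\d+) with invalid "
    r"split size \(number (?P<number>\d+)/ count (?P<count>\d+)\) where size "
    r"(?P<size>\d+) is out of valid range \[(?P<lo>\d+) - (?P<hi>\d+) \]"
)

def parse_getlong(line):
    """Return the fields of one NET_GetLong warning, or None for other lines."""
    m = GETLONG_RE.search(line)
    if m is None:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "ip"}
    rec["ip"] = m.group("ip")
    return rec

def summarize(log_text):
    """Count distinct sources versus distinct (number, count, size) signatures."""
    sources, signatures = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_getlong(line)
        if rec:
            sources[rec["ip"]] += 1
            signatures[(rec["number"], rec["count"], rec["size"])] += 1
    return sources, signatures

def l3_length(udp_payload_len, ip_header_len=20):
    """Value for `-m length`: IP header + 8-byte UDP header + payload."""
    return ip_header_len + 8 + udp_payload_len

def drop_rules(port, wire_lengths):
    """Build the thread's rule form for on-wire lengths taken from tcpdump."""
    return [f"iptables -A INPUT -p udp --dport {port} -m length --length {n} -j DROP"
            for n in sorted(set(wire_lengths))]

if __name__ == "__main__":
    src, sig = summarize(SAMPLE_LOG)
    print(f"{len(src)} sources, {len(sig)} signature(s): {dict(sig)}")
    print("\n".join(drop_rules(27135, [60, 67])))
```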