Try the hashlimit module. Example: limit the input of srcds server on port 27015 up to 100 packets per second/ip
iptables -A INPUT -p udp --destination-port 27015 -m hashlimit -m udp --hashlimit-burst 15 --hashlimit-upto 100 --hashlimit-mode srcip --hashlimit-name srcdsin -j ACCEPT
iptables -A INPUT -p udp -j DROP

2013/9/2 Violent Crimes <violentcri...@convictgaming.com>

> On 9/2/2013 7:25 AM, Michael Johansen wrote:
>
>> Blocked those and the attack still persists.
>>
>>> From: evo...@gmail.com
>>> To: hlds_linux@list.valvesoftware.com
>>> Date: Mon, 2 Sep 2013 07:14:43 -0400
>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>
>>> Okay, the number you provided (53) is the size of the string, the entire
>>> packet size is either 60 or 67 depending on the query. (There are 2 queries
>>> that are repeating.)
>>>
>>> Try these rules:
>>> iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
>>> iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP
>>>
>>> I just tried these locally and they do not stop the valid queries from the
>>> steam browser.
>>>
>>> ----- Original Message -----
>>> From: "Michael Johansen" <michs...@live.no>
>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>> Sent: Monday, September 02, 2013 6:57 AM
>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>
>>>> http://replays.blackoutgaming.org/attack1.cap
>>>>
>>>> This is from an attack. You should be able to open it using WireShark.
>>>>
>>>>> From: evo...@gmail.com
>>>>> To: hlds_linux@list.valvesoftware.com
>>>>> Date: Mon, 2 Sep 2013 06:44:46 -0400
>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>
>>>>> Post the tcpdump so we can look at it.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Michael Johansen" <michs...@live.no>
>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>> Sent: Monday, September 02, 2013 6:38 AM
>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>
>>>>>> I tried that too, and the servers stopped showing in both server browser
>>>>>> and SourceBans. It looks like the only way to stop this is with a plugin
>>>>>> or extension on the servers.
>>>>>>
>>>>>>> From: evo...@gmail.com
>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>> Date: Mon, 2 Sep 2013 06:35:04 -0400
>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>
>>>>>>> Modify the packet size in the rule I gave you to match what tcpdump is
>>>>>>> showing then, see if that works.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Michael Johansen" <michs...@live.no>
>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>> Sent: Monday, September 02, 2013 6:32 AM
>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>
>>>>>>>> I don't know how SRCDS finds that range, but tcpdump claims the packet
>>>>>>>> is 53 bytes. And I'll have to take back what I said that the server lag
>>>>>>>> was gone - it still lags badly whenever the attack hits. The cache takes
>>>>>>>> quite a bit of it, but it still lags.
>>>>>>>>
>>>>>>>>> From: evo...@gmail.com
>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>> Date: Mon, 2 Sep 2013 06:07:49 -0400
>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>
>>>>>>>>> Rate limiting the a2s queries will still make the server appear
>>>>>>>>> offline. If you read the log that you posted, it gives you the size and
>>>>>>>>> the acceptable size; you should be able to tailor a rule to fit your
>>>>>>>>> needs.
>>>>>>>>>
>>>>>>>>> Log:
>>>>>>>>> NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
>>>>>>>>> NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
>>>>>>>>>
>>>>>>>>> Size: 8293
>>>>>>>>> Valid Size: 564-1248
>>>>>>>>>
>>>>>>>>> Rule:
>>>>>>>>> iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP
>>>>>>>>>
>>>>>>>>> Make sure you also update the destination port if it's different. (I
>>>>>>>>> just tried this rule on my machine and it's working.)
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Michael Johansen" <michs...@live.no>
>>>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>>>> Sent: Monday, September 02, 2013 5:12 AM
>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>
>>>>>>>>>> I've tried that, and it doesn't work. For now the solution is to run
>>>>>>>>>> Query Cache to make the server playable; it will still disappear from
>>>>>>>>>> the server browser though. Is there a solution to that? Somehow
>>>>>>>>>> rate-limiting A2S queries?
>>>>>>>>>>
>>>>>>>>>>> From: evo...@gmail.com
>>>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>>>> Date: Mon, 2 Sep 2013 04:10:15 -0400
>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>
>>>>>>>>>>> Yes, it was mentioned on the other thread titled "steam server ports."
>>>>>>>>>>>
>>>>>>>>>>> http://forums.alliedmods.net/showthread.php?t=151551
>>>>>>>>>>>
>>>>>>>>>>> The 4th section from the top is dealing with attacks like this.
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Michael Johansen" <michs...@live.no>
>>>>>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>>>>>> Sent: Monday, September 02, 2013 2:38 AM
>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>
>>>>>>>>>>>> Is it possible to stop this attack using iptables? Usually using the
>>>>>>>>>>>> "Valve-way" of stopping the attacks won't work very well.
>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Sun, 1 Sep 2013 23:45:23 -0400
>>>>>>>>>>>>> From: violentcrimes@convictgaming.com
>>>>>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>>>
>>>>>>>>>>>>> That might have worked with the other filtering we are doing. If it
>>>>>>>>>>>>> does I will send you the money. Send me a private email with your
>>>>>>>>>>>>> steam user.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 9/1/2013 11:11 PM, Bottiger wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you used the version I posted it should not have set your
>>>>>>>>>>>>>> sv_max_queries_sec_global so high.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You are supposed to lower that number until it becomes playable
>>>>>>>>>>>>>> and raise the window.
>>>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> To unsubscribe, edit your list preferences, or view the list
>>>>>>>>>>>> archives, please visit:
>>>>>>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
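An added example, not from the thread: a small Python script that parses NET_GetLong warnings like the ones quoted above, counts them per source for monitoring, and emits iptables rules in the style the thread settles on (length-match drops on the game port followed by a per-source hashlimit). The sample log lines and their IPs are constructed; the on-wire lengths (60, 67) are the ones the thread reports and are passed in separately, because `-m length` matches the IP packet length, not the split-size value printed in the log.

```python
import re
from collections import Counter

# Pattern for the srcds console warning quoted in the thread (one event per line).
NET_GETLONG_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>[\d.]+):(?P<port>\d+) with invalid split size "
    r"\(number (?P<num>\d+)/ count (?P<cnt>\d+)\) where size (?P<size>\d+) "
    r"is out of valid range \[(?P<lo>\d+) - (?P<hi>\d+) \]"
)

# Constructed sample log (documentation-range IPs), shaped like the lines in the thread.
SAMPLE_LOG = """\
NET_GetLong: Split packet from 192.0.2.10:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 198.51.100.7:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 192.0.2.10:54713 with invalid split size (number 12/ count 3) where size 40000 is out of valid range [564 - 1248 ]
L 09/02/2013 - 07:25:01: "Player<2><STEAM_0:0:1><>" connected
"""

def parse_net_getlong(text):
    """Return one dict per NET_GetLong warning: source ip, claimed split size, valid range."""
    events = []
    for line in text.splitlines():
        m = NET_GETLONG_RE.search(line)
        if m:
            events.append({"ip": m.group("ip"), "size": int(m.group("size")),
                           "lo": int(m.group("lo")), "hi": int(m.group("hi"))})
    return events

def summarize(events):
    """Count events per source, and per claimed size for sizes outside the valid range."""
    sources = Counter(e["ip"] for e in events)
    sizes = Counter(e["size"] for e in events if not e["lo"] <= e["size"] <= e["hi"])
    return sources, sizes

def build_rules(port, wire_lengths, per_ip_rate=100, burst=15, name="srcdsin"):
    """iptables rules in the thread's style: drop known-bad packet lengths on the game
    port, then hashlimit the rest per source IP and drop whatever exceeds the limit.
    wire_lengths come from a capture (tcpdump/Wireshark), not from the log's size field."""
    rules = [f"iptables -A INPUT -p udp --dport {port} -m length --length {n} -j DROP"
             for n in sorted(set(wire_lengths))]
    rules.append(f"iptables -A INPUT -p udp --dport {port} -m hashlimit "
                 f"--hashlimit-upto {per_ip_rate}/second --hashlimit-burst {burst} "
                 f"--hashlimit-mode srcip --hashlimit-name {name} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p udp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    sources, sizes = summarize(parse_net_getlong(SAMPLE_LOG))
    print("sources:", dict(sources), "bogus sizes:", dict(sizes))
    print("\n".join(build_rules(27015, [60, 67])))
```

The final catch-all DROP is scoped to the game port here, narrower than the all-UDP drop in the post above, so other UDP services on the host are unaffected.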