Hello,
This is usually caused by an attack which simply floods the server with
queries (usually A2S_INFO).
This happened on one of my servers a few months ago (running on Linux), and
the offending IP address was owned by NFO. I contacted them and had a good
discussion with a few of the NFO guys. It turned out that someone in
Russia was doing this to a lot of servers, and spoofing the NFO IP as the
source. They said it wasn't the first time this had happened, but they
were very helpful in diagnosing the issue and figuring out what was
happening.
I simply used a firewall rule to block the source IP, and the messages
stopped immediately.
Hope this helps.
- Dave
On Mon, Jan 18, 2016 at 7:34 PM, supp...@boomgaming.net <
supp...@boomgaming.net> wrote:
> Hello Everyone,
>
> I've searched the web on this but can't find the specific answers I'm
> looking for so I'm coming to my fellow server operators for a little
> guidance. I'm hoping some of you have seen or experienced what I'm writing
> about below.
>
> I still love and use HLSW to watch the logs of my servers constantly. More
> and more often now I'm seeing messages similar to the ones below flooding
> my console (the IP addresses and ports change but the messages are the
> same):
>
> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
> 11:55:46 L 01/18/2016 - 11:55:46: Traffic from 188.127.239.74:27021 was
> blocked for exceeding rate limits
>
> My initial research says that these are attacks on my servers but I'm no
> so sure that's correct. I'm running my TF2 and CSS servers on my own
> Windows 2008 Dedicated server and when I see these messages, I immediately
> add them to a Windows Firewall rule I have to block any and all traffic
> from these IPs before the server even sees it. What's interesting is that I
> still see these messages even though they get added to the firewall's block
> list. Eventually they stop but a litle while later, I get messages like it
> from other IPs. Sometimes I can go a day or two without any, and other days
> I get as many as 15 IPs doing this.
>
> I want to note that I don't see any significant performance hits on the
> servers when this occurs but I'd like to know more about these messages as
> they specifically relate to a game server. Based upon the content of the
> message, I assume these mean something bad is being blocked.
>
> What I find even more interesting is that many of the offending IPs that
> are doing this are the specific IP addresses and ports from other game
> servers, In the case of the one above, it belongs to a CS 1.6 server in
> Russia. Why would another game server box be attempting to connect to my
> servers on the same port it's being hosted on?
>
> This problem has grown in frequency over the past few months. Prior to
> that, I don't remember seeing these messages at all in console.
>
> Can anyone give me some background on what these mean and what they're
> about? Also, any idea why they Windows Firewall doesn't block their traffic
> completely when I add them to the scope of the Firewall wall so they don't
> appear in the console logs?
>
> Thanks for reading and Happy Monday,
> Mike Vail
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>
>
--
Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
