Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-09 Thread Claudio Beretta
I've got a report that my tool doesn't work on multihomed machines where
there is more than one server running on the same port but on different IPs. To
fix, add the -b IPAddress argument to sudppipe2.

I've updated the tool description page to reflect this.
http://www.wantedgov.it/page/62-srcds-query-cache/


On Sun, Sep 6, 2009 at 5:56 PM, Claudio Beretta
wrote:

> try with this one
> http://www.wantedgov.it/gov/SrcdsQueryCache.7z?v2.1
> in the previous version I left a variable that tracks time uninitialized,
> so that might be the cause of you not seeing any forwarding.
> This version also fixes a minor logic bug, which could prevent the
> tool from replying to some T requests.
>
> On Sun, Sep 6, 2009 at 5:22 PM, Shizzle Nizzle wrote:
> > just getting a bunch of T request nothing forwarded though.
> > server is actually running on port 27016
> > so my commandline is
> >  -X xx.xx.xx.xx 27016 27015
> >
> >
> > On Sun, Sep 6, 2009 at 10:10 AM, Claudio Beretta
> > wrote:
> >
> >> no, the code that filters requests based on the source port is never
> >> executed when launching with the arguments specified on the tool page.
> >> The code that is executed is from line 419 ( if (len > 5) ) to line
> >> 496 ( c = check_sd(&peerl, 0); ). The other if / else branches are
> >> executed with other launch arguments. I just left it in since I'm
> >> lazy.
> >>
> >> Try running it without the -q argument (quiet), you should see something
> >> like
> >> - got a T request FROM 191.83.51.210:17073 (25 bytes)
> >> - forwarding request to 194.177.96.192:27300 (25 bytes)
> >> - done (25 bytes)
> >> - got a I reply FROM 194.177.96.192:27300 (84 bytes)
> >> - got a T request FROM 31.52.173.97:48316 (25 bytes)
> >> - replying from cache to 31.52.173.97:48316 (84 bytes)
> >> - reply from cache done (84 bytes)
> >> - got a T request FROM 89.32.56.194:14628 (25 bytes)
> >> - replying from cache to 89.32.56.194:14628 (84 bytes)
> >> - reply from cache done (84 bytes)
> >> - got a T request FROM 116.108.191.75:20483 (25 bytes)
> >> - replying from cache to 116.108.191.75:20483 (84 bytes)
> >> - reply from cache done (84 bytes)
> >> - got a T request FROM 35.38.228.9:9249 (25 bytes)
> >> - replying from cache to 35.38.228.9:9249 (84 bytes)
> >> - reply from cache done (84 bytes)
> >>
> >> getting something different?
> >>
> >> On Sun, Sep 6, 2009 at 4:38 PM, Shizzle Nizzle
> wrote:
> >> > i wasnt able to get this to work on any of my servers. if i read the
> >> source
> >> > file correctly. if the src port isnt 27005/27006 it will drop them
> >> aswell? i
> >> > no some people who dont seem to use that port that is legit traffic
> would
> >> it
> >> > drop them too?
> >> >
> >> > On Sun, Sep 6, 2009 at 5:29 AM, Donnie Newlove wrote:
> >> >
> >> >> >I know this isn't the most elegant solution, but windows firewall
> >> sucks,
> >> >> ipsec doesn't seem to allow fine grained filtering and I never coded
> MMS
> >> >> plugins before. This tool should be used only during attacks (since
> new
> >> >> players might add the server running on the new port to their
> >> favorites).
> >> >>
> >> >> Well, you could just change the port of the server and then let the
> >> >> query cache listen on that port and it would make no difference
> except
> >> >> you would have to take the server offline for a moment, but after
> that
> >> >> it would be business as usual.
> >> >>
> >> >> On Sun, Sep 6, 2009 at 10:35 AM, Claudio
> >> >> Beretta wrote:
> >> >> > here it is
> >> >> > http://www.wantedgov.it/page/62-srcds-query-cache/
> >> >> >
> >> >> > more info on that page
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> >> >> > Beretta wrote:
> >> >> >> I'm doing it right now, should be ready tomorrow.
> >> >> >>
> >> >> >> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins<
> >> kenny.logg...@clanao.com>
> >> >> wrote:
> >> >> >>> I'm willing to pay someone to write a windows version of a query
>

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-07 Thread Matthew Gottlieb
THANKS!  I've posted a link to your site within the srcds.com forums
since several of our members have been hit with this attack.

On Sun, Sep 6, 2009 at 1:46 PM, Kenny Loggins wrote:
> Woo hoo works like a charm :) sent you some $$ via paypal and a huge thank
> you!!
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> Sent: Sunday, September 06, 2009 3:35 AM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> here it is
> http://www.wantedgov.it/page/62-srcds-query-cache/
>
> more info on that page
>
>
>
> On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> Beretta wrote:
>> I'm doing it right now, should be ready tomorrow.
>>
>> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
> wrote:
>>> I'm willing to pay someone to write a windows version of a query proxy.
>>>
>>> -Original Message-
>>> From: hlds-boun...@list.valvesoftware.com
>>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>>> Sent: Saturday, September 05, 2009 4:36 PM
>>> To: Half-Life dedicated Win32 server mailing list
>>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>>
>>> This is why A2S_INFO requires a challenge :|
>>>
>>> Thanks,
>>> - Saul.
>>>
>>>
>>> 2009/9/5 Matt Stanton 
>>>
>>>> If these attacks are coming from ips that are outside of the range of
>>>> your standard users' network range, then it's possible you could filter
>>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>>> internet that are gnerally too far away to have decent latency on your
>>>> server.  Unfortunately, this would mean building a database of ip blocks
>>>> that are allocated to networks that are within a reasonable distance of
>>>> your server's network and checking every A2S_INFO packet that comes in
>>>> against this database, which would likely eat a decent amount of CPU.
>>>>
>>>> Nephyrin Zey wrote:
>>>> > The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
>>>> > on large numbers of A2S_INFO packets, its not the traffic that's doing
>>>> > machines in. I'd reckon a single residential connection could take
> down
>>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>>> > have a daemon that intercepts server queries and handles them itself.
>>>> > It's currently handling this attacker hammering on two servers without
>>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>>> > and my tf2 servers continue to run just fine.
>>>> >
>>>> > And if you actually examine the attack, it's very obviously a single
>>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>>> > have the same exact path length.
>>>> >
>>>> > - Neph
>>>> >
>>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>>> >
>>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>>> for a
>>>> >> couple of reasons.
>>>> >>
>>>> >> First, the assumption by most on this thread is that it's a single
> guy
>>>> >> operating from a single (or just a handful) of computers.  They
> further
>>>> >> assume that he's forging the source IP addresses so the requests look
>>>> like
>>>> >> they're coming from many many different machines.  If this is true,
>>>> there's
>>>> >> no way to trace or block him based upon the information included in
> the
>>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>>> explain
>>>> >> below.
>>>> >>
>>>> >> Second, if this assumption is incorrect you need to find a way to
>>>> identify
>>>> >> each and every source and block them one at a time.  Netblocks are at
>>>> best a
>>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>>> process
>>>> >> needs to be automate
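Nephyrin's argument above (a large share of the "sources" sit in unallocated ranges, every packet shows the same path length, and each address is seen exactly once) can be checked mechanically from any per-packet log. The script below is an added example written for this page, not code from the thread or from any of the tools mentioned in it. The log records, the log line format and the threshold values are constructed for the demo; the five non-reserved addresses are the ones that appear in the cache log later in the thread, the rest are documentation/reserved addresses. The bogon list is a small illustrative subset of never-routable prefixes; a real deployment needs the full, current unallocated list, because allocations change.

```python
"""Triage an A2S_INFO flood from per-packet log records: are the many source
addresses real hosts, or one box spoofing them?  Added example; records, log
format, bogon list and thresholds are constructed for the demo."""
import ipaddress
import re
from collections import Counter

# Constructed records in a firewall-log style: source IP/port, received IP TTL
# (path length), UDP payload length.  25 bytes is the A2S_INFO probe.
SAMPLE_LOG = """\
src=191.83.51.210 sport=17073 ttl=52 len=25
src=31.52.173.97 sport=48316 ttl=52 len=25
src=89.32.56.194 sport=14628 ttl=52 len=25
src=116.108.191.75 sport=20483 ttl=52 len=25
src=35.38.228.9 sport=9249 ttl=52 len=25
src=192.0.2.77 sport=3001 ttl=52 len=25
src=198.51.100.4 sport=22801 ttl=52 len=25
src=203.0.113.250 sport=40112 ttl=52 len=25
src=0.12.5.6 sport=5000 ttl=52 len=25
src=240.1.2.3 sport=61000 ttl=52 len=25
src=82.13.47.9 sport=27005 ttl=115 len=25
src=82.13.47.9 sport=27005 ttl=115 len=25
src=151.22.8.40 sport=27005 ttl=57 len=25
"""

# Prefixes that must never appear as an Internet source (private, documentation,
# "this network", class E).  Illustrative subset only: use the full, current
# unallocated/bogon list in practice, since allocations change over time.
SAMPLE_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]

LINE = re.compile(r"src=(\S+) sport=(\d+) ttl=(\d+) len=(\d+)")


def parse_records(log):
    """Turn the constructed log text into a list of dicts; unparseable lines are skipped."""
    recs = []
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            recs.append({"src": ipaddress.ip_address(m.group(1)), "sport": int(m.group(2)),
                         "ttl": int(m.group(3)), "len": int(m.group(4))})
    return recs


def is_bogon(addr, bogons=SAMPLE_BOGONS):
    return any(addr in net for net in bogons)


def analyse(records, bogons=SAMPLE_BOGONS):
    """Summarise the three spoofing indicators from the thread and give a verdict."""
    if not records:
        return {"packets": 0, "spoofed": False}
    sources = Counter(r["src"] for r in records)
    ttls = Counter(r["ttl"] for r in records)
    modal_ttl, modal_count = ttls.most_common(1)[0]
    bogon_sources = [s for s in sources if is_bogon(s, bogons)]
    result = {
        "packets": len(records),
        "unique_sources": len(sources),
        # share of distinct sources that cannot be real Internet hosts
        "bogon_fraction": round(len(bogon_sources) / len(sources), 3),
        # one spoofing host leaves one path length on every packet
        "modal_ttl": modal_ttl,
        "modal_ttl_fraction": round(modal_count / len(records), 3),
        # spoofed addresses are rarely reused; real clients re-query
        "single_shot_fraction": round(sum(1 for c in sources.values() if c == 1) / len(sources), 3),
    }
    # Threshold values are assumptions for this example, not measured constants.
    result["spoofed"] = (result["bogon_fraction"] >= 0.1
                         or (result["unique_sources"] >= 10 and result["modal_ttl_fraction"] >= 0.75))
    return result


if __name__ == "__main__":
    for k, v in analyse(parse_records(SAMPLE_LOG)).items():
        print(f"{k:22} {v}")
```

Feed it the output of whatever logs the flood (a firewall log, a tcpdump summary) after adjusting LINE to that format. A single spoofing source shows up as a high bogon fraction, one dominant TTL and sources that never repeat; a real botnet spreads across many TTLs and allocated ranges.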

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Kenny Loggins
Woo hoo, works like a charm :) sent you some $$ via PayPal and a huge thank
you!!

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Sunday, September 06, 2009 3:35 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

here it is
http://www.wantedgov.it/page/62-srcds-query-cache/

more info on that page



On Sun, Sep 6, 2009 at 12:44 AM, Claudio
Beretta wrote:
> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
wrote:
>> I'm willing to pay someone to write a windows version of a query proxy.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>> Sent: Saturday, September 05, 2009 4:36 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> This is why A2S_INFO requires a challenge :|
>>
>> Thanks,
>> - Saul.
>>
>>
>> 2009/9/5 Matt Stanton 
>>
>>> If these attacks are coming from ips that are outside of the range of
>>> your standard users' network range, then it's possible you could filter
>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>> internet that are gnerally too far away to have decent latency on your
>>> server.  Unfortunately, this would mean building a database of ip blocks
>>> that are allocated to networks that are within a reasonable distance of
>>> your server's network and checking every A2S_INFO packet that comes in
>>> against this database, which would likely eat a decent amount of CPU.
>>>
>>> Nephyrin Zey wrote:
>>> > The bandwidth involved in this attack is tiny. The issue is srcds
chokes
>>> > on large numbers of A2S_INFO packets, its not the traffic that's doing
>>> > machines in. I'd reckon a single residential connection could take
down
>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>> > have a daemon that intercepts server queries and handles them itself.
>>> > It's currently handling this attacker hammering on two servers without
>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>> > and my tf2 servers continue to run just fine.
>>> >
>>> > And if you actually examine the attack, it's very obviously a single
>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>> > have the same exact path length.
>>> >
>>> > - Neph
>>> >
>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>> >
>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>> for a
>>> >> couple of reasons.
>>> >>
>>> >> First, the assumption by most on this thread is that it's a single
guy
>>> >> operating from a single (or just a handful) of computers.  They
further
>>> >> assume that he's forging the source IP addresses so the requests look
>>> like
>>> >> they're coming from many many different machines.  If this is true,
>>> there's
>>> >> no way to trace or block him based upon the information included in
the
>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>> explain
>>> >> below.
>>> >>
>>> >> Second, if this assumption is incorrect you need to find a way to
>>> identify
>>> >> each and every source and block them one at a time.  Netblocks are at
>>> best a
>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>> process
>>> >> needs to be automated as much as possible or it's not effective.
>>> >>
>>> >> Now, why do I think that this is probably not coming from just a
>> handful
>>> of
>>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service,
after
>>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
>> as
>>> >> many as a quarter million compromised machines if you want to and you
>>> have
>>> >> the cash.
>>> >>
>>> >> Too cheap or to
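Saul's remark above ("this is why A2S_INFO requires a challenge") is the protocol-level fix: a spoofed source never sees what the server sends back, so if the full info reply is only given to a client that echoes a challenge first, the attacker can make the server emit nothing bigger than a small challenge packet per spoofed probe. The mock below is an added example for this page, not srcds code and not Valve's implementation (Valve did add a challenge to A2S_INFO in late 2020, long after this thread). The wire layout follows the Source query protocol (the 25-byte "T" probe, a 0x41 challenge reply carrying 4 bytes, the probe re-sent with those 4 bytes appended); the way the challenge is derived, a keyed hash of the client address so that no state is kept per spoofed source, is this example's own design choice, as are the names and the secret.

```python
"""Mock A2S_INFO server with a challenge step.  Added example; the stateless
challenge derivation and all names are this example's own, not srcds code."""
import hashlib
import hmac

HEADER = b"\xff\xff\xff\xff"
INFO_REQUEST = HEADER + b"TSource Engine Query\x00"   # 25 bytes, as in the thread's log


class ChallengingInfoServer:
    def __init__(self, secret, info_payload):
        self.secret = secret                  # rotate periodically in a real deployment
        self.info_reply = HEADER + b"I" + info_payload
        self.full_replies = 0                 # expensive 'I' replies actually built and sent
        self.challenge_replies = 0            # 9-byte 'A' replies

    def challenge_for(self, addr):
        """Keyed hash of the client address: no table to fill with spoofed sources."""
        mac = hmac.new(self.secret, f"{addr[0]}:{addr[1]}".encode(), hashlib.sha256).digest()
        return mac[:4]

    def handle(self, data, addr):
        """Return the bytes to send back to addr, or None for packets we ignore."""
        if not data.startswith(INFO_REQUEST):
            return None
        tail = data[len(INFO_REQUEST):]
        if tail == self.challenge_for(addr):
            self.full_replies += 1            # only a client that received the challenge gets here
            return self.info_reply
        self.challenge_replies += 1
        return HEADER + b"A" + self.challenge_for(addr)


def honest_client_query(server, addr):
    """A real client sees the 'A' reply and re-sends the probe with the challenge."""
    first = server.handle(INFO_REQUEST, addr)
    if first[4:5] == b"A":
        return server.handle(INFO_REQUEST + first[5:9], addr)
    return first


def spoofed_flood(server, n):
    """Attacker sends n probes from made-up addresses (documentation range) and never
    receives the challenges.  Returns how many full info replies it managed to trigger."""
    before = server.full_replies
    for i in range(n):
        server.handle(INFO_REQUEST, (f"192.0.2.{i % 256}", 1000 + i))
    return server.full_replies - before


if __name__ == "__main__":
    srv = ChallengingInfoServer(b"rotate-me", b"\x11TF2 test\x00")
    print(honest_client_query(srv, ("198.51.100.7", 27005)))
    print("full replies triggered by 500 spoofed probes:", spoofed_flood(srv, 500))
```

The server still has to receive every spoofed packet, but it does one short hash and sends 9 bytes instead of assembling the full info reply, and it holds no per-source state an attacker can fill. Legitimate clients pay one extra round trip.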

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Kenny Loggins
I'm sending a donation for sure :)

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Sunday, September 06, 2009 3:35 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

here it is
http://www.wantedgov.it/page/62-srcds-query-cache/

more info on that page



On Sun, Sep 6, 2009 at 12:44 AM, Claudio
Beretta wrote:
> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
wrote:
>> I'm willing to pay someone to write a windows version of a query proxy.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>> Sent: Saturday, September 05, 2009 4:36 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> This is why A2S_INFO requires a challenge :|
>>
>> Thanks,
>> - Saul.
>>
>>
>> 2009/9/5 Matt Stanton 
>>
>>> If these attacks are coming from ips that are outside of the range of
>>> your standard users' network range, then it's possible you could filter
>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>> internet that are gnerally too far away to have decent latency on your
>>> server.  Unfortunately, this would mean building a database of ip blocks
>>> that are allocated to networks that are within a reasonable distance of
>>> your server's network and checking every A2S_INFO packet that comes in
>>> against this database, which would likely eat a decent amount of CPU.
>>>
>>> Nephyrin Zey wrote:
>>> > The bandwidth involved in this attack is tiny. The issue is srcds
chokes
>>> > on large numbers of A2S_INFO packets, its not the traffic that's doing
>>> > machines in. I'd reckon a single residential connection could take
down
>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>> > have a daemon that intercepts server queries and handles them itself.
>>> > It's currently handling this attacker hammering on two servers without
>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>> > and my tf2 servers continue to run just fine.
>>> >
>>> > And if you actually examine the attack, it's very obviously a single
>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>> > have the same exact path length.
>>> >
>>> > - Neph
>>> >
>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>> >
>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>> for a
>>> >> couple of reasons.
>>> >>
>>> >> First, the assumption by most on this thread is that it's a single
guy
>>> >> operating from a single (or just a handful) of computers.  They
further
>>> >> assume that he's forging the source IP addresses so the requests look
>>> like
>>> >> they're coming from many many different machines.  If this is true,
>>> there's
>>> >> no way to trace or block him based upon the information included in
the
>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>> explain
>>> >> below.
>>> >>
>>> >> Second, if this assumption is incorrect you need to find a way to
>>> identify
>>> >> each and every source and block them one at a time.  Netblocks are at
>>> best a
>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>> process
>>> >> needs to be automated as much as possible or it's not effective.
>>> >>
>>> >> Now, why do I think that this is probably not coming from just a
>> handful
>>> of
>>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service,
after
>>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
>> as
>>> >> many as a quarter million compromised machines if you want to and you
>>> have
>>> >> the cash.
>>> >>
>>> >> Too cheap or too poor to rent someone else's network of 

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Claudio Beretta
try with this one
http://www.wantedgov.it/gov/SrcdsQueryCache.7z?v2.1
in the previous version I left a variable that tracks time uninitialized,
so that might be the cause of you not seeing any forwarding.
This version also fixes a minor logic bug, which could prevent the
tool from replying to some T requests.

On Sun, Sep 6, 2009 at 5:22 PM, Shizzle Nizzle wrote:
> just getting a bunch of T requests, nothing forwarded though.
> server is actually running on port 27016
> so my commandline is
>  -X xx.xx.xx.xx 27016 27015
>
>
> On Sun, Sep 6, 2009 at 10:10 AM, Claudio Beretta
> wrote:
>
>> no, the code that filters requests based on the source port is never
>> executed when launching with the arguments specified on the tool page.
>> The code that is executed is from line 419 ( if (len > 5) ) to line
>> 496 ( c = check_sd(&peerl, 0); ). The other if / else branches are
>> executed with other launch arguments. I just left it in since I'm
>> lazy.
>>
>> Try running it without the -q argument (quiet), you should see something
>> like
>> - got a T request FROM 191.83.51.210:17073 (25 bytes)
>> - forwarding request to 194.177.96.192:27300 (25 bytes)
>> - done (25 bytes)
>> - got a I reply FROM 194.177.96.192:27300 (84 bytes)
>> - got a T request FROM 31.52.173.97:48316 (25 bytes)
>> - replying from cache to 31.52.173.97:48316 (84 bytes)
>> - reply from cache done (84 bytes)
>> - got a T request FROM 89.32.56.194:14628 (25 bytes)
>> - replying from cache to 89.32.56.194:14628 (84 bytes)
>> - reply from cache done (84 bytes)
>> - got a T request FROM 116.108.191.75:20483 (25 bytes)
>> - replying from cache to 116.108.191.75:20483 (84 bytes)
>> - reply from cache done (84 bytes)
>> - got a T request FROM 35.38.228.9:9249 (25 bytes)
>> - replying from cache to 35.38.228.9:9249 (84 bytes)
>> - reply from cache done (84 bytes)
>>
>> getting something different?
>>
>> On Sun, Sep 6, 2009 at 4:38 PM, Shizzle Nizzle wrote:
>> > i wasnt able to get this to work on any of my servers. if i read the
>> source
>> > file correctly. if the src port isnt 27005/27006 it will drop them
>> aswell? i
>> > no some people who dont seem to use that port that is legit traffic would
>> it
>> > drop them too?
>> >
> >> > On Sun, Sep 6, 2009 at 5:29 AM, Donnie Newlove wrote:
>> >
>> >> >I know this isn't the most elegant solution, but windows firewall
>> sucks,
>> >> ipsec doesn't seem to allow fine grained filtering and I never coded MMS
>> >> plugins before. This tool should be used only during attacks (since new
>> >> players might add the server running on the new port to their
>> favorites).
>> >>
>> >> Well, you could just change the port of the server and then let the
>> >> query cache listen on that port and it would make no difference except
>> >> you would have to take the server offline for a moment, but after that
>> >> it would be business as usual.
>> >>
>> >> On Sun, Sep 6, 2009 at 10:35 AM, Claudio
>> >> Beretta wrote:
>> >> > here it is
>> >> > http://www.wantedgov.it/page/62-srcds-query-cache/
>> >> >
>> >> > more info on that page
>> >> >
>> >> >
>> >> >
>> >> > On Sun, Sep 6, 2009 at 12:44 AM, Claudio
>> >> > Beretta wrote:
>> >> >> I'm doing it right now, should be ready tomorrow.
>> >> >>
>> >> >> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins<
>> kenny.logg...@clanao.com>
>> >> wrote:
>> >> >>> I'm willing to pay someone to write a windows version of a query
>> proxy.
>> >> >>>
>> >> >>> -Original Message-
>> >> >>> From: hlds-boun...@list.valvesoftware.com
>> >> >>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul
>> >> Rennison
>> >> >>> Sent: Saturday, September 05, 2009 4:36 PM
>> >> >>> To: Half-Life dedicated Win32 server mailing list
>> >> >>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>> >> >>>
>> >> >>> This is why A2S_INFO requires a challenge :|
>> >> >>>
>> >> >>> Thanks,
>> >> >>> - Saul.
>> >> >>>
>> >> >>>
>> >> >>> 2009/9/5 Matt Stanton 
>> >> &g

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Shizzle Nizzle
just getting a bunch of T requests, nothing forwarded though.
server is actually running on port 27016
so my command line is
 -X xx.xx.xx.xx 27016 27015


On Sun, Sep 6, 2009 at 10:10 AM, Claudio Beretta
wrote:

> no, the code that filters requests based on the source port is never
> executed when launching with the arguments specified on the tool page.
> The code that is executed is from line 419 ( if (len > 5) ) to line
> 496 ( c = check_sd(&peerl, 0); ). The other if / else branches are
> executed with other launch arguments. I just left it in since I'm
> lazy.
>
> Try running it without the -q argument (quiet), you should see something
> like
> - got a T request FROM 191.83.51.210:17073 (25 bytes)
> - forwarding request to 194.177.96.192:27300 (25 bytes)
> - done (25 bytes)
> - got a I reply FROM 194.177.96.192:27300 (84 bytes)
> - got a T request FROM 31.52.173.97:48316 (25 bytes)
> - replying from cache to 31.52.173.97:48316 (84 bytes)
> - reply from cache done (84 bytes)
> - got a T request FROM 89.32.56.194:14628 (25 bytes)
> - replying from cache to 89.32.56.194:14628 (84 bytes)
> - reply from cache done (84 bytes)
> - got a T request FROM 116.108.191.75:20483 (25 bytes)
> - replying from cache to 116.108.191.75:20483 (84 bytes)
> - reply from cache done (84 bytes)
> - got a T request FROM 35.38.228.9:9249 (25 bytes)
> - replying from cache to 35.38.228.9:9249 (84 bytes)
> - reply from cache done (84 bytes)
>
> getting something different?
>
> On Sun, Sep 6, 2009 at 4:38 PM, Shizzle Nizzle wrote:
> > i wasnt able to get this to work on any of my servers. if i read the
> source
> > file correctly. if the src port isnt 27005/27006 it will drop them
> aswell? i
> > no some people who dont seem to use that port that is legit traffic would
> it
> > drop them too?
> >
> > On Sun, Sep 6, 2009 at 5:29 AM, Donnie Newlove wrote:
> >
> >> >I know this isn't the most elegant solution, but windows firewall
> sucks,
> >> ipsec doesn't seem to allow fine grained filtering and I never coded MMS
> >> plugins before. This tool should be used only during attacks (since new
> >> players might add the server running on the new port to their
> favorites).
> >>
> >> Well, you could just change the port of the server and then let the
> >> query cache listen on that port and it would make no difference except
> >> you would have to take the server offline for a moment, but after that
> >> it would be business as usual.
> >>
> >> On Sun, Sep 6, 2009 at 10:35 AM, Claudio
> >> Beretta wrote:
> >> > here it is
> >> > http://www.wantedgov.it/page/62-srcds-query-cache/
> >> >
> >> > more info on that page
> >> >
> >> >
> >> >
> >> > On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> >> > Beretta wrote:
> >> >> I'm doing it right now, should be ready tomorrow.
> >> >>
> >> >> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins<
> kenny.logg...@clanao.com>
> >> wrote:
> >> >>> I'm willing to pay someone to write a windows version of a query
> proxy.
> >> >>>
> >> >>> -Original Message-
> >> >>> From: hlds-boun...@list.valvesoftware.com
> >> >>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul
> >> Rennison
> >> >>> Sent: Saturday, September 05, 2009 4:36 PM
> >> >>> To: Half-Life dedicated Win32 server mailing list
> >> >>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >> >>>
> >> >>> This is why A2S_INFO requires a challenge :|
> >> >>>
> >> >>> Thanks,
> >> >>> - Saul.
> >> >>>
> >> >>>
> >> >>> 2009/9/5 Matt Stanton 
> >> >>>
> >> >>>> If these attacks are coming from ips that are outside of the range
> of
> >> >>>> your standard users' network range, then it's possible you could
> >> filter
> >> >>>> out requests from unallocated ip blocks and ip blocks from areas of
> >> the
> >> >>>> internet that are gnerally too far away to have decent latency on
> your
> >> >>>> server.  Unfortunately, this would mean building a database of ip
> >> blocks
> >> >>>> that are allocated to networks that are within a reasonable
> distance
> >> of
> >> >>>> your server&#

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Claudio Beretta
no, the code that filters requests based on the source port is never
executed when launching with the arguments specified on the tool page.
The code that is executed is from line 419 ( if (len > 5) ) to line
496 ( c = check_sd(&peerl, 0); ). The other if / else branches are
executed with other launch arguments. I just left it in since I'm
lazy.

Try running it without the -q argument (quiet), you should see something like
- got a T request FROM 191.83.51.210:17073 (25 bytes)
- forwarding request to 194.177.96.192:27300 (25 bytes)
- done (25 bytes)
- got a I reply FROM 194.177.96.192:27300 (84 bytes)
- got a T request FROM 31.52.173.97:48316 (25 bytes)
- replying from cache to 31.52.173.97:48316 (84 bytes)
- reply from cache done (84 bytes)
- got a T request FROM 89.32.56.194:14628 (25 bytes)
- replying from cache to 89.32.56.194:14628 (84 bytes)
- reply from cache done (84 bytes)
- got a T request FROM 116.108.191.75:20483 (25 bytes)
- replying from cache to 116.108.191.75:20483 (84 bytes)
- reply from cache done (84 bytes)
- got a T request FROM 35.38.228.9:9249 (25 bytes)
- replying from cache to 35.38.228.9:9249 (84 bytes)
- reply from cache done (84 bytes)

getting something different?

On Sun, Sep 6, 2009 at 4:38 PM, Shizzle Nizzle wrote:
> I wasn't able to get this to work on any of my servers. If I read the source
> file correctly, if the src port isn't 27005/27006 it will drop them as well? I
> know some people who don't seem to use that port that is legit traffic; would it
> drop them too?
>
> On Sun, Sep 6, 2009 at 5:29 AM, Donnie Newlove 
> wrote:
>
>> >I know this isn't the most elegant solution, but windows firewall sucks,
>> ipsec doesn't seem to allow fine grained filtering and I never coded MMS
>> plugins before. This tool should be used only during attacks (since new
>> players might add the server running on the new port to their favorites).
>>
>> Well, you could just change the port of the server and then let the
>> query cache listen on that port and it would make no difference except
>> you would have to take the server offline for a moment, but after that
>> it would be business as usual.
>>
>> On Sun, Sep 6, 2009 at 10:35 AM, Claudio
>> Beretta wrote:
>> > here it is
>> > http://www.wantedgov.it/page/62-srcds-query-cache/
>> >
>> > more info on that page
>> >
>> >
>> >
>> > On Sun, Sep 6, 2009 at 12:44 AM, Claudio
>> > Beretta wrote:
>> >> I'm doing it right now, should be ready tomorrow.
>> >>
>> >> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
>> wrote:
>> >>> I'm willing to pay someone to write a windows version of a query proxy.
>> >>>
>> >>> -----Original Message-
>> >>> From: hlds-boun...@list.valvesoftware.com
>> >>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul
>> Rennison
>> >>> Sent: Saturday, September 05, 2009 4:36 PM
>> >>> To: Half-Life dedicated Win32 server mailing list
>> >>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>> >>>
>> >>> This is why A2S_INFO requires a challenge :|
>> >>>
>> >>> Thanks,
>> >>> - Saul.
>> >>>
>> >>>
>> >>> 2009/9/5 Matt Stanton 
>> >>>
>> >>>> If these attacks are coming from ips that are outside of the range of
>> >>>> your standard users' network range, then it's possible you could
>> filter
>> >>>> out requests from unallocated ip blocks and ip blocks from areas of
>> the
>> >>>> internet that are gnerally too far away to have decent latency on your
>> >>>> server.  Unfortunately, this would mean building a database of ip
>> blocks
>> >>>> that are allocated to networks that are within a reasonable distance
>> of
>> >>>> your server's network and checking every A2S_INFO packet that comes in
>> >>>> against this database, which would likely eat a decent amount of CPU.
>> >>>>
>> >>>> Nephyrin Zey wrote:
>> >>>> > The bandwidth involved in this attack is tiny. The issue is srcds
>> chokes
>> >>>> > on large numbers of A2S_INFO packets, its not the traffic that's
>> doing
>> >>>> > machines in. I'd reckon a single residential connection could take
>> down
>> >>>> > a server this way. Once you fix the srcds issue, the problem stops.
>> I
>> >>>> > have a daemon that intercepts server queries and handles them
>> itself.
>> >>>> > It's currently handling this attacker hammering on two servers
>> without
>> >>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth
>> graphs,
>> >>>> > and my tf2 servers continue to run just fine.
>> >>>> >

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
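The log Claudio shows above is the whole idea of the query cache: the first "T" request is forwarded to the real server, the "I" reply is kept, and every further "T" request within the cache lifetime is answered from that copy without srcds seeing it. The program below is an added example written for this page, not Claudio's SrcdsQueryCache, sudppipe2, or Nephyrin's daemon. It assumes the setup discussed in the thread: the game server has been moved to another port (27016 here) and the cache owns the old one (27015). It handles only the A2S_INFO probe and drops everything else, which is enough because the info reply itself advertises the real game port; the TTL, queue limit and all names are this example's choices. On a multihomed host bind the cache to the server's own IP rather than 0.0.0.0 (the same problem the -b flag solves for sudppipe2).

```python
"""Minimal A2S_INFO query cache.  Added example, not the thread's tool.  Answers the
25-byte "T" probe from a cached "I" reply while it is fresh and lets only one probe
per TTL window reach the real srcds."""
import select
import socket
import time
from collections import deque

HEADER = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = HEADER + b"TSource Engine Query\x00"   # the 25-byte "T" request


def is_a2s_info_reply(data):
    """An 'I' reply: header, type byte 0x49, then the info payload."""
    return len(data) > 5 and data.startswith(HEADER) and data[4:5] == b"I"


class QueryCache:
    """Decision logic only (no sockets), so it can be tested without a server."""

    def __init__(self, ttl=5.0, forward_timeout=2.0, max_waiting=32):
        self.ttl = ttl                      # how long a cached reply is served
        self.forward_timeout = forward_timeout
        self.max_waiting = max_waiting      # clients parked while one forward is in flight
        self.reply = None
        self.reply_at = 0.0                 # set explicitly; only read once a reply is stored
        self.forward_at = None              # None = no forward in flight
        self.waiting = deque()
        self.stats = {"cached": 0, "forwarded": 0, "queued": 0, "dropped": 0}

    def _forward_pending(self, now):
        return self.forward_at is not None and now - self.forward_at < self.forward_timeout

    def on_client(self, data, client, now):
        """Return a list of (action, payload, addr): 'reply' to a client or 'forward' upstream."""
        if data != A2S_INFO_REQUEST:
            self.stats["dropped"] += 1
            return []
        if self.reply is not None and now - self.reply_at < self.ttl:
            self.stats["cached"] += 1
            return [("reply", self.reply, client)]
        if not self._forward_pending(now):          # cache empty or stale: ask srcds once
            self.forward_at = now
            self.waiting.append(client)
            self.stats["forwarded"] += 1
            return [("forward", data, None)]
        if self.reply is not None:                  # stale, but better than hitting srcds again
            self.stats["cached"] += 1
            return [("reply", self.reply, client)]
        if len(self.waiting) < self.max_waiting:    # no reply yet: park a bounded number
            self.waiting.append(client)
            self.stats["queued"] += 1
        else:                                       # flood with an empty cache: drop the rest
            self.stats["dropped"] += 1
        return []

    def on_backend(self, data, now):
        """Store the srcds reply and release every client parked on this forward."""
        if not is_a2s_info_reply(data):
            return []
        self.reply, self.reply_at, self.forward_at = data, now, None
        actions = [("reply", data, c) for c in self.waiting]
        self.waiting.clear()
        return actions


def serve(listen, backend, ttl=5.0):
    """Bind the public address (the server's own IP on a multihomed host) and query
    the real srcds at `backend`."""
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.connect(backend)
    cache = QueryCache(ttl=ttl)

    def run(actions):
        for kind, payload, addr in actions:
            if kind == "forward":
                up.send(payload)
            else:
                front.sendto(payload, addr)

    while True:
        ready, _, _ = select.select([front, up], [], [])
        now = time.monotonic()
        for sock in ready:
            if sock is front:
                data, client = front.recvfrom(1400)
                run(cache.on_client(data, client, now))
            else:
                run(cache.on_backend(up.recv(1400), now))


if __name__ == "__main__":
    serve(("0.0.0.0", 27015), ("127.0.0.1", 27016))
```

Under a flood the backend sees at most one probe per ttl seconds (plus one per forward_timeout if it never answers), the cache serves everyone else from memory, and the stats counters give the same picture as the tool's non-quiet log: one "forwarding" line followed by a run of "replying from cache".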


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Shizzle Nizzle
I wasn't able to get this to work on any of my servers. If I read the source
file correctly, if the src port isn't 27005/27006 it will drop them as well? I
know some people who don't seem to use that port that is legit traffic; would it
drop them too?

On Sun, Sep 6, 2009 at 5:29 AM, Donnie Newlove wrote:

> >I know this isn't the most elegant solution, but windows firewall sucks,
> ipsec doesn't seem to allow fine grained filtering and I never coded MMS
> plugins before. This tool should be used only during attacks (since new
> players might add the server running on the new port to their favorites).
>
> Well, you could just change the port of the server and then let the
> query cache listen on that port and it would make no difference except
> you would have to take the server offline for a moment, but after that
> it would be business as usual.
>
> On Sun, Sep 6, 2009 at 10:35 AM, Claudio
> Beretta wrote:
> > here it is
> > http://www.wantedgov.it/page/62-srcds-query-cache/
> >
> > more info on that page
> >
> >
> >
> > On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> > Beretta wrote:
> >> I'm doing it right now, should be ready tomorrow.
> >>
> >> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
> wrote:
> >>> I'm willing to pay someone to write a windows version of a query proxy.
> >>>
> >>> -Original Message-
> >>> From: hlds-boun...@list.valvesoftware.com
> >>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul
> Rennison
> >>> Sent: Saturday, September 05, 2009 4:36 PM
> >>> To: Half-Life dedicated Win32 server mailing list
> >>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >>>
> >>> This is why A2S_INFO requires a challenge :|
> >>>
> >>> Thanks,
> >>> - Saul.
> >>>
> >>>
> >>> 2009/9/5 Matt Stanton 
> >>>
> >>>> If these attacks are coming from ips that are outside of the range of
> >>>> your standard users' network range, then it's possible you could
> filter
> >>>> out requests from unallocated ip blocks and ip blocks from areas of
> the
> >>>> internet that are gnerally too far away to have decent latency on your
> >>>> server.  Unfortunately, this would mean building a database of ip
> blocks
> >>>> that are allocated to networks that are within a reasonable distance
> of
> >>>> your server's network and checking every A2S_INFO packet that comes in
> >>>> against this database, which would likely eat a decent amount of CPU.
> >>>>
> >>>> Nephyrin Zey wrote:
> >>>> > The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
> >>>> > on large numbers of A2S_INFO packets, its not the traffic that's
> doing
> >>>> > machines in. I'd reckon a single residential connection could take
> down
> >>>> > a server this way. Once you fix the srcds issue, the problem stops.
> I
> >>>> > have a daemon that intercepts server queries and handles them
> itself.
> >>>> > It's currently handling this attacker hammering on two servers
> without
> >>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth
> graphs,
> >>>> > and my tf2 servers continue to run just fine.
> >>>> >
> >>>> > And if you actually examine the attack, it's very obviously a single
> >>>> > source with spoofed IPs. I rather doubt someone has a million-strong
> >>>> > botnet containing nearly 30% unallocated IP ranges, that all happen
> to
> >>>> > have the same exact path length.
> >>>> >
> >>>> > - Neph
> >>>> >
> >>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> >>>> >
> >>>> >> This... actually isn't a bad idea.  It's a pain to implement,
> though,
> >>>> for a
> >>>> >> couple of reasons.
> >>>> >>
> >>>> >> First, the assumption by most on this thread is that it's a single
> guy
> >>>> >> operating from a single (or just a handful) of computers.  They
> further
> >>>> >> assume that he's forging the source IP addresses so the requests
> look
> >>>> like
> >>>> >> they're coming from many many di

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Donnie Newlove
>I know this isn't the most elegant solution, but windows firewall sucks, ipsec 
>doesn't seem to allow fine grained filtering and I never coded MMS plugins 
>before. This tool should be used only during attacks (since new players might 
>add the server running on the new port to their favorites).

Well, you could just change the port of the server and then let the
query cache listen on that port and it would make no difference except
you would have to take the server offline for a moment, but after that
it would be business as usual.

On Sun, Sep 6, 2009 at 10:35 AM, Claudio
Beretta wrote:
> here it is
> http://www.wantedgov.it/page/62-srcds-query-cache/
>
> more info on that page
>
>
>
> On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> Beretta wrote:
>> I'm doing it right now, should be ready tomorrow.
>>
>> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins 
>> wrote:
>>> I'm willing to pay someone to write a windows version of a query proxy.
>>>
>>> -Original Message-
>>> From: hlds-boun...@list.valvesoftware.com
>>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>>> Sent: Saturday, September 05, 2009 4:36 PM
>>> To: Half-Life dedicated Win32 server mailing list
>>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>>
>>> This is why A2S_INFO requires a challenge :|
>>>
>>> Thanks,
>>> - Saul.
>>>
>>>
>>> 2009/9/5 Matt Stanton 
>>>
>>>> If these attacks are coming from ips that are outside of the range of
>>>> your standard users' network range, then it's possible you could filter
>>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>>> internet that are generally too far away to have decent latency on your
>>>> server.  Unfortunately, this would mean building a database of ip blocks
>>>> that are allocated to networks that are within a reasonable distance of
>>>> your server's network and checking every A2S_INFO packet that comes in
>>>> against this database, which would likely eat a decent amount of CPU.
>>>>
>>>> Nephyrin Zey wrote:
>>>> > The bandwidth involved in this attack is tiny. The issue is srcds chokes
>>>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>>> > machines in. I'd reckon a single residential connection could take down
>>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>>> > have a daemon that intercepts server queries and handles them itself.
>>>> > It's currently handling this attacker hammering on two servers without
>>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>>> > and my tf2 servers continue to run just fine.
>>>> >
>>>> > And if you actually examine the attack, it's very obviously a single
>>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>>> > have the same exact path length.
>>>> >
>>>> > - Neph
>>>> >
>>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>>> >
>>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>>> for a
>>>> >> couple of reasons.
>>>> >>
>>>> >> First, the assumption by most on this thread is that it's a single guy
>>>> >> operating from a single (or just a handful) of computers.  They further
>>>> >> assume that he's forging the source IP addresses so the requests look
>>>> like
>>>> >> they're coming from many many different machines.  If this is true,
>>>> there's
>>>> >> no way to trace or block him based upon the information included in the
>>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>>> explain
>>>> >> below.
>>>> >>
>>>> >> Second, if this assumption is incorrect you need to find a way to
>>>> identify
>>>> >> each and every source and block them one at a time.  Netblocks are at
>>>> best a
>>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>>> process
>>>> >> needs to be automated as 
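The query-cache approach the thread keeps coming back to (Claudio's sudppipe2, Neph's daemon, and Donnie's suggestion of moving the server and letting the cache answer on the old port) boils down to one decision per incoming datagram: answer from cache, ask the real server, or refuse. The following is an added Python example of that decision logic, not code from sudppipe2 or from anyone on the list; the TTL, the addresses and ports in the socket loop, and the server reply bytes used in the simulation are assumptions. The loop handles only A2S_INFO, so it fits the dedicated-query-port deployment Claudio describes rather than full relaying of game traffic.

```python
"""Decision core of an A2S_INFO query cache, plus a minimal UDP loop around it.

Added example, not code from sudppipe2 or from the thread. TTL, addresses,
ports and the constructed server reply are assumptions.
"""
import select
import socket
import time

# What a client sends: 4-byte header, 'T', "Source Engine Query\0" (25 bytes).
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"
REPLY_HEADER = b"\xff\xff\xff\xffI"  # the server's A2S_INFO reply starts with 'I'


def is_a2s_info(payload: bytes) -> bool:
    """True when the datagram is a standard A2S_INFO request."""
    return payload == A2S_INFO_REQUEST


class QueryCache:
    """Answer A2S_INFO from a cached reply and ask the real server for a fresh
    one at most once per `ttl` seconds: a flood then costs the game server one
    query per TTL rather than one per incoming packet."""

    def __init__(self, ttl: float = 1.0):
        self.ttl = ttl
        self.reply = None      # last 'I' reply received from the server
        self.fetched_at = 0.0  # when that reply arrived
        self.pending = False   # a refresh was forwarded and is unanswered
        self.stats = {"forwarded": 0, "cached": 0, "dropped": 0, "passthrough": 0}

    def on_client(self, payload: bytes, now: float):
        """Classify one client datagram:
        ('reply', bytes)       answer from cache (fresh, or stale while a refresh is in flight)
        ('forward', bytes)     ask the game server, then cache its answer
        ('drop', None)         cache empty and the server already asked: do not pile on
        ('passthrough', bytes) not an A2S_INFO request"""
        if not is_a2s_info(payload):
            self.stats["passthrough"] += 1
            return ("passthrough", payload)
        if self.reply is not None and (self.pending or now - self.fetched_at < self.ttl):
            self.stats["cached"] += 1
            return ("reply", self.reply)
        if self.pending:
            self.stats["dropped"] += 1
            return ("drop", None)
        self.pending = True
        self.stats["forwarded"] += 1
        return ("forward", payload)

    def on_server(self, payload: bytes, now: float) -> bool:
        """Store a reply from the game server; anything that is not an 'I' reply is ignored."""
        if not payload.startswith(REPLY_HEADER):
            return False
        self.reply, self.fetched_at, self.pending = payload, now, False
        return True


def simulate_flood(requests: int, rate_per_sec: int = 300, ttl: float = 1.0) -> dict:
    """Constructed scenario: `requests` queries arrive evenly at `rate_per_sec`
    and the server answers each forwarded query immediately. Returns the counters."""
    cache = QueryCache(ttl)
    server_reply = REPLY_HEADER + b"\x11constructed server info\x00"  # constructed
    for i in range(requests):
        now = i / rate_per_sec
        action, _ = cache.on_client(A2S_INFO_REQUEST, now)
        if action == "forward":
            cache.on_server(server_reply, now)
    return cache.stats


def serve(listen_addr, upstream_addr, ttl: float = 1.0):
    """Answer queries on `listen_addr`, refreshing from the game server at
    `upstream_addr`. Only A2S_INFO is handled; other datagrams are not relayed,
    so this belongs on a dedicated query port, not in front of the game port."""
    cache = QueryCache(ttl)
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(listen_addr)
    back = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    back.connect(upstream_addr)
    waiting = None  # client whose query triggered the refresh in flight
    while True:
        ready, _, _ = select.select([front, back], [], [])
        now = time.monotonic()
        for sock in ready:
            if sock is front:
                data, client = front.recvfrom(2048)
                action, payload = cache.on_client(data, now)
                if action == "reply":
                    front.sendto(payload, client)
                elif action == "forward":
                    back.send(payload)
                    waiting = client
            else:
                data = back.recv(2048)
                if cache.on_server(data, now) and waiting is not None:
                    front.sendto(data, waiting)
                    waiting = None


if __name__ == "__main__":
    print(simulate_flood(900))  # three seconds at 300 queries/s: 3 forwarded, 897 from cache
    # serve(("0.0.0.0", 27016), ("127.0.0.1", 27015))  # assumed listen and upstream ports
```

The case a flood makes visible is the cold cache: the first query is forwarded, and until the server answers every further query is dropped rather than forwarded, otherwise the proxy would simply pass the flood through. Two things this example leaves out that a real replacement for the public port needs: relaying every non-query datagram to the moved server with per-client state so replies find their way back (which is what the sudppipe-style tools do), and a timeout on the pending refresh, since as written a game server that stops answering leaves the cache serving its last reply indefinitely.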

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Claudio Beretta
archive updated with source
gcc -o sudppipe2.exe sudppipe.c -lws2_32


On Sun, Sep 6, 2009 at 10:58 AM, Spencer 'voogru'
MacDonald wrote:
> How about the source so we can compile it on our own?
>
> I don't know about you but I'm not into running random exe files.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> Sent: Sunday, September 06, 2009 4:35 AM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> here it is
> http://www.wantedgov.it/page/62-srcds-query-cache/
>
> more info on that page
>
>
>
> On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> Beretta wrote:
>> I'm doing it right now, should be ready tomorrow.
>>
>> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
> wrote:
>>> I'm willing to pay someone to write a windows version of a query proxy.
>>>
>>> -Original Message-
>>> From: hlds-boun...@list.valvesoftware.com
>>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>>> Sent: Saturday, September 05, 2009 4:36 PM
>>> To: Half-Life dedicated Win32 server mailing list
>>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>>
>>> This is why A2S_INFO requires a challenge :|
>>>
>>> Thanks,
>>> - Saul.
>>>
>>>
>>> 2009/9/5 Matt Stanton 
>>>
>>>> If these attacks are coming from ips that are outside of the range of
>>>> your standard users' network range, then it's possible you could filter
>>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>>> internet that are generally too far away to have decent latency on your
>>>> server.  Unfortunately, this would mean building a database of ip blocks
>>>> that are allocated to networks that are within a reasonable distance of
>>>> your server's network and checking every A2S_INFO packet that comes in
>>>> against this database, which would likely eat a decent amount of CPU.
>>>>
>>>> Nephyrin Zey wrote:
>>>> > The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
>>>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>>> > machines in. I'd reckon a single residential connection could take
> down
>>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>>> > have a daemon that intercepts server queries and handles them itself.
>>>> > It's currently handling this attacker hammering on two servers without
>>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>>> > and my tf2 servers continue to run just fine.
>>>> >
>>>> > And if you actually examine the attack, it's very obviously a single
>>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>>> > have the same exact path length.
>>>> >
>>>> > - Neph
>>>> >
>>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>>> >
>>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>>> for a
>>>> >> couple of reasons.
>>>> >>
>>>> >> First, the assumption by most on this thread is that it's a single
> guy
>>>> >> operating from a single (or just a handful) of computers.  They
> further
>>>> >> assume that he's forging the source IP addresses so the requests look
>>>> like
>>>> >> they're coming from many many different machines.  If this is true,
>>>> there's
>>>> >> no way to trace or block him based upon the information included in
> the
>>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>>> explain
>>>> >> below.
>>>> >>
>>>> >> Second, if this assumption is incorrect you need to find a way to
>>>> identify
>>>> >> each and every source and block them one at a time.  Netblocks are at
>>>> best a
>>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>>> process
>>>> >> needs to be automa

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Shane Arnold
+1

While I'm sure his intentions are honest, it would be much nicer if we 
could have the source, please. Especially seeing it's not signed.

Spencer 'voogru' MacDonald wrote:
> How about the source so we can compile it on our own?
> 
> I don't know about you but I'm not into running random exe files.
> 
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> Sent: Sunday, September 06, 2009 4:35 AM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> 
> here it is
> http://www.wantedgov.it/page/62-srcds-query-cache/
> 
> more info on that page
> 
> 
> 
> On Sun, Sep 6, 2009 at 12:44 AM, Claudio
> Beretta wrote:
>> I'm doing it right now, should be ready tomorrow.
>>
>> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
> wrote:
>>> I'm willing to pay someone to write a windows version of a query proxy.
>>>
>>> -Original Message-
>>> From: hlds-boun...@list.valvesoftware.com
>>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>>> Sent: Saturday, September 05, 2009 4:36 PM
>>> To: Half-Life dedicated Win32 server mailing list
>>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>>
>>> This is why A2S_INFO requires a challenge :|
>>>
>>> Thanks,
>>> - Saul.
>>>
>>>
>>> 2009/9/5 Matt Stanton 
>>>
>>>> If these attacks are coming from ips that are outside of the range of
>>>> your standard users' network range, then it's possible you could filter
>>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>>> internet that are generally too far away to have decent latency on your
>>>> server.  Unfortunately, this would mean building a database of ip blocks
>>>> that are allocated to networks that are within a reasonable distance of
>>>> your server's network and checking every A2S_INFO packet that comes in
>>>> against this database, which would likely eat a decent amount of CPU.
>>>>
>>>> Nephyrin Zey wrote:
>>>>> The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
>>>>> on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>>>> machines in. I'd reckon a single residential connection could take
> down
>>>>> a server this way. Once you fix the srcds issue, the problem stops. I
>>>>> have a daemon that intercepts server queries and handles them itself.
>>>>> It's currently handling this attacker hammering on two servers without
>>>>> breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>>>> and my tf2 servers continue to run just fine.
>>>>>
>>>>> And if you actually examine the attack, it's very obviously a single
>>>>> source with spoofed IPs. I rather doubt someone has a million-strong
>>>>> botnet containing nearly 30% unallocated IP ranges, that all happen to
>>>>> have the same exact path length.
>>>>>
>>>>> - Neph
>>>>>
>>>>> On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>>>>
>>>>>> This... actually isn't a bad idea.  It's a pain to implement, though,
>>>> for a
>>>>>> couple of reasons.
>>>>>>
>>>>>> First, the assumption by most on this thread is that it's a single
> guy
>>>>>> operating from a single (or just a handful) of computers.  They
> further
>>>>>> assume that he's forging the source IP addresses so the requests look
>>>> like
>>>>>> they're coming from many many different machines.  If this is true,
>>>> there's
>>>>>> no way to trace or block him based upon the information included in
> the
>>>>>> packets he's creating.  I think this assumption is wrong, as I'll
>>>> explain
>>>>>> below.
>>>>>>
>>>>>> Second, if this assumption is incorrect you need to find a way to
>>>> identify
>>>>>> each and every source and block them one at a time.  Netblocks are at
>>>> best a
>>>>>> crude measure which risks blocking many legitimate clients.  Such a
>>>> process
>>>>>> ne

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Spencer 'voogru' MacDonald
How about the source so we can compile it on our own?

I don't know about you but I'm not into running random exe files.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Sunday, September 06, 2009 4:35 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

here it is
http://www.wantedgov.it/page/62-srcds-query-cache/

more info on that page



On Sun, Sep 6, 2009 at 12:44 AM, Claudio
Beretta wrote:
> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
wrote:
>> I'm willing to pay someone to write a windows version of a query proxy.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>> Sent: Saturday, September 05, 2009 4:36 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> This is why A2S_INFO requires a challenge :|
>>
>> Thanks,
>> - Saul.
>>
>>
>> 2009/9/5 Matt Stanton 
>>
>>> If these attacks are coming from ips that are outside of the range of
>>> your standard users' network range, then it's possible you could filter
>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>> internet that are generally too far away to have decent latency on your
>>> server.  Unfortunately, this would mean building a database of ip blocks
>>> that are allocated to networks that are within a reasonable distance of
>>> your server's network and checking every A2S_INFO packet that comes in
>>> against this database, which would likely eat a decent amount of CPU.
>>>
>>> Nephyrin Zey wrote:
>>> > The bandwidth involved in this attack is tiny. The issue is srcds
chokes
>>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>> > machines in. I'd reckon a single residential connection could take
down
>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>> > have a daemon that intercepts server queries and handles them itself.
>>> > It's currently handling this attacker hammering on two servers without
>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>> > and my tf2 servers continue to run just fine.
>>> >
>>> > And if you actually examine the attack, it's very obviously a single
>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>> > have the same exact path length.
>>> >
>>> > - Neph
>>> >
>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>> >
>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>> for a
>>> >> couple of reasons.
>>> >>
>>> >> First, the assumption by most on this thread is that it's a single
guy
>>> >> operating from a single (or just a handful) of computers.  They
further
>>> >> assume that he's forging the source IP addresses so the requests look
>>> like
>>> >> they're coming from many many different machines.  If this is true,
>>> there's
>>> >> no way to trace or block him based upon the information included in
the
>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>> explain
>>> >> below.
>>> >>
>>> >> Second, if this assumption is incorrect you need to find a way to
>>> identify
>>> >> each and every source and block them one at a time.  Netblocks are at
>>> best a
>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>> process
>>> >> needs to be automated as much as possible or it's not effective.
>>> >>
>>> >> Now, why do I think that this is probably not coming from just a
>> handful
>>> of
>>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service,
after
>>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
>> as
>>> >> many as a quarter million compromised machines if you want to and you
>>> have
>>> >> the cash.
>>> &

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Claudio Beretta
here it is
http://www.wantedgov.it/page/62-srcds-query-cache/

more info on that page



On Sun, Sep 6, 2009 at 12:44 AM, Claudio
Beretta wrote:
> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins 
> wrote:
>> I'm willing to pay someone to write a windows version of a query proxy.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>> Sent: Saturday, September 05, 2009 4:36 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> This is why A2S_INFO requires a challenge :|
>>
>> Thanks,
>> - Saul.
>>
>>
>> 2009/9/5 Matt Stanton 
>>
>>> If these attacks are coming from ips that are outside of the range of
>>> your standard users' network range, then it's possible you could filter
>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>> internet that are generally too far away to have decent latency on your
>>> server.  Unfortunately, this would mean building a database of ip blocks
>>> that are allocated to networks that are within a reasonable distance of
>>> your server's network and checking every A2S_INFO packet that comes in
>>> against this database, which would likely eat a decent amount of CPU.
>>>
>>> Nephyrin Zey wrote:
>>> > The bandwidth involved in this attack is tiny. The issue is srcds chokes
>>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>> > machines in. I'd reckon a single residential connection could take down
>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>> > have a daemon that intercepts server queries and handles them itself.
>>> > It's currently handling this attacker hammering on two servers without
>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>> > and my tf2 servers continue to run just fine.
>>> >
>>> > And if you actually examine the attack, it's very obviously a single
>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>> > have the same exact path length.
>>> >
>>> > - Neph
>>> >
>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>> >
>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>> for a
>>> >> couple of reasons.
>>> >>
>>> >> First, the assumption by most on this thread is that it's a single guy
>>> >> operating from a single (or just a handful) of computers.  They further
>>> >> assume that he's forging the source IP addresses so the requests look
>>> like
>>> >> they're coming from many many different machines.  If this is true,
>>> there's
>>> >> no way to trace or block him based upon the information included in the
>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>> explain
>>> >> below.
>>> >>
>>> >> Second, if this assumption is incorrect you need to find a way to
>>> identify
>>> >> each and every source and block them one at a time.  Netblocks are at
>>> best a
>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>> process
>>> >> needs to be automated as much as possible or it's not effective.
>>> >>
>>> >> Now, why do I think that this is probably not coming from just a
>> handful
>>> of
>>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
>>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
>> as
>>> >> many as a quarter million compromised machines if you want to and you
>>> have
>>> >> the cash.
>>> >>
>>> >> Too cheap or too poor to rent someone else's network of infected PCs?
>>>  No
>>> >> problem.  Tools exist to build new malware and they're easy to come by
>>> if
>>> >> you're willing to start looking in the right places.  All you have to
>> do
>>> is
>>> >> build you

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-06 Thread Kyle Sanderson
Oh I'm sorry, I didn't realize this was the Win32 mailing list.

I'll make my mail sorting rules more specific, sorry guys >.<
Kyle.

On Sat, Sep 5, 2009 at 11:45 PM, Shizzle Nizzle  wrote:

> This is Windows, iptables is nonexistent. I know people have suggested plenty
> of Linux solutions for this problem in different ways to solve it :) but I
> don't think something that easy exists for Windows. IPsec doesn't do anything
> like that, nor does any normal software firewall for Windows; seems the only
> thing that could help is a UDP proxy, but that requires C programming.
>
> On Sun, Sep 6, 2009 at 1:29 AM, Kyle Sanderson 
> wrote:
>
> > Um... I'm going out on a limb here that no one has read the other topics
> > that have discussed this. Since it has yet to be posted here... has
> anyone
> > tried what Tony suggested by limiting the amount of queries via iptables
> > then logging the blocked ips? This rule was made by Tony, as simple as it
> > is
> > I would still like to give him credit as I didn't think of it.
> >
> > -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m
> > hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode
> > dstip,dstport --hashlimit-name a2sspam -j ACCEPT
> > -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP
> >
> > But yeah... Not sure if this did it or not but I haven't been "lagged
> out"
> > since. If this is something completely different, I'm sorry.
> > Kyle.
> >
> > On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins  > >wrote:
> >
> > > I have an open request on a fix for this problem. I'm willing to
> > > completely pay for a programmer's time and I'm willing to bet other
> > > people would also chip in on this. Anyone willing to work on this, let me know.
> > >
> > > http://forums.alliedmods.net/showthread.php?t=102779
> > >
> > >
> > >
> > > -Original Message-
> > > From: hlds-boun...@list.valvesoftware.com
> > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shizzle
> Nizzle
> > > Sent: Saturday, September 05, 2009 11:00 PM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > >
> > > From what I know, IPsec does nothing compared to what iptables is capable
> > > of doing, so that's out of the picture completely. The sudpipe UDP proxy
> > > program requires, I suppose, a background knowledge of C; I only know
> > > PHP/SQL myself :) I see plenty of bright people around here that have
> > > solutions for Linux lol :) wrong mailing list :P maybe some for Windows? :)
> > >
> > > Anyways, I'm ready to put down $65 for any plugin/program for Windows that
> > > manages these UDP floods specifically for Source servers. I think a few
> > > others said they would be willing to put money in the pot too.
> > >
> > > On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins
> > > wrote:
> > >
> > > > Anyone know of any hardware solutions to this problem?
> > > >
> > > > ClanAO.com
> > > >
> > > > On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:
> > > >
> > > > > Actually I got inspired by the word "daemon" and I realized that
> the
> > > > > key to
> > > > > the problem is a daemon... a proxy daemon... a caching proxy
> > > > > daemon :) I
> > > > > didn't have much time to check the incoming packet pattern, however
> > > > > I'm not
> > > > > sure that they all were 53 bytes long, actually the number was
> > > > > something
> > > > > like 33 that showed up a LOT of times in iptables logs (but I might
> > be
> > > > > wrong... and I'm sure the fault lies in drinking too much beer).
> > > > > Nevertheless I went for the 100% match with the -m string and it
> > works
> > > > > really good. I'm having about 300r/s and I don't see any CPU usage
> > > > > with this
> > > > > method. Anyways you are free to modify the source or iptables
> filter
> > > > > command
> > > > > :)
> > > > >
> > > > > 2009/9/6 Nephyrin Zey 
> > > > >
> > > > >> As an alternative to using -m string, you can just filter length
> 53
> > > > >> packets - no packets aside from the query packet end up being that

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
This is Windows, iptables is nonexistent. I know people have suggested plenty
of Linux solutions for this problem in different ways to solve it :) but I
don't think something that easy exists for Windows. IPsec doesn't do anything
like that, nor does any normal software firewall for Windows; seems the only
thing that could help is a UDP proxy, but that requires C programming.

On Sun, Sep 6, 2009 at 1:29 AM, Kyle Sanderson  wrote:

> Um... I'm going out on a limb here that no one has read the other topics
> that have discussed this. Since it has yet to be posted here... has anyone
> tried what Tony suggested by limiting the amount of queries via iptables
> then logging the blocked ips? This rule was made by Tony, as simple as it
> is
> I would still like to give him credit as I didn't think of it.
>
> -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m
> hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode
> dstip,dstport --hashlimit-name a2sspam -j ACCEPT
> -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP
>
> But yeah... Not sure if this did it or not but I haven't been "lagged out"
> since. If this is something completely different, I'm sorry.
> Kyle.
>
> On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins  >wrote:
>
> > I have an open request on a fix for this problem. I'm willing to
> > completely pay for a programmer's time and I'm willing to bet other people
> > would also chip in on this. Anyone willing to work on this, let me know.
> >
> > http://forums.alliedmods.net/showthread.php?t=102779
> >
> >
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shizzle Nizzle
> > Sent: Saturday, September 05, 2009 11:00 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > From what I know, IPsec does nothing compared to what iptables is capable
> > of doing, so that's out of the picture completely. The sudpipe UDP proxy
> > program requires, I suppose, a background knowledge of C; I only know
> > PHP/SQL myself :) I see plenty of bright people around here that have
> > solutions for Linux lol :) wrong mailing list :P maybe some for Windows? :)
> >
> > Anyways, I'm ready to put down $65 for any plugin/program for Windows that
> > manages these UDP floods specifically for Source servers. I think a few
> > others said they would be willing to put money in the pot too.
> >
> > On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins
> > wrote:
> >
> > > Anyone know of any hardware solutions to this problem?
> > >
> > > ClanAO.com
> > >
> > > On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:
> > >
> > > > Actually I got inspired by the word "daemon" and I realized that the
> > > > key to
> > > > the problem is a daemon... a proxy daemon... a caching proxy
> > > > daemon :) I
> > > > didn't have much time to check the incoming packet pattern, however
> > > > I'm not
> > > > sure that they all were 53 bytes long, actually the number was
> > > > something
> > > > like 33 that showed up a LOT of times in iptables logs (but I might
> be
> > > > wrong... and I'm sure the fault lies in drinking too much beer).
> > > > Nevertheless I went for the 100% match with the -m string and it
> works
> > > > really good. I'm having about 300r/s and I don't see any CPU usage
> > > > with this
> > > > method. Anyways you are free to modify the source or iptables filter
> > > > command
> > > > :)
> > > >
> > > > 2009/9/6 Nephyrin Zey 
> > > >
> > > >> As an alternative to using -m string, you can just filter length 53
> > > >> packets - no packets aside from the query packet end up being that
> > > >> length. Not super elegant, but a lot less overhead.
> > > >>
> > > >> And, as I said, my daemon works differently and could be used to
> > > >> easily
> > > >> start thousands of fake servers on a single box, which would screw
> > > >> more
> > > >> things over than it would help.
> > > >>
> > > >> - Neph
> > > >>
> > > >> On 09/05/2009 05:20 PM, Kaspars wrote:
> > > >>> God dammit... this is really fucked up... sorry for my language, I
> > > >>> just
> > > >> got

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kyle Sanderson
Um... I'm going out on a limb here that no one has read the other topics
that have discussed this. Since it has yet to be posted here... has anyone
tried what Tony suggested, limiting the number of queries via iptables and
then logging the blocked IPs? This rule was made by Tony; as simple as it is,
I would still like to give him credit as I didn't think of it.

-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode dstip,dstport --hashlimit-name a2sspam -j ACCEPT
-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP

But yeah... Not sure if this did it or not but I haven't been "lagged out"
since. If this is something completely different, I'm sorry.
Kyle.

On Sat, Sep 5, 2009 at 9:06 PM, Kenny Loggins wrote:

> I have an open request on a fix for this problem. I'm willing to completely
> pay for a programmer's time and I'm willing to bet other people would also
> chip in on this. Anyone willing to work on this, let me know.
>
> http://forums.alliedmods.net/showthread.php?t=102779
>
>
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shizzle Nizzle
> Sent: Saturday, September 05, 2009 11:00 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> From what I know, IPsec does nothing compared to what iptables is capable of
> doing, so that's out of the picture completely. The sudpipe UDP proxy program
> requires, I suppose, a background knowledge of C; I only know PHP/SQL myself :)
> I see plenty of bright people around here that have solutions for Linux lol :)
> wrong mailing list :P maybe some for Windows? :)
>
> Anyways, I'm ready to put down $65 for any plugin/program for Windows that
> manages these UDP floods specifically for Source servers. I think a few
> others said they would be willing to put money in the pot too.
>
> On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins
> wrote:
>
> > Anyone know of any hardware solutions to this problem?
> >
> > ClanAO.com
> >
> > On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:
> >
> > > Actually I got inspired by the word "daemon" and I realized that the key to
> > > the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
> > > didn't have much time to check the incoming packet pattern, however I'm not
> > > sure that they all were 53 bytes long, actually the number was something
> > > like 33 that showed up a LOT of times in iptables logs (but I might be
> > > wrong... and I'm sure the fault lies in drinking too much beer).
> > > Nevertheless I went for the 100% match with the -m string and it works
> > > really well. I'm having about 300r/s and I don't see any CPU usage with this
> > > method. Anyways you are free to modify the source or iptables filter command
> > > :)
> > >
> > > 2009/9/6 Nephyrin Zey 
> > >
> > >> As an alternative to using -m string, you can just filter length 53
> > >> packets - no packets aside from the query packet end up being that
> > >> length. Not super elegant, but a lot less overhead.
> > >>
> > >> And, as I said, my daemon works differently and could be used to easily
> > >> start thousands of fake servers on a single box, which would screw more
> > >> things over than it would help.
> > >>
> > >> - Neph
> > >>
> > >> On 09/05/2009 05:20 PM, Kaspars wrote:
> > >>> God dammit... this is really fucked up... sorry for my language, I just got
> > >>> too many beers today...
> > >>> Anyways, I just wanted to give something to the community as Neph is not
> > >>> willing to do it. This will fix the ddos attack for *nix however if you are
> > >>> using it, I'm not giving any warranty :)
> > >>>
> > >>> Here goes:
> > >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> > >>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> > >>> YOUR_SERVER_PORT
> > >>> 21015 is some random port for the udp proxy :) it must be opened in firewall
> > >>>
> > >>> then some iptables magic:
> > >>> iptables -t nat -A

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
I have an open request on a fix for this problem. I'm willing to completely
pay for a programmer's time and I'm willing to bet other people would also
chip in on this. Anyone willing to work this let me know

http://forums.alliedmods.net/showthread.php?t=102779



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shizzle Nizzle
Sent: Saturday, September 05, 2009 11:00 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

From what I know, ipsec does nothing to what iptables is capable of doing, so
that's out of the picture completely. The sudpipe udp proxy program requires
I suppose a background knowledge of C, only know php/sql myself :) I see
plenty of bright people around here that have solutions for linux lol :)
wrong mailing list :P maybe some for windows? :)

Anyways I'm ready to put down $65 to any plugin/program for windows that
manages these UDP floods specifically for source servers. I think a few
others said they would be willing to put money in the pot too.

On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins
wrote:

> Anyone know of any hardware solutions to this problem?
>
> ClanAO.com
>
> On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:
>
> > Actually I got inspired by the word "daemon" and I realized that the key to
> > the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
> > didn't have much time to check the incoming packet pattern, however I'm not
> > sure that they all were 53 bytes long, actually the number was something
> > like 33 that showed up a LOT of times in iptables logs (but I might be
> > wrong... and I'm sure the fault lies in drinking too much beer).
> > Nevertheless I went for the 100% match with the -m string and it works
> > really well. I'm having about 300r/s and I don't see any CPU usage with this
> > method. Anyways you are free to modify the source or iptables filter command
> > :)
> >
> > 2009/9/6 Nephyrin Zey 
> >
> >> As an alternative to using -m string, you can just filter length 53
> >> packets - no packets aside from the query packet end up being that
> >> length. Not super elegant, but a lot less overhead.
> >>
> >> And, as I said, my daemon works differently and could be used to easily
> >> start thousands of fake servers on a single box, which would screw more
> >> things over than it would help.
> >>
> >> - Neph
> >>
> >> On 09/05/2009 05:20 PM, Kaspars wrote:
> >>> God dammit... this is really fucked up... sorry for my language, I just got
> >>> too many beers today...
> >>> Anyways, I just wanted to give something to the community as Neph is not
> >>> willing to do it. This will fix the ddos attack for *nix however if you are
> >>> using it, I'm not giving any warranty :)
> >>>
> >>> Here goes:
> >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> >>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> >>> YOUR_SERVER_PORT
> >>> 21015 is some random port for the udp proxy :) it must be opened in firewall
> >>>
> >>> then some iptables magic:
> >>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> >>> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> >>> REDIRECT --to-port 21015
> >>>
> >>> that's about it...
> >>>
> >>> 2009/9/6 Nephyrin Zey
> >>>
> >>>
> >>>> The problem with my solution is the daemon would be really really
> >>>> abusive in the wrong hands. We don't need someone using it to easily
> >>>> start 100 fake servers at 255/255 slots and polluting the server list.
> >>>> It's not some super complex feat, but releasing an easy compiled
> >>>> prepackaged version is just asking for it - and the real solution needs
> >>>> to be Valve. Plus, it's not very easy to configure and I'm not even sure
> >>>> windows ipsec is capable of that level of packet interception.
> >>>>
> >>>> Something on the lines of tony's plugin would be a much better solution,
> >>>> but you

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
From what I know, ipsec does nothing to what iptables is capable of doing, so
that's out of the picture completely. The sudpipe udp proxy program requires
I suppose a background knowledge of C, only know php/sql myself :) I see
plenty of bright people around here that have solutions for linux lol :)
wrong mailing list :P maybe some for windows? :)

Anyways I'm ready to put down $65 to any plugin/program for windows that
manages these UDP floods specifically for source servers. I think a few
others said they would be willing to put money in the pot too.

On Sat, Sep 5, 2009 at 9:37 PM, Kenny Loggins wrote:

> Anyone know of any hardware solutions to this problem?
>
> ClanAO.com
>
> On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:
>
> > Actually I got inspired by the word "daemon" and I realized that the key to
> > the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
> > didn't have much time to check the incoming packet pattern, however I'm not
> > sure that they all were 53 bytes long, actually the number was something
> > like 33 that showed up a LOT of times in iptables logs (but I might be
> > wrong... and I'm sure the fault lies in drinking too much beer).
> > Nevertheless I went for the 100% match with the -m string and it works
> > really well. I'm having about 300r/s and I don't see any CPU usage with this
> > method. Anyways you are free to modify the source or iptables filter command
> > :)
> >
> > 2009/9/6 Nephyrin Zey 
> >
> >> As an alternative to using -m string, you can just filter length 53
> >> packets - no packets aside from the query packet end up being that
> >> length. Not super elegant, but a lot less overhead.
> >>
> >> And, as I said, my daemon works differently and could be used to easily
> >> start thousands of fake servers on a single box, which would screw more
> >> things over than it would help.
> >>
> >> - Neph
> >>
> >> On 09/05/2009 05:20 PM, Kaspars wrote:
> >>> God dammit... this is really fucked up... sorry for my language, I just got
> >>> too many beers today...
> >>> Anyways, I just wanted to give something to the community as Neph is not
> >>> willing to do it. This will fix the ddos attack for *nix however if you are
> >>> using it, I'm not giving any warranty :)
> >>>
> >>> Here goes:
> >>> first, get the source and compile: http://www.gign.lv/tmp/test.c
> >>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> >>> YOUR_SERVER_PORT
> >>> 21015 is some random port for the udp proxy :) it must be opened in firewall
> >>>
> >>> then some iptables magic:
> >>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> >>> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> >>> REDIRECT --to-port 21015
> >>>
> >>> that's about it...
> >>>
> >>> 2009/9/6 Nephyrin Zey
> >>>
> >>>
>  The problem with my solution is the daemon would be really really
>  abusive in the wrong hands. We don't need someone using it to easily
>  start 100 fake servers at 255/255 slots and polluting the server list.
>  It's not some super complex feat, but releasing an easy compiled
>  prepackaged version is just asking for it - and the real solution needs
>  to be Valve. Plus, it's not very easy to configure and I'm not even sure
>  windows ipsec is capable of that level of packet interception.
> 
>  Something on the lines of tony's plugin would be a much better solution,
>  but you'll have to hound him about that
> 
>  - Neph
> 
>  On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> 
> > I don't think either you or Neph have released your plugins to the public so
> > this solution works great for you guys. Maybe we can have some info or
> > direction from you so the general public can do something about this?
> >
> > As long as they get away with this it's going to keep happening if a plugin
> > was available to stop this it is no longer "fun" or productive to DOS servers
> > anymore.
> >
> >
> 
>  ___
>  To unsubscribe, edit your list preferences, or view the list
>  archives,
>  please visit:
>  http://list.valvesoftware.com/mailman/listinfo/hlds
> 
> 
> >>>
> >>
> >>
> >>

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
Anyone know of any hardware solutions to this problem?

ClanAO.com

On Sep 5, 2009, at 8:09 PM, Kaspars  wrote:

> Actually I got inspired by the word "daemon" and I realized that the key to
> the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
> didn't have much time to check the incoming packet pattern, however I'm not
> sure that they all were 53 bytes long, actually the number was something
> like 33 that showed up a LOT of times in iptables logs (but I might be
> wrong... and I'm sure the fault lies in drinking too much beer).
> Nevertheless I went for the 100% match with the -m string and it works
> really well. I'm having about 300r/s and I don't see any CPU usage with this
> method. Anyways you are free to modify the source or iptables filter command
> :)
>
> 2009/9/6 Nephyrin Zey 
>
>> As an alternative to using -m string, you can just filter length 53
>> packets - no packets aside from the query packet end up being that
>> length. Not super elegant, but a lot less overhead.
>>
>> And, as I said, my daemon works differently and could be used to easily
>> start thousands of fake servers on a single box, which would screw more
>> things over than it would help.
>>
>> - Neph
>>
>> On 09/05/2009 05:20 PM, Kaspars wrote:
>>> God dammit... this is really fucked up... sorry for my language, I just got
>>> too many beers today...
>>> Anyways, I just wanted to give something to the community as Neph is not
>>> willing to do it. This will fix the ddos attack for *nix however if you are
>>> using it, I'm not giving any warranty :)
>>>
>>> Here goes:
>>> first, get the source and compile: http://www.gign.lv/tmp/test.c
>>> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
>>> YOUR_SERVER_PORT
>>> 21015 is some random port for the udp proxy :) it must be opened in firewall
>>>
>>> then some iptables magic:
>>> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
>>> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
>>> REDIRECT --to-port 21015
>>>
>>> that's about it...
>>>
>>> 2009/9/6 Nephyrin Zey
>>>
>>>
 The problem with my solution is the daemon would be really really
 abusive in the wrong hands. We don't need someone using it to easily
 start 100 fake servers at 255/255 slots and polluting the server list.
 It's not some super complex feat, but releasing an easy compiled
 prepackaged version is just asking for it - and the real solution needs
 to be Valve. Plus, it's not very easy to configure and I'm not even sure
 windows ipsec is capable of that level of packet interception.

 Something on the lines of tony's plugin would be a much better solution,
 but you'll have to hound him about that

 - Neph

 On 09/05/2009 03:14 PM, Kenny Loggins wrote:

> I don't think either you or Neph have released your plugins to the public so
> this solution works great for you guys. Maybe we can have some info or
> direction from you so the general public can do something about this?
>
> As long as they get away with this it's going to keep happening if a plugin
> was available to stop this it is no longer "fun" or productive to DOS servers
> anymore.
>
>



>>>
>>
>>
>>




Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kaspars
Actually I got inspired by the word "daemon" and I realized that the key to
the problem is a daemon... a proxy daemon... a caching proxy daemon :) I
didn't have much time to check the incoming packet pattern, however I'm not
sure that they all were 53 bytes long, actually the number was something
like 33 that showed up a LOT of times in iptables logs (but I might be
wrong... and I'm sure the fault lies in drinking too much beer).
Nevertheless I went for the 100% match with the -m string and it works
really well. I'm having about 300r/s and I don't see any CPU usage with this
method. Anyways you are free to modify the source or iptables filter command
:)

2009/9/6 Nephyrin Zey 

> As an alternative to using -m string, you can just filter length 53
> packets - no packets aside from the query packet end up being that
> length. Not super elegant, but a lot less overhead.
>
> And, as I said, my daemon works differently and could be used to easily
> start thousands of fake servers on a single box, which would screw more
> things over than it would help.
>
> - Neph
>
> On 09/05/2009 05:20 PM, Kaspars wrote:
> > God dammit... this is really fucked up... sorry for my language, I just got
> > too many beers today...
> > Anyways, I just wanted to give something to the community as Neph is not
> > willing to do it. This will fix the ddos attack for *nix however if you are
> > using it, I'm not giving any warranty :)
> >
> > Here goes:
> > first, get the source and compile: http://www.gign.lv/tmp/test.c
> > run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> > YOUR_SERVER_PORT
> > 21015 is some random port for the udp proxy :) it must be opened in firewall
> >
> > then some iptables magic:
> > iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> > YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> > REDIRECT --to-port 21015
> >
> > that's about it...
> >
> > 2009/9/6 Nephyrin Zey
> >
> >
> >> The problem with my solution is the daemon would be really really
> >> abusive in the wrong hands. We don't need someone using it to easily
> >> start 100 fake servers at 255/255 slots and polluting the server list.
> >> It's not some super complex feat, but releasing an easy compiled
> >> prepackaged version is just asking for it - and the real solution needs
> >> to be Valve. Plus, it's not very easy to configure and I'm not even sure
> >> windows ipsec is capable of that level of packet interception.
> >>
> >> Something on the lines of tony's plugin would be a much better solution,
> >> but you'll have to hound him about that
> >>
> >> - Neph
> >>
> >> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> >>
> >>> I don't think either you or Neph have released your plugins to the public so
> >>> this solution works great for you guys. Maybe we can have some info or
> >>> direction from you so the general public can do something about this?
> >>>
> >>> As long as they get away with this it's going to keep happening if a plugin
> >>> was available to stop this it is no longer "fun" or productive to DOS servers
> >>> anymore.
> >>>
> >>>
> >>
> >>
> >>
> >
>
>
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Nephyrin Zey
As an alternative to using -m string, you can just filter length 53 
packets - no packets aside from the query packet end up being that 
length. Not super elegant, but a lot less overhead.

And, as I said, my daemon works differently and could be used to easily 
start thousands of fake servers on a single box, which would screw more 
things over than it would help.

- Neph

On 09/05/2009 05:20 PM, Kaspars wrote:
> God dammit... this is really fucked up... sorry for my language, I just got
> too many beers today...
> Anyways, I just wanted to give something to the community as Neph is not
> willing to do it. This will fix the ddos attack for *nix however if you are
> using it, I'm not giving any warranty :)
>
> Here goes:
> first, get the source and compile: http://www.gign.lv/tmp/test.c
> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> YOUR_SERVER_PORT
> 21015 is some random port for the udp proxy :) it must be opened in firewall
>
> then some iptables magic:
> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> REDIRECT --to-port 21015
>
> that's about it...
>
> 2009/9/6 Nephyrin Zey
>
>
>> The problem with my solution is the daemon would be really really
>> abusive in the wrong hands. We don't need someone using it to easily
>> start 100 fake servers at 255/255 slots and polluting the server list.
>> It's not some super complex feat, but releasing an easy compiled
>> prepackaged version is just asking for it - and the real solution needs
>> to be Valve. Plus, it's not very easy to configure and I'm not even sure
>> windows ipsec is capable of that level of packet interception.
>>
>> Something on the lines of tony's plugin would be a much better solution,
>> but you'll have to hound him about that
>>
>> - Neph
>>
>> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
>>  
>>> I don't think either you or Neph have released your plugins to the public so
>>> this solution works great for you guys. Maybe we can have some info or
>>> direction from you so the general public can do something about this?
>>>
>>> As long as they get away with this it's going to keep happening if a plugin
>>> was available to stop this it is no longer "fun" or productive to DOS servers
>>> anymore.
>>>
>>>
>>
>>
>>  
>




Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Donnie Newlove
If it could be any help, Luigi has had a udp proxy for windows for a
long time. Search on the page for sudpipe.

http://aluigi.altervista.org/mytoolz.htm#win

On Sun, Sep 6, 2009 at 2:20 AM, Kaspars wrote:
> God dammit... this is really fucked up... sorry for my language, I just got
> too many beers today...
> Anyways, I just wanted to give something to the community as Neph is not
> willing to do it. This will fix the ddos attack for *nix however if you are
> using it, I'm not giving any warranty :)
>
> Here goes:
> first, get the source and compile: http://www.gign.lv/tmp/test.c
> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> YOUR_SERVER_PORT
> 21015 is some random port for the udp proxy :) it must be opened in firewall
>
> then some iptables magic:
> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> REDIRECT --to-port 21015
>
> that's about it...
>
> 2009/9/6 Nephyrin Zey 
>
>> The problem with my solution is the daemon would be really really
>> abusive in the wrong hands. We don't need someone using it to easily
>> start 100 fake servers at 255/255 slots and polluting the server list.
>> It's not some super complex feat, but releasing an easy compiled
>> prepackaged version is just asking for it - and the real solution needs
>> to be Valve. Plus, it's not very easy to configure and I'm not even sure
>> windows ipsec is capable of that level of packet interception.
>>
>> Something on the lines of tony's plugin would be a much better solution,
>> but you'll have to hound him about that
>>
>> - Neph
>>
>> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
>> > I don't think either you or Neph have released your plugins to the public so
>> > this solution works great for you guys. Maybe we can have some info or
>> > direction from you so the general public can do something about this?
>> >
>> > As long as they get away with this it's going to keep happening if a plugin
>> > was available to stop this it is no longer "fun" or productive to DOS servers
>> > anymore.
>> >
>>
>>
>>
>



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kaspars
By the way, I forgot to mention what this *fix* does... this is a simple
UDP proxy that caches a request, so if you have 300 request/second, it will
just query the server once every five seconds and give back to the client
cached data.

2009/9/6 Kaspars 

> God dammit... this is really fucked up... sorry for my language, I just got
> too many beers today...
> Anyways, I just wanted to give something to the community as Neph is not
> willing to do it. This will fix the ddos attack for *nix however if you are
> using it, I'm not giving any warranty :)
>
> Here goes:
> first, get the source and compile: http://www.gign.lv/tmp/test.c
> run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
> YOUR_SERVER_PORT
> 21015 is some random port for the udp proxy :) it must be opened in
> firewall
>
> then some iptables magic:
> iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
> YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
> REDIRECT --to-port 21015
>
> that's about it...
>
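Kaspars's caching proxy as described above, and Nephyrin's 53-byte packet length from earlier in the thread, in working form. This is an added example and not Kaspars's test.c, sudppipe or any code from the thread; the proxy port, server address and five-second TTL are assumed parameters, and the sample 'I' reply is constructed.

```python
"""Caching A2S_INFO proxy (added example, not Kaspars's test.c or sudppipe).

Bind it on the port the iptables REDIRECT rule sends 'TSource Engine Query'
packets to; it answers from cache and queries the real server at most once
per TTL, so 300 requests/second cost the game server one query per TTL.
"""
import socket
import sys
import time

# 4-byte 0xFFFFFFFF header + 'T' + "Source Engine Query" + NUL = 25 bytes of payload.
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"
# Plus a 20-byte IPv4 header and an 8-byte UDP header = 53 bytes on the wire,
# the packet length Nephyrin suggests matching on instead of the string.
A2S_INFO_WIRE_LEN = len(A2S_INFO_REQUEST) + 20 + 8
INFO_REPLY_HEADER = b"\xff\xff\xff\xffI"


class InfoCache:
    """One cached 'I' reply plus counters for what was answered from where."""

    def __init__(self, ttl=5.0):
        self.ttl = ttl
        self.reply = None
        self.fetched_at = None
        self.served_from_cache = 0
        self.forwarded = 0

    def fresh(self, now):
        return self.reply is not None and now - self.fetched_at < self.ttl

    def store(self, reply, now):
        """Accept only a well-formed 'I' reply so a stray datagram never poisons the cache."""
        if not reply.startswith(INFO_REPLY_HEADER):
            return False
        self.reply, self.fetched_at = reply, now
        return True


def handle_request(cache, data, now, query_server):
    """Decide how to answer one datagram delivered to the proxy port.

    query_server(request) returns the server's reply bytes, or None on timeout.
    Returns ("cache", reply), ("forward", reply), ("drop", None) or ("unanswered", None).
    """
    if data != A2S_INFO_REQUEST:
        # The REDIRECT rule only sends A2S_INFO here; anything else is not ours to relay.
        return ("drop", None)
    if cache.fresh(now):
        cache.served_from_cache += 1
        return ("cache", cache.reply)
    reply = query_server(data)
    if reply is not None and cache.store(reply, now):
        cache.forwarded += 1
        return ("forward", reply)
    if cache.reply is not None:
        # Server silent or replied with junk: hand out the stale copy rather than
        # turning every timeout into yet another upstream query.
        cache.served_from_cache += 1
        return ("cache", cache.reply)
    return ("unanswered", None)


def build_info_reply(name, map_name, players, max_players):
    """Constructed sample 'I' reply (protocol 17 field order); not from a real server."""
    return (INFO_REPLY_HEADER + b"\x11"
            + name.encode() + b"\x00" + map_name.encode() + b"\x00"
            + b"tf\x00Team Fortress\x00" + (440).to_bytes(2, "little")
            + bytes([players, max_players, 0]) + b"dl" + bytes([0, 1])
            + b"1.0.0.0\x00")


def serve(listen_port, server_ip, server_port, ttl=5.0):
    """Proxy loop. Replies leave through the socket the request arrived on, so
    conntrack maps them back to the original server port for the client."""
    cache = InfoCache(ttl)
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(("0.0.0.0", listen_port))
    back = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    back.settimeout(1.0)

    def query_server(request):
        try:
            back.sendto(request, (server_ip, server_port))
            return back.recvfrom(1400)[0]
        except socket.timeout:
            return None

    while True:
        data, client = front.recvfrom(1400)
        action, reply = handle_request(cache, data, time.time(), query_server)
        if reply is not None:
            front.sendto(reply, client)


if __name__ == "__main__":
    # Same argument order as Kaspars's ./test: proxy port, server IP, server port.
    serve(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

Run it behind the same iptables REDIRECT rule, e.g. with the proxy port 21015 used in the thread.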


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kaspars
God dammit... this is really fucked up... sorry for my language, I just got
too many beers today...
Anyways, I just wanted to give something to the community as Neph is not
willing to do it. This will fix the ddos attack for *nix however if you are
using it, I'm not giving any warranty :)

Here goes:
first, get the source and compile: http://www.gign.lv/tmp/test.c
run it in the screen like ./test 21015 YOUR_EXTERNAL_TF2_SERVER_IP
YOUR_SERVER_PORT
21015 is some random port for the udp proxy :) it must be opened in firewall

then some iptables magic:
iptables -t nat -A PREROUTING -p udp -d YOUR_EXTERNAL_TF2_SERVER_IP --dport
YOUR_SERVER_PORT -m string --algo kmp --string 'TSource Engine Query' -j
REDIRECT --to-port 21015

that's about it...

2009/9/6 Nephyrin Zey 

> The problem with my solution is the daemon would be really really
> abusive in the wrong hands. We don't need someone using it to easily
> start 100 fake servers at 255/255 slots and polluting the server list.
> It's not some super complex feat, but releasing an easy compiled
> prepackaged version is just asking for it - and the real solution needs
> to be Valve. Plus, it's not very easy to configure and I'm not even sure
> windows ipsec is capable of that level of packet interception.
>
> Something on the lines of tony's plugin would be a much better solution,
> but you'll have to hound him about that
>
> - Neph
>
> On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> > I don't think either you or Neph have released your plugins to the public so
> > this solution works great for you guys. Maybe we can have some info or
> > direction from you so the general public can do something about this?
> >
> > As long as they get away with this it's going to keep happening if a plugin
> > was available to stop this it is no longer "fun" or productive to DOS servers
> > anymore.
> >
>
>
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Nephyrin Zey
The problem with my solution is the daemon would be really really
abusive in the wrong hands. We don't need someone using it to easily
start 100 fake servers at 255/255 slots and polluting the server list.
It's not some super complex feat, but releasing an easy compiled
prepackaged version is just asking for it - and the real solution needs
to be Valve. Plus, it's not very easy to configure and I'm not even sure
windows ipsec is capable of that level of packet interception.

Something on the lines of tony's plugin would be a much better solution, 
but you'll have to hound him about that

- Neph

On 09/05/2009 03:14 PM, Kenny Loggins wrote:
> I don't think either you or Neph have released your plugins to the public so
> this solution works great for you guys. Maybe we can have some info or
> direction from you so the general public can do something about this?
>
> As long as they get away with this it's going to keep happening if a plugin
> was available to stop this it is no longer "fun" or productive to DOS servers
> anymore.
>




Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
thanks a lot claudio if this fixes the problem. you will be for sure
handsomely rewarded :)

On Sat, Sep 5, 2009 at 5:44 PM, Claudio Beretta
wrote:

> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins
> wrote:
> > I'm willing to pay someone to write a windows version of a query proxy.
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
> > Sent: Saturday, September 05, 2009 4:36 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > This is why A2S_INFO requires a challenge :|
> >
> > Thanks,
> > - Saul.
> >
> >
> > 2009/9/5 Matt Stanton 
> >
> >> If these attacks are coming from ips that are outside of the range of
> >> your standard users' network range, then it's possible you could filter
> >> out requests from unallocated ip blocks and ip blocks from areas of the
> >> internet that are generally too far away to have decent latency on your
> >> server.  Unfortunately, this would mean building a database of ip blocks
> >> that are allocated to networks that are within a reasonable distance of
> >> your server's network and checking every A2S_INFO packet that comes in
> >> against this database, which would likely eat a decent amount of CPU.
> >>
> >> Nephyrin Zey wrote:
> >> > The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
> >> > on large numbers of A2S_INFO packets, its not the traffic that's doing
> >> > machines in. I'd reckon a single residential connection could take
> down
> >> > a server this way. Once you fix the srcds issue, the problem stops. I
> >> > have a daemon that intercepts server queries and handles them itself.
> >> > It's currently handling this attacker hammering on two servers without
> >> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
> >> > and my tf2 servers continue to run just fine.
> >> >
> >> > And if you actually examine the attack, it's very obviously a single
> >> > source with spoofed IPs. I rather doubt someone has a million-strong
> >> > botnet containing nearly 30% unallocated IP ranges, that all happen to
> >> > have the same exact path length.
> >> >
> >> > - Neph
> >> >
> >> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> >> >
> >> >> This... actually isn't a bad idea.  It's a pain to implement, though,
> >> for a
> >> >> couple of reasons.
> >> >>
> >> >> First, the assumption by most on this thread is that it's a single
> guy
> >> >> operating from a single (or just a handful) of computers.  They
> further
> >> >> assume that he's forging the source IP addresses so the requests look
> >> like
> >> >> they're coming from many many different machines.  If this is true,
> >> there's
> >> >> no way to trace or block him based upon the information included in
> the
> >> >> packets he's creating.  I think this assumption is wrong, as I'll
> >> explain
> >> >> below.
> >> >>
> >> >> Second, if this assumption is incorrect you need to find a way to
> >> identify
> >> >> each and every source and block them one at a time.  Netblocks are at
> >> best a
> >> >> crude measure which risks blocking many legitimate clients.  Such a
> >> process
> >> >> needs to be automated as much as possible or it's not effective.
> >> >>
> >> >> Now, why do I think that this is probably not coming from just a
> > handful
> >> of
> >> >> sources?  Simple.  DDoS stands for Distributed Denial of Service,
> after
> >> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
> > as
> >> >> many as a quarter million compromised machines if you want to and you
> >> have
> >> >> the cash.
> >> >>
> >> >> Too cheap or too poor to rent someone else's network of infected PCs?
> >>  No
> >> >> problem.  Tools exist to build new malware and they're easy to come
> by
> >> if
> >> >> you're willing 

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kingsley Foreman
I'm also getting this attack...

It's a nasty one, approx 5 of our servers are being hit.

Kingsley

--
From: "Claudio Beretta" 
Sent: Sunday, September 06, 2009 8:14 AM
To: "Half-Life dedicated Win32 server mailing list" 

Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

> I'm doing it right now, should be ready tomorrow.
>
> On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins 
> wrote:
>> I'm willing to pay someone to write a windows version of a query proxy.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
>> Sent: Saturday, September 05, 2009 4:36 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> This is why A2S_INFO requires a challenge :|
>>
>> Thanks,
>> - Saul.
>>
>>
>> 2009/9/5 Matt Stanton 
>>
>>> If these attacks are coming from ips that are outside of the range of
>>> your standard users' network range, then it's possible you could filter
>>> out requests from unallocated ip blocks and ip blocks from areas of the
>>> internet that are generally too far away to have decent latency on your
>>> server.  Unfortunately, this would mean building a database of ip blocks
>>> that are allocated to networks that are within a reasonable distance of
>>> your server's network and checking every A2S_INFO packet that comes in
>>> against this database, which would likely eat a decent amount of CPU.
>>>
>>> Nephyrin Zey wrote:
>>> > The bandwidth involved in this attack is tiny. The issue is srcds 
>>> > chokes
>>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>>> > machines in. I'd reckon a single residential connection could take 
>>> > down
>>> > a server this way. Once you fix the srcds issue, the problem stops. I
>>> > have a daemon that intercepts server queries and handles them itself.
>>> > It's currently handling this attacker hammering on two servers without
>>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>>> > and my tf2 servers continue to run just fine.
>>> >
>>> > And if you actually examine the attack, it's very obviously a single
>>> > source with spoofed IPs. I rather doubt someone has a million-strong
>>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>>> > have the same exact path length.
>>> >
>>> > - Neph
>>> >
>>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>>> >
>>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>>> for a
>>> >> couple of reasons.
>>> >>
>>> >> First, the assumption by most on this thread is that it's a single 
>>> >> guy
>>> >> operating from a single (or just a handful) of computers.  They 
>>> >> further
>>> >> assume that he's forging the source IP addresses so the requests look
>>> like
>>> >> they're coming from many many different machines.  If this is true,
>>> there's
>>> >> no way to trace or block him based upon the information included in 
>>> >> the
>>> >> packets he's creating.  I think this assumption is wrong, as I'll
>>> explain
>>> >> below.
>>> >>
>>> >> Second, if this assumption is incorrect you need to find a way to
>>> identify
>>> >> each and every source and block them one at a time.  Netblocks are at
>>> best a
>>> >> crude measure which risks blocking many legitimate clients.  Such a
>>> process
>>> >> needs to be automated as much as possible or it's not effective.
>>> >>
>>> >> Now, why do I think that this is probably not coming from just a
>> handful
>>> of
>>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service, 
>>> >> after
>>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
>> as
>>> >> many as a quarter million compromised machines if you want to and you
>>> have
>>> >> the cash.
>>> >>
>>> >> Too cheap or too poor to rent someone else

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
ill add to that too.

On Sat, Sep 5, 2009 at 5:32 PM, Kenny Loggins wrote:

> I'm willing to pay someone to write a windows version of a query proxy.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
> Sent: Saturday, September 05, 2009 4:36 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> This is why A2S_INFO requires a challenge :|
>
> Thanks,
> - Saul.
>
>
> 2009/9/5 Matt Stanton 
>
> > If these attacks are coming from ips that are outside of the range of
> > your standard users' network range, then it's possible you could filter
> > out requests from unallocated ip blocks and ip blocks from areas of the
> > internet that are generally too far away to have decent latency on your
> > server.  Unfortunately, this would mean building a database of ip blocks
> > that are allocated to networks that are within a reasonable distance of
> > your server's network and checking every A2S_INFO packet that comes in
> > against this database, which would likely eat a decent amount of CPU.
> >
> > Nephyrin Zey wrote:
> > > The bandwidth involved in this attack is tiny. The issue is srcds
> chokes
> > > on large numbers of A2S_INFO packets, it's not the traffic that's doing
> > > machines in. I'd reckon a single residential connection could take down
> > > a server this way. Once you fix the srcds issue, the problem stops. I
> > > have a daemon that intercepts server queries and handles them itself.
> > > It's currently handling this attacker hammering on two servers without
> > > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
> > > and my tf2 servers continue to run just fine.
> > >
> > > And if you actually examine the attack, it's very obviously a single
> > > source with spoofed IPs. I rather doubt someone has a million-strong
> > > botnet containing nearly 30% unallocated IP ranges, that all happen to
> > > have the same exact path length.
> > >
> > > - Neph
> > >
> > > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> > >
> > >> This... actually isn't a bad idea.  It's a pain to implement, though,
> > for a
> > >> couple of reasons.
> > >>
> > >> First, the assumption by most on this thread is that it's a single guy
> > >> operating from a single (or just a handful) of computers.  They
> further
> > >> assume that he's forging the source IP addresses so the requests look
> > like
> > >> they're coming from many many different machines.  If this is true,
> > there's
> > >> no way to trace or block him based upon the information included in
> the
> > >> packets he's creating.  I think this assumption is wrong, as I'll
> > explain
> > >> below.
> > >>
> > >> Second, if this assumption is incorrect you need to find a way to
> > identify
> > >> each and every source and block them one at a time.  Netblocks are at
> > best a
> > >> crude measure which risks blocking many legitimate clients.  Such a
> > process
> > >> needs to be automated as much as possible or it's not effective.
> > >>
> > >> Now, why do I think that this is probably not coming from just a
> handful
> > of
> > >> sources?  Simple.  DDoS stands for Distributed Denial of Service,
> after
> > >> all.  Botnets are reaching incredible proportions.  It's easy to rent
> as
> > >> many as a quarter million compromised machines if you want to and you
> > have
> > >> the cash.
> > >>
> > >> Too cheap or too poor to rent someone else's network of infected PCs?
> >  No
> > >> problem.  Tools exist to build new malware and they're easy to come by
> > if
> > >> you're willing to start looking in the right places.  All you have to
> do
> > is
> > >> build your bot code and figure out a way to get it loaded on 5,000,
> > 10,000,
> > >> or more PCs.  After that, DDoS to your heart's content.  Script
> kiddies
> > do
> > >> this _all_ _the_ _time_.
> > >>
> > >> So, when under attack your choices are:
> > >>
> > >> *  Wait it out.
> > >>
> > >> *  Work with your vendor to figure out a way block the attack i

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
I'm doing it right now, should be ready tomorrow.

On Sun, Sep 6, 2009 at 12:32 AM, Kenny Loggins wrote:
> I'm willing to pay someone to write a windows version of a query proxy.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
> Sent: Saturday, September 05, 2009 4:36 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> This is why A2S_INFO requires a challenge :|
>
> Thanks,
> - Saul.
>
>
> 2009/9/5 Matt Stanton 
>
>> If these attacks are coming from ips that are outside of the range of
>> your standard users' network range, then it's possible you could filter
>> out requests from unallocated ip blocks and ip blocks from areas of the
>> internet that are generally too far away to have decent latency on your
>> server.  Unfortunately, this would mean building a database of ip blocks
>> that are allocated to networks that are within a reasonable distance of
>> your server's network and checking every A2S_INFO packet that comes in
>> against this database, which would likely eat a decent amount of CPU.
>>
>> Nephyrin Zey wrote:
>> > The bandwidth involved in this attack is tiny. The issue is srcds chokes
>> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
>> > machines in. I'd reckon a single residential connection could take down
>> > a server this way. Once you fix the srcds issue, the problem stops. I
>> > have a daemon that intercepts server queries and handles them itself.
>> > It's currently handling this attacker hammering on two servers without
>> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
>> > and my tf2 servers continue to run just fine.
>> >
>> > And if you actually examine the attack, it's very obviously a single
>> > source with spoofed IPs. I rather doubt someone has a million-strong
>> > botnet containing nearly 30% unallocated IP ranges, that all happen to
>> > have the same exact path length.
>> >
>> > - Neph
>> >
>> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>> >
>> >> This... actually isn't a bad idea.  It's a pain to implement, though,
>> for a
>> >> couple of reasons.
>> >>
>> >> First, the assumption by most on this thread is that it's a single guy
>> >> operating from a single (or just a handful) of computers.  They further
>> >> assume that he's forging the source IP addresses so the requests look
>> like
>> >> they're coming from many many different machines.  If this is true,
>> there's
>> >> no way to trace or block him based upon the information included in the
>> >> packets he's creating.  I think this assumption is wrong, as I'll
>> explain
>> >> below.
>> >>
>> >> Second, if this assumption is incorrect you need to find a way to
>> identify
>> >> each and every source and block them one at a time.  Netblocks are at
>> best a
>> >> crude measure which risks blocking many legitimate clients.  Such a
>> process
>> >> needs to be automated as much as possible or it's not effective.
>> >>
>> >> Now, why do I think that this is probably not coming from just a
> handful
>> of
>> >> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
>> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
> as
>> >> many as a quarter million compromised machines if you want to and you
>> have
>> >> the cash.
>> >>
>> >> Too cheap or too poor to rent someone else's network of infected PCs?
>>  No
>> >> problem.  Tools exist to build new malware and they're easy to come by
>> if
>> >> you're willing to start looking in the right places.  All you have to
> do
>> is
>> >> build your bot code and figure out a way to get it loaded on 5,000,
>> 10,000,
>> >> or more PCs.  After that, DDoS to your heart's content.  Script kiddies
>> do
>> >> this _all_ _the_ _time_.
>> >>
>> >> So, when under attack your choices are:
>> >>
>> >> *  Wait it out.
>> >>
>> >> *  Work with your vendor to figure out a way to block the attack in the
>> first
>> >> place.  (Valve, 

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
I'm willing to pay someone to write a windows version of a query proxy.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison
Sent: Saturday, September 05, 2009 4:36 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

This is why A2S_INFO requires a challenge :|

Thanks,
- Saul.


2009/9/5 Matt Stanton 

> If these attacks are coming from ips that are outside of the range of
> your standard users' network range, then it's possible you could filter
> out requests from unallocated ip blocks and ip blocks from areas of the
> internet that are generally too far away to have decent latency on your
> server.  Unfortunately, this would mean building a database of ip blocks
> that are allocated to networks that are within a reasonable distance of
> your server's network and checking every A2S_INFO packet that comes in
> against this database, which would likely eat a decent amount of CPU.
>
> Nephyrin Zey wrote:
> > The bandwidth involved in this attack is tiny. The issue is srcds chokes
> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
> > machines in. I'd reckon a single residential connection could take down
> > a server this way. Once you fix the srcds issue, the problem stops. I
> > have a daemon that intercepts server queries and handles them itself.
> > It's currently handling this attacker hammering on two servers without
> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
> > and my tf2 servers continue to run just fine.
> >
> > And if you actually examine the attack, it's very obviously a single
> > source with spoofed IPs. I rather doubt someone has a million-strong
> > botnet containing nearly 30% unallocated IP ranges, that all happen to
> > have the same exact path length.
> >
> > - Neph
> >
> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> >
> >> This... actually isn't a bad idea.  It's a pain to implement, though,
> for a
> >> couple of reasons.
> >>
> >> First, the assumption by most on this thread is that it's a single guy
> >> operating from a single (or just a handful) of computers.  They further
> >> assume that he's forging the source IP addresses so the requests look
> like
> >> they're coming from many many different machines.  If this is true,
> there's
> >> no way to trace or block him based upon the information included in the
> >> packets he's creating.  I think this assumption is wrong, as I'll
> explain
> >> below.
> >>
> >> Second, if this assumption is incorrect you need to find a way to
> identify
> >> each and every source and block them one at a time.  Netblocks are at
> best a
> >> crude measure which risks blocking many legitimate clients.  Such a
> process
> >> needs to be automated as much as possible or it's not effective.
> >>
> >> Now, why do I think that this is probably not coming from just a
handful
> of
> >> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> >> all.  Botnets are reaching incredible proportions.  It's easy to rent
as
> >> many as a quarter million compromised machines if you want to and you
> have
> >> the cash.
> >>
> >> Too cheap or too poor to rent someone else's network of infected PCs?
>  No
> >> problem.  Tools exist to build new malware and they're easy to come by
> if
> >> you're willing to start looking in the right places.  All you have to
do
> is
> >> build your bot code and figure out a way to get it loaded on 5,000,
> 10,000,
> >> or more PCs.  After that, DDoS to your heart's content.  Script kiddies
> do
> >> this _all_ _the_ _time_.
> >>
> >> So, when under attack your choices are:
> >>
> >> *  Wait it out.
> >>
> >> *  Work with your vendor to figure out a way to block the attack in the
> first
> >> place.  (Valve, obviously, in this case.)
> >>
> >> *  Automate the process of identifying sources and filtering them out.
> >>
> >> *  Cry a lot.
> >>
> >> Generally, I settle for a combination of the first and second options.
>  If
> >> an attack gets bad enough, I work with my local ISP to implement the
> third.
> >> (My server is co-located in their datacenter and they're really good
> guys to
> >> w

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
I don't think either you or Neph have released your plugins to the public so
this solution works great for you guys. Maybe we can have some info or
direction from you so the general public can do something about this?

As long as they get away with this it's going to keep happening; if a plugin
was available to stop this it is no longer "fun" or productive to DoS servers
anymore.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Tony Paloma
Sent: Saturday, September 05, 2009 4:52 PM
To: 'Half-Life dedicated Win32 server mailing list'
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

I wrote a plugin to do something similar for my own servers.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Nephyrin Zey
Sent: Saturday, September 05, 2009 2:44 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

On 09/05/2009 02:28 PM, Shizzle Nizzle wrote:
> can you explain how you went about fixing this nephyrin or provide more
> details?
>

Daemon responds to queries using information retrieved from the server 
~once/second. iptables captures incoming server queries and redirects 
them to daemon, daemon responds using real server's IP/port to avoid 
confusing requester.

Right now I have one daemon per server, each looks like it's getting 
exactly 3000 queries/second, none of them have broken 1% CPU or 336 KB RAM

- Neph

___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds





Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
It would have to be all Linux boxes or really old Windows systems. You can't
get raw sockets to do something like this on any modern Windows (XP and up)
system. Since every query comes from one IP and never repeats itself I think
it's highly unlikely to be a DDoS attack.


-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of
jps.sgtr...@gmail.com
Sent: Saturday, September 05, 2009 2:51 PM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

This... actually isn't a bad idea.  It's a pain to implement, though, for a
couple of reasons.

First, the assumption by most on this thread is that it's a single guy
operating from a single (or just a handful) of computers.  They further
assume that he's forging the source IP addresses so the requests look like
they're coming from many many different machines.  If this is true, there's
no way to trace or block him based upon the information included in the
packets he's creating.  I think this assumption is wrong, as I'll explain
below.

Second, if this assumption is incorrect you need to find a way to identify
each and every source and block them one at a time.  Netblocks are at best a
crude measure which risks blocking many legitimate clients.  Such a process
needs to be automated as much as possible or it's not effective.

Now, why do I think that this is probably not coming from just a handful of
sources?  Simple.  DDoS stands for Distributed Denial of Service, after
all.  Botnets are reaching incredible proportions.  It's easy to rent as
many as a quarter million compromised machines if you want to and you have
the cash.

Too cheap or too poor to rent someone else's network of infected PCs?  No
problem.  Tools exist to build new malware and they're easy to come by if
you're willing to start looking in the right places.  All you have to do is
build your bot code and figure out a way to get it loaded on 5,000, 10,000,
or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
this _all_ _the_ _time_.

So, when under attack your choices are:

*  Wait it out.

*  Work with your vendor to figure out a way to block the attack in the first
place.  (Valve, obviously, in this case.)

*  Automate the process of identifying sources and filtering them out.

*  Cry a lot.

Generally, I settle for a combination of the first and second options.  If
an attack gets bad enough, I work with my local ISP to implement the third.
(My server is co-located in their datacenter and they're really good guys to
work with.)  Generally, some combination of tcpwrapper, netfilter, and
iptables will do the job on my Linux server.  Sometimes we find it easier to
just block it at one of their routers so they don't have to deal with the
traffic on their network.

Every now and again, I find myself following the fourth option until I
figure out what's going on and fall back on some combination of the first
three options.  :-)

HTH.

=JpS=SgtRock


> Date: Sat, 5 Sep 2009 11:33:44 -0700
> From: Kyle Sanderson 
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> To: Half-Life dedicated Win32 server mailing list
>
> Message-ID:
>
> Content-Type: text/plain; charset=UTF-8
>
> If you guys have root access, why are you not using netstat to grab his IP
> and table him? I've done this in the past and it's worked out pretty well
> for me.
>
> Kyle.
>
> On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins wrote:
>
> > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > that packets that leave your network originate from IPs that are not even on
> > your network. Maybe we need to track down the ISP and go after him..
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio
> Beretta
> > Sent: Saturday, September 05, 2009 12:57 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > Or someone willing to take down a server.. and taking down other
> > random ones just to avoid giving away his intentions.
> > When did this attack start on your server? On mine it started at 4PM
> > CEST (2PM UTC)
> >
> > BTW, this guy must be using spoofed addresses, since I'm being hit by
> > approx 8 AS2_INFO requests every 5 minutes from unique IP
> > addresses.
> >
> >
> > On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins
> > wrote:
> > > Same here he's hitting one of my servers also... I'm up for painting
the
> > > walls red with this guy when I find him... My guess is some new
> > > 

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
Would you be so kind as to help us out Tony? :)  Like you have in the past
with your other DoS protection fixes.

On Sat, Sep 5, 2009 at 4:52 PM, Tony Paloma  wrote:

> I wrote a plugin to do something similar for my own servers.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Nephyrin Zey
> Sent: Saturday, September 05, 2009 2:44 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>
> On 09/05/2009 02:28 PM, Shizzle Nizzle wrote:
> > can you explain how you went about fixing this nephyrin or provide more
> > details?
> >
>
> Daemon responds to queries using information retrieved from the server
> ~once/second. iptables captures incoming server queries and redirects
> them to daemon, daemon responds using real server's IP/port to avoid
> confusing requester.
>
> Right now I have one daemon per server, each looks like it's getting
> exactly 3000 queries/second, none of them have broken 1% CPU or 336 KB RAM
>
> - Neph
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
Oh wait, iptables.. isn't this for Linux? Either way I didn't understand much
of that :|

On Sat, Sep 5, 2009 at 4:43 PM, Nephyrin Zey  wrote:

> On 09/05/2009 02:28 PM, Shizzle Nizzle wrote:
> > can you explain how you went about fixing this nephyrin or provide more
> > details?
> >
>
> Daemon responds to queries using information retrieved from the server
> ~once/second. iptables captures incoming server queries and redirects
> them to daemon, daemon responds using real server's IP/port to avoid
> confusing requester.
>
> Right now I have one daemon per server, each looks like it's getting
> exactly 3000 queries/second, none of them have broken 1% CPU or 336 KB RAM
>
> - Neph
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Tony Paloma
I wrote a plugin to do something similar for my own servers.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Nephyrin Zey
Sent: Saturday, September 05, 2009 2:44 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

On 09/05/2009 02:28 PM, Shizzle Nizzle wrote:
> can you explain how you went about fixing this nephyrin or provide more
> details?
>

Daemon responds to queries using information retrieved from the server 
~once/second. iptables captures incoming server queries and redirects 
them to daemon, daemon responds using real server's IP/port to avoid 
confusing requester.

Right now I have one daemon per server, each looks like it's getting 
exactly 3000 queries/second, none of them have broken 1% CPU or 336 KB RAM

- Neph



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Saul Rennison
I didn't mention "Doesn't" in my reply? :D

Thanks,
- Saul.


2009/9/5 Nephyrin Zey 

> On 09/05/2009 02:36 PM, Saul Rennison wrote:
> > This is why A2S_INFO requires a challenge :|
> >
> > Thanks,
> > - Saul.
> >
>
> Doesn't*
>
> Should*
>
> - Neph
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Nephyrin Zey
On 09/05/2009 02:28 PM, Shizzle Nizzle wrote:
> can you explain how you went about fixing this nephyrin or provide more
> details?
>

Daemon responds to queries using information retrieved from the server 
~once/second. iptables captures incoming server queries and redirects 
them to daemon, daemon responds using real server's IP/port to avoid 
confusing requester.

Right now I have one daemon per server, each looks like it's getting 
exactly 3000 queries/second, none of them have broken 1% CPU or 336 KB RAM

- Neph


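The cache-and-answer design Neph describes in the message above, written out as an added example in Python. This is not Neph's daemon, Tony's plugin or any code posted in the thread; only the wire framing is taken from the public Source query protocol (the 25-byte `T` A2S_INFO request and the `I` S2A_INFO reply). The listen port 27915, the one-second refresh interval, the loopback address of the real server and the iptables rule quoted after the block are assumptions for illustration.

```python
"""Added example: an A2S_INFO query cache in front of a Source server.

Protocol logic lives in A2SInfoCache so it can be exercised without sockets;
serve() is the thin UDP loop around it.
"""
import select
import socket
import time

A2S_HEADER = b"\xFF\xFF\xFF\xFF"
A2S_INFO = A2S_HEADER + b"TSource Engine Query\x00"   # the 25-byte "T" request
S2A_INFO = A2S_HEADER + b"I"                           # prefix of the "I" reply


class A2SInfoCache:
    def __init__(self, refresh_interval=1.0):
        self.refresh_interval = refresh_interval
        self.reply = None                   # last S2A_INFO datagram from the real server
        self.last_forward = float("-inf")   # when we last queried the real server
        self.stats = {"served": 0, "forwarded": 0, "dropped": 0, "ignored": 0}

    def on_client(self, data, now):
        """One inbound datagram -> (bytes to send back to the client or None,
        bytes to send on to the real server or None)."""
        if not data.startswith(A2S_INFO):
            # Only the info query is cached; the redirect rule is expected to
            # send nothing else here, so anything else is simply ignored.
            self.stats["ignored"] += 1
            return None, None
        forward = None
        if now - self.last_forward >= self.refresh_interval:
            # Refresh from the real server at most once per interval, however
            # many queries arrive: srcds never sees the flood, only this trickle.
            self.last_forward = now
            forward = data
            self.stats["forwarded"] += 1
        if self.reply is None:
            # Cold cache: nothing to answer with yet. The client's own retry
            # will be served once the real server has answered our refresh.
            self.stats["dropped"] += 1
            return None, forward
        self.stats["served"] += 1
        return self.reply, forward

    def on_server(self, data):
        """Store a reply from the real server. Returns True if it was an info reply."""
        if data.startswith(S2A_INFO):
            self.reply = data
            return True
        return False


def serve(listen=("0.0.0.0", 27915), server=("127.0.0.1", 27015), interval=1.0):
    """Answer redirected queries from cache; query the real server once per interval.
    Assumed addresses: 27915 is where iptables REDIRECTs the queries, 27015 is srcds."""
    cache = A2SInfoCache(interval)
    client_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client_sock.bind(listen)
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server_sock.connect(server)
    while True:
        ready, _, _ = select.select([client_sock, server_sock], [], [])
        now = time.monotonic()
        for sock in ready:
            if sock is server_sock:
                cache.on_server(sock.recv(4096))
                continue
            data, peer = sock.recvfrom(4096)
            reply, forward = cache.on_client(data, now)
            if forward is not None:
                server_sock.send(forward)
            if reply is not None:
                client_sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The redirect Neph mentions can be a nat-table rule along the lines of `iptables -t nat -A PREROUTING -p udp --dport 27015 -m string --string "TSource Engine Query" --algo bm -j REDIRECT --to-ports 27915` (an assumed rule; adjust the ports). Two properties of REDIRECT do the rest: conntrack rewrites the daemon's replies so the querier sees them come from port 27015, which is the "real server's IP/port" behaviour without raw sockets, and the daemon's own upstream query is not redirected because it is locally generated and never traverses PREROUTING. The caveat is that every spoofed source address creates its own conntrack entry, so under a 3000 queries/second flood the nf_conntrack_max limit and the UDP conntrack timeout need checking, or the table fills and legitimate new flows are dropped.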

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Nephyrin Zey
On 09/05/2009 02:36 PM, Saul Rennison wrote:
> This is why A2S_INFO requires a challenge :|
>
> Thanks,
> - Saul.
>

Doesn't*

Should*

- Neph


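What the "should require a challenge" exchange above amounts to, as an added example in Python that is not part of the thread and not Valve's code: the bare query is answered only with a 9-byte `A` (S2C_CHALLENGE) datagram carrying a 4-byte challenge, the same shape A2S_PLAYER and A2S_RULES already use, and the full info reply goes out only when the query comes back with that challenge appended. A spoofed source never receives the challenge, so it never gets the expensive reply. The stateless HMAC-derived challenge (SYN-cookie style), the 30-second time slot, the secret and the peer addresses are my design choices and constructed values.

```python
"""Added example: gating A2S_INFO behind a challenge, server and client side."""
import hashlib
import hmac
import os
import socket
import struct

A2S_HEADER = b"\xFF\xFF\xFF\xFF"
A2S_INFO = A2S_HEADER + b"TSource Engine Query\x00"
S2C_CHALLENGE = A2S_HEADER + b"A"      # reply type A2S_PLAYER/A2S_RULES already use
INFO_REPLY = A2S_HEADER + b"I\x11constructed demo reply\x00"   # stand-in S2A_INFO


class ChallengeGate:
    """Server side. challenge = HMAC(secret, src ip, src port, time slot)[:4], so the
    server keeps no per-source state and a spoofed flood costs one HMAC and a 9-byte
    reply per packet instead of a full info reply."""

    def __init__(self, secret=None, slot_seconds=30):
        self.secret = secret if secret is not None else os.urandom(32)
        self.slot_seconds = slot_seconds

    def challenge_for(self, peer, slot):
        ip, port = peer
        msg = socket.inet_aton(ip) + struct.pack("!HQ", port, slot)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def handle(self, data, peer, now, build_info_reply):
        """Return the datagram to send back to peer, or None to drop the packet."""
        if not data.startswith(A2S_INFO):
            return None                         # not an info query; out of scope here
        slot = int(now // self.slot_seconds)
        token = data[len(A2S_INFO):]
        # Accept the current slot and the previous one so a client that got its
        # challenge just before a slot boundary is not bounced a second time.
        if len(token) == 4 and any(
            hmac.compare_digest(token, self.challenge_for(peer, s)) for s in (slot, slot - 1)
        ):
            return build_info_reply()           # peer proved it receives at that address
        return S2C_CHALLENGE + self.challenge_for(peer, slot)


def client_query(send):
    """Client side: send the plain query; if the answer is a challenge, repeat the
    query with the 4 challenge bytes appended and return whatever comes back."""
    reply = send(A2S_INFO)
    if reply is not None and reply.startswith(S2C_CHALLENGE) and len(reply) == 9:
        reply = send(A2S_INFO + reply[5:9])
    return reply


def demo():
    """In-memory exchange: one honest client completes the handshake, one sender
    spoofing an address it cannot receive at gets nothing but challenges."""
    gate = ChallengeGate(secret=b"constructed-demo-secret")
    honest = ("203.0.113.7", 27005)            # constructed, documentation range
    got = client_query(lambda data: gate.handle(data, honest, 1000.0, lambda: INFO_REPLY))
    spoofed = gate.handle(A2S_INFO, ("198.51.100.9", 40000), 1000.0, lambda: INFO_REPLY)
    return got, spoofed


if __name__ == "__main__":
    got, spoofed = demo()
    print("honest client got info reply:", got == INFO_REPLY)
    print("spoofed source got", len(spoofed), "byte challenge only")
```

The 25-byte request draws a 9-byte challenge, so there is no amplification and no per-client state to exhaust; the remaining per-packet cost is one HMAC, which is what to measure under load. The catch, and the reason this was a wish rather than a fix in the thread, is that it changes the wire protocol: every querying client and server browser has to implement the retry, so only the vendor can roll it out.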

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Saul Rennison
This is why A2S_INFO requires a challenge :|

Thanks,
- Saul.


2009/9/5 Matt Stanton 

> If these attacks are coming from ips that are outside of the range of
> your standard users' network range, then it's possible you could filter
> out requests from unallocated ip blocks and ip blocks from areas of the
> internet that are generally too far away to have decent latency on your
> server.  Unfortunately, this would mean building a database of ip blocks
> that are allocated to networks that are within a reasonable distance of
> your server's network and checking every A2S_INFO packet that comes in
> against this database, which would likely eat a decent amount of CPU.
>
> Nephyrin Zey wrote:
> > The bandwidth involved in this attack is tiny. The issue is srcds chokes
> > on large numbers of A2S_INFO packets, it's not the traffic that's doing
> > machines in. I'd reckon a single residential connection could take down
> > a server this way. Once you fix the srcds issue, the problem stops. I
> > have a daemon that intercepts server queries and handles them itself.
> > It's currently handling this attacker hammering on two servers without
> > breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
> > and my tf2 servers continue to run just fine.
> >
> > And if you actually examine the attack, it's very obviously a single
> > source with spoofed IPs. I rather doubt someone has a million-strong
> > botnet containing nearly 30% unallocated IP ranges, that all happen to
> > have the same exact path length.
> >
> > - Neph
> >
> > On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> >
> >> This... actually isn't a bad idea.  It's a pain to implement, though, for a
> >> couple of reasons.
> >>
> >> First, the assumption by most on this thread is that it's a single guy
> >> operating from a single (or just a handful) of computers.  They further
> >> assume that he's forging the source IP addresses so the requests look like
> >> they're coming from many many different machines.  If this is true, there's
> >> no way to trace or block him based upon the information included in the
> >> packets he's creating.  I think this assumption is wrong, as I'll explain
> >> below.
> >>
> >> Second, if this assumption is incorrect you need to find a way to identify
> >> each and every source and block them one at a time.  Netblocks are at best a
> >> crude measure which risks blocking many legitimate clients.  Such a process
> >> needs to be automated as much as possible or it's not effective.
> >>
> >> Now, why do I think that this is probably not coming from just a handful of
> >> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> >> all.  Botnets are reaching incredible proportions.  It's easy to rent as
> >> many as a quarter million compromised machines if you want to and you have
> >> the cash.
> >>
> >> Too cheap or too poor to rent someone else's network of infected PCs?  No
> >> problem.  Tools exist to build new malware and they're easy to come by if
> >> you're willing to start looking in the right places.  All you have to do is
> >> build your bot code and figure out a way to get it loaded on 5,000, 10,000,
> >> or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
> >> this _all_ _the_ _time_.
> >>
> >> So, when under attack your choices are:
> >>
> >> *  Wait it out.
> >>
> >> *  Work with your vendor to figure out a way to block the attack in the first
> >> place.  (Valve, obviously, in this case.)
> >>
> >> *  Automate the process of identifying sources and filtering them out.
> >>
> >> *  Cry a lot.
> >>
> >> Generally, I settle for a combination of the first and second options.  If
> >> an attack gets bad enough, I work with my local ISP to implement the third.
> >> (My server is co-located in their datacenter and they're really good guys to
> >> work with.)  Generally, some combination of tcpwrapper, netfilter, and
> >> iptables will do the job on my Linux server.  Sometimes we find it easier to
> >> just block it at one of their routers so they don't have to deal with the
> >> traffic on their network.
> >>
> >> Every now and again, I find myself following the fourth option until I
> >> figure out what's going on and fall back on some combination of the first
> >> three options.  :-)
> >>
> >> HTH.
> >>
> >> =JpS=SgtRock
> >>
> >>
___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Matt Stanton
If these attacks are coming from ips that are outside of the range of 
your standard users' network range, then it's possible you could filter 
out requests from unallocated ip blocks and ip blocks from areas of the 
internet that are generally too far away to have decent latency on your 
server.  Unfortunately, this would mean building a database of ip blocks 
that are allocated to networks that are within a reasonable distance of 
your server's network and checking every A2S_INFO packet that comes in 
against this database, which would likely eat a decent amount of CPU.

Nephyrin Zey wrote:
> The bandwidth involved in this attack is tiny. The issue is srcds chokes 
> on large numbers of A2S_INFO packets, it's not the traffic that's doing 
> machines in. I'd reckon a single residential connection could take down 
> a server this way. Once you fix the srcds issue, the problem stops. I 
> have a daemon that intercepts server queries and handles them itself. 
> It's currently handling this attacker hammering on two servers without 
> breaking 1% CPU or making a single-pixel dent in my bandwidth graphs, 
> and my tf2 servers continue to run just fine.
>
> And if you actually examine the attack, it's very obviously a single 
> source with spoofed IPs. I rather doubt someone has a million-strong 
> botnet containing nearly 30% unallocated IP ranges, that all happen to 
> have the same exact path length.
>
> - Neph
>
> On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
>   
>> This... actually isn't a bad idea.  It's a pain to implement, though, for a
>> couple of reasons.
>>
>> First, the assumption by most on this thread is that it's a single guy
>> operating from a single (or just a handful) of computers.  They further
>> assume that he's forging the source IP addresses so the requests look like
>> they're coming from many many different machines.  If this is true, there's
>> no way to trace or block him based upon the information included in the
>> packets he's creating.  I think this assumption is wrong, as I'll explain
>> below.
>>
>> Second, if this assumption is incorrect you need to find a way to identify
>> each and every source and block them one at a time.  Netblocks are at best a
>> crude measure which risks blocking many legitimate clients.  Such a process
>> needs to be automated as much as possible or it's not effective.
>>
>> Now, why do I think that this is probably not coming from just a handful of
>> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
>> all.  Botnets are reaching incredible proportions.  It's easy to rent as
>> many as a quarter million compromised machines if you want to and you have
>> the cash.
>>
>> Too cheap or too poor to rent someone else's network of infected PCs?  No
>> problem.  Tools exist to build new malware and they're easy to come by if
>> you're willing to start looking in the right places.  All you have to do is
>> build your bot code and figure out a way to get it loaded on 5,000, 10,000,
>> or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
>> this _all_ _the_ _time_.
>>
>> So, when under attack your choices are:
>>
>> *  Wait it out.
>>
>> *  Work with your vendor to figure out a way to block the attack in the first
>> place.  (Valve, obviously, in this case.)
>>
>> *  Automate the process of identifying sources and filtering them out.
>>
>> *  Cry a lot.
>>
>> Generally, I settle for a combination of the first and second options.  If
>> an attack gets bad enough, I work with my local ISP to implement the third.
>> (My server is co-located in their datacenter and they're really good guys to
>> work with.)  Generally, some combination of tcpwrapper, netfilter, and
>> iptables will do the job on my Linux server.  Sometimes we find it easier to
>> just block it at one of their routers so they don't have to deal with the
>> traffic on their network.
>>
>> Every now and again, I find myself following the fourth option until I
>> figure out what's going on and fall back on some combination of the first
>> three options.  :-)
>>
>> HTH.
>>
>> =JpS=SgtRock
>>
>> 


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shizzle Nizzle
can you explain how you went about fixing this nephyrin or provide more
details?

On Sat, Sep 5, 2009 at 4:20 PM, Nephyrin Zey  wrote:

> The bandwidth involved in this attack is tiny. The issue is srcds chokes
> on large numbers of A2S_INFO packets, it's not the traffic that's doing
> machines in. I'd reckon a single residential connection could take down
> a server this way. Once you fix the srcds issue, the problem stops. I
> have a daemon that intercepts server queries and handles them itself.
> It's currently handling this attacker hammering on two servers without
> breaking 1% CPU or making a single-pixel dent in my bandwidth graphs,
> and my tf2 servers continue to run just fine.
>
> And if you actually examine the attack, it's very obviously a single
> source with spoofed IPs. I rather doubt someone has a million-strong
> botnet containing nearly 30% unallocated IP ranges, that all happen to
> have the same exact path length.
>
> - Neph
>
> On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> > This... actually isn't a bad idea.  It's a pain to implement, though, for a
> > couple of reasons.
> >
> > First, the assumption by most on this thread is that it's a single guy
> > operating from a single (or just a handful) of computers.  They further
> > assume that he's forging the source IP addresses so the requests look like
> > they're coming from many many different machines.  If this is true, there's
> > no way to trace or block him based upon the information included in the
> > packets he's creating.  I think this assumption is wrong, as I'll explain
> > below.
> >
> > Second, if this assumption is incorrect you need to find a way to identify
> > each and every source and block them one at a time.  Netblocks are at best a
> > crude measure which risks blocking many legitimate clients.  Such a process
> > needs to be automated as much as possible or it's not effective.
> >
> > Now, why do I think that this is probably not coming from just a handful of
> > sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> > all.  Botnets are reaching incredible proportions.  It's easy to rent as
> > many as a quarter million compromised machines if you want to and you have
> > the cash.
> >
> > Too cheap or too poor to rent someone else's network of infected PCs?  No
> > problem.  Tools exist to build new malware and they're easy to come by if
> > you're willing to start looking in the right places.  All you have to do is
> > build your bot code and figure out a way to get it loaded on 5,000, 10,000,
> > or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
> > this _all_ _the_ _time_.
> >
> > So, when under attack your choices are:
> >
> > *  Wait it out.
> >
> > *  Work with your vendor to figure out a way to block the attack in the first
> > place.  (Valve, obviously, in this case.)
> >
> > *  Automate the process of identifying sources and filtering them out.
> >
> > *  Cry a lot.
> >
> > Generally, I settle for a combination of the first and second options.  If
> > an attack gets bad enough, I work with my local ISP to implement the third.
> > (My server is co-located in their datacenter and they're really good guys to
> > work with.)  Generally, some combination of tcpwrapper, netfilter, and
> > iptables will do the job on my Linux server.  Sometimes we find it easier to
> > just block it at one of their routers so they don't have to deal with the
> > traffic on their network.
> >
> > Every now and again, I find myself following the fourth option until I
> > figure out what's going on and fall back on some combination of the first
> > three options.  :-)
> >
> > HTH.
> >
> > =JpS=SgtRock
> >


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Nephyrin Zey
The bandwidth involved in this attack is tiny. The issue is srcds chokes 
on large numbers of A2S_INFO packets, it's not the traffic that's doing 
machines in. I'd reckon a single residential connection could take down 
a server this way. Once you fix the srcds issue, the problem stops. I 
have a daemon that intercepts server queries and handles them itself. 
It's currently handling this attacker hammering on two servers without 
breaking 1% CPU or making a single-pixel dent in my bandwidth graphs, 
and my tf2 servers continue to run just fine.

And if you actually examine the attack, it's very obviously a single 
source with spoofed IPs. I rather doubt someone has a million-strong 
botnet containing nearly 30% unallocated IP ranges, that all happen to 
have the same exact path length.

- Neph

On 09/05/2009 12:50 PM, jps.sgtr...@gmail.com wrote:
> This... actually isn't a bad idea.  It's a pain to implement, though, for a
> couple of reasons.
>
> First, the assumption by most on this thread is that it's a single guy
> operating from a single (or just a handful) of computers.  They further
> assume that he's forging the source IP addresses so the requests look like
> they're coming from many many different machines.  If this is true, there's
> no way to trace or block him based upon the information included in the
> packets he's creating.  I think this assumption is wrong, as I'll explain
> below.
>
> Second, if this assumption is incorrect you need to find a way to identify
> each and every source and block them one at a time.  Netblocks are at best a
> crude measure which risks blocking many legitimate clients.  Such a process
> needs to be automated as much as possible or it's not effective.
>
> Now, why do I think that this is probably not coming from just a handful of
> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> all.  Botnets are reaching incredible proportions.  It's easy to rent as
> many as a quarter million compromised machines if you want to and you have
> the cash.
>
> Too cheap or too poor to rent someone else's network of infected PCs?  No
> problem.  Tools exist to build new malware and they're easy to come by if
> you're willing to start looking in the right places.  All you have to do is
> build your bot code and figure out a way to get it loaded on 5,000, 10,000,
> or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
> this _all_ _the_ _time_.
>
> So, when under attack your choices are:
>
> *  Wait it out.
>
> *  Work with your vendor to figure out a way to block the attack in the first
> place.  (Valve, obviously, in this case.)
>
> *  Automate the process of identifying sources and filtering them out.
>
> *  Cry a lot.
>
> Generally, I settle for a combination of the first and second options.  If
> an attack gets bad enough, I work with my local ISP to implement the third.
> (My server is co-located in their datacenter and they're really good guys to
> work with.)  Generally, some combination of tcpwrapper, netfilter, and
> iptables will do the job on my Linux server.  Sometimes we find it easier to
> just block it at one of their routers so they don't have to deal with the
> traffic on their network.
>
> Every now and again, I find myself following the fourth option until I
> figure out what's going on and fall back on some combination of the first
> three options.  :-)
>
> HTH.
>
> =JpS=SgtRock
>

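A sketch of the two mitigations discussed above: Nephyrin's daemon that intercepts server queries and answers them itself, and Matt Stanton's idea of refusing requests whose source address cannot be legitimate. This is an added example, not Nephyrin's daemon, Claudio's tool or any other code from the thread; the UDP socket layer is left out so the decision logic can be exercised offline against a constructed burst of spoofed-source requests. The A2S_INFO framing (FF FF FF FF 'T' "Source Engine Query\0" for the 25-byte request, the 'I' reply fields) is the Source query protocol as it stood in 2009; the BOGONS list, the hypothetical TF2 server in the sample reply, the ttl value and the source addresses in the burst are assumptions made for this example.

```python
import ipaddress
import struct
from collections import Counter

# Source query protocol framing. A2S_INFO ("T") requests are exactly these
# 25 bytes; the server answers with an "I" reply carrying the fields below.
A2S_HEADER = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = A2S_HEADER + b"TSource Engine Query\x00"
A2S_INFO_REPLY_ID = ord("I")

# Constructed bogon list (reserved/private space that can never be a
# legitimate query source). Assumption for this example, not from the thread.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_a2s_info_request(data: bytes) -> bool:
    """Exact match: anything else (A2S_PLAYER, game traffic) is not cached."""
    return data == A2S_INFO_REQUEST


def is_bogon(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in BOGONS)


def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("utf-8", "replace"), end + 1


def parse_a2s_info_reply(data: bytes) -> dict:
    """Parse the leading fields of an A2S_INFO 'I' reply; raises on junk."""
    if len(data) < 6 or not data.startswith(A2S_HEADER) or data[4] != A2S_INFO_REPLY_ID:
        raise ValueError("not an A2S_INFO reply")
    off = 6  # header (4), 'I' (1), protocol version (1)
    name, off = _cstring(data, off)
    game_map, off = _cstring(data, off)
    folder, off = _cstring(data, off)
    game, off = _cstring(data, off)
    app_id, players, max_players, bots = struct.unpack_from("<HBBB", data, off)
    return {"name": name, "map": game_map, "folder": folder, "game": game,
            "app_id": app_id, "players": players, "max_players": max_players,
            "bots": bots}


class QueryCache:
    """Decide, per inbound datagram, what a query-cache proxy sitting in
    front of srcds should do: pass it through, answer from cache, or drop."""

    def __init__(self, ttl: float = 5.0):
        self.ttl = ttl
        self.reply = None                      # last validated 'I' reply from srcds
        self.fetched_at = float("-inf")        # when that reply arrived
        self.refresh_sent_at = float("-inf")   # when a T was last forwarded

    def on_request(self, src_ip: str, data: bytes, now: float) -> str:
        if not is_a2s_info_request(data):
            return "forward"                   # not an info query; srcds handles it
        if is_bogon(src_ip):
            return "drop_bogon"                # spoofed from reserved space
        if self.reply is not None and now - self.fetched_at < self.ttl:
            return "reply_from_cache"
        # Cache empty or stale: let one request per ttl reach srcds so the
        # cache refreshes; everyone else gets the stale copy or nothing.
        if now - self.refresh_sent_at >= self.ttl:
            self.refresh_sent_at = now
            return "forward"
        return "reply_from_cache" if self.reply is not None else "drop"

    def on_reply(self, data: bytes, now: float) -> None:
        parse_a2s_info_reply(data)             # validate before caching
        self.reply, self.fetched_at = data, now


def build_sample_reply() -> bytes:
    """Constructed 'I' reply for a hypothetical TF2 server (not a capture)."""
    return (A2S_HEADER + b"I" + b"\x11"
            + b"Example TF2 Server\x00cp_dustbowl\x00tf\x00Team Fortress\x00"
            + struct.pack("<HBBB", 440, 12, 24, 0)    # app id 440 = TF2
            + b"dl\x00\x01" + b"1.0.0.0\x00")         # dedicated, linux, public, VAC


def simulate(ttl: float = 5.0) -> dict:
    """Replay a constructed burst of spoofed-source T requests through the
    cache and count what happens to each one."""
    cache, actions = QueryCache(ttl), Counter()
    # First request meets an empty cache and is forwarded; the nine that
    # land before srcds has answered have nothing to serve and are dropped.
    actions[cache.on_request("198.51.100.1", A2S_INFO_REQUEST, 0.0)] += 1
    for i in range(9):
        actions[cache.on_request(f"198.51.100.{i + 2}", A2S_INFO_REQUEST, 0.001 * (i + 1))] += 1
    cache.on_reply(build_sample_reply(), 0.05)
    # 500 requests from 254 distinct "sources" inside the ttl: all cache hits,
    # srcds never sees them.
    for i in range(500):
        actions[cache.on_request(f"198.51.100.{i % 254 + 1}", A2S_INFO_REQUEST, 0.1 + 0.001 * i)] += 1
    for ip in ("10.1.2.3", "127.0.0.1", "224.0.0.1"):
        actions[cache.on_request(ip, A2S_INFO_REQUEST, 1.0)] += 1
    actions[cache.on_request("198.51.100.7", A2S_HEADER + b"U\xff\xff\xff\xff", 1.0)] += 1
    # After the ttl one request refreshes the cache; the next gets the stale copy.
    actions[cache.on_request("198.51.100.8", A2S_INFO_REQUEST, 6.0)] += 1
    actions[cache.on_request("198.51.100.9", A2S_INFO_REQUEST, 6.01)] += 1
    return dict(actions)


if __name__ == "__main__":
    print(simulate())  # {'forward': 3, 'drop': 9, 'reply_from_cache': 501, 'drop_bogon': 3}
```

Wired to a UDP socket that owns the public port (with srcds moved to a private one, as the tools in this thread do), each inbound request costs the proxy one byte-string comparison plus a short CIDR scan, and srcds receives at most one A2S_INFO per ttl seconds however many arrive. Two deliberate choices: a stale reply is still served while a refresh is in flight, because an out-of-date player count is better for the server browser than silence; and only the exact 25-byte request is cached, so anything malformed falls through to srcds untouched. A full allocation database of the kind Matt describes would replace the small BOGONS scan with a prefix tree, which is where the CPU cost he anticipates would go.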


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Richard Eid
I have no idea if this is related to this thread or not, but it looks like
visitors of the Steampowered Forums have identified an individual that is
performing attacks similar to what people here are experiencing.  I figured
I'd pass along what seemed to be some relevant information:

http://forums.steampowered.com/forums/showthread.php?t=950413

-Richard Eid


On Sat, Sep 5, 2009 at 3:50 PM,  wrote:

> This... actually isn't a bad idea.  It's a pain to implement, though, for a
> couple of reasons.
>
> First, the assumption by most on this thread is that it's a single guy
> operating from a single (or just a handful) of computers.  They further
> assume that he's forging the source IP addresses so the requests look like
> they're coming from many many different machines.  If this is true, there's
> no way to trace or block him based upon the information included in the
> packets he's creating.  I think this assumption is wrong, as I'll explain
> below.
>
> Second, if this assumption is incorrect you need to find a way to identify
> each and every source and block them one at a time.  Netblocks are at best a
> crude measure which risks blocking many legitimate clients.  Such a process
> needs to be automated as much as possible or it's not effective.
>
> Now, why do I think that this is probably not coming from just a handful of
> sources?  Simple.  DDoS stands for Distributed Denial of Service, after
> all.  Botnets are reaching incredible proportions.  It's easy to rent as
> many as a quarter million compromised machines if you want to and you have
> the cash.
>
> Too cheap or too poor to rent someone else's network of infected PCs?  No
> problem.  Tools exist to build new malware and they're easy to come by if
> you're willing to start looking in the right places.  All you have to do is
> build your bot code and figure out a way to get it loaded on 5,000, 10,000,
> or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
> this _all_ _the_ _time_.
>
> So, when under attack your choices are:
>
> *  Wait it out.
>
> *  Work with your vendor to figure out a way to block the attack in the first
> place.  (Valve, obviously, in this case.)
>
> *  Automate the process of identifying sources and filtering them out.
>
> *  Cry a lot.
>
> Generally, I settle for a combination of the first and second options.  If
> an attack gets bad enough, I work with my local ISP to implement the third.
> (My server is co-located in their datacenter and they're really good guys to
> work with.)  Generally, some combination of tcpwrapper, netfilter, and
> iptables will do the job on my Linux server.  Sometimes we find it easier to
> just block it at one of their routers so they don't have to deal with the
> traffic on their network.
>
> Every now and again, I find myself following the fourth option until I
> figure out what's going on and fall back on some combination of the first
> three options.  :-)
>
> HTH.
>
> =JpS=SgtRock
>
>
> > Date: Sat, 5 Sep 2009 11:33:44 -0700
> > From: Kyle Sanderson 
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > To: Half-Life dedicated Win32 server mailing list
> >
> > Message-ID:
> >
> > Content-Type: text/plain; charset=UTF-8
> >
> > If you guys have root access, why are you not using netstat to grab his IP
> > and table him? I've done this in the past and it's worked out pretty well
> > for me.
> >
> > Kyle.
> >
> > On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins wrote:
> >
> > > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > > that packets that leave your network originate from IPs that are not even
> > > on your network. Maybe we need to track down the ISP and go after him..
> > >
> > > -Original Message-
> > > From: hlds-boun...@list.valvesoftware.com
> > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> > > Sent: Saturday, September 05, 2009 12:57 PM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > >
> > > Or someone willing to take down a server.. and taking down other
> > > random ones just to avoid giving away his intentions.
> > > When did this attack start on your server? On mine it started at 4PM
> > > CEST (2PM UTC)
> > >
> > > BTW, this guy must be using spoofed addresses, since I'

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread jps . sgtrock
This... actually isn't a bad idea.  It's a pain to implement, though, for a
couple of reasons.

First, the assumption by most on this thread is that it's a single guy
operating from a single (or just a handful) of computers.  They further
assume that he's forging the source IP addresses so the requests look like
they're coming from many many different machines.  If this is true, there's
no way to trace or block him based upon the information included in the
packets he's creating.  I think this assumption is wrong, as I'll explain
below.

Second, if this assumption is incorrect you need to find a way to identify
each and every source and block them one at a time.  Netblocks are at best a
crude measure which risks blocking many legitimate clients.  Such a process
needs to be automated as much as possible or it's not effective.

Now, why do I think that this is probably not coming from just a handful of
sources?  Simple.  DDoS stands for Distributed Denial of Service, after
all.  Botnets are reaching incredible proportions.  It's easy to rent as
many as a quarter million compromised machines if you want to and you have
the cash.

Too cheap or too poor to rent someone else's network of infected PCs?  No
problem.  Tools exist to build new malware and they're easy to come by if
you're willing to start looking in the right places.  All you have to do is
build your bot code and figure out a way to get it loaded on 5,000, 10,000,
or more PCs.  After that, DDoS to your heart's content.  Script kiddies do
this _all_ _the_ _time_.

So, when under attack your choices are:

*  Wait it out.

*  Work with your vendor to figure out a way to block the attack in the first
place.  (Valve, obviously, in this case.)

*  Automate the process of identifying sources and filtering them out.

*  Cry a lot.

Generally, I settle for a combination of the first and second options.  If
an attack gets bad enough, I work with my local ISP to implement the third.
(My server is co-located in their datacenter and they're really good guys to
work with.)  Generally, some combination of tcpwrapper, netfilter, and
iptables will do the job on my Linux server.  Sometimes we find it easier to
just block it at one of their routers so they don't have to deal with the
traffic on their network.

Every now and again, I find myself following the fourth option until I
figure out what's going on and fall back on some combination of the first
three options.  :-)

HTH.

=JpS=SgtRock


> Date: Sat, 5 Sep 2009 11:33:44 -0700
> From: Kyle Sanderson 
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> To: Half-Life dedicated Win32 server mailing list
>
> Message-ID:
>
> Content-Type: text/plain; charset=UTF-8
>
> If you guys have root access, why are you not using netstat to grab his IP
> and table him? I've done this in the past and it's worked out pretty well
> for me.
>
> Kyle.
>
> On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins wrote:
>
> > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > that packets that leave your network originate from IPs that are not even on
> > your network. Maybe we need to track down the ISP and go after him..
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> > Sent: Saturday, September 05, 2009 12:57 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >
> > Or someone willing to take down a server.. and taking down other
> > random ones just to avoid giving away his intentions.
> > When did this attack start on your server? On mine it started at 4PM
> > CEST (2PM UTC)
> >
> > BTW, this guy must be using spoofed addresses, since I'm being hit by
> > approx 8 AS2_INFO requests every 5 minutes from unique IP
> > addresses.
> >
> >
> > On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins
> > wrote:
> > > Same here he's hitting one of my servers also... I'm up for painting the
> > > walls red with this guy when I find him... My guess is some new
> > > inexperienced server admin looking to take down the popular servers so he
> > > can get people into his server... He'll make some good red paint!
> > >
> > >
> > > -Original Message-
> > > From: hlds-boun...@list.valvesoftware.com
> > > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
> > > Sent: Saturday, September 05, 2009 11:30 AM
> > > To: Half-Life dedicated Win32 server mailing list
> > > Subject: Re: [h

Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Ketil A

My group's webserver is back up as well as all the gameservers not on port 27015. 
Changed to port 27016 as a temporary fix.
Hope the attacker gets tired soon; almost impossible to get all the regulars to 
update their favs with the new port.

> From: kenny.logg...@clanao.com
> To: hlds@list.valvesoftware.com
> Date: Sat, 5 Sep 2009 13:47:44 -0500
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> 
> It's more like this guy is breaking the law and if it's across state lines I
> believe this could be a felony but I'm not sure. I would hope that most ISP
> would be willing to help out.
> 
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shane Arnold
> Sent: Saturday, September 05, 2009 1:46 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> 
> How many packets, let alone routed IPs, do you think pass through even 
> just one router on an ISP backbone. 80k packets in 5 minutes is so 
> ridiculously small it wouldn't even warrant a raised eyebrow.
> 
> Best thing to do with DDoS'ers is wait till they get bored and move on.
> 
> Kenny Loggins wrote:
> > This guy's ISP has to know damn well what he's doing. It's not hard to see
> > that packets that leave your network originate from IPs that are not even on
> > your network. Maybe we need to track down the ISP and go after him..
> > 
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> > Sent: Saturday, September 05, 2009 12:57 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> > 
> > Or someone willing to take down a server.. and taking down other
> > random ones just to avoid giving away his intentions.
> > When did this attack start on your server? On mine it started at 4PM
> > CEST (2PM UTC)
> > 
> > BTW, this guy must be using spoofed addresses, since I'm being hit by
> > approx 8 AS2_INFO requests every 5 minutes from unique IP
> > addresses.
> > 
> > 
> > On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins
> > wrote:
> >> Same here he's hitting one of my servers also... I'm up for painting the
> >> walls red with this guy when I find him... My guess is some new
> >> inexperienced server admin looking to take down the popular servers so he
> >> can get people into his server... He'll make some good red paint!
> >>
> >>
> >> -Original Message-
> >> From: hlds-boun...@list.valvesoftware.com
> >> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
> >> Sent: Saturday, September 05, 2009 11:30 AM
> >> To: Half-Life dedicated Win32 server mailing list
> >> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> >>
> >> My server is also under this type of attack.. So Valve hasn't fixed it ..
> >> Or it is some new exploit. sv_max_queries_sec_global 1 doesn't help. Server's
> >> fps is still dropping and it's lagging like hell :(
> >>
> >> On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison
> >> wrote:
> >>
> >>> sv_max_queries_sec_global 1?
> >>>
> >>> Will make your server appear unresponsive to the Server Browser while
> >> being
> >>> DDoS'd but saves the lag.
> >>>
> >>> Thanks,
> >>> - Saul.
> >>>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
It's more like this guy is breaking the law and if it's across state lines I
believe this could be a felony but I'm not sure. I would hope that most ISPs
would be willing to help out.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Shane Arnold
Sent: Saturday, September 05, 2009 1:46 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

How many packets, let alone routed IPs, do you think pass through even 
just one router on an ISP backbone. 80k packets in 5 minutes is so 
ridiculously small it wouldn't even warrant a raised eyebrow.

Best thing to do with DDoS'ers is wait till they get bored and move on.

Kenny Loggins wrote:
> This guy's ISP has to know damn well what he's doing. It's not hard to see
> that packets that leave your network originate from IPs that are not even on
> your network. Maybe we need to track down the ISP and go after him..
> 
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> Sent: Saturday, September 05, 2009 12:57 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
> 
> Or someone willing to take down a server.. and taking down other
> random ones just to avoid giving away his intentions.
> When did this attack start on your server? On mine it started at 4PM
> CEST (2PM UTC)
> 
> BTW, this guy must be using spoofed addresses, since I'm being hit by
> approx 8 AS2_INFO requests every 5 minutes from unique IP
> addresses.
> 
> 
> On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins
> wrote:
>> Same here he's hitting one of my servers also... I'm up for painting the
>> walls red with this guy when I find him... My guess is some new
>> inexperienced server admin looking to take down the popular servers so he
>> can get people into his server... He'll make some good red paint!
>>
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
>> Sent: Saturday, September 05, 2009 11:30 AM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 DDOS AS2_INFO attack
>>
>> My server is also under this type of attack.. So Valve hasn't fixed it ..
>> Or it is some new exploit. sv_max_queries_sec_global 1 doesn't help. Server's
>> fps is still dropping and it's lagging like hell :(
>>
>> On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison
>> wrote:
>>
>>> sv_max_queries_sec_global 1?
>>>
>>> Will make your server appear unresponsive to the Server Browser while
>> being
>>> DDoS'd but saves the lag.
>>>
>>> Thanks,
>>> - Saul.
>>>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
Someone that can get the cooperation of their datacenter can start to
possibly track this down (highly unlikely).. If everyone helps out we might
be able to lock it down to a general group of providers.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Ketil A
Sent: Saturday, September 05, 2009 1:39 PM
To: hlds@list.valvesoftware.com
Subject: [hlds] TF2 DDOS AS2_INFO attack


My server group is under attack as well, all our tf2 servers + our 1 left 4
dead server are down as well as our separate webserver.
The attack started around 4-5 hours ago with only a couple of the
gameservers, which we then changed the port of after we failed at blocking
it. 
Then around 2 hours ago our webserver started to lag and then 1 hour ago the
webserver as well as all the gameservers went down.
May be the same guy that tried to attack us some weeks ago, where we ended up
blocking TCP 27015 and using a whitelist for those that needed to use rcon,
which stopped him for a while.



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Shane Arnold
How many packets, let alone routed IPs, do you think pass through even 
just one router on an ISP backbone. 80k packets in 5 minutes is so 
ridiculously small it wouldn't even warrant a raised eyebrow.

Best thing to do with DDoS'ers is wait till they get bored and move on.

Kenny Loggins wrote:
> This guy's ISP has to know damn well what he's doing. It's not hard to see that
> packets that leave your network originate from IPs that are not even on
> your network. Maybe we need to track down the ISP and go after him..
> 


[hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Ketil A

My server group is under attack as well, all our TF2 servers + our 1 Left 4 Dead
server is down as well as our separate webserver.
The attack started around 4-5 hours ago with only a couple of the gameservers,
which we then changed the port of after we failed at blocking it.
Then around 2 hours ago our webserver started to lag and then 1 hour ago the
webserver as well as all the gameservers went down.
Maybe the same guy that tried to attack us some weeks ago, where we ended up
blocking TCP 27015 and using a whitelist for those that needed to use rcon,
which stopped him for a while.



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
SPOOFED addresses.
google ip spoofing


On Sat, Sep 5, 2009 at 8:33 PM, Kyle Sanderson wrote:
> If you guys have root access, why are you not using netstat to grab his IP
> and table him? I've done this in the past and it's worked out pretty well
> for me.
>
> Kyle.
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
It's a spoofed IP and random source port


Claudio Beretta [beretta.clau...@gmail.com]
> this is a DDOS attack, probably made from spoofed addresses



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kyle Sanderson
Sent: Saturday, September 05, 2009 1:34 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

If you guys have root access, why are you not using netstat to grab his IP
and table him? I've done this in the past and it's worked out pretty well
for me.

Kyle.



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread 1nsane
Because he's spoofing a shitload of ips?

On Sat, Sep 5, 2009 at 2:33 PM, Kyle Sanderson  wrote:

> If you guys have root access, why are you not using netstat to grab his IP
> and table him? I've done this in the past and it's worked out pretty well
> for me.
>
> Kyle.


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kyle Sanderson
If you guys have root access, why are you not using netstat to grab his IP
and table him? I've done this in the past and it's worked out pretty well
for me.

Kyle.

On Sat, Sep 5, 2009 at 11:26 AM, Kenny Loggins wrote:

> This guy's ISP has to know damn well what he's doing. It's not hard to see that
> packets that leave your network originate from IPs that are not even on
> your network. Maybe we need to track down the ISP and go after him..


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
This guy's ISP has to know damn well what he's doing. It's not hard to see that
packets that leave your network originate from IPs that are not even on
your network. Maybe we need to track down the ISP and go after him..

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Saturday, September 05, 2009 12:57 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

Or someone willing to take down a server.. and taking down other
random ones just to avoid giving away his intentions.
When did this attack start on your server? On mine it started at 4PM
CEST (2PM UTC)

BTW, this guy must be using spoofed addresses, since I'm being hit by
approx 8 AS2_INFO requests every 5 minutes from unique IP
addresses.




Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
Few of us have been dealing with this guy for awhile now. I think he started
on my server at about 8:30am cst and I have really had it with this guy..
I'm willing to drive or fly anywhere and this guy should pray that I never
find him because I'd be going to jail shortly after our confrontation.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Saturday, September 05, 2009 12:57 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

Or someone willing to take down a server.. and taking down other
random ones just to avoid giving away his intentions.
When did this attack start on your server? On mine it started at 4PM
CEST (2PM UTC)

BTW, this guy must be using spoofed addresses, since I'm being hit by
approx 8 AS2_INFO requests every 5 minutes from unique IP
addresses.




Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
Or someone willing to take down a server.. and taking down other
random ones just to avoid giving away his intentions.
When did this attack start on your server? On mine it started at 4PM
CEST (2PM UTC)

BTW, this guy must be using spoofed addresses, since I'm being hit by
approx 8 AS2_INFO requests every 5 minutes from unique IP
addresses.


On Sat, Sep 5, 2009 at 7:25 PM, Kenny Loggins wrote:
> Same here, he's hitting one of my servers also... I'm up for painting the
> walls red with this guy when I find him... My guess is some new
> inexperienced server admin looking to take down the popular servers so he can
> get people into his server... He'll make some good red paint!


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Kenny Loggins
Same here, he's hitting one of my servers also... I'm up for painting the
walls red with this guy when I find him... My guess is some new
inexperienced server admin looking to take down the popular servers so he can
get people into his server... He'll make some good red paint!


-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Ilverz
Sent: Saturday, September 05, 2009 11:30 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 DDOS AS2_INFO attack

My server is also under this type of attack.. So Valve hasn't fixed it .. Or
it is some new exploit. sv_max_queries_sec_global 1 doesn't help. Server's
fps is still dropping and it's lagging like hell :(

On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison
wrote:

> sv_max_queries_sec_global 1?
>
> Will make your server appear unresponsive to the Server Browser while
being
> DDoS'd but saves the lag.
>
> Thanks,
> - Saul.
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Garry Ilverz
My server is also under this type of attack.. So Valve hasn't fixed it .. Or
it is some new exploit. sv_max_queries_sec_global 1 doesn't help. Server's
fps is still dropping and it's lagging like hell :(

On Sat, Sep 5, 2009 at 7:23 PM, Saul Rennison wrote:

> sv_max_queries_sec_global 1?
>
> Will make your server appear unresponsive to the Server Browser while being
> DDoS'd but saves the lag.
>
> Thanks,
> - Saul.
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
thanks. tried that, but CPU usage still skyrockets to 12% (100% of the
core) and the server remains laggy.


On Sat, Sep 5, 2009 at 6:23 PM, Saul Rennison wrote:
> sv_max_queries_sec_global 1?
>
> Will make your server appear unresponsive to the Server Browser while being
> DDoS'd but saves the lag.
>
> Thanks,
> - Saul.
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Saul Rennison
sv_max_queries_sec_global 1?

Will make your server appear unresponsive to the Server Browser while being
DDoS'd but saves the lag.

Thanks,
- Saul.


2009/9/5 Claudio Beretta 

> my v1.0.6.8 TF2 server says it isn't :)
>
>
> On Sat, Sep 5, 2009 at 6:09 PM, AnAkIn . wrote:
> > Well, from what I can read here:
> >
> > http://code.devicenull.org/index.php?title=Misc:HL2_Exploits
> >
> > This appears to be fixed..
> >
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
my v1.0.6.8 TF2 server says it isn't :)


On Sat, Sep 5, 2009 at 6:09 PM, AnAkIn . wrote:
> Well, from what I can read here:
>
> http://code.devicenull.org/index.php?title=Misc:HL2_Exploits
>
> This appears to be fixed..
>



Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread AnAkIn .
Well, from what I can read here:

http://code.devicenull.org/index.php?title=Misc:HL2_Exploits

This appears to be fixed..

2009/9/5 Claudio Beretta 

> it is already at 3, just reduced to 1, but no change.
> As I already stated this is a DDOS attack, probably made from spoofed
> addresses, so this cvar cannot help
>
>
> On Sat, Sep 5, 2009 at 5:53 PM, Andreas Grimm wrote:
> > Hi,
> >
> > perhaps this cvar is your friend?
> >
> > "sv_max_queries_sec" = "3.0" ( def. "3.0" )
> >  - Maximum queries per second to respond to from a single IP address.
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com [mailto:
> hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> > Sent: Saturday, September 05, 2009 5:45 PM
> > To: hlds@list.valvesoftware.com
> > Subject: [hlds] TF2 DDOS AS2_INFO attack
> >
> > Hi
> > one of my TF2 servers is under a DDOS attack. It is receiving hundreds
> > of requests from zombie/spoofed addresses with content "TSource
> > Engine Query".
> > Blocking that query from the router will mean blocking people from
> > joining from the server browser. Increasing sv_max_queries_sec_global to
> > ridiculously high values such as 9000 makes the server laggy.
> > Already using sourceop's DoS Attack Fixer. plugin_print confirms it is
> loaded.
> > I'm on Windows 2003 EE
> >
> > What shall I do?
> > thanks
> >


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
it is already at 3, just reduced to 1, but no change.
As I already stated this is a DDOS attack, probably made from spoofed
addresses, so this cvar cannot help


On Sat, Sep 5, 2009 at 5:53 PM, Andreas Grimm wrote:
> Hi,
>
> perhaps this cvar is your friend?
>
> "sv_max_queries_sec" = "3.0" ( def. "3.0" )
>  - Maximum queries per second to respond to from a single IP address.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com 
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
> Sent: Saturday, September 05, 2009 5:45 PM
> To: hlds@list.valvesoftware.com
> Subject: [hlds] TF2 DDOS AS2_INFO attack
>
> Hi
> one of my TF2 servers is under a DDOS attack. It is receiving hundreds
> of requests from zombie/spoofed addresses with content "TSource
> Engine Query".
> Blocking that query from the router will mean blocking people from
> joining from the server browser. Increasing sv_max_queries_sec_global to
> ridiculously high values such as 9000 makes the server laggy.
> Already using sourceop's DoS Attack Fixer. plugin_print confirms it is loaded.
> I'm on Windows 2003 EE
>
> What shall I do?
> thanks
>


Re: [hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Andreas Grimm
Hi,

perhaps this cvar is your friend?

"sv_max_queries_sec" = "3.0" ( def. "3.0" )
  - Maximum queries per second to respond to from a single IP address.

-Original Message-
From: hlds-boun...@list.valvesoftware.com 
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Claudio Beretta
Sent: Saturday, September 05, 2009 5:45 PM
To: hlds@list.valvesoftware.com
Subject: [hlds] TF2 DDOS AS2_INFO attack

Hi
one of my TF2 servers is under a DDOS attack. It is receiving hundreds
of requests from zombie/spoofed addresses with content "TSource
Engine Query".
Blocking that query from the router will mean blocking people from
joining from the server browser. Increasing sv_max_queries_sec_global to
ridiculously high values such as 9000 makes the server laggy.
Already using sourceop's DoS Attack Fixer. plugin_print confirms it is loaded.
I'm on Windows 2003 EE

What shall I do?
thanks



[hlds] TF2 DDOS AS2_INFO attack

2009-09-05 Thread Claudio Beretta
Hi
one of my TF2 servers is under a DDOS attack. It is receiving hundreds
of requests from zombie/spoofed addresses with content "TSource
Engine Query".
Blocking that query from the router will mean blocking people from
joining from the server browser. Increasing sv_max_queries_sec_global to
ridiculously high values such as 9000 makes the server laggy.
Already using sourceop's DoS Attack Fixer. plugin_print confirms it is loaded.
I'm on Windows 2003 EE

What shall I do?
thanks

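The two limits argued over in this thread, sv_max_queries_sec (per source IP) and sv_max_queries_sec_global (all sources together), can be modelled and replayed against a constructed flood to see exactly what each one buys. The script below is an added example written for this page, not code from the list, from Valve or from any plugin mentioned above. The cvar names are the server's; the fixed one-second-window bookkeeping, the A2S_INFO payload check, and the sample traffic (1000 spoofed "TSource Engine Query" packets per second from random addresses plus two legitimate browser queries from 203.0.113.7, a documentation address) are assumptions made for the demonstration.

```python
import random
from collections import defaultdict

# Wire format of the A2S_INFO request the Steam server browser sends (2009-era,
# pre-challenge): four 0xFF bytes, the 'T' header byte, then the string
# "Source Engine Query" terminated by NUL. This is the "TSource Engine Query"
# payload seen in the flood described in the thread.
A2S_INFO_REQUEST = b"\xff\xff\xff\xff" + b"TSource Engine Query\x00"


def is_a2s_info(payload: bytes) -> bool:
    """True if a UDP payload is exactly a well-formed A2S_INFO request."""
    return payload == A2S_INFO_REQUEST


class QueryLimiter:
    """One-second fixed-window limiter modelled on the two cvars in the thread:
    per_ip   ~ sv_max_queries_sec        (replies per source IP per second)
    global_  ~ sv_max_queries_sec_global (replies to all sources per second)
    The cvar names are the server's; the window bookkeeping is an assumption."""

    def __init__(self, per_ip: int, global_: int) -> None:
        self.per_ip = per_ip
        self.global_ = global_
        self.window = None            # integer second the counters belong to
        self.by_ip = defaultdict(int)
        self.total = 0

    def allow(self, src_ip: str, now: float) -> bool:
        sec = int(now)
        if sec != self.window:        # new second: reset all counters
            self.window, self.total = sec, 0
            self.by_ip.clear()
        if self.total >= self.global_ or self.by_ip[src_ip] >= self.per_ip:
            return False              # dropped: no reply is sent
        self.total += 1
        self.by_ip[src_ip] += 1
        return True


def simulate(flood_pps: int, per_ip: int, global_: int, seed: int = 1) -> dict:
    """Replay one second of constructed traffic through the limiter:
    flood_pps spoofed A2S_INFO packets, each from a random source address
    (so effectively never repeating), plus two legitimate browser queries from
    one real client (203.0.113.7) at t=0.25 s and t=0.75 s.
    Returns how many of each kind were answered and how many legit were dropped."""
    rng = random.Random(seed)
    packets = []  # (time, src_ip, payload, is_legit)
    for i in range(flood_pps):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        packets.append((i / flood_pps, src, A2S_INFO_REQUEST, False))
    for t in (0.25, 0.75):
        packets.append((t, "203.0.113.7", A2S_INFO_REQUEST, True))
    packets.sort(key=lambda p: p[0])  # stable sort: ties keep insertion order

    lim = QueryLimiter(per_ip, global_)
    stats = {"spoofed_answered": 0, "legit_answered": 0, "legit_dropped": 0}
    for t, src, payload, legit in packets:
        if not is_a2s_info(payload):
            continue                  # not a server-browser query; ignore here
        if lim.allow(src, t):
            stats["legit_answered" if legit else "spoofed_answered"] += 1
        elif legit:
            stats["legit_dropped"] += 1
    return stats


if __name__ == "__main__":
    # Per-IP limit only: every spoofed packet comes from a "new" address, so the
    # server answers the whole flood and does all the work the thread describes.
    print("per-IP 3, global 9000:", simulate(1000, per_ip=3, global_=9000))
    # Global limit of 1: the flood is no longer answered, but neither are the
    # real browser queries, hence "unresponsive to the Server Browser".
    print("per-IP 3, global 1:   ", simulate(1000, per_ip=3, global_=1))
```

The first run shows why the per-IP cvar cannot help once the sources are spoofed: each packet arrives from an address the limiter has never seen, so all 1000 are answered. The second run shows the trade-off Saul describes: a global limit of 1 suppresses the replies but also drops both legitimate queries. In both cases the packet has already been received and parsed before the limiter decides anything, so the limiter saves the reply, not the receive and parse cost, which is consistent with the CPU still being pegged at a full core in the thread.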