Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread DLinkOZ
I assure you, it's purely reactive.  The very first response to me was
condescending, so I responded in turn.  Nothing more.



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of In Hyuk Seo
Sent: Sunday, January 24, 2010 8:12 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
servers

I don't think anybody appreciates your condescending tone DLinkOZ...

2010/1/24 DLinkOZ 

> Right, so call your provider, ask to put in the null route and enjoy your
> weekend.  I honestly did not think I'd have to go into such obvious detail
> to make a simple statement.  If you aren't in a position to perform such a
> task, then you make a phone call.  I suppose I assumed that was obviously
> simple and didn't need explanation...
>
>
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
>  Sent: Sunday, January 24, 2010 2:42 PM
> To: hlds@list.valvesoftware.com
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> servers
>
>
> Uh, null routing is simply a routing rule that indicates that packet should
> be dropped without any further processing.
>
> The suggestion was to "just null route the source and enjoy the weekend".
> You can't do it at the ISP level unless you talk to your ISP.
>
>
> > From: dlin...@fragonline.net
> > To: hlds@list.valvesoftware.com
> > Date: Sun, 24 Jan 2010 14:28:56 -0600
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> >
> > Seriously?  Do you not know what null routing is?  It's exactly what you
> > said later in your email.  Your bandwidth provider routes that source
> > straight to the nowhere.  Not sure why you think it's done on the server.
>
> >
> >
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
> > Sent: Sunday, January 24, 2010 2:08 PM
> > To: hlds@list.valvesoftware.com
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> > servers
> >
> >
> > Uh, because the packets come over the wire and your NIC has to handle them
> > all regardless of HOW you handle them?
> >
> > You can NOT solve a DoS attack through ANY use of firewalling or routing at
> > the target end.
> > You MUST cut the attack off as close to the source as possible.
> >
> > An attack like the one described here is simple enough to fend off because
> > it's coming from a single source over a relatively low bandwidth pipe.
> > Your ISP should be able to block it at their border routers and the constant
> > knocking shouldn't put any load on their equipment.
> > If it continues, and if they get around to it, they can then report the
> > activity to their peering partners (other ISPs) to get them to block the
> > traffic at their end.  If the behavior persists, this continues until
> > eventually the source is cut off.
> >
> > A distributed attack is much harder to cut off, because it has many sources.
> > A distributed attack can bring down major connections.
> >
> >
> >
> > > From: dlin...@fragonline.net
> > > To: hlds@list.valvesoftware.com
> > > Date: Sun, 24 Jan 2010 13:43:57 -0600
> > > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> > >
> > > Why not just null route the source and enjoy the weekend?
> >
> > _
> > Hotmail: Powerful Free email with security by Microsoft.
> > http://clk.atdmt.com/GBL/go/196390710/direct/01/
> > ___
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds
> >
> >
> >
> >
>

Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread In Hyuk Seo
I don't think anybody appreciates your condescending tone DLinkOZ...

2010/1/24 DLinkOZ 

> Right, so call your provider, ask to put in the null route and enjoy your
> weekend.  I honestly did not think I'd have to go into such obvious detail
> to make a simple statement.  If you aren't in a position to perform such a
> task, then you make a phone call.  I suppose I assumed that was obviously
> simple and didn't need explanation...
>
>
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
>  Sent: Sunday, January 24, 2010 2:42 PM
> To: hlds@list.valvesoftware.com
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> servers
>
>
> Uh, null routing is simply a routing rule that indicates that packet should
> be dropped without any further processing.
>
> The suggestion was to "just null route the source and enjoy the weekend".
> You can't do it at the ISP level unless you talk to your ISP.
>
>
> > From: dlin...@fragonline.net
> > To: hlds@list.valvesoftware.com
> > Date: Sun, 24 Jan 2010 14:28:56 -0600
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> >
> > Seriously?  Do you not know what null routing is?  It's exactly what you
> > said later in your email.  Your bandwidth provider routes that source
> > straight to the nowhere.  Not sure why you think it's done on the server.
>
> >
> >
> >
> > -Original Message-
> > From: hlds-boun...@list.valvesoftware.com
> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
> > Sent: Sunday, January 24, 2010 2:08 PM
> > To: hlds@list.valvesoftware.com
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> > servers
> >
> >
> > Uh, because the packets come over the wire and your NIC has to handle them
> > all regardless of HOW you handle them?
> >
> > You can NOT solve a DoS attack through ANY use of firewalling or routing at
> > the target end.
> > You MUST cut the attack off as close to the source as possible.
> >
> > An attack like the one described here is simple enough to fend off because
> > it's coming from a single source over a relatively low bandwidth pipe.
> > Your ISP should be able to block it at their border routers and the constant
> > knocking shouldn't put any load on their equipment.
> > If it continues, and if they get around to it, they can then report the
> > activity to their peering partners (other ISPs) to get them to block the
> > traffic at their end.  If the behavior persists, this continues until
> > eventually the source is cut off.
> >
> > A distributed attack is much harder to cut off, because it has many sources.
> > A distributed attack can bring down major connections.
> >
> >
> >
> > > From: dlin...@fragonline.net
> > > To: hlds@list.valvesoftware.com
> > > Date: Sun, 24 Jan 2010 13:43:57 -0600
> > > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> > >
> > > Why not just null route the source and enjoy the weekend?
> >
>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread DLinkOZ
Right, so call your provider, ask to put in the null route and enjoy your
weekend.  I honestly did not think I'd have to go into such obvious detail
to make a simple statement.  If you aren't in a position to perform such a
task, then you make a phone call.  I suppose I assumed that was obviously
simple and didn't need explanation...



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
Sent: Sunday, January 24, 2010 2:42 PM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
servers


Uh, null routing is simply a routing rule that indicates that packet should
be dropped without any further processing.

The suggestion was to "just null route the source and enjoy the weekend".
You can't do it at the ISP level unless you talk to your ISP.


> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 14:28:56 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> 
> Seriously?  Do you not know what null routing is?  It's exactly what you
> said later in your email.  Your bandwidth provider routes that source
> straight to the nowhere.  Not sure why you think it's done on the server.

> 
> 
> 
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
> Sent: Sunday, January 24, 2010 2:08 PM
> To: hlds@list.valvesoftware.com
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> servers
> 
> 
> Uh, because the packets come over the wire and your NIC has to handle them
> all regardless of HOW you handle them?
> 
> You can NOT solve a DoS attack through ANY use of firewalling or routing at
> the target end.
> You MUST cut the attack off as close to the source as possible.
> 
> An attack like the one described here is simple enough to fend off because
> it's coming from a single source over a relatively low bandwidth pipe.
> Your ISP should be able to block it at their border routers and the constant
> knocking shouldn't put any load on their equipment.
> If it continues, and if they get around to it, they can then report the
> activity to their peering partners (other ISPs) to get them to block the
> traffic at their end.  If the behavior persists, this continues until
> eventually the source is cut off.
> 
> A distributed attack is much harder to cut off, because it has many sources.
> A distributed attack can bring down major connections.
> 
> 
> 
> > From: dlin...@fragonline.net
> > To: hlds@list.valvesoftware.com
> > Date: Sun, 24 Jan 2010 13:43:57 -0600
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> > 
> > Why not just null route the source and enjoy the weekend?
> 


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Nephyrin Zey
Update on this -

I got a response from cet.com claiming that the owner of the
thaiguy.net/st3gaming server had given shell access to a friend who
had then abused the privilege by running a flood script. This seems
like a rather fishy explanation to me, given that I've found logs of
'thaiguy' playing in the DoS'd server, but I'll leave it at that for
now.

> dumb question, but how can you (read I) tell if a DOS attack is happening
> and how do you obtain their IP. Thanks

The server was lagging horribly (nearly unplayable), on a server that
is usually near perfect. The lag abruptly stopped minutes later, then
a few more ~5-10 minute lag episodes occurred. Finding no other issues,
and no other affected servers, I suspected an attack (like the old
query packet spam) and set up tcpdump (e.g. tcpdump -w dumpfile -i
eth1). Next time it happened I took a look at the packet dump (as in,
compress it, download it, open it in wireshark) and found that 80% of
all traffic was 300-byte packets from one IP.

- Neph

On Sun, Jan 24, 2010 at 12:10 AM, Nephyrin Zey  wrote:
> So earlier today one of my servers was lagging - badly. By time I showed up
> the lag had cleared. Then again. Then again. Each time for about 5-10
> minutes it would lag, and by time I'd shown up, it was gone. Finally, I
> caught the lag happening directly. No unusual FPS or CPU usage spikes, so I
> ran a tcpdump for about 5 seconds. It captured 230,000 packets. Holy shit!
>
> A quick analysis shows that '206.63.226.12' was flooding the server with
> almost exactly *32,000* packets per second, each containing the bytes
> 'flood', followed by 295 null bytes, for a total of 300 bytes. With IP
> overhead this is about 88 megabits/second, or suspiciously close to
> 100megs/second. I have a gigabit connection, however, srcds itself cannot
> handle 88mbs of invalid packets without going to lagsville.
>
> I'm emailing an abuse report to his host now, but everyone should have a
> heads up that this is occurring. The fact that it was going on for 5 minutes
> at a time a few times an hour suggests he has some script making the rounds
> against popular servers, or some such.
>
> As for this attack in general, using iptables or a similar tool to limit UDP
> traffic to server ports to 100/second or so with a small burst should
> prevent any traffic at a higher rate than normal game traffic from hitting
> the process, though if you have a 100mbit or less connection the classic DoS
> aspect of it might lag you out anyway.
>
> - Neph
>
> ** Begin internet detective **
> IP: 206.63.226.12
> Resolves to: bigboomer.thaiguy.net
> Host: cet.com
> IPs in this netblock (all belonging to cet.com): 206.63.224.0 -
> 206.63.231.255
>
> thaiguy.net is 206.63.81.2
> This, uncoincidentally, also belongs to cet.com in the block: 206.63.80.0 -
> 206.63.87.0
>
> And in what I'm sure is a huge coincidence:
>
> 206.63.81.1: gateway.thaiguy.net
> 206.63.81.2: thaiguy.net
> 206.63.81.3: dayofdefeat.thaiguy.net
> 206.63.81.4: teamspeak.st3games.com
> 206.63.81.5: battlefield1942.thaiguy.net
> 206.63.81.6: st3-webhost.cet.com
> 206.63.81.7: dcon.st3games.com
> 206.63.81.8: zmod.st3games.com (CSS Server: "Zombie Mayhem! #1")
> 206.63.81.8: (CSS Server: "[ST3Gaming.com] GG Advanced - Home of gK?")
> 206.63.81.15: database.thaiguy.net
> 206.63.81.18: (TF2 Server: "[ST3Gaming.com] 24/7
> DustBowl/Stats/InstaSpawn/") (( Did I mention the server of mine he was
> attacking was 24/7 dustbowl? ))
> 206.63.81.20: ns0.thaiguy.net
> 206.63.81.21: ns1.thaiguy.net
>
> Gee, tf2 servers on his netblock. Of the same type as the one he was
> attacking. What's all this st3games.com stuff? Oh, they have forums and a
> steamgroup.
>
> http://steamcommunity.com/groups/ST3
> Oh, and the forum head admin username is "Novikane". Weird that:
> http://steamcommunity.com/id/novikane
> Is an admin of this group.
> ** End internet detective **
>

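The triage Neph describes (capture with tcpdump, then look for one source dominating the dump with identical-size packets) and the iptables rate limit he suggests, as an added example that is not part of the thread: it builds a constructed capture in memory using documentation-range addresses (the attacker address, client addresses and game port are assumptions), parses it as libpcap/Ethernet/IPv4/UDP with the standard library only, reports per-source share and size uniformity, and models what an iptables -m limit bucket of 100/second with burst 5 would pass.

```python
"""Flood triage for a pcap plus a model of the suggested iptables rate limit.
Added example, not code from the thread: the capture is constructed in memory
(documentation-range addresses) and parsed with the standard library only."""
import socket
import struct
from collections import Counter, defaultdict

FLOOD_PAYLOAD = b"flood" + b"\x00" * 295      # 300 bytes, as the thread describes
FLOOD_SRC = "198.51.100.7"                    # constructed attacker address
GAME_PORT = 27015                             # assumed srcds port


def build_pcap(packets):
    """Serialise (ts_us, src_ip, payload) tuples, time-ordered, as a libpcap
    file (link type 1 = Ethernet) of IPv4/UDP to GAME_PORT. Checksums stay 0."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts_us, src, payload in sorted(packets, key=lambda p: p[0]):
        udp = struct.pack("!HHHH", 40000, GAME_PORT, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton("192.0.2.1")) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(frame), len(frame)) + frame
    return bytes(out)


def iter_udp(pcap):
    """Yield (ts_seconds, src_ip, udp_payload_len) for every IPv4/UDP frame."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Skip anything that is not IPv4 over Ethernet carrying UDP (proto 17).
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp_len = struct.unpack("!H", frame[18 + ihl:20 + ihl])[0]
        yield sec + usec / 1e6, socket.inet_ntoa(frame[26:30]), udp_len - 8


def flood_report(pcap, share_threshold=0.5):
    """Per-source packet count, share of all UDP packets, rate over the source's
    active span, and whether every packet had the same size (the signature of a
    scripted flood). 'suspect' marks sources above share_threshold."""
    seen = defaultdict(lambda: {"n": 0, "sizes": Counter(), "first": None, "last": 0.0})
    total = 0
    for ts, src, plen in iter_udp(pcap):
        s = seen[src]
        s["n"] += 1
        s["sizes"][plen] += 1
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
        total += 1
    report = {}
    for src, s in seen.items():
        span = s["last"] - s["first"]
        size, count = s["sizes"].most_common(1)[0]
        report[src] = {
            "packets": s["n"],
            "share": round(s["n"] / total, 3),
            "pps": round(s["n"] / span) if span > 0 else None,
            "dominant_size": size,
            "uniform": count == s["n"],
            "suspect": s["n"] / total >= share_threshold,
        }
    return report


def simulate_limit(pcap, rate=100, burst=5):
    """Token bucket with the semantics of 'iptables -m limit --limit <rate>/second
    --limit-burst <burst>' on all UDP to the game port. Returns (passed, dropped)."""
    tokens, last, passed, dropped = float(burst), None, 0, 0
    for ts, _src, _plen in iter_udp(pcap):
        if last is not None:
            tokens = min(float(burst), tokens + (ts - last) * rate)
        last = ts
        if tokens >= 1.0:
            tokens -= 1.0
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def sample_capture():
    """Constructed 1-second capture: two clients at 50 pps each with varying sizes,
    plus 3200 identical 300-byte packets in 0.1 s (32,000 pps) from FLOOD_SRC."""
    pkts = []
    for i in range(50):
        for k, client in enumerate(("192.0.2.10", "192.0.2.11")):
            pkts.append((i * 20_000 + k * 10_000, client, b"\x01" * (60 + (i % 7) * 10)))
    for i in range(3200):
        pkts.append((300_000 + i * 125 // 4, FLOOD_SRC, FLOOD_PAYLOAD))  # 31.25 us apart
    return build_pcap(pkts)
```

The modelled limit drops nearly the whole burst before it reaches srcds, but as Blood Letter's reply points out the NIC still receives every packet, and all clients share the one bucket while the flood runs, so filtering upstream at the provider remains the real fix.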


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Blood Letter

Uh, null routing is simply a routing rule that indicates that packet should be 
dropped without any further processing.

The suggestion was to "just null route the source and enjoy the weekend".
You can't do it at the ISP level unless you talk to your ISP.


> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 14:28:56 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> 
> Seriously?  Do you not know what null routing is?  It's exactly what you
> said later in your email.  Your bandwidth provider routes that source
> straight to the nowhere.  Not sure why you think it's done on the server.  
> 
> 
> 
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
> Sent: Sunday, January 24, 2010 2:08 PM
> To: hlds@list.valvesoftware.com
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> servers
> 
> 
> Uh, because the packets come over the wire and your NIC has to handle them
> all regardless of HOW you handle them?
> 
> You can NOT solve a DoS attack through ANY use of firewalling or routing at
> the target end.
> You MUST cut the attack off as close to the source as possible.
> 
> An attack like the one described here is simple enough to fend off because
> it's coming from a single source over a relatively low bandwidth pipe.
> Your ISP should be able to block it at their border routers and the constant
> knocking shouldn't put any load on their equipment.
> If it continues, and if they get around to it, they can then report the
> activity to their peering partners (other ISPs) to get them to block the
> traffic at their end.  If the behavior persists, this continues until
> eventually the source is cut off.
> 
> A distributed attack is much harder to cut off, because it has many sources.
> A distributed attack can bring down major connections.
> 
> 
> 
> > From: dlin...@fragonline.net
> > To: hlds@list.valvesoftware.com
> > Date: Sun, 24 Jan 2010 13:43:57 -0600
> > Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> > 
> > Why not just null route the source and enjoy the weekend?
> 


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread DLinkOZ
Seriously?  Do you not know what null routing is?  It's exactly what you
said later in your email.  Your bandwidth provider routes that source
straight to the nowhere.  Not sure why you think it's done on the server.  



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
Sent: Sunday, January 24, 2010 2:08 PM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
servers


Uh, because the packets come over the wire and your NIC has to handle them
all regardless of HOW you handle them?

You can NOT solve a DoS attack through ANY use of firewalling or routing at
the target end.
You MUST cut the attack off as close to the source as possible.

An attack like the one described here is simple enough to fend off because
it's coming from a single source over a relatively low bandwidth pipe.
Your ISP should be able to block it at their border routers and the constant
knocking shouldn't put any load on their equipment.
If it continues, and if they get around to it, they can then report the
activity to their peering partners (other ISPs) to get them to block the
traffic at their end.  If the behavior persists, this continues until
eventually the source is cut off.

A distributed attack is much harder to cut off, because it has many sources.
A distributed attack can bring down major connections.



> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 13:43:57 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> 
> Why not just null route the source and enjoy the weekend?
  


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Tony Paloma
You should probably look up null route and then try replying again.
Unfortunately, most of us don't have the power to mess with the routers on
our network.

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
Sent: Sunday, January 24, 2010 12:08 PM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
servers


Uh, because the packets come over the wire and your NIC has to handle them
all regardless of HOW you handle them?

You can NOT solve a DoS attack through ANY use of firewalling or routing at
the target end.
You MUST cut the attack off as close to the source as possible.

An attack like the one described here is simple enough to fend off because
it's coming from a single source over a relatively low bandwidth pipe.
Your ISP should be able to block it at their border routers and the constant
knocking shouldn't put any load on their equipment.
If it continues, and if they get around to it, they can then report the
activity to their peering partners (other ISPs) to get them to block the
traffic at their end.  If the behavior persists, this continues until
eventually the source is cut off.

A distributed attack is much harder to cut off, because it has many sources.
A distributed attack can bring down major connections.



> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 13:43:57 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
> 
> Why not just null route the source and enjoy the weekend?
  


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Blood Letter

Uh, because the packets come over the wire and your NIC has to handle them all 
regardless of HOW you handle them?

You can NOT solve a DoS attack through ANY use of firewalling or routing at the 
target end.
You MUST cut the attack off as close to the source as possible.

An attack like the one described here is simple enough to fend off because it's 
coming from a single source over a relatively low bandwidth pipe.
Your ISP should be able to block it at their border routers and the constant 
knocking shouldn't put any load on their equipment.
If it continues, and if they get around to it, they can then report the 
activity to their peering partners (other ISPs) to get them to block the 
traffic at their end.  If the behavior persists, this continues until 
eventually the source is cut off.

A distributed attack is much harder to cut off, because it has many sources.  A 
distributed attack can bring down major connections.



> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 13:43:57 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival   
> servers
> 
> Why not just null route the source and enjoy the weekend?
  


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Christoffer Madsen
That would be a good idea.

---

Samuel Goldwyn<http://www.brainyquote.com/quotes/authors/s/samuel_goldwyn.html>
- "I don't think anyone should write their autobiography until after
they're dead."

On Sun, Jan 24, 2010 at 8:43 PM, DLinkOZ  wrote:

> Why not just null route the source and enjoy the weekend?
>
>
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Donnie Newlove
> Sent: Sunday, January 24, 2010 1:02 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
> servers
>
> MS? I really hope you don't mean Microsoft...
>
> On Sun, Jan 24, 2010 at 5:03 PM, Christoffer Pedersen
>  wrote:
> > That's right, it's a MS problem. This would also be called ICMP-flooding
> > (when a host is being flooded with ping requests).
> >
> > Analyze the IP-addresses, and blacklist them. You could also block the
> > whole subnet for that IP-address.
> >
> > Kind regards
> >
> > Christoffer Pedersen
> > Managing Director
> > ScanServers
> > christof...@scanservers.eu
> > www.scanservers.eu
> >
> > On 24/01/2010, at 16.24, Mike Stiehm  wrote:
> >
> >> None of that will help with traffic flood, and connection DOS has nothing
> >> to do with valve or SRCDS.
> >>
> >> ClanAO.com
> >>
> >> On Jan 24, 2010 8:51 AM, "Matthew Gottlieb" <matthew.j.gottl...@gmail.com> wrote:
> >>
> >> IP black listing :-\
> >>
> >> On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen wrote: > Maybe you could bl...
> >
> >
>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread DLinkOZ
Why not just null route the source and enjoy the weekend?



-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Donnie Newlove
Sent: Sunday, January 24, 2010 1:02 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival
servers

MS? I really hope you don't mean Microsoft...

On Sun, Jan 24, 2010 at 5:03 PM, Christoffer Pedersen
 wrote:
> That's right, it's a MS problem. This would also be called ICMP-flooding
> (when a host is being flooded with ping requests).
>
> Analyze the IP-addresses, and blacklist them. You could also block the
> whole subnet for that IP-address.
>
> Kind regards
>
> Christoffer Pedersen
> Managing Director
> ScanServers
> christof...@scanservers.eu
> www.scanservers.eu
>
> On 24/01/2010, at 16.24, Mike Stiehm  wrote:
>
>> None of that will help with traffic flood, and connection DOS has nothing
>> to do with valve or SRCDS.
>>
>> ClanAO.com
>>
>> On Jan 24, 2010 8:51 AM, "Matthew Gottlieb" wrote:
>>
>> IP black listing :-\
>>
>> On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen wrote: > Maybe you could bl...
>
>



Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread k e
dumb question, but how can you (read I) tell if a DOS attack is happening
and how do you obtain their IP. Thanks

On Sun, Jan 24, 2010 at 2:02 PM, Donnie Newlove wrote:

> MS? I really hope you don't mean Microsoft...
>
> On Sun, Jan 24, 2010 at 5:03 PM, Christoffer Pedersen
>  wrote:
> > That's right, it's a MS problem. This would also be called ICMP-flooding
> > (when a host is being flooded with ping requests).
> >
> > Analyze the IP-addresses, and blacklist them. You could also block the
> > whole subnet for that IP-address.
> >
> > Kind regards
> >
> > Christoffer Pedersen
> > Managing Director
> > ScanServers
> > christof...@scanservers.eu
> > www.scanservers.eu
> >
> > On 24/01/2010, at 16.24, Mike Stiehm  wrote:
> >
> >> None of that will help with traffic flood, and connection DOS has nothing
> >> to do with valve or SRCDS.
> >>
> >> ClanAO.com
> >>
> >> On Jan 24, 2010 8:51 AM, "Matthew Gottlieb" <matthew.j.gottl...@gmail.com> wrote:
> >>
> >> IP black listing :-\
> >>
> >> On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen wrote: > Maybe you could bl...
> >
> >
>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Donnie Newlove
MS? I really hope you don't mean Microsoft...

On Sun, Jan 24, 2010 at 5:03 PM, Christoffer Pedersen
 wrote:
> That's right, it's a MS problem. This would also be called ICMP-flooding
> (when a host is being flooded with ping requests).
>
> Analyze the IP-addresses, and blacklist them. You could also block the
> whole subnet for that IP-address.
>
> Kind regards
>
> Christoffer Pedersen
> Managing Director
> ScanServers
> christof...@scanservers.eu
> www.scanservers.eu
>
> On 24/01/2010, at 16.24, Mike Stiehm  wrote:
>
>> None of that will help with a traffic flood, and a connection DoS has
>> nothing
>> to do with Valve or SRCDS.
>>
>> ClanAO.com
>>
>> On Jan 24, 2010 8:51 AM, "Matthew Gottlieb"
>> wrote:
>>
>> IP black listing :-\
>>
>> On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen
>> 
>> wrote: > Maybe you could bl...


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Christoffer Pedersen
That's right, it's an MS problem. This would also be called ICMP 
flooding (when a host is being flooded with ping requests).

Analyze the IP addresses and blacklist them. You could also block the 
whole subnet for that IP address.

Kind regards

Christoffer Pedersen
Managing Director
ScanServers
christof...@scanservers.eu
www.scanservers.eu

On 24/01/2010, at 16.24, Mike Stiehm  wrote:

> None of that will help with a traffic flood, and a connection DoS has 
> nothing
> to do with Valve or SRCDS.
>
> ClanAO.com
>
> On Jan 24, 2010 8:51 AM, "Matthew Gottlieb"
> wrote:
>
> IP black listing :-\
>
> On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen  
> 
> wrote: > Maybe you could bl...


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Mike Stiehm
None of that will help with a traffic flood, and a connection DoS has nothing
to do with Valve or SRCDS.

ClanAO.com

On Jan 24, 2010 8:51 AM, "Matthew Gottlieb" 
wrote:

IP black listing :-\

On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen 
wrote: > Maybe you could bl...


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Mike Stiehm
ClanAO.com

On Jan 24, 2010 8:51 AM, "Matthew Gottlieb" 
wrote:

IP black listing :-\

On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen 
wrote: > Maybe you could bl...


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Matthew Gottlieb
IP black listing :-\

On Sun, Jan 24, 2010 at 7:47 AM, Christoffer Madsen  wrote:
> Maybe you could block the domain from accessing your server?
>
> ---
>
> Ted Turner   -
> "Sports is like a war without the killing."
>
> On Sun, Jan 24, 2010 at 1:59 PM, Shane Arnold wrote:
>
>> Makes perfect sense other than the dramatisation. VALVe are completely
>> dropping the ball when it comes to server protection. Fair call that
>> they are primarily game designers, but surely they can spend some
>> manhours at least making their product able to withstand the most basic
>> of DoS and security exploits...
>>
>> On 24/01/2010 5:53 PM, k wrote:
>> > that doesn't make sense
>> >
>> > On Sun, Jan 24, 2010 at 10:38 PM, w4rezz  wrote:
>> >
>> >
>> >> Doesn't matter, there are more server admins who are attacking rival
>> >> servers; it's what Valve wants, because they don't care about fixes. You
>> >> must install tons of 3rd party plugins, which are likely to be unstable, and you
>> >> are still not secured.
>> >>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Christoffer Madsen
Maybe you could block the domain from accessing your server?

---

Ted Turner   -
"Sports is like a war without the killing."

On Sun, Jan 24, 2010 at 1:59 PM, Shane Arnold wrote:

> Makes perfect sense other than the dramatisation. VALVe are completely
> dropping the ball when it comes to server protection. Fair call that
> they are primarily game designers, but surely they can spend some
> manhours at least making their product able to withstand the most basic
> of DoS and security exploits...
>
> On 24/01/2010 5:53 PM, k wrote:
> > that doesn't make sense
> >
> > On Sun, Jan 24, 2010 at 10:38 PM, w4rezz  wrote:
> >
> >
> >> Doesn't matter, there are more server admins who are attacking rival
> >> servers; it's what Valve wants, because they don't care about fixes. You
> >> must install tons of 3rd party plugins, which are likely to be unstable, and you
> >> are still not secured.
> >>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Shane Arnold
Makes perfect sense other than the dramatisation. VALVe are completely 
dropping the ball when it comes to server protection. Fair call that 
they are primarily game designers, but surely they can spend some 
manhours at least making their product able to withstand the most basic 
of DoS and security exploits...

On 24/01/2010 5:53 PM, k wrote:
> that doesn't make sense
>
> On Sun, Jan 24, 2010 at 10:38 PM, w4rezz  wrote:
>
>
>> Doesn't matter, there are more server admins who are attacking rival
>> servers; it's what Valve wants, because they don't care about fixes. You
>> must install tons of 3rd party plugins, which are likely to be unstable, and you
>> are still not secured.
>>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread k
that doesn't make sense

On Sun, Jan 24, 2010 at 10:38 PM, w4rezz  wrote:

> Doesn't matter, there are more server admins who are attacking rival
> servers; it's what Valve wants, because they don't care about fixes. You
> must install tons of 3rd party plugins, which are likely to be unstable, and you
> are still not secured.
>


Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread w4rezz
Doesn't matter, there are more server admins who are attacking rival
servers; it's what Valve wants, because they don't care about fixes. You
must install tons of 3rd party plugins, which are likely to be unstable, and you
are still not secured.



[hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

2010-01-24 Thread Nephyrin Zey
So earlier today one of my servers was lagging - badly. By the time I showed 
up the lag had cleared. Then again. Then again. Each time for about 5-10 
minutes it would lag, and by the time I'd shown up, it was gone. Finally, I 
caught the lag happening directly. No unusual FPS or CPU usage spikes, 
so I ran a tcpdump for about 5 seconds. It captured 230,000 packets. 
Holy shit!

A quick analysis shows that '206.63.226.12' was flooding the server with 
almost exactly *32,000* packets per second, each containing the bytes 
'flood', followed by 295 null bytes, for a total of 300 bytes. With IP 
overhead this is about 88 megabits/second, or suspiciously close to 
100 megs/second. I have a gigabit connection, however, srcds itself 
cannot handle 88mbps of invalid packets without going to lagsville.

I'm emailing an abuse report to his host now, but everyone should have a 
heads up that this is occurring. The fact that it was going on for 5 
minutes at a time a few times an hour suggests he has some script making 
the rounds against popular servers, or some such.

As for this attack in general, using iptables or a similar tool to limit 
UDP traffic to server ports to 100/second or so with a small burst 
should prevent any traffic at a higher rate than normal game traffic 
from hitting the process, though if you have a 100mbit or less 
connection the classic DoS aspect of it might lag you out anyway.

- Neph

** Begin internet detective **
IP: 206.63.226.12
Resolves to: bigboomer.thaiguy.net
Host: cet.com
IPs in this netblock (all belonging to cet.com): 206.63.224.0 - 
206.63.231.255

thaiguy.net is 206.63.81.2
This, uncoincidentally, also belongs to cet.com in the block: 
206.63.80.0 - 206.63.87.0

And in what I'm sure is a huge coincidence:

206.63.81.1: gateway.thaiguy.net
206.63.81.2: thaiguy.net
206.63.81.3: dayofdefeat.thaiguy.net
206.63.81.4: teamspeak.st3games.com
206.63.81.5: battlefield1942.thaiguy.net
206.63.81.6: st3-webhost.cet.com
206.63.81.7: dcon.st3games.com
206.63.81.8: zmod.st3games.com (CSS Server: "Zombie Mayhem! #1")
206.63.81.8: (CSS Server: "[ST3Gaming.com] GG Advanced - Home of gK?")
206.63.81.15: database.thaiguy.net
206.63.81.18: (TF2 Server: "[ST3Gaming.com] 24/7 
DustBowl/Stats/InstaSpawn/") (( Did I mention the server of mine he was 
attacking was 24/7 dustbowl? ))
206.63.81.20: ns0.thaiguy.net
206.63.81.21: ns1.thaiguy.net

Gee, tf2 servers on his netblock. Of the same type as the one he was 
attacking. What's all this st3games.com stuff? Oh, they have forums and 
a steamgroup.

http://steamcommunity.com/groups/ST3
Oh, and the forum head admin username is "Novikane". Weird that
http://steamcommunity.com/id/novikane
is an admin of this group.
** End internet detective **
