[hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
So earlier today one of my servers was lagging - badly. By the time I showed up the lag had cleared. Then again. Then again. Each time for about 5-10 minutes it would lag, and by the time I'd shown up, it was gone.

Finally, I caught the lag happening directly. No unusual FPS or CPU usage spikes, so I ran a tcpdump for about 5 seconds. It captured 230,000 packets. Holy shit! A quick analysis shows that '206.63.226.12' was flooding the server with almost exactly *32,000* packets per second, each containing the bytes 'flood', followed by 295 null bytes, for a total of 300 bytes. With IP overhead this is about 88 megabits/second, or suspiciously close to 100 megs/second. I have a gigabit connection, however, srcds itself cannot handle 88mbs of invalid packets without going to lagsville.

I'm emailing an abuse report to his host now, but everyone should have a heads up that this is occurring. The fact that it was going on for 5 minutes at a time a few times an hour suggests he has some script making the rounds against popular servers, or some such.

As for this attack in general, using iptables or a similar tool to limit UDP traffic to server ports to 100/second or so with a small burst should prevent any traffic at a higher rate than normal game traffic from hitting the process, though if you have a 100mbit or less connection the classic DoS aspect of it might lag you out anyway.

- Neph

** Begin internet detective **

IP: 206.63.226.12
Resolves to: bigboomer.thaiguy.net
Host: cet.com
IPs in this netblock (all belonging to cet.com): 206.63.224.0 - 206.63.231.255

thaiguy.net is 206.63.81.2
This, uncoincidentally, also belongs to cet.com in the block: 206.63.80.0 - 206.63.87.0

And in what I'm sure is a huge coincidence:
206.63.81.1: gateway.thaiguy.net
206.63.81.2: thaiguy.net
206.63.81.3: dayofdefeat.thaiguy.net
206.63.81.4: teamspeak.st3games.com
206.63.81.5: battlefield1942.thaiguy.net
206.63.81.6: st3-webhost.cet.com
206.63.81.7: dcon.st3games.com
206.63.81.8: zmod.st3games.com (CSS Server: Zombie Mayhem! #1)
206.63.81.8: (CSS Server: [ST3Gaming.com] GG Advanced - Home of gK?)
206.63.81.15: database.thaiguy.net
206.63.81.18: (TF2 Server: [ST3Gaming.com] 24/7 DustBowl/Stats/InstaSpawn/)
(( Did I mention the server of mine he was attacking was 24/7 dustbowl? ))
206.63.81.20: ns0.thaiguy.net
206.63.81.21: ns1.thaiguy.net

Gee, tf2 servers on his netblock. Of the same type as the one he was attacking. What's all this st3games.com stuff? Oh, they have forums and a steamgroup. http://steamcommunity.com/groups/ST3

Oh, and the forum head admin username is Novikane. Weird that: http://steamcommunity.com/id/novikane is an admin of this group.

** End internet detective **

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
Makes perfect sense other than the dramatisation. VALVe are completely dropping the ball when it comes to server protection. Fair call that they are primarily game designers, but surely they can spend some man-hours at least making their product able to withstand the most basic of DoS and security exploits...

On 24/01/2010 5:53 PM, k wrote:
> that doesn't make sense
>
> On Sun, Jan 24, 2010 at 10:38 PM, w4rezzw4r...@gmail.com wrote:
>> Doesn't matter, there are more server admins who are attacking rival servers; it's what Valve wants, because they don't care about fixes. You must install tons of 3rd party plugins which are probably unstable, and you are still not secured.
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
Maybe you could block the domain from accessing your server?

---
Ted Turner http://www.brainyquote.com/quotes/authors/t/ted_turner.html - Sports is like a war without the killing.

On Sun, Jan 24, 2010 at 1:59 PM, Shane Arnold clontar...@iinet.net.au wrote:
> [quoted message above]
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
Uh, null routing is simply a routing rule that indicates that a packet should be dropped without any further processing. The suggestion was to just null route the source and enjoy the weekend. You can't do it at the ISP level unless you talk to your ISP.

> From: dlin...@fragonline.net
> To: hlds@list.valvesoftware.com
> Date: Sun, 24 Jan 2010 14:28:56 -0600
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
>
> Seriously? Do you not know what null routing is? It's exactly what you said later in your email. Your bandwidth provider routes that source straight to nowhere. Not sure why you think it's done on the server.
>
> -----Original Message-----
> From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
> Sent: Sunday, January 24, 2010 2:08 PM
> To: hlds@list.valvesoftware.com
> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
>
>> Uh, because the packets come over the wire and your NIC has to handle them all regardless of HOW you handle them? You can NOT solve a DoS attack through ANY use of firewalling or routing at the target end. You MUST cut the attack off as close to the source as possible.
>>
>> An attack like the one described here is simple enough to fend off because it's coming from a single source over a relatively low bandwidth pipe. Your ISP should be able to block it at their border routers and the constant knocking shouldn't put any load on their equipment. If it continues, and if they get around to it, they can then report the activity to their peering partners (other ISPs) to get them to block the traffic at their end. If the behavior persists, this continues until eventually the source is cut off.
>>
>> A distributed attack is much harder to cut off, because it has many sources. A distributed attack can bring down major connections.
>>
>>> From: dlin...@fragonline.net
>>> To: hlds@list.valvesoftware.com
>>> Date: Sun, 24 Jan 2010 13:43:57 -0600
>>> Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
>>>
>>> Why not just null route the source and enjoy the weekend?
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
Update on this - I got a response from cet.com claiming that the owner of the thaiguy.net/st3gaming server had given shell access to a friend who had then abused the privilege by running a flood script. This seems like a rather fishy explanation to me, given that I've found logs of 'thaiguy' playing in the DoS'd server, but I'll leave it at that for now.

> dumb question, but how can you (read I) tell if a DOS attack is happening and how do you obtain their IP? Thanks

The server was lagging horribly (nearly unplayable), on a server that is usually near perfect. The lag abruptly stopped minutes later, then a few more ~5-10 minute lag episodes occurred. Finding no other issues, and no other affected servers, I suspected an attack (like the old query packet spam) and set up tcpdump (e.g. tcpdump -w dumpfile -i eth1). Next time it happened I took a look at the packet dump (as in, compress it, download it, open it in wireshark) and found that 80% of all traffic was 300-byte packets from one IP.

- Neph

On Sun, Jan 24, 2010 at 12:10 AM, Nephyrin Zey nephy...@doublezen.net wrote:
> [original message quoted above]
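The capture triage Neph describes (find the source that dominates the dump, its packet size, and the 32,000 pps x 300-byte arithmetic that gives roughly 88 Mbit/s once frame overhead is counted), written up as an added Python example; it is not code from the thread, the traffic records are constructed in code rather than read from a pcap, and the addresses 203.0.113.77 / 198.51.100.x and port 27015 are placeholders, not the hosts named in the posts.

```python
from collections import Counter, defaultdict

# Constructed addresses from documentation ranges, not the hosts in the thread.
FLOOD_SRC = "203.0.113.77"
GAME_PORT = 27015  # assumed srcds port; only used in the printed summary

# Ethernet (14) + IPv4 without options (20) + UDP (8) header bytes per packet.
FRAME_OVERHEAD = 14 + 20 + 8


def wire_mbps(pps, payload_len):
    """Megabits per second on the wire for pps packets of a given UDP payload."""
    return pps * (payload_len + FRAME_OVERHEAD) * 8 / 1e6


def build_sample(flood_pps=32000, players=12, player_pps=66):
    """Constructed 1-second capture window: one source sending 300-byte
    'flood' packets at flood_pps, plus `players` clients at normal update
    rates. Each record is (src_ip, udp_payload_len); a real run would take
    these from a `tcpdump -w` file parsed with dpkt or scapy."""
    records = [(FLOOD_SRC, 300)] * flood_pps
    for i in range(players):
        records += [(f"198.51.100.{i + 1}", 80 + i)] * player_pps
    return records


def analyze(records, window_seconds=1.0, pps_threshold=1000, share_threshold=0.5):
    """Summarise a capture window per source and flag flood candidates.

    A source is flagged only when it exceeds pps_threshold packets/second AND
    sends more than share_threshold of all packets, so one busy player never
    trips both. Returns (flagged_sources, per_source_stats)."""
    counts = Counter(src for src, _ in records)
    sizes = defaultdict(Counter)
    for src, length in records:
        sizes[src][length] += 1
    total = len(records)
    stats, flagged = {}, []
    for src, n in counts.most_common():
        pps = n / window_seconds
        dominant_len = sizes[src].most_common(1)[0][0]
        stats[src] = {
            "packets": n,
            "pps": pps,
            "share": n / total,
            "dominant_len": dominant_len,
            "mbps": wire_mbps(pps, dominant_len),
        }
        if pps > pps_threshold and stats[src]["share"] > share_threshold:
            flagged.append(src)
    return flagged, stats


if __name__ == "__main__":
    flagged, stats = analyze(build_sample())
    for src in flagged:
        s = stats[src]
        print(f"{src}: {s['pps']:.0f} pps, {s['share']:.0%} of packets, "
              f"{s['dominant_len']}-byte payloads, ~{s['mbps']:.1f} Mbit/s "
              f"toward UDP/{GAME_PORT}")
```

The flagged source and its rate are what go into the abuse report or the null-route request; the same per-source rate is what an iptables limit of 100 packets/second would be trimming to.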
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
Right, so call your provider, ask to put in the null route and enjoy your weekend. I honestly did not think I'd have to go into such obvious detail to make a simple statement. If you aren't in a position to perform such a task, then you make a phone call. I suppose I assumed that was obviously simple and didn't need explanation...

-----Original Message-----
From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Blood Letter
Sent: Sunday, January 24, 2010 2:42 PM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers

> [quoted exchange above]
Re: [hlds] ST3Gaming.com using 100mbit connection to DoS rival servers
I don't think anybody appreciates your condescending tone DLinkOZ...

2010/1/24 DLinkOZ dlin...@fragonline.net
> [quoted message above]