Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Weasel
If the "Valid Size" is always in the range 564-1248, is there a way to have IP tables block anything that is EITHER above or below that size limit? or will that interfere with the game? (i.e. are there other LEGIT game-related packets outside the range to be expected?).

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread ElitePowered .
So then how are we supposed to share solutions? Anyway, I'll try IP tables. Disregard my IP suggestion. #HideMyAss

On Mon, Sep 2, 2013 at 2:05 PM, Calvin Judy wrote:
> Rate limiting isn't the way to go about it, you can block all the invalid
> source packets.
>
> But there's no reason to post

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Rate limiting isn't the way to go about it, you can block all the invalid source packets. But there's no reason to post the solution publicly because the user launching the attacks is monitoring the mailing list.

- Original Message -
From: "Vitor F. - Killall"
To: "Half-Life dedica

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Vitor F. - Killall
Try the hashlimit module. Example: limit the input of srcds server on port 27015 up to 100 packets per second/ip

iptables -A INPUT -p udp --destination-port 27015 -m hashlimit -m udp --hashlimit-burst 15 --hashlimit-upto 100 --hashlimit-mode srcip --hashlimit-name srcdsin -j ACCEPT
iptables -A I

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Violent Crimes
On 9/2/2013 7:25 AM, Michael Johansen wrote:
Blocked those and the attack still persists.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 07:14:43 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks
Okay, the number you provided (53) is the size of the string

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Violent Crimes
13:38:36.184323 IP (tos 0x0, ttl 121, id 2374, offset 0, flags [none], proto UDP (17), length 53)
    68.100.82.97.54516 > 108.61.51.100.27015: [udp sum ok] UDP, length 25
    0x0000: e840 f2d1 dd77 748e f848 a340 0800 4500 .@...wt..H.@..E.
    0x0010: 0035 0946 7911 020c 4464 5261
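Added example (not part of any post in this thread): a parser for `tcpdump -v` UDP lines like the capture above that reports each packet's size at three layers, because the iptables `length` match compares the IPv4 total length, not the UDP payload or the Ethernet frame size. The sample capture is constructed, with documentation addresses, and the 14-byte Ethernet II header is an assumption.

```python
import re
from collections import Counter

ETH_HDR = 14  # Ethernet II header, no VLAN tag (assumption)

# Constructed sample in `tcpdump -v` layout; addresses are documentation ranges.
SAMPLE = """\
13:38:36.184323 IP (tos 0x0, ttl 121, id 2374, offset 0, flags [none], proto UDP (17), length 53)
    192.0.2.10.54516 > 198.51.100.7.27015: [udp sum ok] UDP, length 25
13:38:36.184391 IP (tos 0x0, ttl 121, id 2375, offset 0, flags [none], proto UDP (17), length 53)
    192.0.2.11.40112 > 198.51.100.7.27015: [udp sum ok] UDP, length 25
13:38:36.190120 IP (tos 0x0, ttl 57, id 811, offset 0, flags [DF], proto UDP (17), length 112)
    203.0.113.5.27005 > 198.51.100.7.27015: [udp sum ok] UDP, length 84
"""

PKT = re.compile(
    r"ttl (?P<ttl>\d+),.*?proto UDP \(17\), length (?P<ip_len>\d+)\)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*?UDP, length (?P<udp_len>\d+)")

def parse(text):
    """Return one dict per UDP packet with its size at each layer."""
    out = []
    for m in PKT.finditer(text):
        ip_len = int(m["ip_len"])
        out.append({
            "src": m["src"], "dport": int(m["dport"]), "ttl": int(m["ttl"]),
            "payload": int(m["udp_len"]),  # bytes the game server parses
            "ip_total": ip_len,            # value `-m length` compares (IPv4 tot_len)
            "frame": ip_len + ETH_HDR,     # size on the wire as a capture tool shows it
        })
    return out

def dominant_ip_len(pkts, dport):
    """Most common IP total length among packets to dport, as (size, count)."""
    sizes = Counter(p["ip_total"] for p in pkts if p["dport"] == dport)
    return sizes.most_common(1)[0] if sizes else None

def length_rule(dport, ip_len):
    """Rule text in the form used in this thread, keyed on IP total length."""
    return f"iptables -A INPUT -p udp --dport {dport} -m length --length {ip_len} -j DROP"

if __name__ == "__main__":
    pkts = parse(SAMPLE)
    size, count = dominant_ip_len(pkts, 27015)
    print(f"{count} packets to 27015 with IP total length {size}")
    print(length_rule(27015, size))
```

For the packet quoted above this gives 25 (payload), 53 (IP total) and 67 (frame). A rule keyed on size alone also drops any legitimate query of the same length.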

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Violent Crimes
I tried using the ip tables and it didn't work.

On 9/2/2013 1:22 PM, Calvin Judy wrote:
You can solve it with iptables if you're running linux. An upgrade on bandwidth isn't going to do anything, it's srcds query attacks, uses about as much bandwidth as gametracker. And reporting it to valv

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread ics
The attack I saw didn't raise bandwidth usage, only CPU. Load average went 4-5 times higher than it usually is and cores were more loaded. It also wasn't the same culprit shown here.

-ics

Calvin Judy wrote:
You can solve it with iptables if you're running linux. An upgrade on bandwidth i

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
You can solve it with iptables if you're running linux. An upgrade on bandwidth isn't going to do anything, it's srcds query attacks, uses about as much bandwidth as gametracker. And reporting it to valve probably isn't going to work unless there's some strong evidence to prove he's doing it.

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread N-Gon
Right officials won't do a thing since he hasn't caused thousands in damage. If anything, get his IP address, everyone who's been attacked by him gather all their proof, and report him to his ISP.

On Mon, Sep 2, 2013 at 1:19 PM, ElitePowered . wrote:
> How about you report his ip to the right of

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Michael's issue has been solved with iptables rules. I still recommend you load a linux vm on your windows server and do the same.

- Original Message -
From: "Violent Crimes"
To:
Sent: Monday, September 02, 2013 12:26 PM
Subject: Re: [hlds_linux] NET_GetLong attacks

Hey I know who

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread ElitePowered .
How about you report his IP to the right officials. That'll do a much better job than a steam id. It'll take a while to process but he'll be dealt with. For now, I think a lot of us are being affected by this attack. And it's more than 1 person. I'm seeing IPs from many places. Best solution is to r

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Violent Crimes
Hey I know who is attacking you, it's the same guy who is attacking me.
http://bans.blackoutgaming.org/index.php?p=banlist&advSearch=STEAM_0:1:43055663&advType=steamid
STEAM_0:1:43055663

On 9/2/2013 7:25 AM, Michael Johansen wrote:
Blocked those and the attack still persists.
From: evo...@

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Michael Johansen
Blocked those and the attack still persists.

> From: evo...@gmail.com
> To: hlds_linux@list.valvesoftware.com
> Date: Mon, 2 Sep 2013 07:14:43 -0400
> Subject: Re: [hlds_linux] NET_GetLong attacks
>
> Okay, the number you provided (53) is the size of the string, the entire
> packet size is eith

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Okay, the number you provided (53) is the size of the string, the entire packet size is either 60 or 67 depending on the query. (there's 2 queries that are repeating.) Try these rules:

iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
iptables -A INPUT -p udp --dport 27135 -m

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Michael Johansen
http://replays.blackoutgaming.org/attack1.cap
This is from an attack. You should be able to open it using WireShark.

> From: evo...@gmail.com
> To: hlds_linux@list.valvesoftware.com
> Date: Mon, 2 Sep 2013 06:44:46 -0400
> Subject: Re: [hlds_linux] NET_GetLong attacks
>
> Post the tcpdump so we

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Post the tcpdump so we can look at it.

- Original Message -
From: "Michael Johansen"
To: "Half-Life dedicated Linux server mailing list"
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks

I tried that too, and the servers stopped showing in both

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Michael Johansen
I tried that too, and the servers stopped showing in both server browser and SourceBans. It looks like the only way to stop this is with a plugin or extension on the servers.

> From: evo...@gmail.com
> To: hlds_linux@list.valvesoftware.com
> Date: Mon, 2 Sep 2013 06:35:04 -0400
> Subject: Re: [h

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Modify the packet size in the rule I gave you to match what tcpdump is showing then, see if that works.

- Original Message -
From: "Michael Johansen"
To: "Half-Life dedicated Linux server mailing list"
Sent: Monday, September 02, 2013 6:32 AM
Subject: Re: [hlds_linux] NET_GetLong a

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Michael Johansen
I don't know how SRCDS finds that range, but tcpdump claims the packet is 53 bytes. And I'll have to take back what I said that the server lag was gone - it still lags badly whenever the attack hits. The cache takes quite a bit of it, but it still lags.

> From: evo...@gmail.com
> To: hlds_linux@

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Rate limiting the a2s queries will still make the server appear offline, if you read your log that you posted, it gives you the size, and the acceptable size, you should be able to tailor a rule to fit your needs.

Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Marco Padovan
If you run a tcpdump and upload it somewhere we can see the exact content... you can ratelimit A2S queries using hashlimit but that can affect new players connections. Seeing your log it looks like a spoofed attack... double check the TTL... generally spoofed packets are easily detected due to th

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Michael Johansen
I've tried that, and it doesn't work. For now the solution is to run Query Cache to make the server playable, it will still disappear from the serverbrowser though. Is there a solution to that? Somehow rate-limiting A2S queries?

> From: evo...@gmail.com
> To: hlds_linux@list.valvesoftware.com
>

Re: [hlds_linux] NET_GetLong attacks

2013-09-02 Thread Calvin Judy
Yes, it was mentioned on the other thread titled "steam server ports."
http://forums.alliedmods.net/showthread.php?t=151551
The 4th section from the top is dealing with attacks like this.

- Original Message -
From: "Michael Johansen"
To: "Half-Life dedicated Linux server mailing list"