These recent attacks all work by overloading the server with UDP packets.
Most effective are the A2S_INFO and similar attacks using valid packets.
It's very cheap in terms of CPU and bandwidth to craft a packet that asks a
gameserver for its information. It takes a number of times more CPU power
to generate the response.
It only takes a simple connection with about 3Mbit upstream to take down any
OrangeBox gameserver.

The A2S_INFO attack has been known for quite a while, and that's why
querycache was developed. This caches the response to A2S_INFO, so only one
A2S_INFO request will hit the gameserver, the rest will be served from
cache.

Because querycache was very effective in blocking the A2S_INFO attacks, the
attackers switched the kind of packet they used and started sending
A2S_PLAYER and other valid A2S_ packets.
After writing a firewall script specifically limiting these known A2S
packets, the attackers changed their tactic again, and started using invalid
A2S packets. They're similar to A2S packets, as they start with ffffff, but
are followed by a random number instead of one of the known ones.
The gameserver still spends time working on these invalid packets, causing
the lag.

The only effective solution I know of is rate-limiting the amount of ffffff
packets that get to your server. We've experimented with a few values and
found a limit of 60/sec has no side-effects and can withstand the DoS
attacks.

Also, these attacks seem to be semi-automated, attacking passworded servers
with players on them. If you're not running a public server you can set
"hide_server 1" in your server.cfg to not be shown on the master server
list. This is effective unless something knows your server ip:port and
attacks it manually.



On 27 January 2011 07:44, Rodrigo Peña <yo....@korrupzion.com> wrote:

> Hello,
>
> Many server admins are reporting to have their servers attacked. There are
> several methods used to attack srcds servers:
>
> -UDP Flood: A specially crafted packet could make pings rise in the
> server. Search SRCDS DoS Fix in Google, I don't remember the exact names
> now, but I currently use one from sourceop.com
>
> -A2S Queries flood: an A2S Query UDP packet with random source ip is
> flooded making the server freeze for not being able to handle that large
> amount of queries. This attack must be done with a high bandwidth connection
> (not sure). This can be partially fixed using 'A2S Query Cache' or IPTables
>
> I suggest you look at the similar threads in this mailing list
>
> -Rodrigo
>
>
>
> On 27-01-2011 3:24, PryMaL wrote:
>
>> Afternoon (at least for me it is at the moment) all,
>>
>> We've had some issues on CSS servers the last 2 days with what appears to
>> be targeted attacks (i.e. DDoS) on our servers.  Approximately the same time,
>> for a few minutes and the attack is based on the IP.
>>
>> Just wondering if anyone's aware of anything that may be causing this from
>> the game server side?  or if we're actually being attacked...
>> I suspect/believe the latter.
>>
>>
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>
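The progression described in the reply above, as an added Python simulation that is not code from the thread or from any tool it mentions: a single global 60/sec token bucket applied either to known query types only or to every packet carrying the header. Assumptions: the header is the four 0xFF bytes of Source connectionless packets (the post abbreviates it as "ffffff"), the type bytes are 0x54/0x55/0x56, and the burst size and both traffic samples are constructed.

```python
import random

HEADER = b"\xff\xff\xff\xff"        # connectionless header (assumption; the post writes "ffffff")
KNOWN_TYPES = {0x54, 0x55, 0x56}    # A2S_INFO, A2S_PLAYER, A2S_RULES (assumption)
RATE = 60                           # packets/sec, the limit given in the post

class TokenBucket:
    """One global bucket: the thread mentions random source IPs, so per-IP limits do not help."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def by_known_type(pkt):
    """Earlier rule: only packets with a recognised query type are limited."""
    return len(pkt) > 4 and pkt[:4] == HEADER and pkt[4] in KNOWN_TYPES

def by_header(pkt):
    """Rule from the post: anything carrying the header is limited."""
    return pkt[:4] == HEADER

def simulate(match, packets):
    """Count packets from [(time, bytes), ...] that reach the game server."""
    bucket = TokenBucket(RATE, RATE)  # burst of one second's worth (assumption)
    return sum(1 for now, pkt in packets if not match(pkt) or bucket.allow(now))

def constructed_flood(seconds=5, pps=5000, seed=1):
    """Constructed traffic: valid header followed by a random unknown type byte."""
    rng = random.Random(seed)
    unknown = [b for b in range(256) if b not in KNOWN_TYPES]
    return [(i / pps, HEADER + bytes([rng.choice(unknown)]))
            for i in range(seconds * pps)]

def constructed_browsers(seconds=5, pps=20):
    """Constructed traffic: ordinary A2S_INFO queries at a modest rate."""
    return [(i / pps, HEADER + b"\x54Source Engine Query\x00")
            for i in range(seconds * pps)]

if __name__ == "__main__":
    flood = constructed_flood()
    print("flood, limit by known type:", simulate(by_known_type, flood))
    print("flood, limit by header:    ", simulate(by_header, flood))
    print("browsers, limit by header: ", simulate(by_header, constructed_browsers()))
```

The type-based rule lets the whole flood through because none of the packets match a known type, while the header-based rule caps it near 60/sec and still passes the modest browser traffic untouched.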