Hi, are you the Mike on WHT?
I was the one replying in there :D

On 27/11/2012 13.54, Michael Johansen wrote:
> My face when, I just analyzed my own tcpdump and I had over ~150 Mbit/s
> traffic on UDP, whereas my SYN stood for about 50k pps.
>> From: sai...@specialattack.net
>> To: hlds_linux@list.valvesoftware.com
>> Date: Tue, 27 Nov 2012 11:29:01 +0100
>> Subject: Re: [hlds_linux] Incoming DoS attack
>>
>> We have no control over the upstream network. All I can do is filter the
>> packets at the machine, but that wouldn't prevent the link from still being
>> overloaded.
>>
>> Currently a null-route is in place to stop the attack at the network border.
>>
>> Saint K.
>> ________________________________________
>> From: hlds_linux-boun...@list.valvesoftware.com
>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen
>> [michs...@live.no]
>> Sent: 27 November 2012 11:26
>> To: hlds_linux@list.valvesoftware.com
>> Subject: Re: [hlds_linux] Incoming DoS attack
>>
>> Just took a look at the tcpdump, doesn't look like the attacks I'm having. I
>> may be stupid now, but wouldn't it work just by blocking packets with the
>> size of 50?
>>
>>> From: sai...@specialattack.net
>>> To: hlds_linux@list.valvesoftware.com
>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>
>>> The IPs in the dump originate from China, but as it's UDP it could very
>>> well be spoofed.
>>>
>>> Looking at the payload in the packets, each new packet only has 1 character
>>> change from the previous packet.
>>>
>>> Bruteforce, or perhaps signature scanning evasion?
>>>
>>> Saint K.
>>> ________________________________________
>>> From: hlds_linux-boun...@list.valvesoftware.com
>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen
>>> [michs...@live.no]
>>> Sent: 27 November 2012 11:15
>>> To: hlds_linux@list.valvesoftware.com
>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>
>>> I haven't looked at the tcpdump, but I have been getting attacks too,
>>> they're SYN floods, 300 - 400 mbps in size and always coming from
>>> local/reserved (0.x) IPs. All started some time after we set up our mvm
>>> servers.
>>>> From: sai...@specialattack.net
>>>> To: hlds_linux@list.valvesoftware.com
>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
>>>> Subject: [hlds_linux] Incoming DoS attack
>>>>
>>>> Hi,
>>>>
>>>> We've been having DoS attacks aimed at one of our MvM servers.
>>>>
>>>> Anyone have any idea what they're attempting to do here? Is it just to
>>>> make the server unreachable, or are they actually trying to exploit srcds
>>>> somehow?
>>>>
>>>> Here's a tcpdump made for about 30 seconds during the attack (which is
>>>> still ongoing);
>>>>
>>>> http://www.specialattack.net/downloads/dump.rar
>>>>
>>>> Saint K.
>>>> _______________________________________________
>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>> please visit:
>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
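An added example, not part of the original thread: a Python sketch that profiles UDP payloads for the two traits raised above (one packet size dominating, and consecutive packets differing by a single byte) and reports which byte offsets never change and could anchor a filter. The payloads, the reading of "size of 50" as payload length, and all function names are constructed assumptions; the thread's dump is not used.

```python
from collections import Counter


def byte_diff(a: bytes, b: bytes) -> int:
    """Count differing byte positions between two equal-length payloads."""
    return sum(x != y for x, y in zip(a, b))


def profile_payloads(payloads):
    """Profile UDP payloads given in arrival order.

    Returns the dominant payload length, its share of all datagrams, the
    fraction of consecutive same-length pairs that differ in exactly one
    byte, and the offsets whose value never changes within that length.
    """
    sizes = Counter(len(p) for p in payloads)
    size, count = sizes.most_common(1)[0]
    same = [p for p in payloads if len(p) == size]
    pairs = list(zip(same, same[1:]))
    one_byte = sum(1 for a, b in pairs if byte_diff(a, b) == 1)
    stable = [i for i in range(size) if len({p[i] for p in same}) == 1]
    return {
        "dominant_len": size,
        "share": count / len(payloads),
        "one_byte_step_ratio": one_byte / len(pairs) if pairs else 0.0,
        "stable_offsets": stable,
    }


def constructed_sample(n=20):
    """Constructed data (not from the thread's dump): n 50-byte payloads, each
    differing from the previous one in a single byte, plus two unrelated
    shorter datagrams mixed in."""
    buf = bytearray(b"X" * 50)
    flood = []
    for i in range(n):
        flood.append(bytes(buf))
        buf[46 + i % 4] = 0x61 + i // 4  # mutate exactly one trailing byte
    other = b"\xff\xff\xff\xffTSource Engine Query\x00"
    return flood[:7] + [other] + flood[7:15] + [other] + flood[15:]


if __name__ == "__main__":
    report = profile_payloads(constructed_sample())
    print(report["dominant_len"], round(report["share"], 2),
          report["one_byte_step_ratio"], len(report["stable_offsets"]))
```

A high one-byte-step ratio combined with a long run of stable offsets means a full-payload signature will miss each new packet while a match on the constant bytes or on the length will not. As noted in the thread, such host-side matching does not relieve an overloaded link.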