Re: [hlds_linux] tf2 ddos - again - please do something
Most of the attacks directed at my server are exactly 30 seconds long and designed to freeze the server long enough to drop all players. This attack seems to be no longer effective on my server due to filtering and limiting the amount of packets/sec.

Yesterday the season finals of ETF2L were played and the first gameservers were attacked and brought down. For some reason my servers were able to withstand the attack, but I'm not sure why since at least one of the gameservers that was attacked earlier uses similar protection. During the match both the relays and gameservers kept getting attacked but the firewall was effective in keeping the server safe this time.

This is the current (ruby) script I use to generate the firewall rules and set up 'querycache' to deal with A2S_INFO floods.
https://github.com/Arie/tf2scripts/blob/master/rate-limit-iptables-querycache.rb

About a week ago Ronny of nice-servers.com and I contacted Robin Walker about the DoS attacks we were seeing then. These were the A2S_INFO/A2S_PLAYER/A2S_RULES attacks.

Hi guys. Our dedicated server folks are now fully up-to-speed on the issue, and hope to get to it soon. Robin.

Recently we've been seeing attacks using udp packets starting with ff, but unlike a normal A2S packet like ff54, these ones had random numbers after. An orangebox server seems to invest some CPU time in any packet starting with ff. Below is a log of a 30-second attack.

Jan 20 22:17:50 FLOOD 27025 SRC=68.180.244.207 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35101 CE PROTO=UDP SPT=2925 DPT=27025 LEN=33
SNIP-
Jan 20 22:18:19 FLOOD 27025 SRC=159.142.163.232 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35537 CE PROTO=UDP SPT=60706 DPT=27025 LEN=33

On 25 January 2011 08:58, gamead...@127001.org wrote:
> Our servers aren't CRASHING, but they're freezing for the 30 seconds long enough to drop every single player
>
> -Original Message-
> From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
> Sent: 24 January 2011 23:33
> To: hlds_linux@list.valvesoftware.com
> Subject: [hlds_linux] tf2 ddos - again - please do something
>
> Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
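Added example, not part of the original post or of Arie's script: a Ruby scanner that finds bursts like the 30-second one logged above in netfilter LOG lines of the same layout, and reports how long each burst lasted and how many distinct sources it used. The `year` argument, the 50 packets/sec threshold, the function names and the sample log (documentation addresses) are assumptions.

```ruby
require 'time'
require 'set'

# Netfilter LOG line layout as quoted in the thread.
LINE = /\A(\w{3} +\d+ [\d:]{8}) FLOOD \d+ SRC=(\S+) .*PROTO=UDP SPT=\d+ DPT=(\d+)/

# Syslog omits the year, so the caller supplies it (assumption: clock in UTC).
def parse_line(line, year)
  m = LINE.match(line) or return nil
  t = Time.strptime("#{year} #{m[1]} +0000", '%Y %b %d %H:%M:%S %z').to_i
  { time: t, src: m[2], dpt: m[3].to_i }
end

# A burst is a run of seconds on one destination port with at least min_pps
# logged packets each; runs separated by more than max_gap seconds are split.
def find_bursts(lines, year:, min_pps: 50, max_gap: 1)
  per_sec = Hash.new { |h, k| h[k] = { count: 0, srcs: Set.new } }
  lines.each do |l|
    pkt = parse_line(l, year) or next
    slot = per_sec[[pkt[:dpt], pkt[:time]]]
    slot[:count] += 1
    slot[:srcs] << pkt[:src]
  end
  hot = per_sec.select { |_, v| v[:count] >= min_pps }.sort_by { |k, _| k }
  bursts = []
  hot.each do |(dpt, sec), v|
    b = bursts.last
    if b && b[:dpt] == dpt && sec - b[:last] <= max_gap + 1
      b[:last] = sec
      b[:packets] += v[:count]
      b[:srcs].merge(v[:srcs])
    else
      bursts << { dpt: dpt, first: sec, last: sec, packets: v[:count], srcs: v[:srcs].dup }
    end
  end
  bursts.map { |b| { dpt: b[:dpt], seconds: b[:last] - b[:first] + 1, packets: b[:packets], sources: b[:srcs].size } }
end

# Constructed sample: 30 s at 60 pps from rotating sources on port 27025,
# plus a 1 pps trickle from one host on port 27015 that must not alert.
def sample_log
  base = Time.utc(2011, 1, 20, 22, 17, 50)
  line = lambda do |sec, src, port|
    "#{(base + sec).strftime('%b %d %H:%M:%S')} FLOOD #{port} SRC=#{src} DST=192.0.2.10 " \
      "LEN=53 TOS=00 PREC=0x00 TTL=61 ID=1 CE PROTO=UDP SPT=4000 DPT=#{port} LEN=33"
  end
  flood = (0...1800).map { |n| line.call(n / 60, "198.51.100.#{n % 250 + 1}", 27025) }
  flood + (0...60).map { |s| line.call(s, '203.0.113.7', 27015) }
end
```

When a burst reports many distinct sources, a per-source limit rarely triggers, so the packets/sec cap has to be applied per destination port.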
Re: [hlds_linux] tf2 ddos - again - please do something
Ever notice that when you use the querycache that your server doesn't show in the master server list and if you try to query it with Steam it retrieves no information? HLSW works to query though. Do you have this problem too?

On Tue, Jan 25, 2011 at 5:37 AM, Arie nos...@ariekanarie.nl wrote:
> Most of the attacks directed at my server are exactly 30 seconds long and designed to freeze the server long enough to drop all players. This attack seems to be no longer effective on my server due to filtering and limiting the amount of packets/sec.
>
> Yesterday the season finals of ETF2L were played and the first gameservers were attacked and brought down. For some reason my servers were able to withstand the attack, but I'm not sure why since at least one of the gameservers that was attacked earlier uses similar protection. During the match both the relays and gameservers kept getting attacked but the firewall was effective in keeping the server safe this time.
>
> This is the current (ruby) script I use to generate the firewall rules and set up 'querycache' to deal with A2S_INFO floods.
> https://github.com/Arie/tf2scripts/blob/master/rate-limit-iptables-querycache.rb
>
> About a week ago Ronny of nice-servers.com and I contacted Robin Walker about the DoS attacks we were seeing then. These were the A2S_INFO/A2S_PLAYER/A2S_RULES attacks.
>
> Hi guys. Our dedicated server folks are now fully up-to-speed on the issue, and hope to get to it soon. Robin.
>
> Recently we've been seeing attacks using udp packets starting with ff, but unlike a normal A2S packet like ff54, these ones had random numbers after. An orangebox server seems to invest some CPU time in any packet starting with ff. Below is a log of a 30-second attack.
>
> Jan 20 22:17:50 FLOOD 27025 SRC=68.180.244.207 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35101 CE PROTO=UDP SPT=2925 DPT=27025 LEN=33
> SNIP-
> Jan 20 22:18:19 FLOOD 27025 SRC=159.142.163.232 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35537 CE PROTO=UDP SPT=60706 DPT=27025 LEN=33
>
> On 25 January 2011 08:58, gamead...@127001.org wrote:
> > Our servers aren't CRASHING, but they're freezing for the 30 seconds long enough to drop every single player
> >
> > -Original Message-
> > From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
> > Sent: 24 January 2011 23:33
> > To: hlds_linux@list.valvesoftware.com
> > Subject: [hlds_linux] tf2 ddos - again - please do something
> >
> > Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?
Re: [hlds_linux] tf2 ddos - again - please do something
What about this one: http://code.google.com/p/querycache/ ? (it reports the server as public even if it's private)

PS: thanks Arie ;) extended the filtering to all those other packets :)

On 25/01/2011 15:14, Chris wrote:
> Ever notice that when you use the querycache that your server doesn't show in the master server list and if you try to query it with Steam it retrieves no information? HLSW works to query though. Do you have this problem too?
>
> On Tue, Jan 25, 2011 at 5:37 AM, Arie nos...@ariekanarie.nl wrote:
> > Most of the attacks directed at my server are exactly 30 seconds long and designed to freeze the server long enough to drop all players. This attack seems to be no longer effective on my server due to filtering and limiting the amount of packets/sec.
> >
> > Yesterday the season finals of ETF2L were played and the first gameservers were attacked and brought down. For some reason my servers were able to withstand the attack, but I'm not sure why since at least one of the gameservers that was attacked earlier uses similar protection. During the match both the relays and gameservers kept getting attacked but the firewall was effective in keeping the server safe this time.
> >
> > This is the current (ruby) script I use to generate the firewall rules and set up 'querycache' to deal with A2S_INFO floods.
> > https://github.com/Arie/tf2scripts/blob/master/rate-limit-iptables-querycache.rb
> >
> > About a week ago Ronny of nice-servers.com and I contacted Robin Walker about the DoS attacks we were seeing then. These were the A2S_INFO/A2S_PLAYER/A2S_RULES attacks.
> >
> > Hi guys. Our dedicated server folks are now fully up-to-speed on the issue, and hope to get to it soon. Robin.
> >
> > Recently we've been seeing attacks using udp packets starting with ff, but unlike a normal A2S packet like ff54, these ones had random numbers after. An orangebox server seems to invest some CPU time in any packet starting with ff. Below is a log of a 30-second attack.
> >
> > Jan 20 22:17:50 FLOOD 27025 SRC=68.180.244.207 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35101 CE PROTO=UDP SPT=2925 DPT=27025 LEN=33
> > SNIP-
> > Jan 20 22:18:19 FLOOD 27025 SRC=159.142.163.232 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35537 CE PROTO=UDP SPT=60706 DPT=27025 LEN=33
> >
> > On 25 January 2011 08:58, gamead...@127001.org wrote:
> > > Our servers aren't CRASHING, but they're freezing for the 30 seconds long enough to drop every single player
> > >
> > > -Original Message-
> > > From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
> > > Sent: 24 January 2011 23:33
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: [hlds_linux] tf2 ddos - again - please do something
> > >
> > > Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?
Re: [hlds_linux] tf2 ddos - again - please do something
I thought I was the only one suffering from the 30-second client drop attacks. This has been happening for about a month now (The 30-second attacks, it's no longer constant like it was before), hopefully something is done about it soon.

Kyle.

On Tue, Jan 25, 2011 at 2:37 AM, Arie nos...@ariekanarie.nl wrote:
> Most of the attacks directed at my server are exactly 30 seconds long and designed to freeze the server long enough to drop all players. This attack seems to be no longer effective on my server due to filtering and limiting the amount of packets/sec.
>
> Yesterday the season finals of ETF2L were played and the first gameservers were attacked and brought down. For some reason my servers were able to withstand the attack, but I'm not sure why since at least one of the gameservers that was attacked earlier uses similar protection. During the match both the relays and gameservers kept getting attacked but the firewall was effective in keeping the server safe this time.
>
> This is the current (ruby) script I use to generate the firewall rules and set up 'querycache' to deal with A2S_INFO floods.
> https://github.com/Arie/tf2scripts/blob/master/rate-limit-iptables-querycache.rb
>
> About a week ago Ronny of nice-servers.com and I contacted Robin Walker about the DoS attacks we were seeing then. These were the A2S_INFO/A2S_PLAYER/A2S_RULES attacks.
>
> Hi guys. Our dedicated server folks are now fully up-to-speed on the issue, and hope to get to it soon. Robin.
>
> Recently we've been seeing attacks using udp packets starting with ff, but unlike a normal A2S packet like ff54, these ones had random numbers after. An orangebox server seems to invest some CPU time in any packet starting with ff. Below is a log of a 30-second attack.
>
> Jan 20 22:17:50 FLOOD 27025 SRC=68.180.244.207 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35101 CE PROTO=UDP SPT=2925 DPT=27025 LEN=33
> SNIP-
> Jan 20 22:18:19 FLOOD 27025 SRC=159.142.163.232 DST=80.84.250.224 LEN=53 TOS=00 PREC=0x00 TTL=61 ID=35537 CE PROTO=UDP SPT=60706 DPT=27025 LEN=33
>
> On 25 January 2011 08:58, gamead...@127001.org wrote:
> > Our servers aren't CRASHING, but they're freezing for the 30 seconds long enough to drop every single player
> >
> > -Original Message-
> > From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
> > Sent: 24 January 2011 23:33
> > To: hlds_linux@list.valvesoftware.com
> > Subject: [hlds_linux] tf2 ddos - again - please do something
> >
> > Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?
[hlds_linux] tf2 ddos - again - please do something
Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?
Re: [hlds_linux] tf2 ddos - again - please do something
Our servers aren't CRASHING, but they're freezing for the 30 seconds long enough to drop every single player

-Original Message-
From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
Sent: 24 January 2011 23:33
To: hlds_linux@list.valvesoftware.com
Subject: [hlds_linux] tf2 ddos - again - please do something

Looks like there's another kind of crafted packet around flooding tf2 servers and crashing them... how does this new pattern look like?