Re: [hlds_linux] CSS Server flooding or attack?

2011-01-28 Thread Harry Strongburg
On Fri, Jan 28, 2011 at 04:27:21PM +1030, PryMaL wrote:
> They've got something in the region of 300 megabit at their disposal...
> not too many single sources (outside data centers) have that kind of
> bandwidth.
> So my guess still lies at DDoS
> Today's update seems to have helped a bit.

Are you implying that it's hard or expensive to get a 300Mbit+ box? Any 
skid could easily get that for less than 40 Euro. I doubt someone would 
use a botnet for attacking a server with the bug, instead of doing 
trivial UDP spoofing on a single box. :)

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux


Re: [hlds_linux] CSS Server flooding or attack?

2011-01-28 Thread PryMaL

On 28/01/2011 10:48 PM, Harry Strongburg wrote:

> Are you implying that it's hard or expensive to get a 300Mbit+ box? Any
> skid could easily get that for less than 40 Euro. I doubt someone would
> use a botnet for attacking a server with the bug, instead of doing
> trivial UDP spoofing on a single box. :)

Anything more than a 100mb connection is difficult to obtain let alone 
expensive in Australia.
I guess I'm still in the mindset of bandwidth costs $$ thanks to our 
major infrastructure failings.


--
PryMaL

Email: pry...@geekout.info
Twitter: prymal81




Re: [hlds_linux] CSS Server flooding or attack?

2011-01-28 Thread frostschutz
On Fri, Jan 28, 2011 at 11:01:56PM +1030, PryMaL wrote:
> anything more than a 100mb connection is difficult to obtain let alone 
> expensive in Australia.

It's less than 100 euro per month in ... Europe.

However that doesn't mean you can use it for attacks. You can try but 
it will be a rather short lived fun. Your server will be shut down 
with the first abuse report or even before that.

It's easier to write a small Windows program and upload it somewhere, 
you wouldn't believe the number of idiots who download and execute 
.exe files that do funny things... put it on 4chan with an unrelated 
image next to it and you have a botnet with a million clients.

Bandwidth: unlimited
Price: free

That's unfortunately pretty much how it works...

Regards
frostschutz



Re: [hlds_linux] CSS Server flooding or attack?

2011-01-28 Thread Simon Gunton
You will find that it will be ordered through some kiddy host offering 
gig ports and then paid for with a bent credit card will use it for a 
week till it gets yanked and by which time they are long gone.

Also if they have spoofed the IP then unlikely anyone can submit an abuse 
report about it to the right people.


Simon
Simon Gunton
Support Analyst
INX-Gaming.com
Phone: 01733 687699
EMail: si...@inx-gaming.co.uk

Support: http://support.inx-network.com/
This e-mail and any attachments are confidential. If you are not the 
intended recipient, please contact the sender. Please then delete the 
email and do not disclose the contents to anyone.


Any views or opinions presented in this email or its attachments are 
solely those of the author and do not necessarily represent those of 
INX-Network Limited


On 28/01/2011 12:53, frostschutz wrote:

> On Fri, Jan 28, 2011 at 11:01:56PM +1030, PryMaL wrote:
>
> > anything more than a 100mb connection is difficult to obtain let alone
> > expensive in Australia.
>
> It's less than 100 euro per month in ... Europe.
>
> However that doesn't mean you can use it for attacks. You can try but
> it will be a rather short lived fun. Your server will be shut down
> with the first abuse report or even before that.
>
> It's easier to write a small Windows program and upload it somewhere,
> you wouldn't believe the number of idiots who download and execute
> .exe files that do funny things... put it on 4chan with an unrelated
> image next to it and you have a botnet with a million clients.
>
> Bandwidth: unlimited
> Price: free
>
> That's unfortunately pretty much how it works...
>
> Regards
> frostschutz



Re: [hlds_linux] CSS Server flooding or attack?

2011-01-28 Thread Marco Padovan

there are big attacks (gbit?) dos coming from gameservers hosters too...

People exploiting Q3 based games and hoster letting them abuse their 
hosted services... (http://www.lemuria.org/security/application-drdos.html)

Unfortunately it's not just kids with gbit ports :(

On 28/01/2011 14:04, Simon Gunton wrote:
> You will find that it will be ordered through some kiddy host offering 
> gig ports and then paid for with a bent credit card will use it for a 
> week till it gets yanked and by which time they are long gone.
>
> Also if they have spoofed the IP then unlikely anyone can submit an 
> abuse report about it to the right people.
>
> Simon
> Simon Gunton
> Support Analyst
> INX-Gaming.com
> Phone: 01733 687699
> EMail: si...@inx-gaming.co.uk
>
> Support: http://support.inx-network.com/
> This e-mail and any attachments are confidential. If you are not the 
> intended recipient, please contact the sender. Please then delete the 
> email and do not disclose the contents to anyone.
>
> Any views or opinions presented in this email or its attachments are 
> solely those of the author and do not necessarily represent those of 
> INX-Network Limited
>
> On 28/01/2011 12:53, frostschutz wrote:
>
> > On Fri, Jan 28, 2011 at 11:01:56PM +1030, PryMaL wrote:
> >
> > > anything more than a 100mb connection is difficult to obtain let alone
> > > expensive in Australia.
> >
> > It's less than 100 euro per month in ... Europe.
> >
> > However that doesn't mean you can use it for attacks. You can try but
> > it will be a rather short lived fun. Your server will be shut down
> > with the first abuse report or even before that.
> >
> > It's easier to write a small Windows program and upload it somewhere,
> > you wouldn't believe the number of idiots who download and execute
> > .exe files that do funny things... put it on 4chan with an unrelated
> > image next to it and you have a botnet with a million clients.
> >
> > Bandwidth: unlimited
> > Price: free
> >
> > That's unfortunately pretty much how it works...
> >
> > Regards
> > frostschutz



Re: [hlds_linux] CSS Server flooding or attack?

2011-01-27 Thread Arie
These recent attacks all work by overloading the server with UDP packets.
Most effective are the A2S_INFO and similar attacks using valid packets.
It's very cheap in terms of CPU and bandwidth to craft a packet that asks a
gameserver for its information. It takes a number of times more CPU power
to generate the response.
It only takes a simple connection with about 3Mbit upstream to take down any
OrangeBox gameserver.

The A2S_INFO attack has been known for quite a while, and that's why
querycache was developed. This caches the response to A2S_INFO, so only one
A2S_INFO request will hit the gameserver, the rest will be served from
cache.

Because querycache was very effective in blocking the A2S_INFO attacks, the
attackers switched the kind of packet they used and started sending
A2S_PLAYER and other valid A2S_ packets.
After writing a firewall script specifically limiting these known A2S
packets, the attackers changed their tactic again, and started using invalid
A2S packets. They're similar to A2S packets, as they start with ff, but
are followed by a random number instead of one of the known ones.
The gameserver still spends time working on these invalid packets, causing
the lag.

The only effective solution I know of is rate-limiting the amount of ff
packets that get to your server. We've experimented with a few values and
found a limit of 60/sec has no side-effects and can withstand the DoS
attacks.

Also, these attacks seem to be semi-automated. Attacking passworded servers
with players on it. If you're not running a public server you can set
hide_server 1 in your server.cfg to not be shown on the master server
list. This is effective unless something knows your server ip:port and
attacks it manually.



On 27 January 2011 07:44, Rodrigo Peña <yo@korrupzion.com> wrote:

> Hello,
>
> Many server admins are reporting to have their servers attacked. There are
> several methods used to attack srcds servers:
>
> - UDP Flood: A specially crafted packet could make pings rise in the
> server. Search SRCDS DoS Fix in google, I don't remember the exact names
> now, but I currently use one from sourceop.com
>
> - A2S Queries flood: an A2S Query UDP packet with random source ip is
> flooded making the server freeze for not being able to handle that large
> amount of queries. This attack must be done with a high bandwidth connection
> (not sure). This can be partially fixed using 'A2S Query Cache' or IPTables
>
> I suggest you look at the similar threads in this mailing list
>
> -Rodrigo
>
> On 27-01-2011 3:24, PryMaL wrote:
>
> > Afternoon (at least for me it is at the moment) all,
> >
> > We've had some issues on CSS servers the last 2 days with what appears to
> > be targeted attacks (i.e. DDoS) on our servers.  Approximately the same time,
> > for a few minutes and the attack is based on the IP.
> >
> > Just wondering if anyone's aware of anything that may be causing this from
> > the game server side?  or if we're actually being attacked...
> > I suspect/believe the latter.

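Arie's message above describes the mitigation as rate-limiting the ff-prefixed query packets to about 60 per second. The sketch below is an added illustration, not code from the thread or from querycache: it assumes the four-byte 0xFF connectionless header and query type bytes of Valve's server query protocol, and simulates one global token bucket over a constructed packet stream.

```python
# Connectionless Source-engine packets begin with four 0xFF bytes; the next
# byte selects the query type (values from Valve's server query protocol).
PREFIX = b"\xff\xff\xff\xff"
KNOWN_A2S = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER",
             0x56: "A2S_RULES", 0x57: "A2S_SERVERQUERY_GETCHALLENGE"}


def classify(payload: bytes) -> str:
    """Label a UDP payload: game traffic, a known A2S query, or an invalid one."""
    if not payload.startswith(PREFIX):
        return "game"
    if len(payload) < 5:
        return "invalid"
    return KNOWN_A2S.get(payload[4], "invalid")


class TokenBucket:
    """Allow `rate` packets per second with a burst of `burst` packets."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_stream(packets, rate=60.0, burst=60.0):
    """packets: iterable of (timestamp, payload); returns {class: (passed, dropped)}.
    One global bucket: spoofed source IPs make per-source limits meaningless."""
    bucket = TokenBucket(rate, burst)
    stats = {}
    for ts, payload in packets:
        kind = classify(payload)
        ok = kind == "game" or bucket.allow(ts)  # only query packets are limited
        passed, dropped = stats.get(kind, (0, 0))
        stats[kind] = (passed + ok, dropped + (not ok))
    return stats


def constructed_flood():
    """Constructed sample: 1 s of 3000 pps invalid queries plus 30 game packets."""
    flood = [(i / 3000, PREFIX + bytes([0x99]) + b"x") for i in range(3000)]
    game = [(i / 30, b"\x01\x02game-data") for i in range(30)]
    return sorted(flood + game)
```

Calling `filter_stream(constructed_flood())` shows the flood capped near the configured rate while game packets pass untouched; legitimate queries share the same bucket, which is the trade-off of a global limit.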


Re: [hlds_linux] CSS Server flooding or attack?

2011-01-27 Thread PryMaL

On 27/01/2011 8:25 PM, Arie wrote:

> These recent attacks all work by overloading the server with UDP packets.
> Most effective are the A2S_INFO and similar attacks using valid packets.
> It's very cheap in terms of CPU and bandwidth to craft a packet that asks a
> gameserver for its information. It takes a number of times more CPU power
> to generate the response.
> It only takes a simple connection with about 3Mbit upstream to take down any
> OrangeBox gameserver.


does this form of attack use the game ports?
or just hammer the IP?

Reason I ask is the attacks appear to be simply hammering many different 
ports and coming from hundreds of IP's simultaneously.  For all I can 
see, it's a DDoS...


--
PryMaL

Email: pry...@geekout.info
Twitter: prymal81




Re: [hlds_linux] CSS Server flooding or attack?

2011-01-27 Thread Arie
Gameserver port.

The attack appearing to come from hundreds of IPs means nothing as it's
trivial to spoof the source IP with UDP.


On 27 January 2011 11:12, PryMaL <pry...@geekout.info> wrote:

> On 27/01/2011 8:25 PM, Arie wrote:
>
> > These recent attacks all work by overloading the server with UDP packets.
> > Most effective are the A2S_INFO and similar attacks using valid packets.
> > It's very cheap in terms of CPU and bandwidth to craft a packet that asks a
> > gameserver for its information. It takes a number of times more CPU power
> > to generate the response.
> > It only takes a simple connection with about 3Mbit upstream to take down any
> > OrangeBox gameserver.
>
> does this form of attack use the game ports?
> or just hammer the IP?
>
> Reason I ask is the attacks appear to be simply hammering many different
> ports and coming from hundreds of IP's simultaneously.  For all I can see,
> it's a DDoS...
>
> --
> PryMaL
>
> Email: pry...@geekout.info
> Twitter: prymal81



Re: [hlds_linux] CSS Server flooding or attack?

2011-01-27 Thread PryMaL

On 27/01/2011 8:48 PM, Arie wrote:

> The attack appearing to come from hundreds of IPs means nothing as it's
> trivial to spoof the source IP with UDP.

They've got something in the region of 300 megabit at their disposal...
not too many single sources (outside data centers) have that kind of 
bandwidth.

So my guess still lies at DDoS
Today's update seems to have helped a bit.

--
PryMaL

email: pry...@geekout.info
twitter: prymal1981




Re: [hlds_linux] CSS Server flooding or attack?

2011-01-26 Thread Rodrigo Peña

Hello,

Many server admins are reporting to have their servers attacked. There 
are several methods used to attack srcds servers:

- UDP Flood: A specially crafted packet could make pings rise in the 
server. Search SRCDS DoS Fix in google, I don't remember the exact names 
now, but I currently use one from sourceop.com

- A2S Queries flood: an A2S Query UDP packet with random source ip is 
flooded making the server freeze for not being able to handle that 
large amount of queries. This attack must be done with a high bandwidth 
connection (not sure). This can be partially fixed using 'A2S Query 
Cache' or IPTables

I suggest you look at the similar threads in this mailing list

-Rodrigo



On 27-01-2011 3:24, PryMaL wrote:

> Afternoon (at least for me it is at the moment) all,
>
> We've had some issues on CSS servers the last 2 days with what appears 
> to be targeted attacks (i.e. DDoS) on our servers.  Approximately the 
> same time, for a few minutes and the attack is based on the IP.
>
> Just wondering if anyone's aware of anything that may be causing this 
> from the game server side?  or if we're actually being attacked...
>
> I suspect/believe the latter.



