Re: [hlds_linux] new kind of ddos / reflect ddos?

2011-03-25 Thread Marco Padovan
Thanks for this clarification. From what I saw there were a lot of servers
all around the world receiving those packets... the source (spoofed) was
down probably due to the reflection...

If it's confirmed 00 isn't a valid challenge I'll filter it out...
___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux


Re: [hlds_linux] new kind of ddos / reflect ddos?

2011-03-25 Thread Marco Padovan
Yep, the server was exactly that one :)


Re: [hlds_linux] new kind of ddos / reflect ddos?

2011-03-24 Thread Marco Padovan
If you happen to be online right now check your current network flow with:

tcpdump -nnvvXS src 64.34.181.243

On Fri, Mar 25, 2011 at 1:31 AM, Marco Padovan evolutioncr...@gmail.com wrote:
 I'm getting a lot of 20-byte requests with this content:

 0x71

 (content: 0x7130 3030 3030 3030 3030 3030 3030 30 = q00)

 They look like some sort of DoS reflect attack (with a low multiplication
 factor).

 They appear as reflection because they look like they come from other Steam
 servers... so those servers get flooded with replies.

 Are you seeing them too? What is FF 71 used for? Why are the orangebox
 servers replying to those requests with a 39-byte packet?




Re: [hlds_linux] new kind of ddos / reflect ddos?

2011-03-24 Thread Tony Paloma
This is the first packet sent to servers by connecting clients. The server
responds with a challenge number and some other info about the server.

However, a client challenge number is supposed to be included with this
packet (before the 0's -- this was a semi-recent change), so I'd guess
you're getting hit with some kind of outdated denial of service tool.

-Original Message-
From: hlds_linux-boun...@list.valvesoftware.com
[mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco
Padovan
Sent: Thursday, March 24, 2011 5:31 PM
To: Half-Life dedicated Linux server mailing list
Subject: [hlds_linux] new kind of ddos / reflect ddos?

I'm getting a lot of 20-byte requests with this content:

0x71

(content: 0x7130 3030 3030 3030 3030 3030 3030 30 = q00)

They look like some sort of DoS reflect attack (with a low multiplication
factor).

They appear as reflection because they look like they come from other Steam
servers... so those servers get flooded with replies.

Are you seeing them too? What is FF 71 used for? Why are the orangebox
servers replying to those requests with a 39-byte packet?
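
The check described in the reply above, as an added example (not part of the thread and not Valve's code): it flags 'q' requests that carry only the run of ASCII zeros with no client challenge in front, and counts them per claimed source. The four 0xFF header bytes, the trailing NUL and the sample addresses are assumptions; the 20- and 39-byte sizes come from the thread.

```python
import collections

# Assumed layout: 4 x 0xFF connectionless header, type byte 0x71 ('q'),
# body, NUL terminator. Only "FF 71" and the q + zeros body are in the thread.
HEADER = b"\xff\xff\xff\xff"
TYPE_Q = 0x71
REQUEST_LEN, REPLY_LEN = 20, 39           # sizes reported in the thread
AMPLIFICATION = REPLY_LEN / REQUEST_LEN   # the "low multiplication factor"

def classify(payload: bytes) -> str:
    """Return 'other', 'q-no-challenge' or 'q-with-challenge'."""
    if len(payload) < 5 or payload[:4] != HEADER or payload[4] != TYPE_Q:
        return "other"
    body = payload[5:].rstrip(b"\x00")
    # Per the thread, a client challenge should precede the zeros. A body made
    # only of ASCII '0' bytes therefore has no challenge. Caveat: a real
    # challenge whose bytes all equal 0x30 would be misread as missing.
    if body and body.strip(b"0") == b"":
        return "q-no-challenge"
    return "q-with-challenge"

def reflection_suspects(packets, threshold=3):
    """packets: iterable of (claimed_src_ip, udp_payload).
    Returns {src: (request_count, reply_bytes_sent_to_src)} for sources that
    reach the threshold; these are likely spoofed victims, not real clients."""
    hits = collections.Counter(
        src for src, payload in packets if classify(payload) == "q-no-challenge"
    )
    return {src: (n, n * REPLY_LEN) for src, n in hits.items() if n >= threshold}

# Constructed sample data (documentation address ranges, not from the thread).
OLD_STYLE = HEADER + b"q" + b"0" * 14 + b"\x00"
WITH_CHALLENGE = HEADER + b"q" + b"\x12\x34\x56\x78" + b"0" * 10 + b"\x00"
SAMPLE = [
    ("198.51.100.7", OLD_STYLE),
    ("198.51.100.7", OLD_STYLE),
    ("203.0.113.9", WITH_CHALLENGE),
    ("198.51.100.7", OLD_STYLE),
    ("203.0.113.9", OLD_STYLE),
]

if __name__ == "__main__":
    for src, (count, sent) in reflection_suspects(SAMPLE).items():
        print(f"{src}: {count} requests without challenge, {sent} reply bytes")
```
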


Re: [hlds_linux] new kind of ddos / reflect ddos?

2011-03-24 Thread bottige...@gmail.com
I am getting these packets too.

The source address appears to be a srcds server, probably spoofed to
cause denial of service.

64.34.181.243:27015

On Thu, Mar 24, 2011 at 8:07 PM, Tony Paloma drunkenf...@hotmail.com wrote:
 This is the first packet sent to servers by connecting clients. The server
 responds with a challenge number and some other info about the server.

 However, a client challenge number is supposed to be included with this
 packet (before the 0's -- this was a semi-recent change), so I'd guess
 you're getting hit with some kind of outdated denial of service tool.

 -Original Message-
 From: hlds_linux-boun...@list.valvesoftware.com
 [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco
 Padovan
 Sent: Thursday, March 24, 2011 5:31 PM
 To: Half-Life dedicated Linux server mailing list
 Subject: [hlds_linux] new kind of ddos / reflect ddos?

 I'm getting a lot of 20-byte requests with this content:

 0x71

 (content: 0x7130 3030 3030 3030 3030 3030 3030 30 = q00)

 They look like some sort of DoS reflect attack (with a low multiplication
 factor).

 They appear as reflection because they look like they come from other Steam
 servers... so those servers get flooded with replies.

 Are you seeing them too? What is FF 71 used for? Why are the orangebox
 servers replying to those requests with a 39-byte packet?