This is an "old" issue, it was being exploited in TF2 years ago too...

Lately (past 4 weeks) I've seen it being frequently used against csgo too
with the ffffffff54 and ffffffffff packets.

NSFOCUS, Arbor and so on do nothing in our case; we had to resort to filtering
those attacks with proper ratelimits by using iptables.

On Sun, Mar 22, 2015 at 8:06 AM, Alberts S <c...@tirlins.com> wrote:

> Hey! By any chance could you share a few .pcap logs?
>
> Best Regards,
> Alberts Saulitis
>
> Kevin Bassi @  wrote:
>
>> Srcds for the longest time has sucked at handling a decent amount of
>> packets per second; it appears to crumble under itself whenever you
>> send a high volume of packets per second. We have an NSFOCUS hardware
>> mitigation setup in Dallas where they're hosted, and the mitigation is
>> doing its job by keeping these machines online during the attack. We
>> never disconnect from the machine, but the target servers on the
>> machine seem to "timeout" even though only about 10mbps of the attack
>> is actually getting through.
>>
>> Here's a detailed post containing some qconnect packet dumps:
>> http://csgodev.com/qconnect-attacks/
>>
>> There's another attack somewhat like the qconnect packet attack that
>> just sends a decent volume of packets that don't contain any
>> information. The problem with blocking these is that the payload is
>> randomly generated, the source port falls within the query port range
>> of srcds, and the source port is randomized. So if we block them, we
>> also prevent anyone from seeing the server, or connecting.
>>
>> None of the integrated features, like the "host_" show players and
>> info parameters, and the allowed packet window, etc. seem to make srcds
>> any more stable during these attacks.
>>
>> Unfortunately I think this is all going to come down to SRCDS just
>> suffering under high packet load, and I do not know how you can fix
>> this. All I can do is provide information on how these attacks enter
>> and disrupt our network, I have ~120 quite large packet dumps from
>> random attacks I'd be more than happy to upload for you guys to
>> inspect.
>>
>> And an unrelated note: steam voice chat needs to go. I can't imagine
>> anyone using it without being in lobbies or something, and this is how
>> a bunch of people are grabbing other people's IP addresses over steam.
>> Since you can call people without even being on their friends list,
>> just by joining a group with them. Just an option to disable voice
>> chat that has to be opted into would be great.
>>
>> If you need any more information to pass along, feel free to let me
>> know.
>>
>> Thank you!
>>
>>
>> _______________________________________________
>> Csgo_servers mailing list
>> Csgo_servers@list.valvesoftware.com
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
>>
>
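
The per-source rate limiting on the ffffffff54 and ffffffffff packets mentioned at the top of this thread, modelled in Python so the accept/drop behaviour can be replayed offline. This is an added example, not the poster's iptables rules; the rate, burst size, class and function names, and sample traffic are all assumptions.

```python
import collections

# Connectionless Source engine packets start with ff ff ff ff; the next byte is
# the type. 0x54 is the A2S_INFO query; ffffffffff is the other prefix named above.
PREFIXES = {bytes.fromhex(p): p for p in ("ffffffff54", "ffffffffff")}

RATE = 5.0    # assumed: tokens refilled per second, per source IP and prefix
BURST = 10.0  # assumed: bucket capacity


def classify(payload):
    """Return the matching prefix label, or None for all other traffic."""
    return PREFIXES.get(payload[:5])


class PrefixRateLimiter:
    """Token bucket keyed on (source IP, prefix); hypothetical helper."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # (src_ip, label) -> (tokens, time last seen)

    def allow(self, src_ip, payload, now):
        label = classify(payload)
        if label is None:
            return True  # game traffic and other packet types are not limited
        tokens, last = self.buckets.get((src_ip, label), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[(src_ip, label)] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def replay(packets, limiter=None):
    """Feed (time, src_ip, payload) tuples through the limiter; count per source."""
    limiter = limiter or PrefixRateLimiter()
    counts = collections.defaultdict(lambda: {"accept": 0, "drop": 0})
    for now, src, payload in packets:
        counts[src]["accept" if limiter.allow(src, payload, now) else "drop"] += 1
    return {src: dict(c) for src, c in counts.items()}


# Constructed sample traffic (documentation addresses, not from a real capture).
A2S_INFO = bytes.fromhex("ffffffff54") + b"Source Engine Query\x00"
SAMPLE = [(i * 0.001, "198.51.100.7", A2S_INFO) for i in range(200)]  # burst
SAMPLE += [(i * 1.0, "203.0.113.9", A2S_INFO) for i in range(5)]      # browser pace
SAMPLE += [(i * 0.001, "203.0.113.9", b"\x00\x01game") for i in range(50)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the bucket is keyed on source address, it does not help when the source is randomized per packet, which is the case described in the quoted message.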