If you're seeing packets from port 28960, you're most likely seeing a reflected query DDoS that is coming from CoDx servers (you can tell for certain by looking at the contents of captured packets -- look for the string 'statusResponse') -- not a direct query/connection flood, and likely not spoofed. You can safely block traffic from port 28960, or do a more thorough filter to block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John
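One way to run the check described in the reply above, added here as an example and not part of the original emails. It tallies source ports from "rejecting ip:port" log lines in the format quoted in this thread, then confirms reflection by looking for `statusResponse` after the Quake 3 engine out-of-band prefix in captured UDP payloads. The function names, the 90% threshold and the sample input are assumptions constructed for illustration.

```python
import re
from collections import Counter

# "rejecting <ip>:<port>" as it appears in the server log quoted in this thread.
REJECT_RE = re.compile(r"rejecting (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
OOB = b"\xff\xff\xff\xff"  # Quake 3 engine connectionless-packet prefix


def is_status_response(payload: bytes) -> bool:
    """True for a query reply: OOB prefix followed by 'statusResponse'."""
    return payload.startswith(OOB + b"statusResponse")


def assess(log_text: str, payloads: list, min_share: float = 0.9) -> dict:
    """Classify a flood from rejected-source log lines plus captured UDP payloads."""
    hits = [(ip, int(port)) for ip, port in REJECT_RE.findall(log_text)]
    if not hits:
        return {"verdict": "no-data", "port": None, "sources": 0, "rule": None}
    port, count = Counter(p for _, p in hits).most_common(1)[0]
    sources = len({ip for ip, p in hits if p == port})
    if count / len(hits) < min_share:
        verdict = "mixed-ports"            # no single source port dominates
    elif any(is_status_response(p) for p in payloads):
        verdict = "reflection-confirmed"   # payload check from the reply above
    else:
        verdict = "reflection-suspected"   # port pattern only, payload unverified
    # Same rule shape as in the reply; emitted only once payloads confirm it.
    rule = (f"iptables -I INPUT -p udp --sport {port} -j DROP"
            if verdict == "reflection-confirmed" else None)
    return {"verdict": verdict, "port": port, "sources": sources, "rule": rule}


# Constructed sample input (documentation-range addresses, not from the thread).
SAMPLE_LOG = (
    "IP rate limit under distributed packet load (1205 buckets, 15001 global "
    "count), rejecting 192.0.2.10:28960. "
    "IP rate limit under distributed packet load (1210 buckets, 15001 global "
    "count), rejecting 198.51.100.7:28960. "
    "IP rate limit under distributed packet load (1152 buckets, 15001 global "
    "count), rejecting 203.0.113.25:28960."
)
SAMPLE_PAYLOADS = [
    OOB + b"statusResponse\n\\sv_hostname\\constructed-example\\mapname\\mp_test\n",
    OOB + b"TSource Engine Query\x00",  # an ordinary Source info query, for contrast
]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, SAMPLE_PAYLOADS))
```
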

On 3/23/2017 2:33 PM, Mathias wrote:
Thanks John.

Could you guide/send me the Iptables?

My server is on port 27115 and the attack comes in on port 28960 - But it won't work to block the port (have tried)

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

2017-03-23 22:27 GMT+01:00 John <lists.va...@nuclearfallout.net>:

    On 3/23/2017 1:34 PM, Mathias wrote:

        My server's getting flooded with a VSE DDoS attack. My server has
        DDoS protection but it won't take it. Any other DDoS attack
        it does take, so what can I do? I'm on Linux Ubuntu 16.04.

        Here is server logs - http://pastebin.com/Q2dbcEMt

        I also got how the script works (VSE DDoS Attack) - Found on a
        forum via Google

        Any idea to stop it with Iptables? Packet limit?


    The term "VSE" ("Valve Source Exploit") that the attackers like to
    use is a misnomer because there isn't an exploit involved. These
    attacks just flood a server with spoofed queries and/or connection
    attempts from random sources, and Source can't handle the volume.

    Currently the most effective general-purpose way to deal with
    these is to whitelist real player IPs and rate-limit queries and
    connection attempts from all other sources (down to around
    1000/s). This can be done with iptables using a combination of the
    ipset, hashlimit, and bpf/u32/string modules.

    Ideally, the game would be redesigned to use TCP for queries and
    the very first part of the connection, offloading the
    first-contact tasks to the OS, which has established methods for
    combating high-rate spoofed TCP SYN floods. Internally, it could
    then straight drop all UDP packets that don't correspond to a
    currently connected player.

    -John

    _______________________________________________
    Csgo_servers mailing list
    Csgo_servers@list.valvesoftware.com
    <mailto:Csgo_servers@list.valvesoftware.com>
    https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
    <https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers>



