Hi,

You should rate-limit that traffic.

On Thu, Mar 23, 2017 at 10:44 PM, John <lists.va...@nuclearfallout.net>
wrote:

> If you're seeing packets from port 28960, you're most likely seeing a
> reflected query DDoS that is coming from CoDx servers (you can tell for
> certain by looking at the contents of captured packets -- look for the
> string 'statusResponse') -- not a direct query/connection flood, and likely
> not spoofed. You can safely block traffic from port 28960, or do a more
> thorough filter to block that traffic. This is an example rule to just
> block the port.
>
> iptables -I INPUT -p udp --sport 28960 -j DROP
>
> -John
>
>
> On 3/23/2017 2:33 PM, Mathias wrote:
>
> Thanks John.
>
> Could you guide/send me the Iptables?
>
> My server is on port 27115 and the attack comes in on port 28960 - but it
> won't work to block the port (have tried)
>
> "IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
> buckets).
>
> IP rate limit under distributed packet load (1205 buckets, 15001 global 
> count), rejecting 8.59.18.221:28960.
>
> IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
>
> IP rate limit under distributed packet load (1210 buckets, 15001 global 
> count), rejecting 154.112.126.3:28960.
>
> IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 
> buckets).
>
> IP rate limit under distributed packet load (1152 buckets, 15001 global 
> count), rejecting 84.3.222.161:28960.
>
> IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
>
> IP rate limit under distributed packet load (1176 buckets, 16663 global 
> count), rejecting 88.131.51.148:28960."
>
>
> 2017-03-23 22:27 GMT+01:00 John <lists.va...@nuclearfallout.net>:
>
>> On 3/23/2017 1:34 PM, Mathias wrote:
>>
>>> My server's getting flooded with a VSE DDoS attack. My server has DDoS
>>> protection but it won't take it. Any other DDoS attack it does take, so what
>>> can I do? I'm on Linux Ubuntu 16.04.
>>>
>>> Here is server logs - http://pastebin.com/Q2dbcEMt
>>>
>>> I also got how the script works (VSE DDoS Attack) - Found on a forum via
>>> Google
>>>
>>> Any idea to stop it with Iptables? Packet limit?
>>>
>>
>> The term "VSE" ("Valve Source Exploit") that the attackers like to use is
>> a misnomer because there isn't an exploit involved. These attacks just
>> flood a server with spoofed queries and/or connection attempts from random
>> sources, and Source can't handle the volume.
>>
>> Currently the most effective general-purpose way to deal with these is to
>> whitelist real player IPs and rate-limit queries and connection attempts
>> from all other sources (down to around 1000/s). This can be done with
>> iptables using a combination of the ipset, hashlimit, and bpf/u32/string
>> modules.
>>
>> Ideally, the game would be redesigned to use TCP for queries and the
>> very first part of the connection, offloading the first-contact tasks to
>> the OS, which has established methods for combating high-rate spoofed TCP
>> SYN floods. Internally, it could then straight drop all UDP packets that
>> don't correspond to a currently connected player.
>>
>> -John
>>
>> _______________________________________________
>> Csgo_servers mailing list
>> Csgo_servers@list.valvesoftware.com
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
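One way to write down the two filters discussed in the thread (the narrower `statusResponse` drop for reflected traffic, and the player whitelist with a rate limit on everyone else's queries and connection attempts), as an added example that is not from any poster on the list. The set name `srcds_players`, the chain name `SRCDS_GUARD`, the burst of 100 and the one-hour timeout are assumptions, and how player IPs are collected is left to the admin; the script only prints rules for review.

```shell
#!/bin/sh
# Added example: prints rules for review; nothing here touches the live firewall.
GAME_PORT=27115       # game server port mentioned in the thread
REFLECT_SPORT=28960   # source port of the reflected CoDx replies
RATE=1000/sec         # ceiling for first-contact packets from unknown sources
SET=srcds_players     # hypothetical ipset name for known player IPs

# Emit an `ipset restore` script that whitelists the IPv4 addresses given as
# arguments. Entries expire after an hour unless re-added (assumed policy).
emit_ipset() {
    printf 'create %s hash:ip timeout 3600\n' "$SET"
    for ip in "$@"; do
        # Shape check only; ipset itself rejects out-of-range octets.
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "not an IPv4 address: $ip" >&2
            return 1
        }
        printf 'add %s %s\n' "$SET" "$ip"
    done
}

# Emit an iptables-restore ruleset. 0>>22&0x3C@8 reads the first four UDP
# payload bytes; 0xFFFFFFFF marks Source queries and connection attempts.
emit_rules() {
    cat <<EOF
*filter
:SRCDS_GUARD - [0:0]
# Reflected replies: narrower than dropping every packet from the port.
-A INPUT -p udp --sport $REFLECT_SPORT -m string --algo bm --string statusResponse -j DROP
-A INPUT -p udp --dport $GAME_PORT -j SRCDS_GUARD
# Known players skip the limiter.
-A SRCDS_GUARD -m set --match-set $SET src -j ACCEPT
# Sources are random/spoofed, so use one global bucket (no --hashlimit-mode).
-A SRCDS_GUARD -m u32 --u32 "0>>22&0x3C@8=0xFFFFFFFF" -m hashlimit --hashlimit-name srcds_oob --hashlimit-upto $RATE --hashlimit-burst 100 -j ACCEPT
-A SRCDS_GUARD -m u32 --u32 "0>>22&0x3C@8=0xFFFFFFFF" -j DROP
COMMIT
EOF
}

case "${1:-}" in
    ipset) shift; emit_ipset "$@" ;;
    rules) emit_rules ;;
esac
```

After review, the `ipset` output can be piped to `ipset -exist restore` and the `rules` output to `iptables-restore --noflush`, in that order, because the set must exist before the rule that references it is loaded.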