https://github.com/pavel-odintsov/fastnetmon
# collect a full dump of the attack with full payload in pcap compatible format collect_attack_pcap_dumps = on # Execute Deep Packet Inspection on captured PCAP packets process_pcap_attack_dumps_with_dpi = on On Fri, Mar 24, 2017 at 12:08 AM, Mathias <[email protected]> wrote: > Thanks. How does tcpdump work? And setup? :) > > 2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <[email protected]>: > >> tcpdump needed :) >> >> On Thu, Mar 23, 2017 at 11:54 PM, Mathias <[email protected]> wrote: >> >>> How Marco? CSGO Cvar? Iptables? >>> >>> 2017-03-23 22:53 GMT+01:00 Mathias <[email protected]>: >>> >>>> Thanks for this awesome help John! This kind of "Attack" have been >>>> attacking me for days without stopping. >>>> >>>> So i block the port everytime they attack on new port? And what if they >>>> attack on the port directly? There must be a kind of filter possible on >>>> Linux with Iptables. Anything i can tell me datacenter to fix this attack >>>> permanent? >>>> >>>> >>>> >>>> 2017-03-23 22:44 GMT+01:00 John <[email protected]>: >>>> >>>>> If you're seeing packets from port 28960, you're most likely seeing a >>>>> reflected query DDoS that is coming from CoDx servers (you can tell for >>>>> certain by looking at the contents of captured packets -- look for the >>>>> string 'statusResponse') -- not a direct query/connection flood, and >>>>> likely >>>>> not spoofed. You can safely block traffic from port 28960, or do a more >>>>> thorough filter to block that traffic. This is an example rule to just >>>>> block the port. >>>>> >>>>> iptables -I INPUT -p udp --sport 28960 -j DROP >>>>> >>>>> -John >>>>> >>>>> >>>>> On 3/23/2017 2:33 PM, Mathias wrote: >>>>> >>>>> Thanks John. >>>>> >>>>> Could you guide/send me the Iptables? >>>>> >>>>> My server is on port 27115 and the attack comes in on port 28960 - But >>>>> it wont work block the port (Have tried) >>>>> >>>>> "IP rate limit sustained 79085 distributed packets at 2636.2 pps >>>>> (1246 buckets). >>>>> >>>>> IP rate limit under distributed packet load (1205 buckets, 15001 global >>>>> count), rejecting 8.59.18.221:28960. >>>>> >>>>> IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 >>>>> buckets). >>>>> >>>>> IP rate limit under distributed packet load (1210 buckets, 15001 global >>>>> count), rejecting 154.112.126.3:28960. >>>>> >>>>> IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 >>>>> buckets). >>>>> >>>>> IP rate limit under distributed packet load (1152 buckets, 15001 global >>>>> count), rejecting 84.3.222.161:28960. >>>>> >>>>> IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 >>>>> buckets). >>>>> >>>>> IP rate limit under distributed packet load (1176 buckets, 16663 global >>>>> count), rejecting 88.131.51.148:28960." >>>>> >>>>> >>>>> 2017-03-23 22:27 GMT+01:00 John <[email protected]>: >>>>> >>>>>> On 3/23/2017 1:34 PM, Mathias wrote: >>>>>> >>>>>>> My server's getting flood with VSE DDoS Attack. My server have DDoS >>>>>>> Protection but it wont take it. any other DDoS Attack does it takes so >>>>>>> what >>>>>>> can i do? i'm on Linux Ubuntu 16.04. >>>>>>> >>>>>>> Here is server logs - http://pastebin.com/Q2dbcEMt >>>>>>> >>>>>>> I also got how the script works (VSE DDoS Attack) - Found on a forum >>>>>>> via Google >>>>>>> >>>>>>> Any idea to stop it with Iptables? Packet limit? >>>>>>> >>>>>> >>>>>> The term "VSE" ("Valve Source Exploit") that the attackers like to >>>>>> use is a misnomer because there isn't an exploit involved. These attacks >>>>>> just flood a server with spoofed queries and/or connection attempts from >>>>>> random sources, and Source can't handle the volume. >>>>>> >>>>>> Currently the most effective general-purpose way to deal with these >>>>>> is to whitelist real player IPs and rate-limit queries and connection >>>>>> attempts from all other sources (down to around 1000/s). This can be done >>>>>> with iptables using a combination of the ipset, hashlimit, and >>>>>> bpf/u32/string modules. >>>>>> >>>>>> Ideally, the game would be redesigned to using TCP for queries and >>>>>> the very first part of the connection, offloading the first-contact tasks >>>>>> to the OS, which has established methods for combating high-rate spoofed >>>>>> TCP SYN floods. Internally, it could then straight drop all UDP packets >>>>>> that don't correspond to a currently connected player. >>>>>> >>>>>> -John >>>>>> >>>>>> _______________________________________________ >>>>>> Csgo_servers mailing list >>>>>> [email protected] >>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Csgo_servers mailing >>>>> [email protected]https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Csgo_servers mailing list >>>>> [email protected] >>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>>>> >>>> >>>> >>> >>> _______________________________________________ >>> Csgo_servers mailing list >>> [email protected] >>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>> >> >> >> _______________________________________________ >> Csgo_servers mailing list >> [email protected] >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >> > > > _______________________________________________ > Csgo_servers mailing list > [email protected] > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >
_______________________________________________ Csgo_servers mailing list [email protected] https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
