Cool, thanks!! Should I install this on the same server as the game server or another smaller server?

2017-03-23 23:13 GMT+01:00 / UGC- Gaming.net / <[email protected]>:

> https://github.com/pavel-odintsov/fastnetmon
>
> # collect a full dump of the attack with full payload in pcap compatible format
> collect_attack_pcap_dumps = on
> # Execute Deep Packet Inspection on captured PCAP packets
> process_pcap_attack_dumps_with_dpi = on
>
> On Fri, Mar 24, 2017 at 12:08 AM, Mathias <[email protected]> wrote:
>
>> Thanks. How does tcpdump work? And setup? :)
>>
>> 2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <[email protected]>:
>>
>>> tcpdump needed :)
>>>
>>> On Thu, Mar 23, 2017 at 11:54 PM, Mathias <[email protected]> wrote:
>>>
>>>> How Marco? CSGO Cvar? Iptables?
>>>>
>>>> 2017-03-23 22:53 GMT+01:00 Mathias <[email protected]>:
>>>>
>>>>> Thanks for this awesome help John! This kind of "Attack" has been
>>>>> attacking me for days without stopping.
>>>>>
>>>>> So I block the port every time they attack on a new port? And what if
>>>>> they attack on the port directly? There must be a kind of filter
>>>>> possible on Linux with Iptables. Anything I can tell my datacenter to
>>>>> fix this attack permanently?
>>>>>
>>>>> 2017-03-23 22:44 GMT+01:00 John <[email protected]>:
>>>>>
>>>>>> If you're seeing packets from port 28960, you're most likely seeing a
>>>>>> reflected query DDoS that is coming from CoDx servers (you can tell
>>>>>> for certain by looking at the contents of captured packets -- look for
>>>>>> the string 'statusResponse') -- not a direct query/connection flood,
>>>>>> and likely not spoofed. You can safely block traffic from port 28960,
>>>>>> or do a more thorough filter to block that traffic. This is an example
>>>>>> rule to just block the port.
>>>>>>
>>>>>> iptables -I INPUT -p udp --sport 28960 -j DROP
>>>>>>
>>>>>> -John
>>>>>>
>>>>>> On 3/23/2017 2:33 PM, Mathias wrote:
>>>>>>
>>>>>> Thanks John.
>>>>>>
>>>>>> Could you guide/send me the Iptables?
>>>>>>
>>>>>> My server is on port 27115 and the attack comes in on port 28960 -
>>>>>> But it won't work to block the port (have tried)
>>>>>>
>>>>>> "IP rate limit sustained 79085 distributed packets at 2636.2 pps
>>>>>> (1246 buckets).
>>>>>>
>>>>>> IP rate limit under distributed packet load (1205 buckets, 15001 global
>>>>>> count), rejecting 8.59.18.221:28960.
>>>>>>
>>>>>> IP rate limit sustained 78411 distributed packets at 2613.7 pps (943
>>>>>> buckets).
>>>>>>
>>>>>> IP rate limit under distributed packet load (1210 buckets, 15001 global
>>>>>> count), rejecting 154.112.126.3:28960.
>>>>>>
>>>>>> IP rate limit sustained 104375 distributed packets at 3479.2 pps (968
>>>>>> buckets).
>>>>>>
>>>>>> IP rate limit under distributed packet load (1152 buckets, 15001 global
>>>>>> count), rejecting 84.3.222.161:28960.
>>>>>>
>>>>>> IP rate limit sustained 78941 distributed packets at 2631.4 pps (795
>>>>>> buckets).
>>>>>>
>>>>>> IP rate limit under distributed packet load (1176 buckets, 16663 global
>>>>>> count), rejecting 88.131.51.148:28960."
>>>>>>
>>>>>> 2017-03-23 22:27 GMT+01:00 John <[email protected]>:
>>>>>>
>>>>>>> On 3/23/2017 1:34 PM, Mathias wrote:
>>>>>>>
>>>>>>>> My server's getting flooded with a VSE DDoS attack. My server has
>>>>>>>> DDoS protection but it won't take it. Any other DDoS attack it does
>>>>>>>> take, so what can I do? I'm on Linux Ubuntu 16.04.
>>>>>>>>
>>>>>>>> Here is server logs - http://pastebin.com/Q2dbcEMt
>>>>>>>>
>>>>>>>> I also got how the script works (VSE DDoS Attack) - Found on a
>>>>>>>> forum via Google
>>>>>>>>
>>>>>>>> Any idea to stop it with Iptables? Packet limit?
>>>>>>>
>>>>>>> The term "VSE" ("Valve Source Exploit") that the attackers like to
>>>>>>> use is a misnomer because there isn't an exploit involved. These
>>>>>>> attacks just flood a server with spoofed queries and/or connection
>>>>>>> attempts from random sources, and Source can't handle the volume.
>>>>>>>
>>>>>>> Currently the most effective general-purpose way to deal with these
>>>>>>> is to whitelist real player IPs and rate-limit queries and connection
>>>>>>> attempts from all other sources (down to around 1000/s). This can be
>>>>>>> done with iptables using a combination of the ipset, hashlimit, and
>>>>>>> bpf/u32/string modules.
>>>>>>>
>>>>>>> Ideally, the game would be redesigned to use TCP for queries and
>>>>>>> the very first part of the connection, offloading the first-contact
>>>>>>> tasks to the OS, which has established methods for combating
>>>>>>> high-rate spoofed TCP SYN floods. Internally, it could then straight
>>>>>>> drop all UDP packets that don't correspond to a currently connected
>>>>>>> player.
>>>>>>>
>>>>>>> -John
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Csgo_servers mailing list
>>>>>>> [email protected]
>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
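Added example, not part of the original thread: a Python triage of the "rejecting IP:port" log lines quoted above, following John's reasoning that many sources sharing one source port point to a reflected query flood, with the payload check for 'statusResponse' as confirmation. The function names, the 0.75 threshold and the last sample log line are assumptions made for this illustration.

```python
import re
from collections import Counter

# Matches the tail of the Source engine log lines quoted in the thread:
#   "... rejecting 8.59.18.221:28960."
REJECT_RE = re.compile(r"rejecting\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# First four entries are the 'rejecting' lines from the thread; the last
# one (203.0.113.7) is constructed to show a non-matching source port.
SAMPLE_LOG = """\
IP rate limit under distributed packet load (1205 buckets, 15001 global
count), rejecting 8.59.18.221:28960.
IP rate limit under distributed packet load (1210 buckets, 15001 global
count), rejecting 154.112.126.3:28960.
IP rate limit under distributed packet load (1152 buckets, 15001 global
count), rejecting 84.3.222.161:28960.
IP rate limit under distributed packet load (1176 buckets, 16663 global
count), rejecting 88.131.51.148:28960.
IP rate limit under distributed packet load (1176 buckets, 16663 global
count), rejecting 203.0.113.7:51234.
"""

def rejected_sources(log_text):
    """Return the (ip, source_port) pairs the server reported rejecting."""
    return [(ip, int(port)) for ip, port in REJECT_RE.findall(log_text)]

def triage(log_text, min_share=0.75):
    """Summarise source ports: one dominant port across many IPs suggests
    reflection off a single service rather than randomly spoofed sources."""
    sources = rejected_sources(log_text)
    if not sources:
        return {"verdict": "no-data", "port": None, "share": 0.0, "ips": 0}
    port, hits = Counter(p for _, p in sources).most_common(1)[0]
    ips = len({ip for ip, p in sources if p == port})
    share = hits / len(sources)
    reflected = share >= min_share and ips > 1
    return {"verdict": "reflection-suspected" if reflected else "mixed-or-direct",
            "port": port, "share": share, "ips": ips}

def is_status_response(udp_payload):
    """Confirmation step from the thread: payload contains 'statusResponse'."""
    return b"statusResponse" in udp_payload

def drop_rule(port):
    """Port-only rule in the form John posted, for the dominant port."""
    return f"iptables -I INPUT -p udp --sport {port} -j DROP"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    if result["verdict"] == "reflection-suspected":
        print(drop_rule(result["port"]))
```

A "mixed-or-direct" verdict corresponds to the spoofed random-source case John describes, where a source-port rule does not help and the whitelist plus rate-limit approach applies instead.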
