You'd be blocking any new players from seeing your server. Also, if you're using iptables you'd want to list the IPs you want to allow first and then deny all others. Iptables rules are applied in order.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Matt Stanton
Sent: Saturday, August 08, 2009 12:33 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 Crashes (Alec Sanger)

This may be a completely stupid idea, but keep in mind I do not know the capabilities of SQL or of the Linux kernel firewall. Would it be feasible to DENY all UDP, then add ALLOWs for each IP address in a HLStatsX database? I know we have roughly 100,000 players logged by HLStatsX, so it seems like this would be far too many IPs to have in a firewall to get any sort of quick response, and would likely jack latency up to a very extreme amount.

If everything *is* fast enough to handle that amount of information, then you could institute a DENY all rule when an attack is detected, quickly add the IPs of everyone who is currently on the server to the ALLOW rules, then start adding IPs in the HLStatsX database to the ALLOW rules. You may also consider only adding IPs with a certain threshold of time spent on the servers. Once the attack has died down, you could just go back to the normal firewall rules. It would be a nasty big coding job, but someone on this list is bound to be able to do it if it's feasible.

Kyle Sanderson wrote:
> Sorry for my previous negligence this just started with my server 2 nights
> ago, I didn't realise it until now but it is the exact same thing that is
> happening with what was mentioned previously (Extremely high pings, players
> ingame start skipping all over the place, etc.)
>
> If anyone has any more information on how to block this attack please do not
> hesitate to email me,
> Kyle.
>
> On Thu, Aug 6, 2009 at 4:35 PM, Tony Paloma <[email protected]> wrote:
>
>> It's different IPs. Random IPs. Like I said, it's spoofed. Changing the max
>> queries cvar will only change when source engine decides to stop giving
>> replies but doesn't seem to help the lag. An iptables rule will prevent
>> server lag but still have the same no-reply problem which prevents players
>> from seeing your server.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kenny Loggins
>> Sent: Thursday, August 06, 2009 4:22 PM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>
>> Is it the same IP or does it change? Would changing sv_max_queries_max
>> do anything?
>>
>> On Aug 6, 2009, at 6:04 PM, "Tony Paloma" <[email protected]> wrote:
>>
>>> Not with any currently available utilities. You can limit the number of
>>> queries allowed per second using an iptables rule, but it will also
>>> prevent regular players from seeing your server during an attack.
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Kenny Loggins
>>> Sent: Thursday, August 06, 2009 3:57 PM
>>> To: Half-Life dedicated Win32 server mailing list
>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>>
>>> So it's not possible to block this?
>>>
>>> ClanAO.com
>>>
>>> On Aug 6, 2009, at 5:34 PM, "Tony Paloma" <[email protected]> wrote:
>>>
>>>> From earlier in the thread:
>>>> It's A2S_INFO query spam on spoofed IP addresses
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Kenny Loggins
>>>> Sent: Thursday, August 06, 2009 3:17 PM
>>>> To: Half-Life dedicated Win32 server mailing list
>>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>>>
>>>> Can you give us more info on this? What type of attack is this?
>>>>
>>>> On Aug 6, 2009, at 4:56 PM, "Tony Paloma" <[email protected]> wrote:
>>>>
>>>>> That plugin does nothing to prevent the attack I (and others) have been
>>>>> experiencing nor does this have anything to do with running console
>>>>> commands before entering the game.
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]] On Behalf Of Kyle Sanderson
>>>>> Sent: Thursday, August 06, 2009 2:12 PM
>>>>> To: Half-Life dedicated Win32 server mailing list
>>>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>>>>
>>>>> I installed that new RconLock and my server is still going strong. If you
>>>>> don't want all the features that come with it, download the source like I
>>>>> did and strip it down.
>>>>>
>>>>> RconLock: https://forums.alliedmods.net/showthread.php?t=93934
>>>>> The kid who was crashing my server a month ago / exploit:
>>>>> http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html
>>>>>
>>>>> Kyle
>>>>>
>>>>> On Thu, Aug 6, 2009 at 8:32 AM, Tony Paloma <[email protected]> wrote:
>>>>>
>>>>>> Ya attack has been ongoing for a couple hours now on my server.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected]
>>>>>> [mailto:[email protected]] On Behalf Of 1nsane
>>>>>> Sent: Thursday, August 06, 2009 8:00 AM
>>>>>> To: Half-Life dedicated Win32 server mailing list
>>>>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>>>>>
>>>>>> Oh fun, some of my servers are empty.
>>>>>>
>>>>>> Guess it was only a matter of time until some shitface figured it out.
>>>>>>
>>>>>> On Wed, Aug 5, 2009 at 3:57 AM, Tony Paloma <[email protected]> wrote:
>>>>>>
>>>>>>> It is an attack. It's A2S_INFO query spam on spoofed IP addresses and
>>>>>>> it's happening to tons of servers. I think some community is trying to
>>>>>>> fill their servers by emptying out a ton of others.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected]
>>>>>>> [mailto:[email protected]] On Behalf Of Kenny Loggins
>>>>>>> Sent: Wednesday, August 05, 2009 12:24 AM
>>>>>>> To: 'Half-Life dedicated Win32 server mailing list'
>>>>>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>>>>>>
>>>>>>> This is some attack for sure I have not had any issues myself but
>>>>>>> everything points to a person doing it server by server. The network
>>>>>>> traffic meter shows a slow steady drop in traffic. After looking in the
>>>>>>> logs I notice people talking about it a few other times today and
>>>>>>> remember noticing a server drop out and come back up quick (I didn't
>>>>>>> have time to look more into it) no problems at all before the exploit
>>>>>>> was pointed out today. Not saying that's bad I just hope they can
>>>>>>> remedy this quick as I'm sure it's not going to stop with just our
>>>>>>> servers.
>>>>>>>
>>>>>>> I was on my forums at the time and didn't even notice this was going on
>>>>>>> no network issues at all.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>>>> please visit:
>>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds
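
The allow-then-deny ordering and the 100,000-address scale discussed in this thread, as an added example that is not part of any message above: instead of one iptables rule per address, the addresses go into a single ipset hash set that one ACCEPT rule matches, followed by the DROP. The set name, the port 27015 and the sample addresses are assumptions made for illustration; as the top reply notes, any address not in the set (every new player) is still dropped.

```bash
#!/bin/sh
# Added example: generates (does not apply) an allowlist ruleset.
# SET_NAME and GAME_PORT are assumed values, not taken from the thread.
SET_NAME="hlds_allow"
GAME_PORT=27015

# Constructed sample input: documentation addresses, one duplicate,
# and two malformed lines such as a stats export might contain.
sample_ips() {
    printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 \
        999.1.1.1 not-an-ip 203.0.113.42
}

# Read one address per line on stdin and emit `ipset restore` input.
# maxelem is raised because the hash:ip default (65536) is smaller
# than the roughly 100,000 addresses mentioned in the thread.
build_ipset_restore() {
    echo "create ${SET_NAME} hash:ip family inet maxelem 200000"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
        | LC_ALL=C sort -u \
        | sed "s/^/add ${SET_NAME} /"
}

# Print the filter rules in installation order. iptables stops at the
# first matching rule, so the set-based ACCEPT must precede the DROP.
# The rule count stays at two however many addresses the set holds.
emit_iptables_rules() {
    echo "iptables -A INPUT -p udp --dport ${GAME_PORT}" \
         "-m set --match-set ${SET_NAME} src -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport ${GAME_PORT} -j DROP"
}

sample_ips | build_ipset_restore   # feed this to: ipset restore
emit_iptables_rules                # review, then run as root
```

Running the script only prints the set definition and the two rules; nothing is changed on the host until the output is loaded by an administrator.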

