Ok I am not sure if anyone else is getting this attack but after 3 days of hard work I have blocked this asshole from crashing my server. Seems he was crashing my servers by spamming fake rcon passwords.... (rcon from "93.167.245.178:59832": Bad Password
rcon from "93.167.245.178:53264": Bad Password rcon from "93.167.245.178:59350": Bad Password rcon from "93.167.245.178:58142": Bad Password rcon from "93.167.245.178:33116": Bad Password) The server while trying to ban the ip crashes apparently... You guys just have to secure your rcon passwords and make sure that the server isn't banning fake tries...... at least not while its being spammed by multiple ip's at one time. > From: [email protected] > Subject: hlds Digest, Vol 22, Issue 90 > To: [email protected] > Date: Tue, 29 Dec 2009 12:00:01 -0800 > > Send hlds mailing list submissions to > [email protected] > > To subscribe or unsubscribe via the World Wide Web, visit > http://list.valvesoftware.com/mailman/listinfo/hlds > or, via email, send a message with subject or body 'help' to > [email protected] > > You can reach the person managing the list at > [email protected] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of hlds digest..." > > > Today's Topics: > > 1. Re: Spam Connecting Crashing Server (Kyle Sanderson) > 2. Re: Spam Connecting Crashing Server (Kyle Sanderson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 29 Dec 2009 06:28:52 -0800 > From: Kyle Sanderson <[email protected]> > Subject: Re: [hlds] Spam Connecting Crashing Server > To: Half-Life dedicated Win32 server mailing list > <[email protected]> > Message-ID: > <[email protected]> > Content-Type: text/plain; charset=UTF-8 > > I've been trying to do this for more than 2 years and have brought it up on > this list multiple times, if you know how, by all means write a SourcePawn > script. > > Kyle. > > On Tue, Dec 29, 2009 at 3:26 AM, Jeff Sugar <[email protected]> wrote: > > > Well, you could still set it to block an IP for _x_ minutes if it tries to > > join more than _y_ connection attempts in _z_ seconds, yeah? > > > > > > On Tue, Dec 29, 2009 at 2:22 AM, Kyle Sanderson <[email protected]> > > wrote: > > > > > If these are players on our ban list, this would indeed work. However > > from > > > reviewing my server logs they don't even connect long enough for the > > server > > > to resolve their steamid. They wouldn't even need to own the game and > > could > > > use some pirated copy, a VAC banned account, anything really. > > > > > > It's absolutely absurd that this hasn't been fixed yet. > > > Kyle. > > > > > > On Tue, Dec 29, 2009 at 1:34 AM, Jeff Sugar <[email protected]> wrote: > > > > > > > There's a sourcemod plugin that blocks connects from a banned user via > > IP > > > > for a short while (5min i think?) after their first attempt. After the > > > > limit > > > > wears off, they can do so once more. No spam, no worries! :) I'm sure > > you > > > > could probably modify yit to also work on non-banned people who try > > > > connections to closely together > > > > > > > > One sec, I'll look for it now > > > > > > > > [moments pass aka ninja edit or whatever :v] > > > > > > > > Alright -- the one I'm using is this: > > > > http://forums.alliedmods.net/showthread.php?p=863444 > > > > > > > > There's also this one, which looks like the same thing but with a bit > > of > > > > unnecessary config options: > > > > http://forums.alliedmods.net/showthread.php?p=923828 > > > > > > > > Hope this helps! > > > > > > > > -Jeff/Atreus > > > > > > > > > > > > On Tue, Dec 29, 2009 at 1:26 AM, Attaul N <[email protected]> > > wrote: > > > > > > > > > > > > > > I am running TF2 servers. This is what I was told once I asked what > > > > exploit > > > > > he is using. > > > > > ( BOOM! Server Crash: a.) I will not tell anyone what it is || BOOM! > > > > Server > > > > > Crash: b.) If I tell you then you will prolly leak it out || BOOM! > > > Server > > > > > Crash: and c.) There are a few CS:S servers that have a patch for it > > > but > > > > not > > > > > many ) Now i am not sure which exact exploit hes got but for now he > > has > > > > > agreet to stop attacks if I unban a player who plays on my servers > > with > > > > the > > > > > name "ADOLF HITLER"......... > > > > > > > > > > _________________________________________________________________ > > > > > Windows Live: Make it easier for your friends to see what you?re up > > to > > > on > > > > > Facebook. > > > > > http://go.microsoft.com/?linkid=9691816 > > > > > _______________________________________________ > > > > > To unsubscribe, edit your list preferences, or view the list > > archives, > > > > > please visit: > > > > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > > > > > _______________________________________________ > > > > To unsubscribe, edit your list preferences, or view the list archives, > > > > please visit: > > > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > > > _______________________________________________ > > > To unsubscribe, edit your list preferences, or view the list archives, > > > please visit: > > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > > please visit: > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > ------------------------------ > > Message: 2 > Date: Tue, 29 Dec 2009 06:30:20 -0800 > From: Kyle Sanderson <[email protected]> > Subject: Re: [hlds] Spam Connecting Crashing Server > To: Half-Life dedicated Win32 server mailing list > <[email protected]> > Message-ID: > <[email protected]> > Content-Type: text/plain; charset=UTF-8 > > How did you manage to fix the flooding? Would you be willing to share the > plugin that you/your community wrote? > > Kyle. > > On Tue, Dec 29, 2009 at 3:34 AM, Alistair Cockeram <[email protected]> wrote: > > > See below; > > > > On Mon, Dec 28, 2009 at 06:36:31PM -0800, Kyle Sanderson wrote: > > > *Joins the club* > > > L 12/29/2009 - 01:59:44: " S e r v e r D o w n i n 3 > > > <157><STEAM_ID_PENDING><>" connected, address "69.29.20.21:27005" > > > L 12/29/2009 - 01:59:44: " S e r v e r D o w n i n 3 > > > <157><STEAM_ID_PENDING><>" disconnected (reason "Connection closing") > > [...] > > > > Trouble is, there is an crash exploit where flooding is not required: > > > > L 12/28/2009 - 23:35:33: "ThIs SeRvEr Is GoInG > > DoWn<1794><STEAM_ID_PENDING><>" connected, address "213.89.98.184:27005" > > Client "ThIs SeRvEr Is GoInG DoWn" connected (213.89.98.184:27005). > > Segmentation fault > > Add "-debug" to the ./srcds_run command line to generate a debug.log to > > help with solving this problem > > > > Single connection there and it goes straight down. We put a fix in place > > to stop the join flood exploits. > > Note we also firewall rcon off completely as we also got tired of the rcon > > crash exploits. > > > > To my knowledge there is no fix for the above. > > > > -- > > Alistair Cockeram > > > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > > please visit: > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > > ------------------------------ > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, please > visit: > http://list.valvesoftware.com/mailman/listinfo/hlds > > > > End of hlds Digest, Vol 22, Issue 90 > ************************************ _________________________________________________________________ Windows Live: Make it easier for your friends to see what you’re up to on Facebook. http://go.microsoft.com/?linkid=9691816 _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
