I've posted this here before, but as a reply to another thread, and maybe because of that it was slightly ignored. But the problem happened again, so I am bringing this back IN BIG BOLD LETTERS!

For the third time I've found that my hlds service coredumped without a plausible reason. I was at the server room showing things around to a friend of mine when I noticed that the system kernel was reducing the response to net queries to 200 packets per second (bold letters on the console to show you that there is something wrong). This only happens when there is something wrong, typically a port scan or something alike.

The only "detail" is that this server is behind a firewall that masquerades that server and reroutes (NATs) only the UDP/27015 traffic from the public address to the HLDS dedicated server, which has a reserved IP 10.x.y.z. There is nobody else on the LAN, which means this is not an internal work. A supposed general DoS attack would be affecting the firewall computer, and not the HLDS machine behind it; in other words, the firewall computer should be screaming about a DoS/portscan type attack, but it did not, while the HLDS machine did. As I see it, this proves that the HLDS server is probably being attacked by people who know what they are doing.

Whenever this happens (the kernel message stating the reduction in the reply rate) my hlds process cores, and a new server instance is brought up by the hlds_run script. So far I have not been able to reproduce it myself, but I am looking for means to do it. I attempted using standard portscan programs on the server with above-the-average solicitation rates, on the udp/27015 port only, and it did not cause the problem.

The next logical step is submitting this to the group and asking for help. If this turns out to be a problem/vulnerability (as I think it is) then VALVe should be warned, so that this can be corrected in 1.6. For now I will be reducing the reply rate from my server to the minimum acceptable by the hlds server, so that I can assure playability and prompt response from the outside world, hoping that this minimum, combined with the OS's built-in protections (net.inet.icmp.icmplim), will stop this.

