On Tue, 14 Jan 2003, Capriotti wrote:

> I've posted this here before, but as a reply to another thread, and maybe
> because of that it was slightly ignored. But the problem happened again, so
> I am bringing this back IN BIG BOLD LETTERS !
>
> For the third time I've found that my hlds service coredumped without a
> plausible reason.
>
> I was at the server room showing things around to a friend of mine when I
> noticed that the system kernel was reducing the response to net queries to
> 200 packets per second (bold letters on the console to show you that there
> is something wrong). This only happens when there is something wrong.
> Typically a port scan or something alike.
>
> The only "detail" is that this server is behind a firewall that masquerades
> that server and reroutes (NATs) only the UDP/27015 traffic from the public
> address to the HLDS dedicated server, that has a reserved IP 10.x.y.z.
>
> There is nobody else on the LAN, which means this is not an internal work.
>
> A supposed general DoS attack would be affecting the firewall computer, and
> not the HLDS machine behind it; in other words, the firewall computer
> should be screaming about a DoS/portscan type attack, but it did not, while
> the HLDS machine did.
>
> As I see, this proves that the HLDS server is probably being attacked by
> people that know what they are doing. Whenever this happens (the kernel
> message stating the reduction in the reply rate) my hlds process cores, and
> a new server instance is brought up by the hlds_run script.
>
> So far I was not able to reproduce it myself, but am looking for means to
> do it.
>
> I attempted using standard portscan programs on the server with
> above-the-average solicitation rates, on the udp/27015 port only, and it
> did not cause the problem.
>
> The next logical step is submitting this to the group and asking for help.
> If this turns out to be a problem/vulnerability (as I think it is) then
> VALVe should be warned, so that this can be corrected on 1.6.
>
> By now I will be reducing the reply rate from my server to the minimum
> acceptable by the hlds server, so that I can assure playability and prompt
> response from the outside world, hoping that this minimum, combined with
> the OS's built-in protections will stop this (net.inet.icmp.icmplim).
>
Could this be caused by disconnecting users or if the port suddenly is unavailable for a second?

If you want to reproduce it... have a full server.. and press ctrl-c in the hlds console.. you will see the same result.. at least you get it if the server is on a "real" network...

could it be that the NAT or firewall is suddenly unavailable, the server tries to send all the data and gets a lot of icmp-hostunreach?

!!! log everything that the kern.* and security.* is reporting !!!

the limit response is logged in kern.*

Jan 4 20:22:21 myhost /kernel: Limiting icmp unreach response from 54 to 20 packets per second

/Bjorn

Favourite Comment:
Programming is an art form that fights back.
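Once kern.* is being logged as suggested above, the rate-limit lines can be grouped into bursts and compared against the time of each hlds core. The Python below is an added example and not part of the original thread: only the message format comes from the quoted log line, while the other sample lines, the year, the 60-second grouping gap and the 30-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample kern.* lines; only the message format is taken from the post.
SAMPLE_LOG = """\
Jan  4 20:22:21 myhost /kernel: Limiting icmp unreach response from 54 to 20 packets per second
Jan  4 20:22:22 myhost /kernel: Limiting icmp unreach response from 311 to 20 packets per second
Jan  4 20:22:24 myhost /kernel: Limiting icmp unreach response from 47 to 20 packets per second
Jan  4 20:25:02 myhost su: placeholder unrelated line
Jan  4 23:10:40 myhost /kernel: Limiting icmp unreach response from 23 to 20 packets per second
"""

# "kind" is whatever sits between "Limiting" and "response" (e.g. "icmp unreach").
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+/kernel:\s+"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<cap>\d+) packets per second"
)

def parse_events(text, year=2003):
    """Return (timestamp, kind, seen_pps, cap_pps) for each rate-limit line."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["kind"], int(m["seen"]), int(m["cap"])))
    return events

def group_bursts(events, gap=timedelta(seconds=60)):
    """Merge events closer together than `gap` into bursts with a peak rate."""
    bursts = []
    for ts, kind, seen, cap in sorted(events):
        if bursts and ts - bursts[-1]["end"] <= gap:
            b = bursts[-1]
            b["end"], b["peak"], b["lines"] = ts, max(b["peak"], seen), b["lines"] + 1
        else:
            bursts.append({"start": ts, "end": ts, "peak": seen, "cap": cap, "lines": 1})
    return bursts

def near_burst(bursts, when, window=timedelta(seconds=30)):
    """True if `when` (e.g. a core file's mtime) lies within `window` of a burst."""
    return any(b["start"] - window <= when <= b["end"] + window for b in bursts)

if __name__ == "__main__":
    for b in group_bursts(parse_events(SAMPLE_LOG)):
        print(b["start"], "->", b["end"], "peak", b["peak"], "pps, cap", b["cap"])
```

Passing the modification time of each core file to `near_burst` shows whether the crashes line up with the bursts or happen independently of them.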

