So earlier today one of my servers was lagging - badly. By the time I showed up the lag had cleared. Then again. Then again. Each time for about 5-10 minutes it would lag, and by the time I'd shown up, it was gone. Finally, I caught the lag happening directly. No unusual FPS or CPU usage spikes, so I ran a tcpdump for about 5 seconds. It captured 230,000 packets. Holy shit!
A quick analysis shows that '206.63.226.12' was flooding the server with almost exactly *32,000* packets per second, each containing the bytes 'flood', followed by 295 null bytes, for a total of 300 bytes. With IP overhead this is about 88 megabits/second, or suspiciously close to 100 megs/second. I have a gigabit connection, however, srcds itself cannot handle 88mbs of invalid packets without going to lagsville.

I'm emailing an abuse report to his host now, but everyone should have a heads up that this is occurring. The fact that it was going on for 5 minutes at a time a few times an hour suggests he has some script making the rounds against popular servers, or some such.

As for this attack in general, using iptables or a similar tool to limit UDP traffic to server ports to 100/second or so with a small burst should prevent any traffic at a higher rate than normal game traffic from hitting the process, though if you have a 100mbit or less connection the classic DoS aspect of it might lag you out anyway.

- Neph

** Begin internet detective **

IP: 206.63.226.12
Resolves to: bigboomer.thaiguy.net
Host: cet.com
IPs in this netblock (all belonging to cet.com): 206.63.224.0 - 206.63.231.255

thaiguy.net is 206.63.81.2
This, uncoincidentally, also belongs to cet.com in the block: 206.63.80.0 - 206.63.87.0

And in what I'm sure is a huge coincidence:

206.63.81.1: gateway.thaiguy.net
206.63.81.2: thaiguy.net
206.63.81.3: dayofdefeat.thaiguy.net
206.63.81.4: teamspeak.st3games.com
206.63.81.5: battlefield1942.thaiguy.net
206.63.81.6: st3-webhost.cet.com
206.63.81.7: dcon.st3games.com
206.63.81.8: zmod.st3games.com (CSS Server: "Zombie Mayhem! #1")
206.63.81.8: (CSS Server: "[ST3Gaming.com] GG Advanced - Home of gK?")
206.63.81.15: database.thaiguy.net
206.63.81.18: (TF2 Server: "[ST3Gaming.com] 24/7 DustBowl/Stats/InstaSpawn/")
(( Did I mention the server he was attacking of mine was 24/7 dustbowl? ))
206.63.81.20: ns0.thaiguy.net
206.63.81.21: ns1.thaiguy.net

Gee, tf2 servers on his netblock. Of the same type as the one he was attacking.

What's all this st3games.com stuff? Oh, they have forums and a steamgroup.
http://steamcommunity.com/groups/ST3

Oh, and the forum head admin username is "Novikane". Weird that:
http://steamcommunity.com/id/novikane
Is an admin of this group.

** End internet detective **
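The rate limit suggested in the post, written out as an added example that is not part of the original message. It assumes the iptables `hashlimit` match applied per source IP (so one flooding address does not consume the budget of real players), port 27015, and a burst of 20; none of those values come from the post beyond the 100/second figure.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules that cap
# UDP packets per source IP on a game server port. The commands are printed
# rather than executed so they can be reviewed before being applied.
#
# Assumptions: per-source limiting via the hashlimit match, a dedicated chain
# named UDPLIMIT_<port>, and that packets over the limit are dropped.

udp_limit_rules() {
    port="$1"; rate="$2"; burst="$3"

    # Refuse anything that is not a plain positive integer, so a typo cannot
    # turn into a malformed or overly permissive rule.
    for v in "$port" "$rate" "$burst"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "usage: udp_limit_rules PORT RATE_PER_SEC BURST" >&2
                return 1 ;;
        esac
    done

    chain="UDPLIMIT_${port}"
    cat <<EOF
iptables -N ${chain}
iptables -A ${chain} -m hashlimit --hashlimit-name udp${port} --hashlimit-mode srcip --hashlimit-upto ${rate}/second --hashlimit-burst ${burst} -j RETURN
iptables -A ${chain} -j DROP
iptables -I INPUT -p udp --dport ${port} -j ${chain}
EOF
}

# Example invocation (port and burst are assumed values):
#   udp_limit_rules 27015 100 20
```

After reviewing the printed commands, pipe them to `sh` as root to apply them; `iptables -L UDPLIMIT_27015 -v -n` then shows how many packets hit the DROP rule. As the post notes, this only protects the server process, since dropped packets still consume the inbound link.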

