Looks much like some-prog-that-i-wont-say-out-loud-from-4chan-sute
output, with just a modified message. Looks like idiots have found it and
started using it.
-ics
17.10.2011 23:09, Marco Padovan wrote:
Additionally: set a very strict rate limiting to new connections (10 new
connections every 20 seconds?) and drop anything that's not "established"...
On 17/10/2011 21:15, Nikita Bulaev wrote:
Hi, friends!
Some of our clients are under a stupid attack by TCP packets with length 1480
bytes.
=============
22:25:17.613625 IP (tos 0x0, ttl 124, id 5073, offset 0, flags [DF], proto
TCP (6), length 1480)
188.186.18.151.50325> 188.64.170.100.27019: Flags [P.], cksum 0x3c63
(correct), seq 39288:40728, ack 1, win 64800, length 1440
0x0000: 0025 901a fd64 0026 9806 ddc1 0800 4500 .%...d.&......E.
0x0010: 05c8 13d1 4000 7c06 af68 bcba 1297 bc40 ....@.|..h.....@
0x0020: aa64 c495 698b c6b8 4281 3531 d72b 5018 .d..i...B.51.+P.
0x0030: fd20 3c63 0000 6e65 2074 6f6f 2e20 4465 ..<c..ne.too..De
0x0040: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
0x0050: 2069 7320 6669 6e65 2074 6f6f 2e20 4465 .is.fine.too..De
0x0060: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
0x0070: 2069 7320 6669 6e65 2074 6f6f 2e20 4465 .is.fine.too..De
0x0080: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
0x0090: 2069 7320 6669 6e65 2074 6f6f 2e20 4465 .is.fine.too..De
0x00a0: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
0x00b0: 2069 7320 6669 6e65 2074 6f6f 2e20 4465 .is.fine.too..De
0x00c0: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
0x00d0: 2069 7320 6669 6e65 2074 6f6f 2e20 4465 .is.fine.too..De
0x00e0: 7375 6465 7375 6465 7375 7e41 2063 6174 sudesudesu~A.cat
=================
And so on...
The tcpdump can be found here:
http://188.64.170.86/bulkin/files/dos_vsplay.zip
So is there a way to prevent it with iptables?
Nikita Bulaev
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
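
Marco Padovan's suggestion above (rate-limit new connections per source, drop whatever is not established), written out as iptables rules. This is an added example, not part of the original thread: the chain name HLDS_TCP and the list name hlds_new are hypothetical, port 27019 is taken from the posted capture, and 10 per 20 seconds is Marco's figure.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: prints the commands.
# Set IPT=iptables and run as root to apply them.
IPT="${IPT:-echo iptables}"
PORT="${PORT:-27019}"   # TCP destination port seen in the posted capture
CHAIN="HLDS_TCP"        # hypothetical chain name
LIST="hlds_new"         # hypothetical name for the xt_recent list

hlds_tcp_rules() {
    $IPT -N "$CHAIN"
    # Segments of connections that completed a handshake pass.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Segments conntrack cannot tie to any connection are dropped.
    $IPT -A "$CHAIN" -m conntrack --ctstate INVALID -j DROP
    # A connection may only start with a SYN; without this rule, loose
    # conntrack can pick up a mid-stream PSH/ACK segment as NEW.
    $IPT -A "$CHAIN" -p tcp ! --syn -j DROP
    # Record each new connection per source address ...
    $IPT -A "$CHAIN" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --set
    # ... and drop a source once it reaches 10 of them within 20 seconds.
    $IPT -A "$CHAIN" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --update --seconds 20 --hitcount 10 -j DROP
    $IPT -A "$CHAIN" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else aimed at this port is dropped.
    $IPT -A "$CHAIN" -j DROP
    # Send TCP traffic for the game server port through the chain.
    $IPT -A INPUT -p tcp --dport "$PORT" -j "$CHAIN"
}

hlds_tcp_rules
```

The limit caps how many connections one source can open, not the volume of data sent inside a connection that is already established.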