You can use tcpdump or Wireshark to identify extraneous traffic. It can be a bit complicated if you don't have any guidance, though. Just look for a lot of traffic that isn't coming from your typical client port (27005).
On Wed, Apr 4, 2012 at 12:20 PM, Erik-jan Riemers <[email protected]> wrote: > I think what people would want is a simple and effective tool to check it > in a easy way. Sure you can check your bandwith and see more incoming, but > what then? What would a person do to identify the ip or packets to quickly > diagnose and block that person. > > Usually by the time i want to investigate they stop, or my isp sends me an > email that they blocked certain ips because of a attack (they do as long as > it doesn't impact the segment) > > Op 4 april 2012 17:38 schreef Emil Larsson <[email protected]> het > volgende: > > > Severeal ways, unuseal high ingoing bandwidth usage, extreme server > > lag and/or flood of repetive/strange packets (use a packet > > analyzer/sniffer like Ethereal). A few years ago I identified someone > > DOS'ing our servers by simple looking for strange packets (the old but > > now fixed zero data exploit). To our amusement, we managed to identify > > the DOS'er with some help, and it turned out to be a server admin from > > another community :|. > > > > On 4/4/12, Tyler Davies <[email protected]> wrote: > > > How are you able to tell you're being attacked? I have a feeling my > > servers > > > are being attacked as well, but I'm not sure how to be sure. > > > > > > On Tue, Apr 3, 2012 at 2:34 PM, Mihály Rácz <[email protected]> wrote: > > > > > >> Hi. > > >> > > >> Its maybe helpfull. > > >> > > >> http://www.wolffiles.de/index.php?forum-showposts-44-p1#131 > > >> > > >> 2012. április 3. 19:26 Oskar Levin írta, <[email protected]>: > > >> > > >> > I can confirm this as a big problem. I'm getting attacked by various > > >> > Call > > >> > of Duty 4 servers with big UDP packets. Someone spoofs my IP address > > and > > >> > the reply of getstatus (or something similar) is sent to me. The > > packet > > >> > which requests the info isn't big, but the reply is very large as > this > > >> > contains player information etc. > > >> > > > >> > Best regards > > >> > Oskar Levin > > >> > [email protected] > > >> > > > >> > -----Ursprungligt meddelande----- > > >> > Från: [email protected] [mailto: > > >> > [email protected]] För Kyle Sanderson > > >> > Skickat: den 3 april 2012 19:10 > > >> > Till: Half-Life dedicated Linux server mailing list > > >> > Ämne: Re: [hlds_linux] LOIC and UDP flood. How to protect? > > >> > > > >> > http://www.securityfocus.com/archive/1/522076 > > >> > > > >> > Isn't just LOIC... But yes, it's a bit ridiculous that you can take > > down > > >> a > > >> > server with just 1Mbit/s of traffic. Not much that can be done about > > it > > >> > either. > > >> > > > >> > Hope for TCP, at least that way it's slightly more difficult to hide > > the > > >> > spoofed sender from the destination. > > >> > Kyle. > > >> > > > >> > 2012/4/3 Никита Булаев [Nikita Bulaev] <[email protected]> > > >> > > > >> > > The problem NOT in bandwidth. It's possible to kill server just in > > >> 1Mbit. > > >> > > > > >> > > 3 апреля 2012 г. 20:05 пользователь > > >> > > <[email protected]> написал: > > >> > > > Message: 5 > > >> > > > Date: Tue, 3 Apr 2012 10:07:09 +0200 > > >> > > > From: lwf <[email protected]> > > >> > > > To: Half-Life dedicated Linux server mailing list > > >> > > > <[email protected]> > > >> > > > Subject: Re: [hlds_linux] LOIC and UDP flood. How to protect? > > >> > > > Message-ID: > > >> > > > < > > >> > > > ca++kgkr9cot1d7f+ddsfsrt9jwcs2gw+oitscblsikmzuqc...@mail.gmail.com> > > >> > > > Content-Type: text/plain; charset=KOI8-R > > >> > > > > > >> > > > Without any help from your ISP there is nothing you can do > about a > > >> > > > bandwidth attack. > > >> > > > > > >> > > > 2012/4/3 [Nikita Bulaev] <[email protected]>: > > >> > > >> In fact - no. Hoster, where we plase our root servers, wont > > filter > > >> > > >> DoS and Flood, it just can do this for money. But this kind of > > >> > > >> service is very expensive. > > >> > > >> > > >> > > >> <[email protected]> > > >> > > >>> Message: 8 > > >> > > >>> Date: Tue, 3 Apr 2012 13:22:49 +0800 > > >> > > >>> From: "dmex" <[email protected]> > > >> > > >>> To: "'Half-Life dedicated Linux server mailing list'" > > >> > > >>> ? ? ? ?<[email protected]> > > >> > > >>> Subject: Re: [hlds_linux] LOIC and UDP flood. How to protect? > > >> > > >>> Message-ID: <[email protected] > > >> > > > > > >> > > > > > >> > > >>> > > >> > > >>>> > > >> > > >>> Content-Type: text/plain; ? ? ? charset="us-ascii" > > >> > > >>> > > >> > > >>> DoS protection is the responsibility of your service provider, > > >> > > >>> there's > > >> > > not > > >> > > >>> much Valve or even you can do to prevent attacks. > > >> > > >>> > > >> > > >>> -----Original Message----- > > >> > > >>> From: [email protected] > > >> > > >>> [mailto:[email protected]] On Behalf > Of > > >> > > >>> [Nikita Bulaev] > > >> > > >>> Sent: Tuesday, April 03, 2012 12:32 PM > > >> > > >>> To: [email protected] > > >> > > >>> Subject: [hlds_linux] LOIC and UDP flood. How to protect? > > >> > > >>> > > >> > > >>> Well, for now DoSers are using LOIC in UDP-mode. There is no > use > > >> > > >>> to > > >> > > silent > > >> > > >>> this. > > >> > > >>> > > >> > > >>> The problem is that L4D1/2 servers are lagging while sending > to > > >> > > >>> them > > >> > > UDP > > >> > > >>> packets at 32-bit lengh by LOIC. > > >> > > >>> This utility is using now almost by every DoSer and as for now > > >> > > >>> there > > >> > > is no > > >> > > >>> defense from this, even by IPTABLES. The only way is using > > >> > > >>> firewall > > >> > > before > > >> > > >>> root game servers. > > >> > > >>> > > >> > > >>> Friends! I'd like to be wrong! So is there a real working > > desigion > > >> > > >>> to protect from LOIC UDP? > > >> > > >>> > > >> > > >>> Best regards, > > >> > > >>> Nikita Bulaev > > >> > > > > >> > > _______________________________________________ > > >> > > To unsubscribe, edit your list preferences, or view the list > > archives, > > >> > > please visit: > > >> > > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > > >> > _______________________________________________ > > >> > To unsubscribe, edit your list preferences, or view the list > archives, > > >> > please visit: > > >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > >> > > > >> > _______________________________________________ > > >> > To unsubscribe, edit your list preferences, or view the list > archives, > > >> > please visit: > > >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > >> _______________________________________________ > > >> To unsubscribe, edit your list preferences, or view the list archives, > > >> please visit: > > >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > _______________________________________________ > > > To unsubscribe, edit your list preferences, or view the list archives, > > > please visit: > > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > > > > > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > > please visit: > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

