I think I am experiencing the same thing atm - since yesterday evening
my server gets hits.

I used tcpdump and in my case they're flooding 27015 with:

11:31:13.305474 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305476 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305479 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305481 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305484 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305525 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305528 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305530 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305532 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305534 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305537 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305539 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305541 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305568 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305571 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305573 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305575 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305578 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305580 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305582 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305584 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305626 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305629 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305631 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305633 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305635 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5
11:31:13.305637 IP 66-7-210-223.gamezservers.org.9355 > my.server.hostename.27015: UDP, length 5

11:31:20.798319 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798351 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798354 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798356 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798358 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798360 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798362 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798364 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798367 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798401 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798404 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798410 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798413 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798415 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798417 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798420 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798422 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798424 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798427 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798504 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798507 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798509 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798511 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798513 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5
11:31:20.798515 IP 223.25.244.205.10101 > my.server.hostename.27015: UDP, length 5

11:31:50.514987 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.514989 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.514992 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.514995 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.514997 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515000 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515003 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515046 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515049 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515051 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515053 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515056 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515059 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515061 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515064 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515067 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515069 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515083 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515086 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515088 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515091 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515094 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515096 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515128 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515131 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515133 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515136 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515138 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515140 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515142 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515145 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515147 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515149 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515152 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515155 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515157 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515160 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515163 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515169 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515172 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515175 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515178 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515273 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515276 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515279 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5
11:31:50.515282 IP cpe-75-186-43-2.cinci.res.rr.com.3074 > my.server.hostename.27015: UDP, length 5

And so on. I tried iptables rules like:

iptables -I INPUT -p udp -m length --length 5 -j DROP
iptables -A INPUT -p udp -m length --length 5 -j DROP

But no luck :*(
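Added example, not code from the original post: a small Python parser for the wrapped tcpdump lines above that counts packets per source and per second, and shows why the `--length 5` rule never matched. The iptables `length` match compares the IP total length (20-byte IPv4 header + 8-byte UDP header + 5-byte payload = 33 bytes), while tcpdump's `length 5` is the UDP payload alone. The sample input reuses three records from the capture above, repeated to form a mini-flood, plus one constructed 25-byte packet; the `hashlimit` rate and the rule name `hlds_flood` are assumptions.

```python
import re
from collections import Counter
IP_HDR, UDP_HDR = 20, 8  # bytes: IPv4 header without options, UDP header

# Constructed input: three records from the post's capture, repeated to form a
# mini-flood, plus one constructed 25-byte packet that must not be flagged.
SAMPLE = (
    "11:31:13.305474 IP 66-7-210-223.gamezservers.org.9355 >\n"
    "my.server.hostename.27015: UDP, length 5\n" * 4
    + "11:31:20.798319 IP 223.25.244.205.10101 > my.server.hostename.27015:\n"
    "UDP, length 5\n" * 4
    + "11:31:50.514987 IP cpe-75-186-43-2.cinci.res.rr.com.3074 >\n"
    "my.server.hostename.27015: UDP, length 5\n"
    + "11:31:51.000001 IP 203.0.113.7.27005 > my.server.hostename.27015:\n"
    "UDP, length 25\n"
)
RECORD = re.compile(r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<plen>\d+)")

def unwrap(text):
    """Re-join records the mail client wrapped after '>' or after the destination ':'."""
    return re.sub(r"([>:])\n", r"\1 ", text)

def parse(text):
    """Return (ts, src, sport, dport, udp_payload_len) for every UDP record."""
    recs = []
    for line in unwrap(text).splitlines():
        m = RECORD.search(line)
        if m:
            recs.append((m["ts"], m["src"], int(m["sport"]), int(m["dport"]), int(m["plen"])))
    return recs

def iptables_length(udp_payload):
    """What 'iptables -m length' compares: IP total length, not the payload tcpdump prints."""
    return IP_HDR + UDP_HDR + udp_payload

def flood_sources(recs, dport=27015, threshold=3):
    """(src, sport) pairs that sent more than `threshold` packets to dport in one second."""
    per_second = Counter()
    for ts, src, sport, dp, _ in recs:
        if dp == dport:
            per_second[(src, sport, ts[:8])] += 1
    return sorted({(s, p) for (s, p, _), n in per_second.items() if n > threshold})

def drop_rules(dport=27015, payload=5, rate="100/sec"):
    """Rules for the observed flood: the real on-wire length, then a per-source rate limit."""
    return [
        f"iptables -I INPUT -p udp --dport {dport} -m length --length {iptables_length(payload)} -j DROP",
        f"iptables -I INPUT -p udp --dport {dport} -m hashlimit --hashlimit-above {rate} "
        f"--hashlimit-mode srcip --hashlimit-name hlds_flood -j DROP",
    ]
```

Run tcpdump with `-n` so sources appear as addresses rather than resolved names. A host-side drop only helps while the flood is small enough not to saturate the upstream link, as the quoted message below also notes.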

On 04.08.2012 04:50, LocalStrike | Live your game! wrote:
> I read this from a forum and at this time we have the same situation here!
> please we need a fix asap!
>
> --
>
> I am writing to inform you about a new very dangerous exploit in the HLDS 
> engine. Briefly, the exploit allows the attacker to send packets over every 
> hlds server to a predefined destination. This way all HLDS servers make an 
> unstoppable "botnet" which can attack the destination which is chosen.
>
> The attack originally started a month and a half ago in Bulgaria, and since 
> then many big server chains are attacked and still no solution is found. The 
> attack is so strong that even Internet Service Providers say that it harms 
> the connection of their users near the hlds server location.
>
> Explanation of the attack:
> We know that the attack is made through the UDP protocol from hundreds of 
> IPs that are real counter strike 1.6 servers (hlds). It comes from the 
> server port, and almost always hits port 27005.
> The most common length of the packets is 1400, but there are also less 
> packets with different length. However, there is no point in dropping the 
> packets with this length because the whole international and inbound 
> channels are filled and the server still cannot be reached.
> Also the HEX of the packets contains a part of the server configuration. 
> I've noticed a packet which HEX prints "You have been banned from this 
> server!". This makes me think that some bot connects to a chosen server and 
> makes the server send a UDP packet to the predefined destination.
>
> We've managed to log full information of the attack. I have 15 gigabytes of 
> logs with this attack which are made for only 10 minutes. I will attach a 
> short part of my logs, and some other logs from other server administrators 
> who have experienced the same attack.
>
> One of the server administrators says:
> "I am writing to say that I have received the same attack against my 
> machines and since I work as a system administrator in corporate hosting 
> company, my machines are colocated in the company's server room, with this I 
> want to say that my resources are a lot bigger than my mate @talibana's and 
> I managed to localize the attack or at least I think so.
>
> The flood was directed to UDP port 27005, after a while the enormous flood 
> managed to fill my international channel and I had to work jointly with our 
> ISP, after I asked them to block port 27005 only 4 ip addresses started to 
> show on my machine, 3 of which were Russian and 1 Greek, which didn't make a 
> lot of traffic or big number of packets, just to say they were "listening" 
> to the final point - my IP address. After I have blocked these IPs from the 
> routing machine (Gateway) the flood totally disappeared."
> And also:
> "We talk about a vulnerability in the Engine, which allows the generation of 
> packets from unauthorized people, which are being sent where the 'bad guy' 
> wants."
>
> The above "story" was sent to Valve, with a view of finding a solution to 
> the problem. Since the attack reached its peak we can't just wait, watching 
> our servers getting ruined. I post this topic so that more experienced 
> people can say what they think and to figure out what kind of attack it is 
> together so that a fix could be implemented. You can download logs and other 
> things at the end of the post.
>
> I will update this post with the most recent information about the attack.
>
> A small discovery: A system administrator noticed that HLSW is receiving 
> exactly the same packets, as the flooder sends from other HL1 servers to the 
> "victim". This packet contains information about the server vars and mod 
> information. We think that this is the same packet which can be sent to 
> every server to request the info. (A2S_INFO) The question that appears is 
> how the attacker manages to request this information from the infected 
> servers and forward it to a specified ip address?
>
> What we tried?
> We tried to stop the international traffic which "solved" the problem with 
> 1400 length packets, but another flood appeared which attacks the server 
> ports (27015/6/7..):
>
> Logs and pics:
> A very short part of the flood attack (40 mb) - 
> http://www.multiupload.nl/7ECR925FM2
> Traffic extreme:
> http://desmond.imageshack.us/Himg228/scale...amp;res=landing
>
> I really hope that here we will find solution! If you have any questions I 
> will tell you what you want. 
>
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please 
> visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>
