The IPs in the dump originate from China, but as it's UDP it could very well be spoofed.
Looking at the payload in the packets, each new packet only has 1 character change from the previous packet. Bruteforce, or perhaps signature scanning evasion?

Saint K.
________________________________________
From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:15
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

I haven't looked at the tcpdump, but I have been getting attacks too, they're SYN floods, 300 - 400 mbps in size and always coming from local/reserved (0.x) IPs. All started some time after we set up our mvm servers.

> From: sai...@specialattack.net
> To: hlds_linux@list.valvesoftware.com
> Date: Tue, 27 Nov 2012 10:56:28 +0100
> Subject: [hlds_linux] Incoming DoS attack
>
> Hi,
>
> We've been having DoS attacks aimed at one of our MvM servers.
>
> Anyone have any idea what they're attempting to do here? Is it just to make
> the server unreachable, or are they actually trying to exploit srcds somehow?
>
> Here's a tcpdump made for about 30 seconds during the attack (which is still
> ongoing);
>
> http://www.specialattack.net/downloads/dump.rar
>
> Saint K.
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please
> visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
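
The "one character changes per packet" observation in the thread can be checked mechanically. The sketch below is an added example, not code from the thread or from any list member: it groups packets by destination port rather than source address (the thread notes that UDP sources can be spoofed) and reports runs of consecutive payloads that differ in exactly one byte. The tuple layout, port numbers, addresses and payloads are constructed for illustration.

```python
def one_byte_step(prev: bytes, cur: bytes):
    """Return the offset of the single differing byte, or None if the
    payloads differ in length or in any number of bytes other than one."""
    if len(prev) != len(cur):
        return None
    diff = [i for i, (a, b) in enumerate(zip(prev, cur)) if a != b]
    return diff[0] if len(diff) == 1 else None


def find_incremental_runs(packets, min_run=4):
    """packets: (src_ip, dst_port, payload) tuples in capture order.
    Returns one dict per run of at least min_run consecutive one-byte
    steps toward the same destination port."""
    runs = []
    state = {}  # dst_port -> (last_payload, steps, sources, offsets)

    def flush(port):
        _, steps, sources, offsets = state[port]
        if steps >= min_run:
            runs.append({"dst_port": port, "steps": steps,
                         "sources": len(sources), "offsets": sorted(offsets)})

    for src, port, payload in packets:
        if port in state:
            last, steps, sources, offsets = state[port]
            off = one_byte_step(last, payload)
            if off is not None:
                # Run continues: remember who sent it and which byte moved.
                state[port] = (payload, steps + 1, sources | {src}, offsets | {off})
                continue
            flush(port)  # run broken: record it if it was long enough
        state[port] = (payload, 0, {src}, set())
    for port in state:
        flush(port)
    return runs


# Constructed sample: six packets to port 27015 whose last byte steps
# A..F, each from a different (documentation-range) source address,
# followed by two unrelated packets to another port.
SAMPLE = [("192.0.2.%d" % (10 + i), 27015, b"CONSTRUCTED-" + bytes([65 + i]))
          for i in range(6)]
SAMPLE += [("198.51.100.7", 27016, b"hello"), ("198.51.100.7", 27016, b"world!")]

if __name__ == "__main__":
    for run in find_incremental_runs(SAMPLE):
        print(run)
```

A run that continues across many source addresses while always changing the same offset is consistent with a single generator behind spoofed sources. Legitimate traffic interleaved on the same port breaks a run, so on a busy server filter the capture to the suspect payload length first.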