IIRC Hetzner are all automated right? Would be good for them to have an
automatic blocking system, so they don't have to spend money on people manning
their NOC (if they even have one).
> From: riem...@binkey.nl
> Date: Wed, 28 Nov 2012 13:34:22 +0100
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> I am not a promoter, but with Hetzner if an attack is on my server, I just
> get an email with the list of ip's that were doing the ddos stating they
> stopped them from coming through.
>
> -----Original Message-----
> From: hlds_linux-boun...@list.valvesoftware.com
> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
> Johansen
> Sent: Wednesday 28 November 2012 11:35
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
>
> If you're with an ISP/provider that actually takes care of their customers
> they can just blackhole the ip's that are attacking, or the signature of
> the attack in their routers, problem is that it takes time and it takes a
> lot of CPU, and there may also be like 20k IP's and then you're out of
> luck :(
> > From: sai...@specialattack.net
> > To: hlds_linux@list.valvesoftware.com
> > Date: Wed, 28 Nov 2012 11:18:23 +0100
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > Our other server yesterday got hit by the so called "DNS response DDoS".
> > So I'm guessing right now the attack wasn't aimed at exploiting SRCDS
> > itself, but simply to put down our services.
> >
> > Not much you can do but wait for the attacks to die out.
> >
> > (If every ISP would just implement ip source guard you could at least
> > actually block IP addresses knowing they come from a real source....
> > meh)
> > ________________________________________
> > From: hlds_linux-boun...@list.valvesoftware.com
> > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
> > Johansen [michs...@live.no]
> > Sent: 28 November 2012 09:57
> > To: hlds_linux@list.valvesoftware.com
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > Syn cookies didn't help for me sadly. Had to tune sysctl a tad more.
> > Bumping up the maximum values for nf_conntrack module and all sorts of
> > things. Now I'm using a couple of iptables rules to block all SYN-packets
> > going over 5 per second. I've blocked ~800k packets the last days since
> > enabling it. It's quite stable for now, but you never know when you're in
> > for a larger attack unfortunately.
> >
> > > Date: Wed, 28 Nov 2012 00:55:20 -0800
> > > From: my_azz...@yahoo.com
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > Yea lol tell me about it! I have been constantly attacked on and off
> > > for the past 4 months due to my servers being in the top 20 on gametracker
> > > for CS1.6 I must have seen all kinds of ddos attacks out there.
> > >
> > > For those on linux and getting syn floods, a nice preventative thing
> > > you can do is enable syn cookies. read more:
> > > http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
> > >
> > >
> > >
> > >
> > > ________________________________
> > > From: Michael Johansen <michs...@live.no>
> > > To: hlds_linux@list.valvesoftware.com
> > > Sent: Wednesday, November 28, 2012 3:45:26 AM
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > >
> > > The funny thing is, you can actually do so on the IP. Some skid has
> > > made a "Booter" as it's called in their community which you can use to
> > > take down shit. Send an abuse report to Santrex and block this ip in your
> > > software firewall if you are on gigabit, it's only capable of pushing out
> > > ~300 mbit/s. IP: 46.166.130.152. Could also block every packet whose data
> > > contains "flood" or is 1024 bytes.
> > > > Date: Wed, 28 Nov 2012 00:40:14 -0800
> > > > From: my_azz...@yahoo.com
> > > > To: hlds_linux@list.valvesoftware.com
> > > > Subject: Re: [hlds_linux] Incoming DoS attack
> > > >
> > > > These days any 12 year old with their mommy's credit card can buy
> > > > botnets and booters to do attacks.
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > > > From: Marco Padovan <e...@evcz.tk>
> > > > To: hlds_linux@list.valvesoftware.com
> > > > Sent: Tuesday, November 27, 2012 8:34:28 AM
> > > > Subject: Re: [hlds_linux] Incoming DoS attack
> > > >
> > > > when you have fat pipes (1gbit or 10gbit uplinks) people need
> > > > fat pipes too to spoof from and take you down...
> > > >
> > > > but, IIRC, that well known .EU isp that allows spoofing let people
> > > > do that only on the 100mbit network not on the gbit network.
> > > >
> > > > Therefore here comes the amplification (mostly DNS (udp 53) and
> > > > chargen (UDP 19) ).... reporting those amplifiers (open resolvers)
> > > > is very important ;)
> > > >
> > > > On 27/11/2012 14.29, Saint K. wrote:
> > > > > That's kind of pointless in case of UDP attacks, chances are very
> > > > > high that the IP's simply are spoofed.
> > > > >
> > > > > Saint K.
> > > > > ________________________________________
> > > > > From: hlds_linux-boun...@list.valvesoftware.com
> > > > > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco
> > > > > Padovan [e...@evcz.tk]
> > > > > Sent: 27 November 2012 14:27
> > > > > To: hlds_linux@list.valvesoftware.com
> > > > > Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >
> > > > > ihih, nice :)
> > > > >
> > > > > the most important thing while being ddosed is to report to the
> > > > > relevant abuse desks so they can clean up their networks ;)
> > > > >
> > > > > On 27/11/2012 14.26, Michael Johansen wrote:
> > > > >> I am indeed. Thank you for all your help :)
> > > > >>> Date: Tue, 27 Nov 2012 14:25:24 +0100
> > > > >>> From: e...@evcz.tk
> > > > >>> To: hlds_linux@list.valvesoftware.com
> > > > >>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >>>
> > > > >>> Hi,
> > > > >>>
> > > > >>> are you the Mike on WHT?
> > > > >>>
> > > > >>> I was the one replying in there :D
> > > > >>>
> > > > >>> On 27/11/2012 13.54, Michael Johansen wrote:
> > > > >>>> My face when, I just analyzed my own tcpdump and I had over
> > > > >>>> ~150 Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.
> > > > >>>>> From: sai...@specialattack.net
> > > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > > >>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
> > > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >>>>>
> > > > >>>>> We have no control over the upstream network. All I can do is
> > > > >>>>> filter the packets at the machine, but that wouldn't prevent the link from
> > > > >>>>> still being overloaded.
> > > > >>>>>
> > > > >>>>> Currently a null-route is in place to stop the attack at the
> > > > >>>>> network border.
> > > > >>>>>
> > > > >>>>> Saint K.
> > > > >>>>> ________________________________________
> > > > >>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > > > >>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of
> > > > >>>>> Michael Johansen [michs...@live.no]
> > > > >>>>> Sent: 27 November 2012 11:26
> > > > >>>>> To: hlds_linux@list.valvesoftware.com
> > > > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >>>>>
> > > > >>>>> Just took a look at the tcpdump, doesn't look like the attacks
> > > > >>>>> I'm having. I may be stupid now, but wouldn't it work just by blocking
> > > > >>>>> packets with the size of 50?
> > > > >>>>>
> > > > >>>>>> From: sai...@specialattack.net
> > > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > > >>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
> > > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >>>>>>
> > > > >>>>>> The IP's in the dump originate from China, but as it's UDP it
> > > > >>>>>> could very well be spoofed.
> > > > >>>>>>
> > > > >>>>>> Looking at the payload in the packets, each new packet only
> > > > >>>>>> has 1 character change from the previous packet.
> > > > >>>>>>
> > > > >>>>>> Bruteforce, or perhaps signature scanning evasion?
> > > > >>>>>>
> > > > >>>>>> Saint K.
> > > > >>>>>> ________________________________________
> > > > >>>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > > > >>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of
> > > > >>>>>> Michael Johansen [michs...@live.no]
> > > > >>>>>> Sent: 27 November 2012 11:15
> > > > >>>>>> To: hlds_linux@list.valvesoftware.com
> > > > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > > > >>>>>>
> > > > >>>>>> I haven't looked at the tcpdump, but I have been getting
> > > > >>>>>> attacks too, they're SYN floods, 300 - 400 mbps in size and always coming
> > > > >>>>>> from local/reserved (0.x) ip's. All started some time after we set up our
> > > > >>>>>> mvm servers.
> > > > >>>>>>> From: sai...@specialattack.net
> > > > >>>>>>> To: hlds_linux@list.valvesoftware.com
> > > > >>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
> > > > >>>>>>> Subject: [hlds_linux] Incoming DoS attack
> > > > >>>>>>>
> > > > >>>>>>> Hi,
> > > > >>>>>>>
> > > > >>>>>>> We've been having DoS attacks aimed at one of our MvM
> > > > >>>>>>> servers.
> > > > >>>>>>>
> > > > >>>>>>> Anyone have any idea what they're attempting to do here? Is it
> > > > >>>>>>> just to make the server unreachable, or are they actually trying to
> > > > >>>>>>> exploit srcds somehow?
> > > > >>>>>>>
> > > > >>>>>>> Here's a tcpdump made for about 30 seconds during the
> > > > >>>>>>> attack (which is still ongoing);
> > > > >>>>>>>
> > > > >>>>>>> http://www.specialattack.net/downloads/dump.rar
> > > > >>>>>>>
> > > > >>>>>>> Saint K.
> > > > >>>>>>> _______________________________________________
> > > > >>>>>>> To unsubscribe, edit your list preferences, or view the list
> > > > >>>>>>> archives, please visit:
> > > > >>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
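
The capture triage discussed in the thread (SYN packets per second, UDP bandwidth, forged 0.x sources, DNS/chargen reflectors worth an abuse report), as an added example that is not code from any of the posters. The function name, the bogon list and the sample lines are constructed for illustration, and the regex assumes simplified `tcpdump -n -tt` text lines.

```python
import ipaddress
import re
from collections import Counter

REFLECTOR_PORTS = {53, 19}  # DNS and chargen, the amplifiers named in the thread
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\S+: (?:Flags \[(?P<flags>[^\]]+)\]|UDP), .*?length (?P<len>\d+)")

def triage(lines):
    """Return SYN rate, UDP bandwidth, forged-source share and likely reflectors."""
    syn = bogon_syn = udp_bytes = 0
    reflectors, stamps = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 TCP/UDP line in the expected shape
        stamps.append(float(m["ts"]))
        src = ipaddress.ip_address(m["src"])
        if m["flags"] == "S":  # bare SYN (no ACK): a connection attempt
            syn += 1
            # A source that cannot be routed on the Internet must be forged.
            bogon_syn += any(src in net for net in BOGONS)
        elif m["flags"] is None:  # UDP datagram
            udp_bytes += int(m["len"])
            if int(m["sport"]) in REFLECTOR_PORTS:
                reflectors[str(src)] += 1
    span = max(max(stamps) - min(stamps), 1.0) if stamps else 1.0
    return {
        "syn_pps": syn / span,
        "udp_mbit_s": udp_bytes * 8 / span / 1e6,  # payload bytes only
        "bogon_syn_share": bogon_syn / syn if syn else 0.0,
        "reflectors": reflectors.most_common(),  # addresses worth an abuse report
    }

# Constructed sample, simplified from the shape of `tcpdump -n -tt` output.
SAMPLE = """\
1000.000000 IP 0.12.34.56.4021 > 203.0.113.10.27015: Flags [S], seq 1, win 512, length 0
1000.250000 IP 198.51.100.7.19 > 203.0.113.10.27015: UDP, length 1024
1000.500000 IP 0.200.1.9.1184 > 203.0.113.10.27015: Flags [S], seq 2, win 512, length 0
1000.750000 IP 198.51.100.7.19 > 203.0.113.10.27015: UDP, length 1024
1001.000000 IP 198.51.100.20.5500 > 203.0.113.10.27015: Flags [S], seq 3, win 512, length 0
1001.250000 IP 198.51.100.8.19 > 203.0.113.10.27015: UDP, length 1024
1001.500000 IP 0.7.7.7.2020 > 203.0.113.10.27015: Flags [S], seq 4, win 512, length 0
1002.000000 IP 192.0.2.5.40000 > 203.0.113.10.27015: UDP, length 50
""".splitlines()
```

Calling `triage(SAMPLE)` returns the summary dictionary; a high `bogon_syn_share` says per-IP blocking will not help against the SYN flood, while the `reflectors` list holds real hosts that can be reported.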