Hi, what rules did you set up to block the SYN packets in iptables? After enabling SYN cookies it helped for a while, but now it's not helping.

Thanks.

________________________________
From: Michael Johansen <michs...@live.no>
To: hlds_linux@list.valvesoftware.com
Sent: Wednesday, November 28, 2012 3:57:54 AM
Subject: Re: [hlds_linux] Incoming DoS attack

Syn cookies didn't help for me sadly. Had to tune sysctl a tad more. Bumping up the maximum values for nf_conntrack module and all sorts of things. Now I'm using a couple of iptables rules to block all SYN-packets going over 5 per second. I've blocked ~800k packets the last days since enabling it. It's quite stable for now, but you never know when you're in for a larger attack unfortunately.

> Date: Wed, 28 Nov 2012 00:55:20 -0800
> From: my_azz...@yahoo.com
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> Yea lol tell me about it! I have been constantly attacked on and off for the
> past 4 months due to my servers being in the top 20 on gametracker for CS1.6
> I must have seen all kinds of ddos attacks out there.
>
> For those on linux and getting syn floods, a nice preventative thing you can
> do is enable syn cookies. read more:
> http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
>
> ________________________________
> From: Michael Johansen <michs...@live.no>
> To: hlds_linux@list.valvesoftware.com
> Sent: Wednesday, November 28, 2012 3:45:26 AM
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> The funny thing is, you can actually do so on the IP. Some skid has made a
> "Booter" as it's |called in their community| which you can use to take down
> shit. Send an abuse report to Santrex and block this ip in your software
> firewall if you are on gigabit, it's only capable of pushing out ~300 mbit/s.
> IP: 46.166.130.152. Could also block every packet whose data contains "flood"
> or is 1024 bytes.
> > Date: Wed, 28 Nov 2012 00:40:14 -0800
> > From: my_azz...@yahoo.com
> > To: hlds_linux@list.valvesoftware.com
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > These days any 12 year old with their mommy's credit card can buy botnets
> > and booters to do attacks.
> >
> > ________________________________
> > From: Marco Padovan <e...@evcz.tk>
> > To: hlds_linux@list.valvesoftware.com
> > Sent: Tuesday, November 27, 2012 8:34:28 AM
> > Subject: Re: [hlds_linux] Incoming DoS attack
> >
> > when you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes
> > too to spoof from and take you down...
> >
> > but, IIRC, that well known .EU isp that allows spoofing let people do
> > that only on the 100mbit network not on the gbit network.
> >
> > Therefore here comes the amplification (mostly DNS (udp 53) and chargen
> > (UDP 19) ).... reporting those amplifiers (open resolvers) is very
> > important ;)
> >
> > On 27/11/2012 14.29, Saint K. wrote:
> > > That's kind of pointless in case of UDP attacks, chances are very high
> > > that the IP's simply are spoofed.
> > >
> > > Saint K.
> > > ________________________________________
> > > From: hlds_linux-boun...@list.valvesoftware.com
> > > [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan
> > > [e...@evcz.tk]
> > > Sent: 27 November 2012 14:27
> > > To: hlds_linux@list.valvesoftware.com
> > > Subject: Re: [hlds_linux] Incoming DoS attack
> > >
> > > ihih, nice :)
> > >
> > > the most important thing while being ddosed is to report to the relevant
> > > abuse desks so they can clean up their networks ;)
> > >
> > > On 27/11/2012 14.26, Michael Johansen wrote:
> > >> I am indeed. Thank you for all your help :)
> > >>> Date: Tue, 27 Nov 2012 14:25:24 +0100
> > >>> From: e...@evcz.tk
> > >>> To: hlds_linux@list.valvesoftware.com
> > >>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>
> > >>> Hi,
> > >>>
> > >>> are you the Mike on WHT?
> > >>>
> > >>> I was the one replying in there :D
> > >>>
> > >>> On 27/11/2012 13.54, Michael Johansen wrote:
> > >>>> My face when, I just analyzed my own tcpdump and I had over ~150
> > >>>> Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.
> > >>>>> From: sai...@specialattack.net
> > >>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
> > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>
> > >>>>> We have no control over the upstream network. All I can do is filter
> > >>>>> the packets at the machine, but that wouldn't prevent the link from
> > >>>>> still being overloaded.
> > >>>>>
> > >>>>> Currently a null-route is in place to stop the attack at the network
> > >>>>> border.
> > >>>>>
> > >>>>> Saint K.
> > >>>>> ________________________________________
> > >>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > >>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
> > >>>>> Johansen [michs...@live.no]
> > >>>>> Sent: 27 November 2012 11:26
> > >>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>
> > >>>>> Just took a look at the tcpdump, doesn't look like the attacks I'm
> > >>>>> having. I may be stupid now, but wouldn't it work just by blocking
> > >>>>> packets with the size of 50?
> > >>>>>
> > >>>>>> From: sai...@specialattack.net
> > >>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
> > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>>
> > >>>>>> The IP's in the dump originate from China, but as it's UDP it could
> > >>>>>> very well be spoofed.
> > >>>>>>
> > >>>>>> Looking at the payload in the packets, each new packet only has 1
> > >>>>>> character change from the previous packet.
> > >>>>>>
> > >>>>>> Bruteforce, or perhaps signature scanning evasion?
> > >>>>>>
> > >>>>>> Saint K.
> > >>>>>> ________________________________________
> > >>>>>> From: hlds_linux-boun...@list.valvesoftware.com
> > >>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael
> > >>>>>> Johansen [michs...@live.no]
> > >>>>>> Sent: 27 November 2012 11:15
> > >>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
> > >>>>>>
> > >>>>>> I haven't looked at the tcpdump, but I have been getting attacks
> > >>>>>> too, they're SYN floods, 300 - 400 mbps in size and always coming
> > >>>>>> from local/reserved (0.x) ip's. All started some time after we set
> > >>>>>> up our mvm servers.
> > >>>>>>> From: sai...@specialattack.net
> > >>>>>>> To: hlds_linux@list.valvesoftware.com
> > >>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
> > >>>>>>> Subject: [hlds_linux] Incoming DoS attack
> > >>>>>>>
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> We've been having DoS attacks aimed at one of our MvM servers.
> > >>>>>>>
> > >>>>>>> Anyone have any idea what they're attempting to do here? Is it just
> > >>>>>>> to make the server unreachable, or are they actually trying to
> > >>>>>>> exploit srcds somehow?
> > >>>>>>>
> > >>>>>>> Here's a tcpdump made for about 30 seconds during the attack (which
> > >>>>>>> is still ongoing);
> > >>>>>>>
> > >>>>>>> http://www.specialattack.net/downloads/dump.rar
> > >>>>>>>
> > >>>>>>> Saint K.
> > >>>>>>> _______________________________________________
> > >>>>>>> To unsubscribe, edit your list preferences, or view the list
> > >>>>>>> archives, please visit:
> > >>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
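
The host-side mitigations discussed in this thread (SYN cookies, larger conntrack limits, and an iptables limit of 5 SYN packets per second), sketched as an added example that is not any poster's actual ruleset. The chain name `SYN_FLOOD` and the burst, backlog and conntrack values are assumptions, and the limit is applied globally rather than per source because the thread reports spoofed and reserved (0.x) source addresses.

```sh
#!/bin/sh
# Added example, not from the thread. Only the 5/second rate comes from the
# posts; the chain name and every other value are assumptions.
SYN_RATE="5/second"     # rate quoted in the thread
SYN_BURST=10            # assumed burst allowance
SYN_BACKLOG=4096        # assumed SYN backlog size
CONNTRACK_MAX=262144    # assumed; size to available RAM

# Kernel settings: SYN cookies plus larger backlog and conntrack table.
# nf_conntrack_max only exists once the nf_conntrack module is loaded.
sysctl_settings() {
    cat <<EOF
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=${SYN_BACKLOG}
net.netfilter.nf_conntrack_max=${CONNTRACK_MAX}
EOF
}

# iptables commands, printed so they can be reviewed before being applied.
# The limit is global, not per source: spoofed SYNs rarely repeat a source.
syn_rules() {
    cat <<EOF
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit ${SYN_RATE} --limit-burst ${SYN_BURST} -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -I INPUT 1 -s 0.0.0.0/8 -j DROP
iptables -I INPUT 2 -p tcp --syn -j SYN_FLOOD
EOF
}

# Sum the packet counters of DROP rules in `iptables -nvxL SYN_FLOOD` output
# read from stdin.
drop_count() {
    awk '$3 == "DROP" { n += $1 } END { print n + 0 }'
}

# Apply the settings and rules; requires root.
apply() {
    sysctl_settings | while read -r kv; do sysctl -w "$kv"; done
    syn_rules | while read -r cmd; do $cmd; done
}

# Usage as root: ./syn-limit.sh apply
# Afterwards:    iptables -nvxL SYN_FLOOD | drop_count
if [ "${1:-}" = "apply" ]; then apply; fi
```

A global limit also throttles legitimate TCP connections while an attack is running, which is tolerable on a game server whose players connect over UDP. As noted in the thread, none of this helps once the uplink itself is saturated.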