Looks like a mixture of a2sinfo spam and that splitpacket spam. If you look
at the dump you can see they keep sending \xFF\xFF\xFF\xFFTSource Engine
Query\x00 and \xFE\xFF\xFF\xFFTSource Engine Query\x00

Here's a version of serversecure3 vsp that doesn't change
sv_max_queries_sec_global and sv_max_queries_sec_global. Try tweaking those
convars and see if it helps.

https://mega.co.nz/#!gkYHjTYD!A_NvDATFev2VvaGp21dSnCXk_DEooveB-OSnIOWbOno

On Sun, Sep 1, 2013 at 2:25 PM, Violent Crimes <[email protected]> wrote:

> http://vps.convictgaming.com/sample.zip
>
>
>
> On 9/1/2013 5:12 PM, Bottiger wrote:
>
>> It would be helpful if you recorded the attack.
>>
>> http://www.winpcap.org/windump/install/default.htm
>>
>>
>> On Sun, Sep 1, 2013 at 1:12 PM, Violent Crimes <[email protected]> wrote:
>>
>>> I am having the same issue, took down 6 boxes, over 50 servers.
>>>
>>>
>>> On 9/1/2013 4:09 PM, Michael Johansen wrote:
>>>
>>>> They should, yeah. But until then, I need to find a way to block the
>>>> attack.
>>>>
>>>>> Date: Sun, 1 Sep 2013 23:06:19 +0300
>>>>> From: [email protected]
>>>>> To: [email protected]
>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>
>>>>> I've seen the same thing once. The attack raises CPU usage and causes
>>>>> lag due to that. I only monitored while someone tried it, did cause
>>>>> some harm but not too much. Perhaps the attacker was inexperienced at
>>>>> that time.
>>>>>
>>>>> I guess Valve should look into this.
>>>>>
>>>>> -ics
>>>>>
>>>>> Michael Johansen wrote:
>>>>>
>>>>>> Hi.
>>>>>> For the past two days we've been hit by a skid trying to show off by
>>>>>> taking our servers down by sending them malformed packets and faked
>>>>>> Source Engine Queries. The messages look like this:
>>>>>> http://pastie.org/private/kknzt5acoom8enl5bouwxq
>>>>>>
>>>>>> We have tried blocking the attack using iptables without success. The
>>>>>> length of the packets varies, the source address and port varies,
>>>>>> everything varies. What can we do to stop this?
>>>>>>
>>>>>> _______________________________________________
>>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>>> please visit:
>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>>>>>>
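An added example (not part of the thread, and not serversecure3 code): a Python sketch that labels captured UDP payloads by the two prefixes quoted at the top of the thread and compares the global per-second rate with the per-source rate. The label names, the `classify` and `summarise` helpers, and the sample packets are constructed for illustration.

```python
from collections import Counter, defaultdict

# Payload prefixes quoted at the top of the thread.
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"
SPLIT_HDR = b"\xfe\xff\xff\xff"

def classify(payload: bytes) -> str:
    """Label one UDP payload received on the game port (labels are this example's own)."""
    if payload.startswith(A2S_INFO):
        return "a2s_info"
    if payload.startswith(SPLIT_HDR):
        # The thread's second pattern: split header followed by the query text.
        if payload[4:].startswith(b"TSource Engine Query"):
            return "split_fake_query"
        return "split"
    if payload.startswith(b"\xff\xff\xff\xff"):
        return "other_connectionless"
    return "other"

def summarise(packets):
    """packets: iterable of (unix_ts, src_ip, payload) -> per-label rate statistics."""
    per_sec = defaultdict(Counter)   # label -> {second: packets}
    per_src = defaultdict(Counter)   # label -> {source address: packets}
    for ts, src, payload in packets:
        label = classify(payload)
        per_sec[label][int(ts)] += 1
        per_src[label][src] += 1
    return {
        label: {
            "total": sum(per_src[label].values()),
            "peak_per_sec": max(per_sec[label].values()),
            "sources": len(per_src[label]),
            "max_per_source": max(per_src[label].values()),
        }
        for label in per_sec
    }

# Constructed sample, not taken from the capture in the thread.
SAMPLE = (
    [(1000 + i / 100, f"198.51.100.{i % 200 + 1}", A2S_INFO) for i in range(300)]
    + [(1001 + i / 50, f"203.0.113.{i + 1}", SPLIT_HDR + A2S_INFO[4:]) for i in range(100)]
    + [(1000.5, "192.0.2.10", b"\xff\xff\xff\xffU\xff\xff\xff\xff")]
)

if __name__ == "__main__":
    for label, stats in sorted(summarise(SAMPLE).items()):
        print(label, stats)
```

When `max_per_source` stays near 1 while `peak_per_sec` is high, a per-address limit sees almost nothing to throttle, which matches the thread's observation that the source address and port vary and its suggestion to tune the global query convar.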