That might have worked with the other filtering we are doing. If it does
I will send you the money. Send me a private email with your steam user.
On 9/1/2013 11:11 PM, Bottiger wrote:
If you used the version I posted it should not have set your
sv_max_queries_sec_global
so high.
You are supposed to lower that number until it becomes playable and raise
the window.
On Sun, Sep 1, 2013 at 8:03 PM, Violent Crimes <
[email protected]> wrote:
23:02:46 "sv_max_queries_window" = "1" ( def. "30" )
- Window over which to average queries per second averages.
Also he is spoofing the ip.
On 9/1/2013 10:57 PM, Nomaan Ahmad wrote:
Maybe he meant sv_max_queries_window
On 2 September 2013 03:37, Violent Crimes
<violentcrimes@convictgaming.**com <[email protected]>
wrote:
"sv_max_queries_sec_global and sv_max_queries_sec_global" did you mean
something else?
"sv_max_queries_sec_global" = "99999999" ( def. "3000" )
- Maximum queries per second to respond to from anywhere.
On 9/1/2013 10:28 PM, Bottiger wrote:
I'm not sure what you mean by older version. Serversecure3 is the newest
version and has never been publicly released in compiled form. I have
checked the source code and it handles both types of attacks when
combined
with those 2 convars.
Given that the original serversecure worked, I have no reason to believe
the newest version doesn't work. But since we only host on Linux where
we
can easily implement the same logic in iptables, we can't test it.
On Sun, Sep 1, 2013 at 5:11 PM, Violent Crimes <
violentcrimes@convictgaming.****com
<violentcrimes@convictgaming.**com<[email protected]>
wrote:
Older version doesn't work
On 9/1/2013 6:25 PM, Bottiger wrote:
It should be noted that you probably won't be able to prevent a2sinfo
spam
from occasionally dropping your server from the browser, but your
server
should be playable.
That problem can only be solved when Valve makes another version of
a2sinfo
that requires a challenge. I recommend that they do so and phase out
the
old a2sinfo by creating a sv_max_queries_sec_info_old and setting it
to
a
very low number.
On Sun, Sep 1, 2013 at 3:16 PM, Bottiger <[email protected]>
wrote:
Looks like a mixture of a2sinfo spam and that splitpacket spam. If
you
look at the dump you can see they keep sending
\xFF\xFF\xFF\xFFTSource
Engine Query\x00 and \xFE\xFF\xFF\xFFTSource Engine Query\x00
Here's a version of serversecure3 vsp that doesn't change
sv_max_queries_sec_global and sv_max_queries_sec_global. Try tweaking
those
convars and see if it helps.
https://mega.co.nz/#!gkYHjTYD!******A_NvDATFev2VvaGp21dSnCXk_****<https://mega.co.nz/#!gkYHjTYD!****A_NvDATFev2VvaGp21dSnCXk_**>
<https://mega.co.nz/#!**gkYHjTYD!**A_**NvDATFev2VvaGp21dSnCXk_**<https://mega.co.nz/#!gkYHjTYD!**A_NvDATFev2VvaGp21dSnCXk_**>
DEooveB-OSnIOWbOno<https://**m**ega.co.nz/#!gkYHjTYD!A_**<http://mega.co.nz/#!gkYHjTYD!A_**>
NvDATFev2VvaGp21dSnCXk_****DEooveB-OSnIOWbOno<https://**
mega.co.nz/#!gkYHjTYD!A_**NvDATFev2VvaGp21dSnCXk_**
DEooveB-OSnIOWbOno<https://mega.co.nz/#!gkYHjTYD!A_NvDATFev2VvaGp21dSnCXk_DEooveB-OSnIOWbOno>
On Sun, Sep 1, 2013 at 2:25 PM, Violent Crimes <
violentcrimes@convictgaming.******com <violentcrimes@convictgaming.*
***com<violentcrimes@**convictgaming.com<[email protected]>
wrote:
http://vps.convictgaming.com/********sample.zip<http://vps.convictgaming.com/******sample.zip>
<http://vps.**convictgaming.com/****sample.**zip<http://vps.convictgaming.com/****sample.zip>
<http://vps.**convictgaming.**com/**sample.zip<http://convictgaming.com/**sample.zip>
<http://vps.**convictgaming.com/**sample.zip<http://vps.convictgaming.com/**sample.zip>
**>
**>
<http://vps.**convictgaming.****com/sample.zip<http://**
convictgaming.com/sample.zip <http://convictgaming.com/sample.zip>>
<http://vps.**convictgaming.**com/sample.zip<http://convictgaming.com/sample.zip>
<http://vps.**convictgaming.com/sample.zip<http://vps.convictgaming.com/sample.zip>
On 9/1/2013 5:12 PM, Bottiger wrote:
It would be helpful if you recorded the attack.
http://www.winpcap.org/********windump/install/default.htm<http://www.winpcap.org/******windump/install/default.htm>
<ht**tp://www.winpcap.org/******windump/install/default.htm<http://www.winpcap.org/****windump/install/default.htm>
<ht**tp://www.winpcap.org/******windump/install/default.htm<http://www.winpcap.org/****windump/install/default.htm>
<ht**tp://www.winpcap.org/****windump/install/default.htm<http://www.winpcap.org/**windump/install/default.htm>
<ht**tp://www.winpcap.org/****windump/**install/default.htm<http://www.winpcap.org/**windump/**install/default.htm>
<**http://www.winpcap.org/**windump/**install/default.htm<http://www.winpcap.org/windump/**install/default.htm>
<**http://www.winpcap.org/****windump/install/default.htm<http://www.winpcap.org/**windump/install/default.htm>
<ht**tp://www.winpcap.org/windump/**install/default.htm<http://www.winpcap.org/windump/install/default.htm>
On Sun, Sep 1, 2013 at 1:12 PM, Violent Crimes <
violentcrimes@convictgaming.********com
<violentcrimes@convictgaming.*
***com<violentcrimes@**convict**gaming.com<http://convictgaming.com>
<violentcrimes@**convictgaming.com<[email protected]>
wrote:
I am having the same issue took down 6 boxes over 50 servers.
On 9/1/2013 4:09 PM, Michael Johansen wrote:
They should, yeah. But until then, I need to find a way to
block
the
attack.
Date: Sun, 1 Sep 2013 23:06:19 +0300
From: [email protected]
To: [email protected].**
********com<hlds_linux@list.**
valvesoftware.com <hlds_linux@list.****valvesoftwa**re.com<
http://**valvesoftware.com <http://valvesoftware.com>>
<hlds_linux@list.**valvesoftwa**re.com<http://valvesoftware.com>
<hlds_linux@list.**valvesoftware.com<[email protected]>
Subject: Re: [hlds_linux] NET_GetLong attacks
I've seen the same thing once. The attack rises CPU usage and
causes
lag
due to that. I only monitored while someone tried it, did cause
some
harm but not too much. Perhaps the attacker was unexperienced at
that
time.
I guess Valve should look into this.
-ics
Michael Johansen kirjoitti:
Hi.
For the past two days we've been hit by a skid trying to show
off
by
taking our servers down by sending them malformed packets and
faked
Source
Engine Queries. The messages look like this:
http://pastie.org/**
private/********kknzt5acoom8enl5bouwxq<http://********
pastie.org/private/**
kknzt5acoom8enl5bouwxq<http://******pastie.org/private/**
kknzt5acoom8enl5bouwxq<http://****pastie.org/private/**
kknzt5acoom8enl5bouwxq<http://**pastie.org/private/**
kknzt5acoom8enl5bouwxq<http://pastie.org/private/kknzt5acoom8enl5bouwxq>
We have tried blocking the attack using iptables without
success.
The
length of the packets varies, the source address and port
varies,
everything varies. What can we do to stop this?
______________________________**********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.**********com/cgi-bin/mailman/**
listinfo/**
***
*hlds_linux<https://list.******val**vesoftware.com/cgi-bin/***
*** <http://vesoftware.com/cgi-bin/****><
http://valvesoftware.com/cgi-****bin/**<http://valvesoftware.com/cgi-**bin/**>
<http://valvesoftware.**com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<****ht**tps://list.valvesoftware.*
***
com/** <http://list.valvesoftware.**com/**<http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_******linux<https://list.**
valvesoftware.com/cgi-bin/****mailman/listinfo/hlds_linux<http://valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux>
<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________**********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.**********com/cgi-bin/mailman/**
listinfo/*****
*hlds_linux<https://list.******val**vesoftware.com/cgi-bin/****
** <http://vesoftware.com/cgi-bin/****><
http://valvesoftware.com/cgi-****bin/**<http://valvesoftware.com/cgi-**bin/**>
<http://valvesoftware.**com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<****ht**tps://list.valvesoftware.**
**
com/** <http://list.valvesoftware.**com/**<http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_******linux<https://list.**
valvesoftware.com/cgi-bin/****mailman/listinfo/hlds_linux<http://valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux>
<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________**********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.**********com/cgi-bin/mailman/**
listinfo/*****
*hlds_linux<https://list.******val**vesoftware.com/cgi-bin/****
** <http://vesoftware.com/cgi-bin/****><
http://valvesoftware.com/cgi-****bin/**<http://valvesoftware.com/cgi-**bin/**>
<http://valvesoftware.**com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<****ht**tps://list.valvesoftware.***
*
com/** <http://list.valvesoftware.**com/**<http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_******linux<https://list.**
valvesoftware.com/cgi-bin/****mailman/listinfo/hlds_linux<http://valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux>
<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________**********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.**********com/cgi-bin/mailman/**
listinfo/*****
*hlds_linux<https://list.******val**vesoftware.com/cgi-bin/******<http://vesoftware.com/cgi-bin/****>
<
http://valvesoftware.com/cgi-****bin/**<http://valvesoftware.com/cgi-**bin/**>
<http://valvesoftware.**com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<****ht**tps://list.valvesoftware.***
*com/**<http://list.**valvesoftware.com/**<http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_******linux<https://list.**
valvesoftware.com/cgi-bin/****mailman/listinfo/hlds_linux<http://valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux>
<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.********com/cgi-bin/mailman/**
listinfo/*****
*hlds_linux<https://list.****val**vesoftware.com/cgi-bin/****<
http://valvesoftware.com/cgi-**bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<**ht**tps://list.valvesoftware.**
com/** <http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_****linux<https://list.**
valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________********_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.********com/cgi-bin/mailman/**
listinfo/*****
*hlds_linux<https://list.****val**vesoftware.com/cgi-bin/****<
http://valvesoftware.com/cgi-**bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<**ht**tps://list.valvesoftware.**com/**<http://list.valvesoftware.com/**>
cgi-bin/mailman/listinfo/hlds_****linux<https://list.**
valvesoftware.com/cgi-bin/**mailman/listinfo/hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________******_________________
To unsubscribe, edit your list preferences, or view the list
archives,
please visit:
https://list.valvesoftware.******com/cgi-bin/mailman/listinfo/*****
*hlds_linux<https://list.**val**vesoftware.com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________******_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.******com/cgi-bin/mailman/listinfo/*****
*hlds_linux<https://list.**val**vesoftware.com/cgi-bin/**<http://valvesoftware.com/cgi-bin/**>
mailman/listinfo/hlds_linux<ht**tps://list.valvesoftware.com/**
cgi-bin/mailman/listinfo/hlds_**linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________****_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.****com/cgi-bin/mailman/listinfo/***
*hlds_linux<https://list.**valvesoftware.com/cgi-bin/**
mailman/listinfo/hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________****_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.****com/cgi-bin/mailman/listinfo/***
*hlds_linux<https://list.**valvesoftware.com/cgi-bin/**
mailman/listinfo/hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________**_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.**com/cgi-bin/mailman/listinfo/**hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
______________________________**_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.**com/cgi-bin/mailman/listinfo/**hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
