Re: [hlds_linux] NET_GetLong attacks

Mon, 02 Sep 2013 03:46:43 -0700 

Post the tcpdump so we can look at it.
----- Original Message ----- From: "Michael Johansen" <[email protected]> To: "Half-Life dedicated Linux server mailing list" <[email protected]> 
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
I tried that too, and the servers stopped showing in both server browser and SourceBans. It looks like the only way to stop this is with a plugin or extension on the servers. 
From: [email protected]
To: [email protected]
Date: Mon, 2 Sep 2013 06:35:04 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Modify the packet size in the rule I gave you to match what tcpdump is
showing then, see if that works.
----- Original Message ----- From: "Michael Johansen" <[email protected]> 
To: "Half-Life dedicated Linux server mailing list"
<[email protected]>
Sent: Monday, September 02, 2013 6:32 AM
Subject: Re: [hlds_linux] NET_GetLong attacks
>I don't know how SRCDS find that range, but tcpdump claims the packet is >53 
>bytes. And I'll have to take back what I said that the server lag was
>gone - it still lags badly whenever the attack hits. The cache takes >quite 
>a bit of it, but it still lags.
>
>> From: [email protected]
>> To: [email protected]
>> Date: Mon, 2 Sep 2013 06:07:49 -0400
>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>
>> Rating limiting the a2s queries will still make the server appear
>> offline,
>> if you read your log that you posted, it gives you the size, and the
>> acceptable size, you should be able to tailor a rule to fit your >> needs. 
>>
>> Log:
>> NET_GetLong: Split packet from 157.208.132.148:54712 with invalid >> split >> size (number 99/ count 114) where size 8293 is out of valid range >> [564 - 
>> 1248 ]
>> NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split >> size 
>> (number 99/ count 114) where size 8293 is out of valid range [564 -
>> 1248 ]
>>
>> Size: 8293
>> Valid Size: 564-1248
>>
>> Rule:
>> iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length >> 8293 -j 
>> DROP
>>
>> Make sure you also update the destination port if it's different. (I >> just 
>> tried this rule on my machine and it's working.)
>>
>>
>> ----- Original Message ----- >> From: "Michael Johansen" <[email protected]> 
>> To: "Half-Life dedicated Linux server mailing list"
>> <[email protected]>
>> Sent: Monday, September 02, 2013 5:12 AM
>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>
>>
>> > I've tried that, and it doesn't work. For now the solution is to run
>> > Query
>> > Cache to make the server playable, it will still disappear from the
>> > serverbrowser though. Is there a solution to that? Somehow
>> > rate-limiting
>> > A2S queries?
>> >
>> >> From: [email protected]
>> >> To: [email protected]
>> >> Date: Mon, 2 Sep 2013 04:10:15 -0400
>> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >>
>> >> Yes, it was mentioned on the other thread titled "steam server >> >> ports." 
>> >>
>> >> http://forums.alliedmods.net/showthread.php?t=151551
>> >>
>> >> The 4th section from the top is dealing with attacks like this.
>> >>
>> >> ----- Original Message ----- >> >> From: "Michael Johansen" <[email protected]> 
>> >> To: "Half-Life dedicated Linux server mailing list"
>> >> <[email protected]>
>> >> Sent: Monday, September 02, 2013 2:38 AM
>> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >>
>> >>
>> >> > Is it possible to stop this attack using iptables? Usually using >> >> > the 
>> >> > "Valve-way" of stopping the attacks won't work very well.
>> >> >> Date: Sun, 1 Sep 2013 23:45:23 -0400
>> >> >> From: [email protected]
>> >> >> To: [email protected]
>> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >> >>
>> >> >> That might have worked with the other filtering we are doing. If >> >> >> it 
>> >> >> does
>> >> >> I will send you the money. Send me a private email with your >> >> >> steam 
>> >> >> user.
>> >> >>
>> >> >>
>> >> >> On 9/1/2013 11:11 PM, Bottiger wrote:
>> >> >> > If you used the version I posted it should not have set your
>> >> >> > sv_max_queries_sec_global
>> >> >> > so high.
>> >> >> >
>> >> >> > You are supposed to lower that number until it becomes >> >> >> > playable 
>> >> >> > and
>> >> >> > raise
>> >> >> > the window.
>> >> >> >
>> >> >> >
>> >> >
>> >> > _______________________________________________
>> >> > To unsubscribe, edit your list preferences, or view the list
>> >> > archives,
>> >> > please visit:
>> >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >>
>> >>
>> >> _______________________________________________
>> >> To unsubscribe, edit your list preferences, or view the list >> >> archives, 
>> >> please visit:
>> >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >
>> > _______________________________________________
>> > To unsubscribe, edit your list preferences, or view the list >> > archives, 
>> > please visit:
>> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>>
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit: 
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux 


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

Reply via email to