Re: [hlds_linux] NET_GetLong attacks

[Calvin Judy]

Okay, the number you provided (53) is the size of the string, the entire 
packet size is either 60 or 67 depending on the query. (there's 2 queries 
that are repeating.)

Try these rules:
iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP
I just tried these locally and they do not stop the valid queries from the 
steam browser.


----- Original Message ----- 
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list" 
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:57 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


http://replays.blackoutgaming.org/attack1.cap

This is from an attack. You should be able to open it using WireShark.
From: evo...@gmail.com
To: hlds_linux@list.valvesoftware.com
Date: Mon, 2 Sep 2013 06:44:46 -0400
Subject: Re: [hlds_linux] NET_GetLong attacks

Post the tcpdump so we can look at it.

----- Original Message ----- 
From: "Michael Johansen" <michs...@live.no>
To: "Half-Life dedicated Linux server mailing list"
<hlds_linux@list.valvesoftware.com>
Sent: Monday, September 02, 2013 6:38 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


>I tried that too, and the servers stopped showing in both server browser
>and SourceBans. It looks like the only way to stop this is with a plugin 
>or
>extension on the servers.
>> From: evo...@gmail.com
>> To: hlds_linux@list.valvesoftware.com
>> Date: Mon, 2 Sep 2013 06:35:04 -0400
>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>
>> Modify the packet size in the rule I gave you to match what tcpdump is
>> showing then, see if that works.
>>
>>
>> ----- Original Message ----- 
>> From: "Michael Johansen" <michs...@live.no>
>> To: "Half-Life dedicated Linux server mailing list"
>> <hlds_linux@list.valvesoftware.com>
>> Sent: Monday, September 02, 2013 6:32 AM
>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>
>>
>> >I don't know how SRCDS find that range, but tcpdump claims the packet 
>> >is
>> >53
>> >bytes. And I'll have to take back what I said that the server lag was
>> >gone - it still lags badly whenever the attack hits. The cache takes
>> >quite
>> >a bit of it, but it still lags.
>> >
>> >> From: evo...@gmail.com
>> >> To: hlds_linux@list.valvesoftware.com
>> >> Date: Mon, 2 Sep 2013 06:07:49 -0400
>> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >>
>> >> Rating limiting the a2s queries will still make the server appear
>> >> offline,
>> >> if you read your log that you posted, it gives you the size, and 
>> >> the
>> >> acceptable size, you should be able to tailor a rule to fit your
>> >> needs.
>> >>
>> >> Log:
>> >> NET_GetLong:  Split packet from 157.208.132.148:54712 with invalid
>> >> split
>> >> size (number 99/ count 114) where size 8293 is out of valid range
>> >> [564 -
>> >> 1248 ]
>> >> NET_GetLong:  Split packet from 61.52.31.78:45086 with invalid 
>> >> split
>> >> size
>> >> (number 99/ count 114) where size 8293 is out of valid range [564 -
>> >> 1248 ]
>> >>
>> >> Size: 8293
>> >> Valid Size: 564-1248
>> >>
>> >> Rule:
>> >> iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length
>> >> 8293 -j
>> >> DROP
>> >>
>> >> Make sure you also update the destination port if it's different. 
>> >> (I
>> >> just
>> >> tried this rule on my machine and it's working.)
>> >>
>> >>
>> >> ----- Original Message ----- 
>> >> From: "Michael Johansen" <michs...@live.no>
>> >> To: "Half-Life dedicated Linux server mailing list"
>> >> <hlds_linux@list.valvesoftware.com>
>> >> Sent: Monday, September 02, 2013 5:12 AM
>> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >>
>> >>
>> >> > I've tried that, and it doesn't work. For now the solution is to 
>> >> > run
>> >> > Query
>> >> > Cache to make the server playable, it will still disappear from 
>> >> > the
>> >> > serverbrowser though. Is there a solution to that? Somehow
>> >> > rate-limiting
>> >> > A2S queries?
>> >> >
>> >> >> From: evo...@gmail.com
>> >> >> To: hlds_linux@list.valvesoftware.com
>> >> >> Date: Mon, 2 Sep 2013 04:10:15 -0400
>> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >> >>
>> >> >> Yes, it was mentioned on the other thread titled "steam server
>> >> >> ports."
>> >> >>
>> >> >> http://forums.alliedmods.net/showthread.php?t=151551
>> >> >>
>> >> >> The 4th section from the top is dealing with attacks like this.
>> >> >>
>> >> >> ----- Original Message ----- 
>> >> >> From: "Michael Johansen" <michs...@live.no>
>> >> >> To: "Half-Life dedicated Linux server mailing list"
>> >> >> <hlds_linux@list.valvesoftware.com>
>> >> >> Sent: Monday, September 02, 2013 2:38 AM
>> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >> >>
>> >> >>
>> >> >> > Is it possible to stop this attack using iptables? Usually 
>> >> >> > using
>> >> >> > the
>> >> >> > "Valve-way" of stopping the attacks won't work very well.
>> >> >> >> Date: Sun, 1 Sep 2013 23:45:23 -0400
>> >> >> >> From: violentcri...@convictgaming.com
>> >> >> >> To: hlds_linux@list.valvesoftware.com
>> >> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks
>> >> >> >>
>> >> >> >> That might have worked with the other filtering we are doing. 
>> >> >> >> If
>> >> >> >> it
>> >> >> >> does
>> >> >> >> I will send you the money. Send me a private email with your
>> >> >> >> steam
>> >> >> >> user.
>> >> >> >>
>> >> >> >>
>> >> >> >> On 9/1/2013 11:11 PM, Bottiger wrote:
>> >> >> >> > If you used the version I posted it should not have set 
>> >> >> >> > your
>> >> >> >> > sv_max_queries_sec_global
>> >> >> >> > so high.
>> >> >> >> >
>> >> >> >> > You are supposed to lower that number until it becomes
>> >> >> >> > playable
>> >> >> >> > and
>> >> >> >> > raise
>> >> >> >> > the window.
>> >> >> >> >
>> >> >> >> >
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > To unsubscribe, edit your list preferences, or view the list
>> >> >> > archives,
>> >> >> > please visit:
>> >> >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> To unsubscribe, edit your list preferences, or view the list
>> >> >> archives,
>> >> >> please visit:
>> >> >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >> >
>> >> > _______________________________________________
>> >> > To unsubscribe, edit your list preferences, or view the list
>> >> > archives,
>> >> > please visit:
>> >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >>
>> >>
>> >> _______________________________________________
>> >> To unsubscribe, edit your list preferences, or view the list 
>> >> archives,
>> >> please visit:
>> >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >
>> > _______________________________________________
>> > To unsubscribe, edit your list preferences, or view the list 
>> > archives,
>> > please visit:
>> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>> >
>>
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, 
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, 
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux 


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux