So then how are we supposed to share solutions? Anyway, I'll try IP tables. Disregard my IP suggestion. #HideMyAss
On Mon, Sep 2, 2013 at 2:05 PM, Calvin Judy <[email protected]> wrote:

> Rate limiting isn't the way to go about it, you can block all the invalid
> source packets.
>
> But there's no reason to post the solution publicly because the user
> launching the attacks is monitoring the mailing list.
>
> ----- Original Message -----
> From: "Vitor F. - Killall" <[email protected]>
> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
> Sent: Monday, September 02, 2013 2:02 PM
> Subject: Re: [hlds_linux] NET_GetLong attacks
>
>> Try the hashlimit module.
>>
>> Example: limit the input of srcds server on port 27015 up to 100 packets
>> per second/ip
>>
>> iptables -A INPUT -p udp --destination-port 27015 -m hashlimit -m udp --hashlimit-burst 15 --hashlimit-upto 100 --hashlimit-mode srcip --hashlimit-name srcdsin -j ACCEPT
>>
>> iptables -A INPUT -p udp -j DROP
>>
>> 2013/9/2 Violent Crimes <violentcrimes@convictgaming.com>
>>
>>> On 9/2/2013 7:25 AM, Michael Johansen wrote:
>>>
>>>> Blocked those and the attack still persists.
>>>>
>>>>> From: [email protected]
>>>>> To: hlds_linux@list.valvesoftware.com
>>>>> Date: Mon, 2 Sep 2013 07:14:43 -0400
>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>
>>>>> Okay, the number you provided (53) is the size of the string, the entire
>>>>> packet size is either 60 or 67 depending on the query. (there's 2 queries
>>>>> that are repeating.)
>>>>>
>>>>> Try these rules:
>>>>> iptables -A INPUT -p udp --dport 27135 -m length --length 60 -j DROP
>>>>> iptables -A INPUT -p udp --dport 27135 -m length --length 67 -j DROP
>>>>>
>>>>> I just tried these locally and they do not stop the valid queries from the
>>>>> steam browser.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Michael Johansen" <[email protected]>
>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>> Sent: Monday, September 02, 2013 6:57 AM
>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>
>>>>>> http://replays.blackoutgaming.org/attack1.cap
>>>>>>
>>>>>> This is from an attack. You should be able to open it using Wireshark.
>>>>>>
>>>>>>> From: [email protected]
>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>> Date: Mon, 2 Sep 2013 06:44:46 -0400
>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>
>>>>>>> Post the tcpdump so we can look at it.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Michael Johansen" <[email protected]>
>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>> Sent: Monday, September 02, 2013 6:38 AM
>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>
>>>>>>>> I tried that too, and the servers stopped showing in both server browser
>>>>>>>> and SourceBans. It looks like the only way to stop this is with a plugin
>>>>>>>> or extension on the servers.
>>>>>>>>
>>>>>>>>> From: [email protected]
>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>> Date: Mon, 2 Sep 2013 06:35:04 -0400
>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>
>>>>>>>>> Modify the packet size in the rule I gave you to match what tcpdump is
>>>>>>>>> showing then, see if that works.
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Michael Johansen" <[email protected]>
>>>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>>>> Sent: Monday, September 02, 2013 6:32 AM
>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>
>>>>>>>>>> I don't know how SRCDS finds that range, but tcpdump claims the packet is 53
>>>>>>>>>> bytes. And I'll have to take back what I said that the server lag was
>>>>>>>>>> gone - it still lags badly whenever the attack hits. The cache takes quite
>>>>>>>>>> a bit of it, but it still lags.
>>>>>>>>>>
>>>>>>>>>>> From: [email protected]
>>>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>>>> Date: Mon, 2 Sep 2013 06:07:49 -0400
>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>
>>>>>>>>>>> Rate limiting the a2s queries will still make the server appear offline,
>>>>>>>>>>> if you read your log that you posted, it gives you the size, and the
>>>>>>>>>>> acceptable size, you should be able to tailor a rule to fit your needs.
>>>>>>>>>>>
>>>>>>>>>>> Log:
>>>>>>>>>>> NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
>>>>>>>>>>> NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
>>>>>>>>>>>
>>>>>>>>>>> Size: 8293
>>>>>>>>>>> Valid Size: 564-1248
>>>>>>>>>>>
>>>>>>>>>>> Rule:
>>>>>>>>>>> iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP
>>>>>>>>>>>
>>>>>>>>>>> Make sure you also update the destination port if it's different. (I just
>>>>>>>>>>> tried this rule on my machine and it's working.)
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Michael Johansen" <[email protected]>
>>>>>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>>>>>> Sent: Monday, September 02, 2013 5:12 AM
>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>
>>>>>>>>>>>> I've tried that, and it doesn't work. For now the solution is to run Query
>>>>>>>>>>>> Cache to make the server playable, it will still disappear from the
>>>>>>>>>>>> server browser though. Is there a solution to that? Somehow rate-limiting
>>>>>>>>>>>> A2S queries?
>>>>>>>>>>>>
>>>>>>>>>>>>> From: [email protected]
>>>>>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>>>>>> Date: Mon, 2 Sep 2013 04:10:15 -0400
>>>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, it was mentioned on the other thread titled "steam server ports."
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://forums.alliedmods.net/showthread.php?t=151551
>>>>>>>>>>>>>
>>>>>>>>>>>>> The 4th section from the top is dealing with attacks like this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>> From: "Michael Johansen" <[email protected]>
>>>>>>>>>>>>> To: "Half-Life dedicated Linux server mailing list" <hlds_linux@list.valvesoftware.com>
>>>>>>>>>>>>> Sent: Monday, September 02, 2013 2:38 AM
>>>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is it possible to stop this attack using iptables? Usually using the
>>>>>>>>>>>>>> "Valve-way" of stopping the attacks won't work very well.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Date: Sun, 1 Sep 2013 23:45:23 -0400
>>>>>>>>>>>>>>> From: violentcrimes@convictgaming.com
>>>>>>>>>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>>>>>>>>>> Subject: Re: [hlds_linux] NET_GetLong attacks
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> That might have worked with the other filtering we are doing.
>>>>>>>>>>>>>>> If it does I will send you the money. Send me a private email with your
>>>>>>>>>>>>>>> steam user.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 9/1/2013 11:11 PM, Bottiger wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you used the version I posted it should not have set your
>>>>>>>>>>>>>>>> sv_max_queries_sec_global so high.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You are supposed to lower that number until it becomes playable and raise
>>>>>>>>>>>>>>>> the window.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>>>>>>>>>>>>> please visit:
>>>>>>>>>>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
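Added example, not part of the original thread: a small Python triage script for the NET_GetLong log lines quoted above. It groups rejections by the (number, count, size) values the server logged and reports how many distinct source addresses sent each one, which shows whether one fixed packet is arriving from many sources. The regular expression is derived from the two log lines in the thread; the function names and the last two sample lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Pattern derived from the two NET_GetLong lines quoted in the thread.
NET_GETLONG = re.compile(
    r"NET_GetLong:\s+Split packet from (?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"with invalid split size \(number (?P<number>\d+)/\s*count (?P<count>\d+)\)\s+"
    r"where size (?P<size>\d+) is out of valid range "
    r"\[\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*\]"
)

# The first two lines are the ones quoted in the thread; the last two are
# constructed for this example (198.51.100.7 is a documentation address).
SAMPLE_LOG = "\n".join([
    "NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size "
    "(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]",
    "NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size "
    "(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]",
    "Server cvar 'sv_tags' changed",
    "NET_GetLong: Split packet from 198.51.100.7:40000 with invalid split size "
    "(number 1/ count 2) where size 100 is out of valid range [564 - 1248 ]",
])

def parse_events(log_text):
    """Return one dict per NET_GetLong rejection; other lines are ignored."""
    return [
        {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
        for m in NET_GETLONG.finditer(log_text)
    ]

def summarize(events):
    """Group by logged (number, count, size); report hits and source spread."""
    per_source = defaultdict(Counter)
    for ev in events:
        per_source[(ev["number"], ev["count"], ev["size"])][ev["ip"]] += 1
    rows = [
        {"signature": sig, "hits": sum(ips.values()),
         "distinct_sources": len(ips), "max_hits_per_source": max(ips.values())}
        for sig, ips in per_source.items()
    ]
    return sorted(rows, key=lambda r: r["hits"], reverse=True)

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE_LOG)):
        print(row)
```

In the thread the logged size (8293) did not match the packet length tcpdump reported, so the signature here is a grouping key for triage, not a value to copy into a -m length rule.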

