The numbers coming from the logs in srcds appear to be wrong. The packet size it lists (8293) is incorrect even if the packet is being split, and as for the valid size that it's giving, I'm not actually sure how it's calculating that. It's probably coming from one of these convars: net_maxroutable, net_splitrate, net_maxfragments. (But still not accurate.)

----- Original Message -----
From: "Weasel" <[email protected]>
To: <[email protected]>
Sent: Tuesday, September 03, 2013 2:54 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


If the "Valid Size" is always in the range 564-1248, is there a way to have iptables block anything that is EITHER above or below that size limit? Or will that interfere with the game? (i.e. are there other LEGIT game-related packets outside the range to be expected?)

______________________________________________________


Re: [hlds_linux] NET_GetLong attacks
Calvin Judy Mon, 02 Sep 2013 03:09:16 -0700

Rate limiting the a2s queries will still make the server appear offline. If you read your log that you posted, it gives you the size and the acceptable size, so you should be able to tailor a rule to fit your needs.

Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]

Size: 8293
Valid Size: 564-1248

Rule:
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP

Make sure you also update the destination port if it's different. (I just tried this rule on my machine and it's working.)

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
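
Added example (not part of the original thread and not code from any poster): Python that parses NET_GetLong lines in the format quoted above, groups them by reported size, and emits exact-length DROP rules of the same form as the rule in the post. The function names, the min_hits threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread. Addresses are
# documentation-range placeholders; the first two entries are fused on one
# line, as they are in the post.
SAMPLE_LOG = (
    "NET_GetLong: Split packet from 192.0.2.10:54712 with invalid split size "
    "(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ] "
    "NET_GetLong: Split packet from 198.51.100.7:45086 with invalid split size "
    "(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]\n"
    "NET_GetLong: Split packet from 192.0.2.10:54713 with invalid split size "
    "(number 3/ count 9) where size 4100 is out of valid range [564 - 1248 ]\n"
    "unrelated console line\n"
)

EVENT_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r" with invalid split size \(number (?P<number>\d+)/ count (?P<count>\d+)\)"
    r" where size (?P<size>\d+) is out of valid range"
    r" \[\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*\]"
)

def parse_events(text):
    """Return one dict per NET_GetLong entry; finditer handles fused lines."""
    events = []
    for m in EVENT_RE.finditer(text):
        ev = {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
        events.append(ev)
    return events

def candidate_rules(events, iface="eth0", dport=27015, min_hits=2):
    """Build exact-length DROP rules (same form as the rule in the thread)
    for each reported size seen at least min_hits times (assumed threshold)."""
    sizes = Counter(ev["size"] for ev in events)
    return [
        f"iptables -A INPUT -i {iface} -p udp --dport {dport} "
        f"-m length --length {size} -j DROP"
        for size, hits in sorted(sizes.items()) if hits >= min_hits
    ]

def sources_by_size(events):
    """Map each reported size to the sorted list of source IPs that sent it."""
    out = {}
    for ev in events:
        out.setdefault(ev["size"], set()).add(ev["ip"])
    return {size: sorted(ips) for size, ips in out.items()}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(sources_by_size(evs))
    print("\n".join(candidate_rules(evs)))
```

Because the follow-up in this thread says the logged size appears inaccurate, compare a candidate size against a packet capture before applying the generated rule.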

