This would drop packets with a length of 53, which are generally standard source engine queries, so your server would never appear online.

----- Original Message -----
From: "Oskar Levin" <[email protected]>
To: "'Half-Life dedicated Linux server mailing list'" <[email protected]>
Sent: Tuesday, September 03, 2013 3:05 AM
Subject: Re: [hlds_linux] NET_GetLong attacks


You could do something like this, given that your INPUT chain has default
ACCEPT.

iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 564:1248 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 27015 -j DROP

--
Best regards
Oskar Levin

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Weasel
Sent: 3 September 2013 14:55
To: [email protected]
Subject: Re: [hlds_linux] NET_GetLong attacks

If the "Valid Size" is always in the range 564-1248, is there a way to have
iptables block anything that is EITHER above or below that size limit? Or
will that interfere with the game? (i.e. are there other LEGIT game-related
packets outside the range to be expected?)



Re: [hlds_linux] NET_GetLong attacks
Calvin Judy Mon, 02 Sep 2013 03:09:16 -0700

Rate limiting the A2S queries will still make the server appear offline. If
you read the log you posted, it gives you the size and the acceptable size,
so you should be able to tailor a rule to fit your needs.

Log:
NET_GetLong: Split packet from 157.208.132.148:54712 with invalid split size
(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 61.52.31.78:45086 with invalid split size
(number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]

Size: 8293
Valid Size: 564-1248

Rule:
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 8293 -j DROP

Make sure you also update the destination port if it's different. (I just
tried this rule on my machine and it's working.)

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
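Added example (not from any poster in this thread): a small Python helper that parses NET_GetLong log lines of the form quoted above, collects each out-of-range split size, and emits one targeted `-m length` DROP rule per size, so that short packets such as the A2S queries mentioned in the top reply are never touched. The log lines, interface name and port below are constructed sample values; note that iptables' length match compares the IP datagram's total length, which is not guaranteed to equal the split size the engine reports, so confirm the rule is actually matching by watching its packet counter before relying on it.

```python
import re

# Constructed sample log in the NET_GetLong format quoted in this thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
NET_GetLong: Split packet from 198.51.100.10:54712 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 203.0.113.5:45086 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 203.0.113.7:40001 with invalid split size (number 3/ count 4) where size 1400 is out of valid range [564 - 1248 ]
Some unrelated console line that must be ignored
"""

LINE_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>[\d.]+):(?P<port>\d+) .*?"
    r"where size (?P<size>\d+) is out of valid range \[(?P<lo>\d+) - (?P<hi>\d+) \]"
)


def parse_log(text):
    """Return ({size: hit_count}, (lo, hi)) for every NET_GetLong line found.

    Lines that do not match, or whose size is actually inside the reported
    valid range (a garbled or wrapped line), are skipped.
    """
    sizes = {}
    valid = None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        size = int(m.group("size"))
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo <= size <= hi:
            continue
        valid = (lo, hi)
        sizes[size] = sizes.get(size, 0) + 1
    return sizes, valid


def build_rules(text, iface="eth0", port=27015):
    """Emit one DROP rule per offending size (hypothetical iface/port defaults).

    Only the exact sizes seen in the log are dropped; every other length,
    including the small A2S query packets, still reaches the server.
    Check hits afterwards with: iptables -L INPUT -v -n
    """
    sizes, _ = parse_log(text)
    return [
        f"iptables -A INPUT -i {iface} -p udp --dport {port} "
        f"-m length --length {size} -j DROP"
        for size in sorted(sizes)
    ]


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_LOG):
        print(rule)
```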

