I'm late and couldn't download the file. Could you please publish it again? You can even reach me privately
On Mon, Sep 2, 2013 at 12:57 PM, Michael Johansen <[email protected]> wrote: > http://replays.blackoutgaming.org/attack1.cap > > This is from an attack. You should be able to open it using WireShark. > > From: [email protected] > > To: [email protected] > > Date: Mon, 2 Sep 2013 06:44:46 -0400 > > Subject: Re: [hlds_linux] NET_GetLong attacks > > > > Post the tcpdump so we can look at it. > > > > ----- Original Message ----- > > From: "Michael Johansen" <[email protected]> > > To: "Half-Life dedicated Linux server mailing list" > > <[email protected]> > > Sent: Monday, September 02, 2013 6:38 AM > > Subject: Re: [hlds_linux] NET_GetLong attacks > > > > > > >I tried that too, and the servers stopped showing in both server browser > > >and SourceBans. It looks like the only way to stop this is with a > plugin or > > >extension on the servers. > > >> From: [email protected] > > >> To: [email protected] > > >> Date: Mon, 2 Sep 2013 06:35:04 -0400 > > >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> > > >> Modify the packet size in the rule I gave you to match what tcpdump is > > >> showing then, see if that works. > > >> > > >> > > >> ----- Original Message ----- > > >> From: "Michael Johansen" <[email protected]> > > >> To: "Half-Life dedicated Linux server mailing list" > > >> <[email protected]> > > >> Sent: Monday, September 02, 2013 6:32 AM > > >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> > > >> > > >> >I don't know how SRCDS find that range, but tcpdump claims the > packet is > > >> >53 > > >> >bytes. And I'll have to take back what I said that the server lag was > > >> >gone - it still lags badly whenever the attack hits. The cache takes > > >> >quite > > >> >a bit of it, but it still lags. > > >> > > > >> >> From: [email protected] > > >> >> To: [email protected] > > >> >> Date: Mon, 2 Sep 2013 06:07:49 -0400 > > >> >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> >> > > >> >> Rating limiting the a2s queries will still make the server appear > > >> >> offline, > > >> >> if you read your log that you posted, it gives you the size, and > the > > >> >> acceptable size, you should be able to tailor a rule to fit your > > >> >> needs. > > >> >> > > >> >> Log: > > >> >> NET_GetLong: Split packet from 157.208.132.148:54712 with invalid > > >> >> split > > >> >> size (number 99/ count 114) where size 8293 is out of valid range > > >> >> [564 - > > >> >> 1248 ] > > >> >> NET_GetLong: Split packet from 61.52.31.78:45086 with invalid > split > > >> >> size > > >> >> (number 99/ count 114) where size 8293 is out of valid range [564 - > > >> >> 1248 ] > > >> >> > > >> >> Size: 8293 > > >> >> Valid Size: 564-1248 > > >> >> > > >> >> Rule: > > >> >> iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length > > >> >> 8293 -j > > >> >> DROP > > >> >> > > >> >> Make sure you also update the destination port if it's different. > (I > > >> >> just > > >> >> tried this rule on my machine and it's working.) > > >> >> > > >> >> > > >> >> ----- Original Message ----- > > >> >> From: "Michael Johansen" <[email protected]> > > >> >> To: "Half-Life dedicated Linux server mailing list" > > >> >> <[email protected]> > > >> >> Sent: Monday, September 02, 2013 5:12 AM > > >> >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> >> > > >> >> > > >> >> > I've tried that, and it doesn't work. For now the solution is to > run > > >> >> > Query > > >> >> > Cache to make the server playable, it will still disappear from > the > > >> >> > serverbrowser though. Is there a solution to that? Somehow > > >> >> > rate-limiting > > >> >> > A2S queries? > > >> >> > > > >> >> >> From: [email protected] > > >> >> >> To: [email protected] > > >> >> >> Date: Mon, 2 Sep 2013 04:10:15 -0400 > > >> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> >> >> > > >> >> >> Yes, it was mentioned on the other thread titled "steam server > > >> >> >> ports." > > >> >> >> > > >> >> >> http://forums.alliedmods.net/showthread.php?t=151551 > > >> >> >> > > >> >> >> The 4th section from the top is dealing with attacks like this. > > >> >> >> > > >> >> >> ----- Original Message ----- > > >> >> >> From: "Michael Johansen" <[email protected]> > > >> >> >> To: "Half-Life dedicated Linux server mailing list" > > >> >> >> <[email protected]> > > >> >> >> Sent: Monday, September 02, 2013 2:38 AM > > >> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> >> >> > > >> >> >> > > >> >> >> > Is it possible to stop this attack using iptables? Usually > using > > >> >> >> > the > > >> >> >> > "Valve-way" of stopping the attacks won't work very well. > > >> >> >> >> Date: Sun, 1 Sep 2013 23:45:23 -0400 > > >> >> >> >> From: [email protected] > > >> >> >> >> To: [email protected] > > >> >> >> >> Subject: Re: [hlds_linux] NET_GetLong attacks > > >> >> >> >> > > >> >> >> >> That might have worked with the other filtering we are > doing. If > > >> >> >> >> it > > >> >> >> >> does > > >> >> >> >> I will send you the money. Send me a private email with your > > >> >> >> >> steam > > >> >> >> >> user. > > >> >> >> >> > > >> >> >> >> > > >> >> >> >> On 9/1/2013 11:11 PM, Bottiger wrote: > > >> >> >> >> > If you used the version I posted it should not have set > your > > >> >> >> >> > sv_max_queries_sec_global > > >> >> >> >> > so high. > > >> >> >> >> > > > >> >> >> >> > You are supposed to lower that number until it becomes > > >> >> >> >> > playable > > >> >> >> >> > and > > >> >> >> >> > raise > > >> >> >> >> > the window. > > >> >> >> >> > > > >> >> >> >> > > > >> >> >> > > > >> >> >> > _______________________________________________ > > >> >> >> > To unsubscribe, edit your list preferences, or view the list > > >> >> >> > archives, > > >> >> >> > please visit: > > >> >> >> > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> >> >> > > >> >> >> > > >> >> >> _______________________________________________ > > >> >> >> To unsubscribe, edit your list preferences, or view the list > > >> >> >> archives, > > >> >> >> please visit: > > >> >> >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> >> > > > >> >> > _______________________________________________ > > >> >> > To unsubscribe, edit your list preferences, or view the list > > >> >> > archives, > > >> >> > please visit: > > >> >> > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> >> > > >> >> > > >> >> _______________________________________________ > > >> >> To unsubscribe, edit your list preferences, or view the list > archives, > > >> >> please visit: > > >> >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > >> > _______________________________________________ > > >> > To unsubscribe, edit your list preferences, or view the list > archives, > > >> > please visit: > > >> > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > >> > > > >> > > >> > > >> _______________________________________________ > > >> To unsubscribe, edit your list preferences, or view the list archives, > > >> please visit: > > >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > > > > > _______________________________________________ > > > To unsubscribe, edit your list preferences, or view the list archives, > > > please visit: > > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > > > > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

