Re: [Csgo_servers] Server brought down by attack
Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptable examples for rate limiting a port. On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu wrote: Has someone a script for the iptables rules?? -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8296.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
This will block legitimate traffic. On 11/5/2014 6:19 AM, José Santos wrote: Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptable examples for rate limiting a port. On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu mailto:sla...@team-sw.eu wrote: Has someone a script for the iptables rules?? -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8296.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com mailto:Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply letting the server running. There is not much you can do, sadly. Am 5. November 2014 15:06:10 schrieb p0stpwned getmeabeerwo...@hotmail.com: Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
Aren't there any kind of retry implemented into the client game? Why not just drop the first 3 packets and then allow if it keeps trying? On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote: The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply letting the server running. There is not much you can do, sadly. Am 5. November 2014 15:06:10 schrieb p0stpwned getmeabeerwo...@hotmail.com: Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505. n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
You can use dnat based on string to send query to a caching software. Le 5 nov. 2014 16:51, Marco Padovan e...@evcz.tk a écrit : Aren't there any kind of retry implemented into the client game? Why not just drop the first 3 packets and then allow if it keeps trying? On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote: The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply letting the server running. There is not much you can do, sadly. Am 5. November 2014 15:06:10 schrieb p0stpwned getmeabeerwo...@hotmail.com: Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505. n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
I don't know if this has been asked yet but have you determined if this attack is directly at your community and your server(s) as some vendetta some disgruntled user has against you or would it appear to just be some random asshole spamming an attack at your ip just because they can? If it is just seemingly random I'd talk to your host about moving servers/ip addresses and just hope for the best. If the attack is going to follow you then, unfortunately you're kinda out of luck. On Nov 5, 2014 10:11 AM, Zaretti Steve kosso...@gmail.com wrote: You can use dnat based on string to send query to a caching software. Le 5 nov. 2014 16:51, Marco Padovan e...@evcz.tk a écrit : Aren't there any kind of retry implemented into the client game? Why not just drop the first 3 packets and then allow if it keeps trying? On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote: The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply letting the server running. There is not much you can do, sadly. Am 5. November 2014 15:06:10 schrieb p0stpwned getmeabeerwo...@hotmail.com: Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505. n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
This is possible I guess Am 5. November 2014 16:51:35 schrieb Marco Padovan e...@evcz.tk: Aren't there any kind of retry implemented into the client game? Why not just drop the first 3 packets and then allow if it keeps trying? On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote: The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply letting the server running. There is not much you can do, sadly. Am 5. November 2014 15:06:10 schrieb p0stpwned getmeabeerwo...@hotmail.com: Yeah there's no real point staying up if we're not even on the browser list. -- View this message in context: http://csgo-servers.1073505. n5.nabble.com/Server-brought-down-by-attack-tp8280p8299.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers -- ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
This attack has been launched by a rival pub that for some reason declared WAR on our server, so I'm guessing the attack will follow us. -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8305.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
I'd try reporting the others to their GSP (if they're using one) with whatever evidence you have On 6/11/2014 3:52 AM, p0stpwned wrote: This attack has been launched by a rival pub that for some reason declared WAR on our server, so I'm guessing the attack will follow us. -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8305.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
I talked about rate-limit qconnect, not A2S_INFO so server would appear in serverlist. About rate-limiting qconnect, it could affect legit players when an attack occurs but I think it's better to try connect a couple of times than don't be able to play. So I would recommend try this before a better solution is available iptables -I INPUT 10 -p udp -m udp --dport 27015 -m string --algo bm --string qconnect -m limit --limit 3/s --limit-burst 10 -j ACCEPT iptables -I INPUT 11 -p udp -m udp --dport 27015 -m string --algo bm --string qconnect -j DROP On 5 November 2014 13:12, Kevin C s...@serveredirect.com wrote: This will block legitimate traffic. On 11/5/2014 6:19 AM, José Santos wrote: Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptable examples for rate limiting a port. On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu wrote: Has someone a script for the iptables rules?? -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8296.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing listCsgo_servers@list.valvesoftware.comhttps://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
The problem is there are like hundreds of these coming in per second, so if I limit them that much how is anyone going to get in at all, even with multiple retries? -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8309.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
The attacks against us eventually stopped after a few days. The only solution we came up with was our IP whitelist. Unfortunately you need to have a list of IPs already to do this. I would recommend running the tracker plugin I linked a few messages ago when your server is back up so you can whitelist if this happens again. There is probably something limiting the amount of responses that can be given in the engine. Valve implied the limitation after removing sv_max_queries_sec_global should be CPU, but our CPU usage was only 1-2% while still not allowing players to join the server. On 11/5/2014 5:02 PM, p0stpwned wrote: The problem is there are like hundreds of these coming in per second, so if I limit them that much how is anyone going to get in at all, even with multiple retries? -- View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8309.html Sent from the CSGO_Servers mailing list archive at Nabble.com. ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers ___ Csgo_servers mailing list Csgo_servers@list.valvesoftware.com https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers