Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Marco Padovan
This is an old issue, it was being exploited in TF2 years ago too...

Lately (past 4 weeks) I've seen it being frequently used against csgo too
with the 54 and ff packets.

NSFOCUS, Arbor and so on do nothing in our case; we had to resort to filtering
those attacks with proper rate limits by using iptables.

On Sun, Mar 22, 2015 at 8:06 AM, Alberts S c...@tirlins.com wrote:

 Hey! By any chance could you share a few .pcap logs?

 Best Regards,
 Alberts Saulitis

 Kevin Bassi @  wrote:

 Srcds for the longest time has sucked at handling a decent amount of
 packets per second, it appears to crumble under itself whenever you
 send a high volume of packets per second. We have a NSFOCUS hardware
 mitigation setup in Dallas where they're hosted, and the mitigation is
 doing its job by keeping these machines online during the attack, we
 never disconnect from the machine but the target servers on the
 machine seem to time out even though only about 10mbps of the attack
 is actually getting through.

 Here's a detailed post containing some qconnect packet dumps:
 http://csgodev.com/qconnect-attacks/

 There's another attack somewhat like the qconnect packet attack that
 just sends a decent volume of packets that don't contain any
 information, the problem with blocking these is that the payload is
 randomly generated, the source port falls within the query port range
 of srcds, and the source port is randomized. So if we block them, we
 also prevent anyone from seeing the server, or connecting.

 None of the integrated features, like the host_ show players and
 info parameters, and the allowed packet window, etc seem to make srcds
 any more stable during these attacks.

 Unfortunately I think this is all going to come down to SRCDS just
 suffering under high packet load, and I do not know how you can fix
 this. All I can do is provide information on how these attacks enter
 and disrupt our network, I have ~120 quite large packet dumps from
 random attacks I'd be more than happy to upload for you guys to
 inspect.

 And an unrelated note: steam voice chat needs to go. I can't imagine
 anyone using it without being in lobbies or something, and this is how
 a bunch of people are grabbing other people's IP addresses over steam.
 Since you can call people without even being on their friends list,
 just by joining a group with them. Just an option to disable voice
 chat that has to be opted into would be great.

 If you need any more information to pass along, feel free to let me
 know.

 Thank you!


___
Csgo_servers mailing list
Csgo_servers@list.valvesoftware.com
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
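
The per-source rate limiting mentioned in the message above, sketched as an added Python simulation over constructed packets; it is not code from the thread or from any poster's iptables setup. It assumes the "54" packets are A2S_INFO queries (0xFFFFFFFF header followed by 0x54), that qconnect packets carry the same header followed by the ASCII text `qconnect`, and the rate and burst values are illustrative.

```python
from collections import Counter

HEADER = b"\xff\xff\xff\xff"   # Source engine connectionless-packet prefix
LIMITED = {"a2s_info", "qconnect", "connectionless"}

def classify(payload):
    """Label one UDP payload addressed to a srcds port."""
    if len(payload) < 5 or not payload.startswith(HEADER):
        return "other"                   # in-session game traffic or random bytes
    if payload[4] == 0x54:               # 'T' = A2S_INFO server-browser query
        return "a2s_info"
    if payload[4:12] == b"qconnect":     # assumed layout of the thread's qconnect packets
        return "qconnect"
    return "connectionless"

class SourceLimiter:
    """Token bucket per (source IP, class): `rate` packets/s, `burst` allowed up front."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, kind, now):
        tokens, last = self.buckets.get((src, kind), (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[(src, kind)] = (tokens - 1.0 if ok else tokens, now)
        return ok

def run_filter(packets, rate=2.0, burst=5):
    """packets: iterable of (timestamp_s, src_ip, payload). Returns (passed, dropped)."""
    limiter, passed, dropped = SourceLimiter(rate, burst), Counter(), Counter()
    for ts, src, payload in packets:
        kind = classify(payload)
        # Only connectionless classes are limited; "other" is left untouched here.
        if kind not in LIMITED or limiter.allow(src, kind, ts):
            passed[src] += 1
        else:
            dropped[src] += 1
    return passed, dropped

# Constructed sample traffic (documentation addresses, not from any capture).
A2S_INFO = HEADER + b"TSource Engine Query\x00"
FLOOD = [(i / 1000.0, "198.51.100.7", A2S_INFO) for i in range(1000)]   # 1000 queries in 1 s
BROWSER = [(float(s), "203.0.113.20", A2S_INFO) for s in range(5)]      # 1 query per second
SAMPLE = sorted(FLOOD + BROWSER, key=lambda p: p[0])

if __name__ == "__main__":
    passed, dropped = run_filter(SAMPLE)
    for src in sorted(passed):
        print(src, "passed", passed[src], "dropped", dropped[src])
```
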

Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Mohammed Khalik
I am also getting attacked on my csgo servers, on a daily basis.

Date: Sun, 22 Mar 2015 15:03:40 +0100
From: e...@evcz.tk
To: csgo_servers@list.valvesoftware.com
Subject: Re: [Csgo_servers] qconnect attacks wreaking havoc on community 
servers, getting more and more common, Valve please fix this exploit


Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Greg Haerman
confirmed

On Sun, Mar 22, 2015 at 10:04 AM, Michael Loveless mloveless1...@gmail.com
wrote:

 Confirmed as well. Pretty much on a daily basis.


Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Michael Loveless
Confirmed as well. Pretty much on a daily basis.

On Sun, Mar 22, 2015 at 12:55 PM, Mohammed Khalik 
mohammed_kha...@hotmail.com wrote:

 I am also getting attacked on my csgo servers, on a daily basis.


Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Kevin
Whitelisting is not possible with the system we have, not to mention it's a
lazy method like rate limiting.

And it's not just qconnect, we only got hit with qconnect a couple of times,
the only attacks slipping through are the ones that contain source engine
source query ports.

The csgo devs really need to take note and do something since this is the
first he was hearing of it.

Either way, these qconnect/reflection/query exploit attacks need
to be fixed or slowly they will ruin community servers.

I know Valve probably doesn't care about community servers but community
servers are what give CS games long life spans, a lot of the csgo population
play on community servers.





Re: [Csgo_servers] qconnect attacks wreaking havoc on community servers, getting more and more common, Valve please fix this exploit

2015-03-22 Thread Alberts S

Hey! By any chance could you share a few .pcap logs?

Best Regards,
Alberts Saulitis


[Csgo_servers] server registry since update

2015-03-22 Thread Calder Lewis
Has anyone noticed a significant decrease in between the client and server
registries since the last updates?