Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread John
You'll have to respond to each type of attack separately. There are 
hundreds of types of attacks that can be used, and some can't be 
filtered without also blocking legitimate traffic.


Your specific type of reflection attack is one of the easiest types to 
block, since you can even do a simple port-based filter and get all of 
it, with only a very small number of false-positives. There's no need to 
have your upstream filter it for you on their end unless you are seeing 
enough traffic to flood out your network adapter (check your bandwidth 
graph to see if that's the case).


Marco is mistaken; you shouldn't use a rate-limit for this type of 
attack, because you don't need any of it to get through. Rate-limits are 
only needed when there's a reasonable chance of false positives with the 
filter, in order to eliminate collateral damage when an attack is not in 
progress.


You don't need any special tool to get a packet capture with tcpdump, 
and you shouldn't try to send us a pcap file. Just run it directly. 
Capture 10 packets from your current attack with this, for instance:


tcpdump -nvXp -c 10 udp and src port 28960

A good GSP will have a mitigation system to block attacks like this one 
out-of-the-box upstream, and they should provide tools for capturing 
and/or filtering traffic through their control panel. Good GSPs also 
have extensive experience with mitigating many other types of attacks. 
If you haven't already spoken to your host, I recommend opening a ticket 
with them.


-John

On 3/23/2017 2:53 PM, Mathias wrote:
Thanks for this awesome help, John! This kind of "attack" has been 
attacking me for days without stopping.


So do I block the port every time they attack on a new port? And what 
if they attack the port directly? There must be some kind of filter 
possible on Linux with iptables. Is there anything I can tell my 
datacenter to fix this attack permanently?




2017-03-23 22:44 GMT+01:00 John:


If you're seeing packets from port 28960, you're most likely
seeing a reflected query DDoS that is coming from CoDx servers
(you can tell for certain by looking at the contents of captured
packets -- look for the string 'statusResponse') -- not a direct
query/connection flood, and likely not spoofed. You can safely
block traffic from port 28960, or do a more thorough filter to
block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John


On 3/23/2017 2:33 PM, Mathias wrote:

Thanks, John.

Could you guide me on, or send me, the iptables rules?

My server is on port 27115 and the attack comes in on port 28960,
but blocking the port won't work (I have tried):

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

2017-03-23 22:27 GMT+01:00 John:

On 3/23/2017 1:34 PM, Mathias wrote:

My server is getting flooded with a VSE DDoS attack. My server
has DDoS protection but it won't handle this one; any other
DDoS attack it does handle, so what can I do? I'm on Linux
Ubuntu 16.04.

Here are the server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS attack) - found
on a forum via Google.

Any idea how to stop it with iptables? A packet limit?


The term "VSE" ("Valve Source Exploit") that the attackers
like to use is a misnomer because there isn't an exploit
involved. These attacks just flood a server with spoofed
queries and/or connection attempts from random sources, and
Source can't handle the volume.

Currently the most effective general-purpose way to deal with
these is to whitelist real player IPs and rate-limit queries
and connection attempts from all other sources (down to
around 1000/s). This can be done with iptables using a
combination of the ipset, hashlimit, and bpf/u32/string
modules.

Ideally, the game would be redesigned to use TCP for queries
and the very first part of the connection, offloading the
first-contact tasks to the OS, which has established methods
for combating high-rate spoofed TCP SYN floods. Internally,
it could then straight drop all UDP packets that don't
correspond to a currently connected player.

-John
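
As an added worked example (this is not code from the thread or from
anyone on it), the Python script below ties together the three things
John describes above: it rebuilds packets from "tcpdump -nvXp" output
(with -X, as opposed to -XX, the hex dump starts at the IP header),
checks each payload for the 'statusResponse' string that marks a
reflected CoD/Quake3 reply, and then applies the whitelist-plus-rate-limit
policy to everything else. iptables_rules() returns the same policy as
ipset/iptables commands. Assumptions that are not in the thread: the
server address 192.0.2.10 and the scanner/player addresses 198.51.100.7
and 203.0.113.5 are documentation-range placeholders (8.59.18.221 and
port 27115 do come from Mathias's log); the A2S type bytes T/U/V/W are
taken from the public Source query protocol; TokenBucket is a userspace
stand-in for xt_hashlimit; the u32 offset 28 assumes a 20-byte IPv4
header; and triage() spaces packets evenly at a given packets-per-second
rate because it does not parse tcpdump timestamps. The sample capture is
constructed inside the script.

```python
import re
import socket
import struct
from collections import Counter

OOB = b"\xff\xff\xff\xff"  # out-of-band marker shared by Quake3-engine and Source UDP protocols
A2S = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER", 0x56: "A2S_RULES", 0x57: "A2S_GETCHALLENGE"}
SERVER, GAME_PORT = "192.0.2.10", 27115  # assumed server address; the port is the one from the thread

def parse_tcpdump_x(text):
    """Rebuild raw IPv4 packets from `tcpdump -X` output (with -X the dump starts at the IP header)."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        m = re.match(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$", line)
        if cur and (m is None or int(m.group(1), 16) == 0):  # summary line or offset 0x0000: new packet
            packets.append(bytes(cur))
            cur = bytearray()
        if m is not None:  # keep the hex pairs, drop the ASCII column (set off by two or more spaces)
            cur += bytes.fromhex(re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0].replace(" ", ""))
    return packets + [bytes(cur)] if cur else packets

def udp_fields(pkt):
    """(src_ip, sport, dport, payload) for an IPv4/UDP packet, else None; payload is cut at the IP total length."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[12:16]), sport, dport, pkt[ihl + 8:int.from_bytes(pkt[2:4], "big")]

def classify(payload):
    """Name the payload the way the thread says to check it."""
    if not payload.startswith(OOB):
        return "in-band"  # netchan traffic: only connected clients send it
    body = payload[4:]
    if body.startswith(b"statusResponse"):
        return "reflected-statusResponse"  # a CoD/Quake3 server answering a spoofed getstatus
    return A2S.get(body[0], "oob-other") if body else "oob-other"

class TokenBucket:
    """Aggregate limiter, like xt_hashlimit without --hashlimit-mode (one bucket for everything)."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst, self.tokens, self.last = rate_per_s, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def decide(src_ip, kind, players, bucket, now):
    """Drop the reflection outright, pass players and established traffic, rate-limit the rest."""
    if kind == "reflected-statusResponse":
        return "DROP"  # nothing legitimate arrives this way, so no rate limit is needed
    if src_ip in players or kind == "in-band":
        return "ACCEPT"
    return "ACCEPT" if bucket.allow(now) else "DROP"  # queries/connection attempts from strangers

def triage(dump_text, players, pps, rate=1000, burst=2000):
    """Counter of (kind, verdict); packets are spaced evenly at `pps` (constructed timing, no timestamp parsing)."""
    bucket, tally = TokenBucket(rate, burst), Counter()
    for i, pkt in enumerate(parse_tcpdump_x(dump_text)):
        fields = udp_fields(pkt)
        if fields is None or fields[2] != GAME_PORT:
            continue
        kind = classify(fields[3])
        tally[(kind, decide(fields[0], kind, players, bucket, i / pps))] += 1
    return tally

def iptables_rules(game_port=GAME_PORT, rate=1000, burst=2000):
    """The same policy as netfilter rules (the u32 offset 28 assumes a 20-byte IPv4 header)."""
    oob = "-m u32 --u32 '28=0xffffffff'"
    return ["ipset create players hash:ip timeout 600",
            "iptables -N GAME",
            f"iptables -I INPUT -p udp --dport {game_port} -j GAME",
            "iptables -A GAME -m string --algo bm --hex-string '|ffffffff|statusResponse' -j DROP",
            "iptables -A GAME -m set --match-set players src -j ACCEPT",
            f"iptables -A GAME {oob} -m hashlimit --hashlimit-name oob --hashlimit-upto {rate}/sec --hashlimit-burst {burst} -j ACCEPT",
            f"iptables -A GAME {oob} -j DROP",
            "iptables -A GAME -j ACCEPT"]

def ipv4_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP packet (checksums left zero; fine for offline parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + udp

def as_tcpdump_x(pkt):
    """Render a packet the way `tcpdump -X` prints it: offset, hex pairs, ASCII column."""
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {hexs:<39}  {asc}")
    return "\n".join(lines)

def sample_capture():
    """Constructed capture: a reflected CoD reply from an address in Mathias's log, an A2S_INFO query from a scanner, and in-band traffic from a connected player."""
    flows = [("8.59.18.221", 28960, OOB + b"statusResponse\n\\sv_hostname\\CoD4 public"),
             ("198.51.100.7", 40001, OOB + b"TSource Engine Query\x00"),
             ("203.0.113.5", 27005, b"\x00\x00\x00\x12" + b"\x10" * 30)]
    return "\n".join(f"IP {src}.{sport} > {SERVER}.{GAME_PORT}: UDP, length {len(p)}\n"
                     + as_tcpdump_x(ipv4_udp(src, SERVER, sport, GAME_PORT, p)) for src, sport, p in flows)
```

To use it on a real capture, save something like "tcpdump -nvXp -c 500
udp and dst port 27115 > cap.txt" and call triage() on the file contents
with pps set from the capture's duration. If every reflected packet is
already coming from source port 28960, the single --sport 28960 DROP rule
from this thread is the cheaper fix; the -m string rule only earns its CPU
cost once the reflection moves to other ports, which is why it sits behind
the --dport match. The ipset still has to be populated by something that
knows who the real players are (for example a script watching the server's
connect log); this example leaves that to the operator.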

Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
Cool, thanks!!

Should I install this on the same server as the game server, or on
another, smaller server?


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread / UGC- Gaming.net /
https://github.com/pavel-odintsov/fastnetmon

# collect a full dump of the attack with full payload in pcap compatible format
collect_attack_pcap_dumps = on
# Execute Deep Packet Inspection on captured PCAP packets
process_pcap_attack_dumps_with_dpi = on


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
Thanks. How does tcpdump work? And how do I set it up? :)


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread / UGC- Gaming.net /
tcpdump needed :)

___
Csgo_servers mailing list
Csgo_servers@list.valvesoftware.com
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
How, Marco? A CSGO cvar? iptables?


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
Thanks for this awesome help, John! This kind of "attack" has been
attacking me for days without stopping.

So do I block the port every time they attack on a new port? And what if
they attack the port directly? There must be some kind of filter possible
on Linux with iptables. Is there anything I can tell my datacenter to fix
this attack permanently?


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Marco Padovan
Hi,

You should rate-limit that traffic.


Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread John
If you're seeing packets from port 28960, you're most likely seeing a 
reflected query DDoS that is coming from CoDx servers (you can tell for 
certain by looking at the contents of captured packets -- look for the 
string 'statusResponse') -- not a direct query/connection flood, and 
likely not spoofed. You can safely block traffic from port 28960, or do 
a more thorough filter to block that traffic. This is an example rule to 
just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John

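John's diagnosis above rests on two checks: the packets arrive from source port 28960, and their payload carries the string 'statusResponse'. The following is an added example, not code from the list, from John, or from Valve, that applies both checks to captured UDP payloads. It assumes the usual connectionless framing of both protocols (four 0xFF bytes, then either a Quake3-style command word such as statusResponse, or a one-byte Source A2S header such as 'T' for A2S_INFO); the function names and the sample capture, which uses RFC 5737 documentation addresses, are my own.

```python
"""Classify captured UDP payloads: reflected CoD 'statusResponse' replies
versus Source queries versus everything else. Added example; not code from
the csgo_servers list, from John, or from Valve."""
from collections import Counter, defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"          # connectionless ("out-of-band") packet marker
COD_STATUS_RESPONSE = b"statusResponse"  # Quake3/CoD reply to a getstatus query

# Source A2S request headers: the single byte that follows the OOB prefix.
A2S_HEADERS = {
    0x54: "A2S_INFO",                    # "TSource Engine Query"
    0x55: "A2S_PLAYER",
    0x56: "A2S_RULES",
    0x57: "A2S_SERVERQUERY_GETCHALLENGE",
}


def classify(payload):
    """Coarse label for one UDP payload."""
    if not payload.startswith(OOB_PREFIX):
        return "not_oob"              # in-band game data or unrelated junk
    body = payload[len(OOB_PREFIX):]
    if body.startswith(COD_STATUS_RESPONSE):
        return "cod_status_response"  # a reply to a CoD query we never sent: reflection
    if body and body[0] in A2S_HEADERS:
        return "source_query"         # a Source query, real or spoofed
    return "other_oob"


def summarize(packets):
    """packets: iterable of (src_ip, src_port, payload).
    Returns per-label packet counts and the source ports seen per label."""
    counts = Counter()
    ports = defaultdict(set)
    for _src_ip, src_port, payload in packets:
        label = classify(payload)
        counts[label] += 1
        ports[label].add(src_port)
    return {"counts": counts, "ports": ports}


def sport_filter_is_clean(summary, port=28960):
    """True when every reflected packet came from `port` and nothing else did,
    i.e. an 'iptables ... --sport <port> -j DROP' rule removes the flood
    without touching player traffic."""
    ports = summary["ports"]
    if ports.get("cod_status_response", set()) != {port}:
        return False
    return all(port not in ports[label]
               for label in ports if label != "cod_status_response")


# Constructed sample capture (assumed data, RFC 5737 addresses; not from the thread).
SAMPLE_PACKETS = [
    ("203.0.113.10", 28960, OOB_PREFIX + b"statusResponse\n\\sv_hostname\\reflector one\\mapname\\mp_a\n"),
    ("203.0.113.11", 28960, OOB_PREFIX + b"statusResponse\n\\sv_hostname\\reflector two\n"),
    ("198.51.100.7", 28960, OOB_PREFIX + b"statusResponse\n\\sv_hostname\\reflector three\n"),
    ("192.0.2.5", 51234, OOB_PREFIX + b"TSource Engine Query\x00"),       # a real A2S_INFO query
    ("192.0.2.9", 40000, b"\x1a\x00\x10game data for a connected player"),  # in-band traffic
]

if __name__ == "__main__":
    s = summarize(SAMPLE_PACKETS)
    print(dict(s["counts"]), {k: sorted(v) for k, v in s["ports"].items()})
    print("plain --sport 28960 drop is safe:", sport_filter_is_clean(s))
```

On a live box the payloads would come from the tcpdump capture John describes or from a pcap reader; the point of sport_filter_is_clean is to confirm, before adding the DROP rule, that no legitimate query happens to share that source port.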

Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
Thanks John.

Could you guide/send me the Iptables?

My server is on port 27115 and the attack comes in on port 28960, but
blocking the port won't work (I have tried).

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."


2017-03-23 22:27 GMT+01:00 John :

> On 3/23/2017 1:34 PM, Mathias wrote:
>
>> My server's getting flood with VSE DDoS Attack. My server have DDoS
>> Protection but it wont take it. any other DDoS Attack does it takes so what
>> can i do? i'm on Linux Ubuntu 16.04.
>>
>> Here is server logs - http://pastebin.com/Q2dbcEMt
>>
>> I also got how the script works (VSE DDoS Attack) - Found on a forum via
>> Google
>>
>> Any idea to stop it with Iptables? Packet limit?
>>
>
> The term "VSE" ("Valve Source Exploit") that the attackers like to use is
> a misnomer because there isn't an exploit involved. These attacks just
> flood a server with spoofed queries and/or connection attempts from random
> sources, and Source can't handle the volume.
>
> Currently the most effective general-purpose way to deal with these is to
> whitelist real player IPs and rate-limit queries and connection attempts
> from all other sources (down to around 1000/s). This can be done with
> iptables using a combination of the ipset, hashlimit, and bpf/u32/string
> modules.
>
> Ideally, the game would be redesigned to using TCP for queries and the
> very first part of the connection, offloading the first-contact tasks to
> the OS, which has established methods for combating high-rate spoofed TCP
> SYN floods. Internally, it could then straight drop all UDP packets that
> don't correspond to a currently connected player.
>
> -John
>
> ___
> Csgo_servers mailing list
> Csgo_servers@list.valvesoftware.com
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
___
Csgo_servers mailing list
Csgo_servers@list.valvesoftware.com
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
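Before picking a filter it helps to aggregate what the server's own rate limiter is already reporting. The following is an added example, not code from the list or from Valve, that parses the 'IP rate limit' lines Mathias quoted (the sample is those exact lines) and reports peak pps, the rejected sources, and the foreign source port they all share. The game port 27115 is the one Mathias gives; the function names and the looks_reflected heuristic are my own.

```python
"""Parse the Source server's 'IP rate limit' log lines and summarize them.
Added example; not code from the csgo_servers list or from Valve."""
import re
from collections import Counter

# The lines Mathias pasted in this thread, verbatim.
SAMPLE_LOG = """\
IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
"""

SUSTAINED_RE = re.compile(
    r"IP rate limit sustained (?P<packets>\d+) distributed packets at "
    r"(?P<pps>[\d.]+) pps \((?P<buckets>\d+) buckets\)")
REJECT_RE = re.compile(
    r"IP rate limit under distributed packet load \((?P<buckets>\d+) buckets, "
    r"(?P<global>\d+) global count\), rejecting (?P<ip>[\d.]+):(?P<port>\d+)")


def parse_rate_limit_log(text):
    """Return one dict per recognised line; lines that match neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SUSTAINED_RE.search(line)
        if m:
            events.append({"kind": "sustained", "packets": int(m["packets"]),
                           "pps": float(m["pps"]), "buckets": int(m["buckets"])})
            continue
        m = REJECT_RE.search(line)
        if m:
            events.append({"kind": "reject", "buckets": int(m["buckets"]),
                           "global": int(m["global"]), "ip": m["ip"],
                           "port": int(m["port"])})
    return events


def summarize(events, game_port):
    """Aggregate parsed events; game_port is the server's own listening port."""
    rejects = [e for e in events if e["kind"] == "reject"]
    sustained = [e for e in events if e["kind"] == "sustained"]
    by_port = Counter(e["port"] for e in rejects)
    return {
        "peak_pps": max((e["pps"] for e in sustained), default=0.0),
        "total_packets": sum(e["packets"] for e in sustained),
        "sources": sorted({e["ip"] for e in rejects}),
        "by_port": by_port,
        # One foreign source port shared by every rejected address, different
        # from the server's own port, is what a reflected flood looks like from
        # the log alone; a packet capture (John's 'statusResponse' check) confirms it.
        "looks_reflected": len(by_port) == 1 and game_port not in by_port,
    }


if __name__ == "__main__":
    summary = summarize(parse_rate_limit_log(SAMPLE_LOG), game_port=27115)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feeding the full log (the pastebin Mathias linked) through the same parser would show whether every rejected address shares port 28960, which is the condition under which the simple source-port drop John gives is enough.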

Re: [Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread John

The term "VSE" ("Valve Source Exploit") that the attackers like to use
is a misnomer because there isn't an exploit involved. These attacks
just flood a server with spoofed queries and/or connection attempts from
random sources, and Source can't handle the volume.

Currently the most effective general-purpose way to deal with these is
to whitelist real player IPs and rate-limit queries and connection
attempts from all other sources (down to around 1000/s). This can be
done with iptables using a combination of the ipset, hashlimit, and
bpf/u32/string modules.

Ideally, the game would be redesigned to use TCP for queries and the
very first part of the connection, offloading the first-contact tasks to
the OS, which has established methods for combating high-rate spoofed
TCP SYN floods. Internally, it could then straight drop all UDP packets
that don't correspond to a currently connected player.

-John

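A model of the mitigation John describes, as an added example that is not code from the list, from John, or from Valve: known player addresses (what the ipset would hold) pass untouched, and everything else is metered through a token bucket at the roughly 1000/s he mentions. The burst of 100, the class and function names, and the two modes are my assumptions; the srcip mode is included only to show why a per-source limit on its own does nothing against a flood whose sources are spoofed at random, which is why the shared bucket plus whitelist is the workable shape.

```python
"""Whitelist-plus-rate-limit model for spoofed query floods.
Added example; not code from the csgo_servers list, from John, or from Valve."""
import random

MICRO = 1_000_000  # one token = 1_000_000 micro-tokens, so refill math stays integer


class QueryLimiter:
    """Whitelisted players always pass. Other sources are metered through a
    token bucket: one shared bucket (mode="aggregate", the ~1000/s total John
    describes) or one bucket per source address (mode="srcip", what
    hashlimit --hashlimit-mode srcip would do). Burst of 100 is an assumed default."""

    def __init__(self, players, rate_per_s=1000, burst=100, mode="aggregate"):
        self.players = set(players)   # stands in for the ipset of real player IPs
        self.rate = rate_per_s        # tokens refilled per second
        self.burst = burst            # bucket capacity in tokens
        self.mode = mode
        self.buckets = {}             # key -> [micro_tokens, last_timestamp_us]

    def _key(self, src_ip):
        return "*" if self.mode == "aggregate" else src_ip

    def allow(self, src_ip, ts_us):
        """Decide one packet arriving at ts_us (integer microseconds)."""
        if src_ip in self.players:
            return True
        key = self._key(src_ip)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = [self.burst * MICRO, ts_us]
            self.buckets[key] = bucket
        tokens, last = bucket
        # elapsed_us * rate_per_s micro-tokens == elapsed seconds * rate tokens
        tokens = min(self.burst * MICRO, tokens + (ts_us - last) * self.rate)
        bucket[1] = ts_us
        if tokens >= MICRO:
            bucket[0] = tokens - MICRO
            return True
        bucket[0] = tokens
        return False


def simulate(limiter, n_packets, duration_s=1, source=None, seed=1):
    """Send n_packets evenly over duration_s. source=None draws a fresh random
    address per packet (the spoofed-flood pattern); otherwise one fixed source.
    Returns how many packets the limiter let through."""
    rng = random.Random(seed)
    spacing_us = duration_s * MICRO // n_packets
    passed = 0
    for i in range(n_packets):
        if source is None:
            a = rng.getrandbits(32)
            src = "%d.%d.%d.%d" % (a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255)
        else:
            src = source
        if limiter.allow(src, i * spacing_us):
            passed += 1
    return passed


if __name__ == "__main__":
    players = {"192.0.2.5"}  # constructed whitelist (RFC 5737 address)
    print("player, 5000/s:", simulate(QueryLimiter(players), 5000, source="192.0.2.5"))
    print("spoofed flood, shared bucket:", simulate(QueryLimiter(players), 5000))
    print("spoofed flood, per-source bucket:", simulate(QueryLimiter(players, mode="srcip"), 5000))
```

In iptables terms the shared-bucket form is the plain limit module, or hashlimit without a --hashlimit-mode (to my understanding a single bucket), placed after an ACCEPT rule that matches `-m set --match-set <players> src`; the bpf/u32/string modules John lists are what restrict those rules to query and connection packets rather than all UDP to the game port.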

[Csgo_servers] DDoS Attack (VSE)

2017-03-23 Thread Mathias
Hello,


My server's getting flooded with a VSE DDoS attack. My server has DDoS
protection but it won't take it; it takes any other DDoS attack, so what
can I do? I'm on Linux Ubuntu 16.04.

Here are the server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS attack), found on a forum via
Google.

Any idea how to stop it with iptables? Packet limit?