Re: [Csgo_servers] Server brought down by attack
So our server is still down from this packet spam attack. Once more I have to wonder if there is anything Valve could do to help us out? You guys have known about this problem for a while now. Is anyone working on a fix?

--
View this message in context: http://csgo-servers.1073505.n5.nabble.com/Server-brought-down-by-attack-tp8280p8407.html
Sent from the CSGO_Servers mailing list archive at Nabble.com.
___
Csgo_servers mailing list
Csgo_servers@list.valvesoftware.com
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Re: [Csgo_servers] Server brought down by attack
Valve can't do a thing to prevent attacks like this. Internet is internet, if someone really hates your server, they will continue to world's end doing so. I'm surprised your network admin can't do a thing.

-ics

p0stpwned wrote:
> So our server is still down from this packet spam attack. Once more I have to wonder if there is anything Valve could do to help us out? You guys have known about this problem for a while now. Is anyone working on a fix?
Re: [Csgo_servers] Server brought down by attack
The problem is they are spamming legit in-game traffic. I can have my provider block that traffic, but then our server won't even appear on the browser or anything. This is not an ordinary DDOS - it's an exploit in CS:GO and if anyone can fix it it's Valve.
Re: [Csgo_servers] Server brought down by attack
Have you already tried rate-limiting those incoming requests to like max 1 per /24?

On Wed, Nov 19, 2014 at 8:22 PM, p0stpwned getmeabeerwo...@hotmail.com wrote:
> The problem is they are spamming legit in-game traffic. I can have my provider block that traffic, but then our server won't even appear on the browser or anything. This is not an ordinary DDOS - it's an exploit in CS:GO and if anyone can fix it it's Valve.
Re: [Csgo_servers] Server brought down by attack
As already discussed there is currently no out of the box way to filter these attacks. IP whitelists are what kept my server playable for my regulars during attacks like these. Valve does have a command that can be used to help alleviate the effects of an attack, but it doesn't work as intended.

On 11/19/2014 2:28 PM, Marco Padovan wrote:
> Have you already tried rate-limiting those incoming requests to like max 1 per /24?
>
> On Wed, Nov 19, 2014 at 8:22 PM, p0stpwned getmeabeerwo...@hotmail.com wrote:
>> The problem is they are spamming legit in-game traffic. I can have my provider block that traffic, but then our server won't even appear on the browser or anything. This is not an ordinary DDOS - it's an exploit in CS:GO and if anyone can fix it it's Valve.
Re: [Csgo_servers] Server brought down by attack
Well we managed to get up for a few hours today, but then they modified the attack and now we're up but we have massive DDOS lag. Is there nothing you guys at Valve can do about this? They're spamming our server with CS queries. Can't you limit it on your end?
Re: [Csgo_servers] Server brought down by attack
Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptables examples for rate limiting a port.

On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu wrote:
> Has someone a script for the iptables rules??
Re: [Csgo_servers] Server brought down by attack
This will block legitimate traffic.

On 11/5/2014 6:19 AM, José Santos wrote:
> Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptables examples for rate limiting a port.
>
> On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu wrote:
>> Has someone a script for the iptables rules??
Re: [Csgo_servers] Server brought down by attack
Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply leaving the server running. There is not much you can do, sadly.

On 5 November 2014 15:06:10, p0stpwned getmeabeerwo...@hotmail.com wrote:
> Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
Isn't there any kind of retry implemented in the game client? Why not just drop the first 3 packets and then allow if it keeps trying?

On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote:
> The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply leaving the server running. There is not much you can do, sadly.
>
> On 5 November 2014 15:06:10, p0stpwned getmeabeerwo...@hotmail.com wrote:
>> Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
You can use DNAT based on string to send queries to a caching software.

On 5 Nov 2014 16:51, Marco Padovan e...@evcz.tk wrote:
> Isn't there any kind of retry implemented in the game client? Why not just drop the first 3 packets and then allow if it keeps trying?
>
> On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote:
>> The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply leaving the server running. There is not much you can do, sadly.
>>
>> On 5 November 2014 15:06:10, p0stpwned getmeabeerwo...@hotmail.com wrote:
>>> Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
I don't know if this has been asked yet but have you determined if this attack is directed at your community and your server(s) as some vendetta some disgruntled user has against you or would it appear to just be some random asshole spamming an attack at your IP just because they can? If it is just seemingly random I'd talk to your host about moving servers/IP addresses and just hope for the best. If the attack is going to follow you then, unfortunately you're kinda out of luck.

On Nov 5, 2014 10:11 AM, Zaretti Steve kosso...@gmail.com wrote:
> You can use DNAT based on string to send queries to a caching software.
>
> On 5 Nov 2014 16:51, Marco Padovan e...@evcz.tk wrote:
>> Isn't there any kind of retry implemented in the game client? Why not just drop the first 3 packets and then allow if it keeps trying?
>>
>> On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote:
>>> The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply leaving the server running. There is not much you can do, sadly.
>>>
>>> On 5 November 2014 15:06:10, p0stpwned getmeabeerwo...@hotmail.com wrote:
>>>> Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
This is possible I guess

On 5 November 2014 16:51:35, Marco Padovan e...@evcz.tk wrote:
> Isn't there any kind of retry implemented in the game client? Why not just drop the first 3 packets and then allow if it keeps trying?
>
> On Wed, Nov 5, 2014 at 3:24 PM, Moritz Uehling f...@flysoftiii.de wrote:
>> The attack you're under is actually pretty advanced, especially with spoofed IPs. I don't know of any countermeasure. The only real thing you can do: Go to the police (or whoever is the right person in your country) and try to get them investigating. The next thing is simply leaving the server running. There is not much you can do, sadly.
>>
>> On 5 November 2014 15:06:10, p0stpwned getmeabeerwo...@hotmail.com wrote:
>>> Yeah there's no real point staying up if we're not even on the browser list.
Re: [Csgo_servers] Server brought down by attack
This attack has been launched by a rival pub that for some reason declared WAR on our server, so I'm guessing the attack will follow us.
Re: [Csgo_servers] Server brought down by attack
I'd try reporting the others to their GSP (if they're using one) with whatever evidence you have

On 6/11/2014 3:52 AM, p0stpwned wrote:
> This attack has been launched by a rival pub that for some reason declared WAR on our server, so I'm guessing the attack will follow us.
Re: [Csgo_servers] Server brought down by attack
I talked about rate-limiting qconnect, not A2S_INFO, so the server would appear in the server list. About rate-limiting qconnect, it could affect legit players when an attack occurs but I think it's better to try to connect a couple of times than not be able to play. So I would recommend trying this before a better solution is available:

iptables -I INPUT 10 -p udp -m udp --dport 27015 -m string --algo bm --string qconnect -m limit --limit 3/s --limit-burst 10 -j ACCEPT
iptables -I INPUT 11 -p udp -m udp --dport 27015 -m string --algo bm --string qconnect -j DROP

On 5 November 2014 13:12, Kevin C s...@serveredirect.com wrote:
> This will block legitimate traffic.
>
> On 11/5/2014 6:19 AM, José Santos wrote:
>> Since qconnect shouldn't be blocked, I would rate limit instead of blocking. You can find a lot of iptables examples for rate limiting a port.
>>
>> On 5 November 2014 07:25, Slaven24 sla...@team-sw.eu wrote:
>>> Has someone a script for the iptables rules??
Re: [Csgo_servers] Server brought down by attack
The problem is there are like hundreds of these coming in per second, so if I limit them that much how is anyone going to get in at all, even with multiple retries?
Re: [Csgo_servers] Server brought down by attack
The attacks against us eventually stopped after a few days. The only solution we came up with was our IP whitelist. Unfortunately you need to have a list of IPs already to do this. I would recommend running the tracker plugin I linked a few messages ago when your server is back up so you can whitelist if this happens again.

There is probably something limiting the amount of responses that can be given in the engine. Valve implied the limitation after removing sv_max_queries_sec_global should be CPU, but our CPU usage was only 1-2% while still not allowing players to join the server.

On 11/5/2014 5:02 PM, p0stpwned wrote:
> The problem is there are like hundreds of these coming in per second, so if I limit them that much how is anyone going to get in at all, even with multiple retries?
Re: [Csgo_servers] Server brought down by attack
If you know the source IP, can't you just drop all traffic from it with iptables?

-ics

Kevin C wrote:
> It's hard to tell anything with these captures, you need to use detailed.
>
> On 11/4/2014 2:14 AM, p0stpwned wrote:
>> Never mind. We were up for about 10 minutes when all of a sudden the server went down again. Now it's spamming stuff like this:
>>
>> 00:12:50.578328 IP 74.91.113.223.27015 78.221.214.144.27005: udp, payload 42 (DF)
>> 00:12:50.578353 IP 75.27.12.222.27005 74.91.113.223.27015: udp, payload 23
>> 00:12:50.578389 IP 74.91.113.223.27015 218.246.105.131.27005: udp, payload 42 (DF)
>> 00:12:50.578430 IP 114.225.30.236.27005 74.91.113.223.27015: udp, payload 23
>>
>> Not sure what the significance of the 42 (DF) one is but whatever it is it looks like it brought down my server? lol
Re: [Csgo_servers] Server brought down by attack
UDP packet sources can be spoofed - and always are for these attacks.

~
Their heads are green, and their hands are blue,
And they went to sea in a Sieve.
- Edward Lear

On Tue, Nov 4, 2014 at 4:00 PM, ics i...@ics-base.net wrote:
> If you know the source IP, can't you just drop all traffic from it with iptables?
>
> -ics
>
> Kevin C wrote:
>> It's hard to tell anything with these captures, you need to use detailed.
>>
>> On 11/4/2014 2:14 AM, p0stpwned wrote:
>>> Never mind. We were up for about 10 minutes when all of a sudden the server went down again. Now it's spamming stuff like this:
>>>
>>> 00:12:50.578328 IP 74.91.113.223.27015 78.221.214.144.27005: udp, payload 42 (DF)
>>> 00:12:50.578353 IP 75.27.12.222.27005 74.91.113.223.27015: udp, payload 23
>>> 00:12:50.578389 IP 74.91.113.223.27015 218.246.105.131.27005: udp, payload 42 (DF)
>>> 00:12:50.578430 IP 114.225.30.236.27005 74.91.113.223.27015: udp, payload 23
>>>
>>> Not sure what the significance of the 42 (DF) one is but whatever it is it looks like it brought down my server? lol
Re: [Csgo_servers] Server brought down by attack
Spoofing.

On 04.11.2014 17:00, ics wrote:
> If you know the source IP, can't you just drop all traffic from it with iptables?
>
> -ics
>
> Kevin C wrote:
>> It's hard to tell anything with these captures, you need to use detailed.
>>
>> On 11/4/2014 2:14 AM, p0stpwned wrote:
>>> Never mind. We were up for about 10 minutes when all of a sudden the server went down again. Now it's spamming stuff like this:
>>>
>>> 00:12:50.578328 IP 74.91.113.223.27015 78.221.214.144.27005: udp, payload 42 (DF)
>>> 00:12:50.578353 IP 75.27.12.222.27005 74.91.113.223.27015: udp, payload 23
>>> 00:12:50.578389 IP 74.91.113.223.27015 218.246.105.131.27005: udp, payload 42 (DF)
>>> 00:12:50.578430 IP 114.225.30.236.27005 74.91.113.223.27015: udp, payload 23
>>>
>>> Not sure what the significance of the 42 (DF) one is but whatever it is it looks like it brought down my server? lol
Re: [Csgo_servers] Server brought down by attack
Yeah each packet is sent from a new spoofed ip.
Re: [Csgo_servers] Server brought down by attack
Are the IPs spoofed totally random or do they all fall within a certain range?

On Nov 4, 2014 11:00 AM, p0stpwned getmeabeerwo...@hotmail.com wrote:
> Yeah each packet is sent from a new spoofed ip.
Re: [Csgo_servers] Server brought down by attack
Seems to be at random. Some start with 5, some start with 200, and everything in between.
Re: [Csgo_servers] Server brought down by attack
Here is what the detailed capture looks like:

10:49:22.829593 IP (tos 0x28, ttl 127, id 51501, len 51) 130.49.187.56.27005 74.91.113.223.27015: [udp sum ok] udp, payload 23
0x      4528 0033 c92d 7f11 78c0 8231 bb38  E(.3.-x..1.8
0x0010  4a5b 71df 697d 6987 001f 8f22  J[q.i}i
0x0020  7163 6f6e 6e65 6374 3078 3030 3030 3030  qconnect0x00
0x0030  3030 00  00.
10:49:22.830649 IP (tos 0x0, ttl 122, id 51502, len 51) 16.193.12.80.27005 74.91.113.223.27015: [udp sum ok] udp, payload 23
0x      4500 0033 c92e 7a11 9e40 10c1 0c50  E..3z..@...P
0x0010  4a5b 71df 697d 6987 001f af7b  J[q.i}i{
0x0020  7163 6f6e 6e65 6374 3078 3030 3030 3030  qconnect0x00
0x0030  3030 00  00.

You were right about the qconnect thing.
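Added example (not part of the original thread): a Python check that decodes a raw IPv4/UDP packet the way the detailed capture above is read by eye, flags the 23-byte qconnect request by exact payload match, and counts how many distinct sources and /24s sent it. The packets are constructed with documentation addresses, and the four 0xFF bytes ahead of `qconnect` are an assumption inferred from the 23-byte payload length, since the dump above does not show them.

```python
import socket
import struct

GAME_PORT = 27015                      # server port seen in the captures
VISIBLE = b"qconnect0x00000000\x00"    # the 19 bytes readable in the ASCII column
ASSUMED_PREFIX = b"\xff\xff\xff\xff"   # assumption: the 4 payload bytes the dump omits
IP_HDR = "!BBHHHBBH4s4s"               # fixed 20-byte IPv4 header


def parse_ipv4_udp(packet):
    """Return (src, sport, dst, dport, payload), or None if not a sane IPv4/UDP packet."""
    if len(packet) < 28:                               # 20 bytes IP + 8 bytes UDP
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 17:
        return None
    if total_len > len(packet) or total_len < ihl + 8:  # truncated or inconsistent
        return None
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        return None
    payload = packet[ihl + 8:ihl + udp_len]
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, payload


def is_qconnect_request(packet, game_port=GAME_PORT):
    """Exact match on the whole payload, stricter than a substring search of the packet."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return False
    _src, _sport, _dst, dport, payload = parsed
    return dport == game_port and payload == ASSUMED_PREFIX + VISIBLE


def summarize(packets):
    """Count qconnect requests and the distinct sources and /24 prefixes behind them."""
    sources = [parse_ipv4_udp(p)[0] for p in packets if is_qconnect_request(p)]
    return {
        "qconnect": len(sources),
        "distinct_sources": len(set(sources)),
        "distinct_slash24": len({s.rsplit(".", 1)[0] for s in sources}),
    }


def build_packet(src, dst, payload, sport=27005, dport=GAME_PORT):
    """Constructed test packet; checksums are left at zero because nothing here verifies them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def constructed_capture(server="203.0.113.5"):
    """Three qconnect requests from unrelated sources plus one server-browser query."""
    connect = ASSUMED_PREFIX + VISIBLE
    info = b"\xff\xff\xff\xffTSource Engine Query\x00"   # A2S_INFO request
    return [
        build_packet("192.0.2.10", server, connect),
        build_packet("198.51.100.20", server, connect),
        build_packet("203.0.113.30", server, connect),
        build_packet("192.0.2.10", server, info, sport=40000),
    ]


if __name__ == "__main__":
    capture = constructed_capture()
    print(len(capture[0]), "bytes on the wire, payload",
          len(parse_ipv4_udp(capture[0])[4]))
    print(summarize(capture))
```

When every request comes from a different source and a different /24, as in this constructed capture and in the captures posted in the thread, a per-source or per-/24 limit never triggers.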
Re: [Csgo_servers] Server brought down by attack
Well that sucks. I was going to ask if you could insert a wildcard and drop everything within a range but if it's that random it isn't going to help anything.

On Nov 4, 2014 11:49 AM, p0stpwned getmeabeerwo...@hotmail.com wrote:
> Seems to be at random. Some start with 5, some start with 200, and everything in between.
Re: [Csgo_servers] Server brought down by attack
Has someone a script for the iptables rules??
[Csgo_servers] Server brought down by attack
So my server has been brought down by somebody attacking it. It's similar to that old csgodown.com website's method. If I look at my firewall it appears as follows:

15:01:19.083163 IP 94.198.189.75.27005 74.91.113.223.27015: udp, payload 23
15:01:19.083164 IP 114.47.127.237.27005 74.91.113.223.27015: udp, payload 23
15:01:19.086329 IP 97.35.83.154.27005 74.91.113.223.27015: udp, payload 23
15:01:19.086420 IP 222.59.88.49.27005 74.91.113.223.27015: udp, payload 23
15:01:19.087486 IP 103.3.23.84.27005 74.91.113.223.27015: udp, payload 23

These packets are being spammed non-stop. My server provider can block it, but we'll also be dropping Steam traffic so we'll end up being knocked off the server browser etc. I don't feel like retaliating in a similar fashion against the guy who's doing this, because I know that won't help anybody in the end, so I'm curious if anybody knows another way to go about this?
Re: [Csgo_servers] Server brought down by attack
We experienced this attack for a while. If you capture detailed in the firewall (if you're at NFO), you should see qconnect in the ASCII field. These attack packets are being forged as legitimate connection packets.

We emailed Valve about it, and had a pretty good conversation about it. They specifically recommended changing these values:

sv_max_queries_sec_global
sv_max_queries_window

We changed these values to many things, global was set to 10m as an experiment, with window set to anything from 1-30. This helped, allowing the server to respond to many connections (we saw a bunch of connect-retry packets appear in the firewall capture after doing this). Valve said the server should be able to respond to as many connections as the CPU can handle. In our experience CPU usage was 1-2% on our E3-1270v3 and the server was still not joinable. After explaining this to Valve, they went silent :(

If your servers are on Linux, our only option was to create a firewall whitelist. We use https://forums.alliedmods.net/showthread.php?p=949571 on our servers to generate some cool statistics for our servers, using this we can extract all IP addresses a player has ever used to join our server, and make a whitelist of IPs to accept packets from, and block the rest. This prevents players who have never joined your server from connecting, but is currently the only solution I could find that keeps your server online for a subset of people.

If you need help making firewall rules, post over in the NFO forum, I am very active there. Good Luck!

On 11/3/2014 5:11 PM, p0stpwned wrote:
> So my server has been brought down by somebody attacking it. It's similar to that old csgodown.com website's method. If I look at my firewall it appears as follows:
>
> 15:01:19.083163 IP 94.198.189.75.27005 74.91.113.223.27015: udp, payload 23
> 15:01:19.083164 IP 114.47.127.237.27005 74.91.113.223.27015: udp, payload 23
> 15:01:19.086329 IP 97.35.83.154.27005 74.91.113.223.27015: udp, payload 23
> 15:01:19.086420 IP 222.59.88.49.27005 74.91.113.223.27015: udp, payload 23
> 15:01:19.087486 IP 103.3.23.84.27005 74.91.113.223.27015: udp, payload 23
>
> These packets are being spammed non-stop. My server provider can block it, but we'll also be dropping Steam traffic so we'll end up being knocked off the server browser etc. I don't feel like retaliating in a similar fashion against the guy who's doing this, because I know that won't help anybody in the end, so I'm curious if anybody knows another way to go about this?
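Added example (not Kevin C's actual rules, which the thread does not show): a Python sketch that turns a list of previously seen player IPs into an `ipset restore` file plus one iptables rule. It assumes the IPs were already exported one per line from the stats database and that the set name `csgo_players` is free; it narrows the block to packets containing `qconnect` (the string match from the rate-limit rules posted elsewhere in this thread) so that other queries are still answered, and the sample addresses are constructed.

```python
import ipaddress

SET_NAME = "csgo_players"    # hypothetical ipset name
GAME_PORT = 27015            # game port seen in the captures

# Constructed sample export: duplicates, junk and the server's own address included.
CONSTRUCTED_EXPORT = [
    "198.51.100.7",
    "192.0.2.44",
    "198.51.100.7",
    "203.0.113.5",           # the server itself in this example
    "127.0.0.1",
    "not-an-ip",
    "198.51.100.9:27005",    # ip:port as some logs store it; not a bare address
    "",
    "# exported from stats database",
]


def clean_player_ips(lines, server_ip=None):
    """Validate, de-duplicate and sort exported IPs; return (good, rejected)."""
    good, rejected = set(), []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            ip = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            rejected.append(text)
            continue
        # Never whitelist addresses that cannot be a remote player.
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified or str(ip) == server_ip:
            rejected.append(text)
            continue
        good.add(ip)
    return sorted(good), rejected


def ipset_restore_text(ips, set_name=SET_NAME):
    """Lines in the format `ipset restore` reads: one create, then one add per IP."""
    maxelem = max(65536, len(ips))
    lines = [f"create {set_name} hash:ip family inet maxelem {maxelem}"]
    lines += [f"add {set_name} {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


def iptables_rule(set_name=SET_NAME, port=GAME_PORT):
    """Drop connect requests whose source is not in the set; leave other UDP alone."""
    return (f"iptables -I INPUT -p udp --dport {port} "
            f"-m string --algo bm --string qconnect "
            f"-m set ! --match-set {set_name} src -j DROP")


if __name__ == "__main__":
    good, rejected = clean_player_ips(CONSTRUCTED_EXPORT, server_ip="203.0.113.5")
    print(ipset_restore_text(good), end="")
    print(iptables_rule())
    print("# rejected entries:", rejected)
```

Load the set before inserting the rule, since iptables refuses a `--match-set` rule that names a set which does not exist yet.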
Re: [Csgo_servers] Server brought down by attack
There's a good chance the actual crafter of the attack might read this, but have you thought about only blocking packets that have not been preceded by an A2S_INFO query? Since most people would join from the server browser which would query the server before it shows up on the list.
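The gating idea suggested in the reply above, modelled as an added example that is not part of the original thread: a source may send a connect packet only if it sent an A2S_INFO query within a time window. The 60-second window, the list name `csgo_a2s` and the sample events are assumptions; "Source Engine Query" is the payload string of an A2S_INFO request in Valve's server query protocol, and "qconnect" is the marker reported earlier in the thread.

```shell
#!/bin/sh
# Added example: "accept a connect only after an A2S_INFO query".
WINDOW=60        # assumed: seconds a query keeps a source eligible
GAME_PORT=27015
LIST=csgo_a2s    # assumed name for the xt_recent list

# gate_verdicts: stdin lines are "<epoch-seconds> <src-ip> <kind>", where
# kind is "info" (A2S_INFO query) or "connect" (qconnect packet).
# Prints "<src-ip> <kind> ACCEPT|DROP" for every input line.
gate_verdicts() {
    awk -v window="$WINDOW" '
        $3 == "info"    { seen[$2] = $1; print $2, $3, "ACCEPT"; next }
        $3 == "connect" {
            ok = ($2 in seen) && ($1 - seen[$2] <= window)
            print $2, $3, (ok ? "ACCEPT" : "DROP")
            next
        }
        { print $2, $3, "DROP" }
    '
}

# gate_rules: the same policy as iptables commands, using the string match
# to classify packets and the recent match to remember who queried.
gate_rules() {
    printf 'iptables -A INPUT -p udp --dport %s -m string --algo bm --string "Source Engine Query" -m recent --name %s --set -j ACCEPT\n' \
        "$GAME_PORT" "$LIST"
    printf 'iptables -A INPUT -p udp --dport %s -m string --algo bm --string "qconnect" -m recent --name %s --rcheck --seconds %s -j ACCEPT\n' \
        "$GAME_PORT" "$LIST" "$WINDOW"
    printf 'iptables -A INPUT -p udp --dport %s -m string --algo bm --string "qconnect" -j DROP\n' \
        "$GAME_PORT"
}

# Constructed event trace (documentation addresses, not captured traffic).
gate_verdicts <<'EOF'
100 192.0.2.10 info
105 192.0.2.10 connect
106 198.51.100.7 connect
200 192.0.2.10 connect
EOF
gate_rules
```

Players who connect by typing the address directly, without a browser query first, are dropped by this policy, and the xt_recent list holds only 100 addresses by default (module parameter `ip_list_tot`), so it needs raising on a busy server.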
Re: [Csgo_servers] Server brought down by attack
Never mind. We were up for about 10 minutes when all of a sudden the server went down again. Now it's spamming stuff like this:

00:12:50.578328 IP 74.91.113.223.27015 78.221.214.144.27005: udp, payload 42 (DF)
00:12:50.578353 IP 75.27.12.222.27005 74.91.113.223.27015: udp, payload 23
00:12:50.578389 IP 74.91.113.223.27015 218.246.105.131.27005: udp, payload 42 (DF)
00:12:50.578430 IP 114.225.30.236.27005 74.91.113.223.27015: udp, payload 23

Not sure what the significance of the 42 (DF) one is but whatever it is it looks like it brought down my server? lol