Re: [hlds_linux] Incoming DoS attack
These days any 12 year old with their mommy's credit card can buy botnets and booters to do attacks.

From: Marco Padovan e...@evcz.tk
To: hlds_linux@list.valvesoftware.com
Sent: Tuesday, November 27, 2012 8:34:28 AM
Subject: Re: [hlds_linux] Incoming DoS attack

When you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes too to spoof from and take you down... but, IIRC, that well known .EU ISP that allows spoofing lets people do that only on the 100mbit network, not on the gbit network. Therefore here comes the amplification (mostly DNS (UDP 53) and chargen (UDP 19)). Reporting those amplifiers (open resolvers) is very important ;)

On 27/11/2012 14.29, Saint K. wrote:
That's kind of pointless in case of UDP attacks, chances are very high that the IP's simply are spoofed.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan [e...@evcz.tk]
Sent: 27 November 2012 14:27
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

ihih, nice :) The most important thing while being DDoSed is to report to the relevant abuse desks so they can clean up their networks ;)

On 27/11/2012 14.26, Michael Johansen wrote:
I am indeed. Thank you for all your help :)

Date: Tue, 27 Nov 2012 14:25:24 +0100
From: e...@evcz.tk
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Hi, are you the Mike on WHT? I was the one replying in there :D

On 27/11/2012 13.54, Michael Johansen wrote:
My face when, I just analyzed my own tcpdump and I had over ~150 Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:29:01 +0100
Subject: Re: [hlds_linux] Incoming DoS attack

We have no control over the upstream network. All I can do is filter the packets at the machine, but that wouldn't prevent the link from still being overloaded. Currently a null-route is in place to stop the attack at the network border.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:26
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Just took a look at the tcpdump, doesn't look like the attacks I'm having. I may be stupid now, but wouldn't it work just by blocking packets with the size of 50?

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:19:08 +0100
Subject: Re: [hlds_linux] Incoming DoS attack

The IP's in the dump originate from China, but as it's UDP it could very well be spoofed. Looking at the payload in the packets, each new packet only has 1 character change from the previous packet. Bruteforce, or perhaps signature scanning evasion?

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:15
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

I haven't looked at the tcpdump, but I have been getting attacks too, they're SYN floods, 300 - 400 mbps in size and always coming from local/reserved (0.x) IP's. All started some time after we set up our MvM servers.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 10:56:28 +0100
Subject: [hlds_linux] Incoming DoS attack

Hi,

We've been having DoS attacks aimed at one of our MvM servers. Anyone have any idea what they're attempting to do here? Is it just to make the server unreachable, or are they actually trying to exploit srcds somehow? Here's a tcpdump made for about 30 seconds during the attack (which is still ongoing): http://www.specialattack.net/downloads/dump.rar

Saint K.

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Re: [hlds_linux] Incoming DoS attack
The funny thing is, you can actually do so on the IP. Some skid has made a Booter, as it's called in their community, which you can use to take down shit. Send an abuse report to Santrex and block this IP in your software firewall if you are on gigabit; it's only capable of pushing out ~300 mbit/s. IP: 46.166.130.152. Could also block every packet whose data contains "flood" or is 1024 bytes.

Date: Wed, 28 Nov 2012 00:40:14 -0800
From: my_azz...@yahoo.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
Yea lol tell me about it! I have been constantly attacked on and off for the past 4 months due to my servers being in the top 20 on gametracker for CS1.6. I must have seen all kinds of DDoS attacks out there. For those on Linux and getting SYN floods, a nice preventative thing you can do is enable SYN cookies. Read more: http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html

From: Michael Johansen michs...@live.no
To: hlds_linux@list.valvesoftware.com
Sent: Wednesday, November 28, 2012 3:45:26 AM
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
SYN cookies didn't help for me sadly. Had to tune sysctl a tad more, bumping up the maximum values for the nf_conntrack module and all sorts of things. Now I'm using a couple of iptables rules to block all SYN packets going over 5 per second. I've blocked ~800k packets the last days since enabling it. It's quite stable for now, but you never know when you're in for a larger attack unfortunately.

Date: Wed, 28 Nov 2012 00:55:20 -0800
From: my_azz...@yahoo.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
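As an added example that is not part of the thread or any poster's code, here is a Python triage of tcpdump -nn text output covering the checks discussed above: per-source SYN rate against the 5 SYN/s limit Michael settled on, sources in reserved address space like the 0.x addresses in his SYN floods, and the dominant UDP payload size that Saint K.'s dump raised (the "size of 50" question). The capture lines, the server address 198.51.100.7:27015 and all source addresses are constructed for the example and are not taken from the thread's dump.rar.

```python
"""Triage helpers for tcpdump -nn text output (constructed example for this thread)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed tcpdump -nn lines; NOT the dump.rar from the thread. The game server is
# 198.51.100.7:27015, the 0.x sources mimic the reserved-address SYN flood from the
# thread, and the UDP lines mimic a fixed-size flood mixed with one ordinary query.
SAMPLE_CAPTURE = """\
11:19:08.000101 IP 0.12.34.56.40001 > 198.51.100.7.27015: Flags [S], seq 1, win 512, length 0
11:19:08.000202 IP 0.12.34.56.40002 > 198.51.100.7.27015: Flags [S], seq 2, win 512, length 0
11:19:08.000303 IP 0.12.34.56.40003 > 198.51.100.7.27015: Flags [S], seq 3, win 512, length 0
11:19:08.000404 IP 0.12.34.56.40004 > 198.51.100.7.27015: Flags [S], seq 4, win 512, length 0
11:19:08.000505 IP 0.12.34.56.40005 > 198.51.100.7.27015: Flags [S], seq 5, win 512, length 0
11:19:08.000606 IP 0.12.34.56.40006 > 198.51.100.7.27015: Flags [S], seq 6, win 512, length 0
11:19:08.000707 IP 0.99.1.2.40007 > 198.51.100.7.27015: Flags [S], seq 7, win 512, length 0
11:19:08.000808 IP 203.0.113.10.51000 > 198.51.100.7.27015: Flags [S], seq 8, win 64240, options [mss 1460], length 0
11:19:09.000101 IP 203.0.113.10.51000 > 198.51.100.7.27015: Flags [.], ack 1, win 64240, length 0
11:19:09.000202 IP 203.0.113.20.52000 > 198.51.100.7.27015: UDP, length 25
11:19:09.000303 IP 203.0.113.30.53000 > 198.51.100.7.27015: UDP, length 50
11:19:09.000404 IP 203.0.113.31.53001 > 198.51.100.7.27015: UDP, length 50
11:19:09.000505 IP 203.0.113.32.53002 > 198.51.100.7.27015: UDP, length 50
11:19:09.000606 IP 203.0.113.33.53003 > 198.51.100.7.27015: UDP, length 50
11:19:09.000707 IP 203.0.113.40.54000 > 198.51.100.7.27015: UDP, length 50
"""

# tcpdump -nn prints "HH:MM:SS.usec IP src.sport > dst.dport: <protocol details>".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: (?P<rest>.*)$"
)

# Address space that never legitimately reaches an Internet host; packets claiming
# these sources are spoofed by construction and can be dropped at the edge.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_line(line):
    """Parse one tcpdump -nn line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    flags = re.search(r"Flags \[([^\]]*)\]", rest)
    length = re.search(r"length (\d+)$", rest)
    return {
        "second": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": "udp" if rest.startswith("UDP") else "tcp",
        # A bare [S] is a client SYN; [S.] would be a SYN-ACK and is not counted.
        "syn": flags is not None and flags.group(1) == "S",
        "length": int(length.group(1)) if length else 0,
    }


def parse_capture(text):
    """Parse a whole capture, skipping lines tcpdump printed in another format."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def syn_rate_offenders(records, per_second_limit=5):
    """Sources whose peak SYN count in any one second exceeds the limit
    (the same 5 SYN/s threshold the thread's iptables rule enforces)."""
    per_second = Counter((r["src"], r["second"]) for r in records if r["syn"])
    peak = defaultdict(int)
    for (src, _), count in per_second.items():
        peak[src] = max(peak[src], count)
    return {src: n for src, n in peak.items() if n > per_second_limit}


def bogon_sources(records):
    """Sorted list of sources inside reserved space; these can be blocked safely."""
    return sorted({r["src"] for r in records
                   if any(ip_address(r["src"]) in net for net in BOGON_NETS)})


def udp_length_profile(records):
    """(dominant UDP payload length, its share of all UDP packets, distinct sources).
    A length-only drop rule also discards legitimate packets of that size, so the
    share and source spread are what justify such a filter, not the length alone."""
    udp = [r for r in records if r["proto"] == "udp"]
    if not udp:
        return None
    length, count = Counter(r["length"] for r in udp).most_common(1)[0]
    sources = {r["src"] for r in udp if r["length"] == length}
    return length, count / len(udp), len(sources)


def triage(text, per_second_limit=5):
    """Run the three checks the thread discusses and return them as one report."""
    recs = parse_capture(text)
    return {
        "packets": len(recs),
        "syn_offenders": syn_rate_offenders(recs, per_second_limit),
        "bogon_sources": bogon_sources(recs),
        "udp_profile": udp_length_profile(recs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Feed it real output with `tcpdump -nn -tt`-style timestamps replaced by the default `HH:MM:SS.usec` form, or adapt LINE_RE; anything the regex does not recognise is skipped rather than miscounted.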
Re: [hlds_linux] Incoming DoS attack
Our other server yesterday got hit by the so-called DNS response DDoS. So I'm guessing right now the attack wasn't aimed at exploiting SRCDS itself, but simply to put down our services. Not much you can do but wait for the attacks to die out. (If every ISP would just implement IP source guard you could at least actually block IP addresses knowing they come from a real source, meh.)

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 28 November 2012 09:57
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
If you're with an ISP/provider that actually takes care of their customers they can just blackhole the IP's that are attacking, or the signature of the attack, in their routers. Problem is that it takes time and it takes a lot of CPU, and there may also be like 20k IP's and then you're out of luck :(

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Wed, 28 Nov 2012 11:18:23 +0100
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
I am not a promoter, but with Hetzner if an attack is on my server, I just get an email with the list of IP's that were doing the DDoS stating they stopped them from coming through.

-Original Message-
From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen
Sent: Wednesday 28 November 2012 11:35
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
IIRC Hetzner are all automated, right? Would be good for them to have an automatic blocking system, so they don't have to spend money on people manning their NOC (if they even have one).

From: riem...@binkey.nl
Date: Wed, 28 Nov 2012 13:34:22 +0100
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

I am not a promoter, but with Hetzner if an attack is on my server, I just get an email with the list of IPs that were doing the DDoS stating they stopped them from coming through.

-----Original Message-----
From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen
Sent: Wednesday 28 November 2012 11:35
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

If you're with an ISP/provider that actually takes care of their customers they can just blackhole the IPs that are attacking, or the signature of the attack, in their routers. Problem is that it takes time and it takes a lot of CPU, and there may also be like 20k IPs and then you're out of luck :(

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Wed, 28 Nov 2012 11:18:23 +0100
Subject: Re: [hlds_linux] Incoming DoS attack

Our other server yesterday got hit by the so-called DNS response DDoS. So I'm guessing right now the attack wasn't aimed at exploiting SRCDS itself, but simply to put down our services. Not much you can do but wait for the attacks to die out. (If every ISP would just implement IP source guard you could at least actually block IP addresses knowing they come from a real source, meh)

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 28 November 2012 09:57
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Syn cookies didn't help for me sadly. Had to tune sysctl a tad more. Bumping up the maximum values for the nf_conntrack module and all sorts of things. Now I'm using a couple of iptables rules to block all SYN packets going over 5 per second. I've blocked ~800k packets the last days since enabling it. It's quite stable for now, but you never know when you're in for a larger attack, unfortunately.

Date: Wed, 28 Nov 2012 00:55:20 -0800
From: my_azz...@yahoo.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Yea lol tell me about it! I have been constantly attacked on and off for the past 4 months due to my servers being in the top 20 on gametracker for CS1.6. I must have seen all kinds of ddos attacks out there. For those on linux and getting syn floods, a nice preventative thing you can do is enable syn cookies. Read more: http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html

From: Michael Johansen michs...@live.no
To: hlds_linux@list.valvesoftware.com
Sent: Wednesday, November 28, 2012 3:45:26 AM
Subject: Re: [hlds_linux] Incoming DoS attack

The funny thing is, you can actually do so on the IP. Some skid has made a "Booter", as it's called in their community, which you can use to take down shit. Send an abuse report to Santrex and block this IP in your software firewall; if you are on gigabit, it's only capable of pushing out ~300 mbit/s. IP: 46.166.130.152. Could also block every packet whose data contains "flood" or is 1024 bytes.

Date: Wed, 28 Nov 2012 00:40:14 -0800
From: my_azz...@yahoo.com
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

These days any 12 year old with their mommy's credit card can buy botnets and booters to do attacks.

From: Marco Padovan e...@evcz.tk
To: hlds_linux@list.valvesoftware.com
Sent: Tuesday, November 27, 2012 8:34:28 AM
Subject: Re: [hlds_linux] Incoming DoS attack

When you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes too to spoof from and take you down... but, IIRC, that well-known .EU ISP that allows spoofing lets people do that only on the 100mbit network, not on the gbit network. Therefore here comes the amplification (mostly DNS (UDP 53) and chargen (UDP 19)). Reporting those amplifiers (open resolvers) is very important ;)

On 27/11/2012 14.29, Saint K. wrote:

That's kind of pointless in case of UDP attacks, chances are very high that the IPs simply are spoofed.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan [e...@evcz.tk]
Sent: 27 November 2012
Re: [hlds_linux] Incoming DoS attack
They use netflow. That specific email is sent for informative purposes only. If the attack keeps going they nullroute you and disconnect your server from the network.

On 28/11/2012 13.36, Michael Johansen wrote:

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Re: [hlds_linux] Incoming DoS attack
Hi, what rules did you set up to block the SYN packets in iptables? After enabling syn cookies it helped for a while but now it's not helping. Thanks.

From: Michael Johansen michs...@live.no
To: hlds_linux@list.valvesoftware.com
Sent: Wednesday, November 28, 2012 3:57:54 AM
Subject: Re: [hlds_linux] Incoming DoS attack
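As an added example answering the iptables question above (this is not code from the thread or from any of its participants), here is a host-side mitigation script in POSIX sh that covers the measures the thread mentions: syn cookies and conntrack/backlog tuning via sysctl, dropping the 0.x bogon sources seen in the SYN floods, a per-source SYN rate limit in the spirit of the "5 per second" rule, a size-based drop for a fixed-size UDP flood, and a plain source block for a non-spoofed booter. The service port 27015, the rate of 5/second with burst 10, the sysctl values and the 203.0.113.1 placeholder address are assumptions to tune; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: host-side mitigation for the SYN floods and junk UDP
# discussed above. DRY_RUN=1 (default) prints every command; DRY_RUN=0 as root applies them.
# Port, rates, table sizes and the placeholder source address are assumptions to tune.
DRY_RUN="${DRY_RUN:-1}"
SRCDS_PORT="${SRCDS_PORT:-27015}"   # assumed game server port

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kernel side: SYN cookies stop the SYN queue from filling; the other knobs cut the cost of
# each half-open connection. nf_conntrack_max is only relevant when conntrack is loaded.
tune_sysctl() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    run sysctl -w net.ipv4.tcp_synack_retries=2
    run sysctl -w net.netfilter.nf_conntrack_max=262144
}

# Sources that cannot legitimately reach an Internet-facing host. The thread saw SYN floods
# from 0.x addresses; ingress filtering (BCP 38) at the ISP would have dropped them upstream.
drop_bogon_sources() {
    for net in 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 224.0.0.0/3; do
        run iptables -A INPUT -s "$net" -j DROP
    done
}

# Per-source SYN rate limit: SYNs above RATE (after a burst of BURST) from one source are
# dropped; everything else continues down the chain. Same idea as the "5 per second" rule
# in the thread, but keyed per source so a single flooder cannot starve real players.
syn_rate_limit() {
    rate="${1:-5/second}"
    burst="${2:-10}"
    run iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name synlimit \
        --hashlimit-mode srcip --hashlimit-above "$rate" --hashlimit-burst "$burst" -j DROP
}

# xt_length matches the total IPv4 length, headers included, while tcpdump prints the UDP
# payload length; convert before writing a size-based rule for a fixed-size flood.
udp_total_length() {
    echo $(( $1 + 28 ))   # 20-byte IPv4 header + 8-byte UDP header
}

drop_udp_of_payload_size() {
    run iptables -A INPUT -p udp --dport "$SRCDS_PORT" -m length --length "$(udp_total_length "$1")" -j DROP
}

# For a booter whose traffic is not spoofed, dropping the reported source is enough on the host.
drop_source() {
    run iptables -A INPUT -s "$1" -j DROP
}

tune_sysctl
drop_bogon_sources
syn_rate_limit 5/second 10
drop_udp_of_payload_size 50
drop_source 203.0.113.1   # placeholder (RFC 5737 documentation address), not a real attacker
```

Two caveats follow from the thread itself: a per-source limit only bites when sources are real, so against randomly spoofed SYNs the syn cookies do the actual work; and all of this saves CPU and connection state on the host but removes no bytes from the uplink, so once the link is saturated only an upstream null-route or provider-side filtering helps.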
Re: [hlds_linux] Incoming DoS attack
I haven't looked at the tcpdump, but I have been getting attacks too; they're SYN floods, 300-400 mbps in size and always coming from local/reserved (0.x) IPs. All started some time after we set up our MvM servers.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 10:56:28 +0100
Subject: [hlds_linux] Incoming DoS attack

Hi,

We've been having DoS attacks aimed at one of our MvM servers. Anyone have any idea what they're attempting to do here? Is it just to make the server unreachable, or are they actually trying to exploit srcds somehow?

Here's a tcpdump made for about 30 seconds during the attack (which is still ongoing): http://www.specialattack.net/downloads/dump.rar

Saint K.
Re: [hlds_linux] Incoming DoS attack
The IPs in the dump originate from China, but as it's UDP it could very well be spoofed. Looking at the payload in the packets, each new packet only has 1 character change from the previous packet. Bruteforce, or perhaps signature scanning evasion?

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:15
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
Just took a look at the tcpdump, doesn't look like the attacks I'm having. I may be stupid now, but wouldn't it work just by blocking packets with the size of 50?

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:19:08 +0100
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
We have no control over the upstream network. All I can do is filter the packets at the machine, but that wouldn't prevent the link from still being overloaded. Currently a null-route is in place to stop the attack at the network border.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:26
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
My face when, I just analyzed my own tcpdump and I had over ~150 Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:29:01 +0100
Subject: Re: [hlds_linux] Incoming DoS attack
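The split this message describes (most of the bytes in UDP, most of the packets in SYNs) is exactly what a quick per-class breakdown of a capture shows. As an added example, not part of any message in the thread, here is a small sh/awk triage of `tcpdump -nn` text that sorts packets into the classes discussed on this page (TCP SYNs, UDP from source port 53 or 19 as DNS or chargen reflections, other UDP, other TCP) and reports packets per second, Mbit/s, distinct sources and the most common payload length per class; the length column is what you would feed into a size-based rule like the "size of 50" idea earlier in the thread. The sample lines are constructed (RFC 5737 documentation addresses, 10.0.0.5:27015 assumed as the server), and the 40-byte TCP and 28-byte UDP header overheads are approximations, since tcpdump's "length" is the layer-4 payload size.

```shell
#!/bin/sh
# Added example (not from the thread): classify `tcpdump -nn` output into the traffic
# classes this thread talks about and report rates per class.
# Input format assumed: "HH:MM:SS.usec IP src.port > dst.port: UDP, length N" and
# "HH:MM:SS.usec IP src.port > dst.port: Flags [S], ..., length N". Lines whose second
# field is not "IP" (ARP, IPv6, continuation lines) are skipped.

# Constructed sample: a 2-second window against a game server at 10.0.0.5:27015 (assumed).
sample_dump() {
    cat <<'EOF'
11:00:00.000000 IP 0.12.34.56.41000 > 10.0.0.5.27015: Flags [S], seq 1, win 8192, length 0
11:00:00.200000 IP 0.99.1.2.41001 > 10.0.0.5.27015: Flags [S], seq 2, win 8192, length 0
11:00:00.400000 IP 0.7.7.7.41002 > 10.0.0.5.27015: Flags [S], seq 3, win 8192, length 0
11:00:00.600000 IP 203.0.113.9.53 > 10.0.0.5.27015: UDP, length 1400
11:00:00.800000 IP 198.51.100.4.53 > 10.0.0.5.27015: UDP, length 1400
11:00:01.000000 IP 203.0.113.9.53 > 10.0.0.5.27015: UDP, length 1400
11:00:01.200000 IP 192.0.2.77.19 > 10.0.0.5.27015: UDP, length 1024
11:00:01.400000 IP 192.0.2.10.27005 > 10.0.0.5.27015: UDP, length 50
11:00:01.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
11:00:01.600000 IP 192.0.2.11.27005 > 10.0.0.5.27015: UDP, length 50
11:00:02.000000 IP 192.0.2.20.51000 > 10.0.0.5.27015: Flags [P.], seq 1:20, ack 1, win 500, length 19
EOF
}

# Reads tcpdump text on stdin and prints one line per class:
#   class packets pps Mbit/s distinct_sources most_common_length
# Header overhead (IPv4+TCP 40 bytes, IPv4+UDP 28 bytes) is an approximation.
classify_dump() {
    awk -v tcp_hdr=40 -v udp_hdr=28 '
    $2 != "IP" { next }
    {
        split($1, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
        if (n++ == 0) first = ts
        last = ts
        nd = split($3, a, "."); src = a[1] "." a[2] "." a[3] "." a[4]; sport = a[nd] + 0
        len = 0; for (i = 6; i < NF; i++) if ($i == "length") len = $(i + 1) + 0
        if ($6 == "UDP,") {
            cls = (sport == 53) ? "udp/dns-reply" : (sport == 19) ? "udp/chargen" : "udp/other"
            bytes = len + udp_hdr
        } else if ($6 == "Flags") {
            cls = ($7 ~ /^\[S\]/) ? "tcp/syn" : "tcp/other"   # [S] only; [S.] is a SYN-ACK
            bytes = len + tcp_hdr
        } else next
        pk[cls]++; by[cls] += bytes
        if (!((cls, src) in seen)) { seen[cls, src] = 1; srcs[cls]++ }
        if (++lc[cls, len] > topn[cls]) { topn[cls] = lc[cls, len]; toplen[cls] = len }
    }
    END {
        dur = last - first; if (dur <= 0) dur = 1
        for (c in pk)
            printf "%s %d %.1f %.3f %d %d\n", c, pk[c], pk[c] / dur, by[c] * 8 / dur / 1e6, srcs[c], toplen[c]
    }' | sort
}

sample_dump | classify_dump
```

On a real capture run it as `tcpdump -nn -r dump.pcap | classify_dump`; the distinct-source count is the first hint whether a class is spoofed (thousands of sources for a few thousand packets) and therefore whether per-source blocking or abuse reports can achieve anything, which is the point Saint K. and Marco make about UDP floods elsewhere on this page.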
Re: [hlds_linux] Incoming DoS attack
Hi, are you the Mike on WHT? I was the one replying in there :D

On 27/11/2012 13.54, Michael Johansen wrote:
Re: [hlds_linux] Incoming DoS attack
I am indeed. Thank you for all your help :)

Date: Tue, 27 Nov 2012 14:25:24 +0100
From: e...@evcz.tk
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack
The what, on the what?

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan [e...@evcz.tk]
Sent: 27 November 2012 14:25
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack
Re: [hlds_linux] Incoming DoS attack

ihih, nice :) the most important thing while being DDoSed is to report to the relevant abuse desks so they can clean up their networks ;)

On 27/11/2012 14.26, Michael Johansen wrote:

I am indeed. Thank you for all your help :)

Date: Tue, 27 Nov 2012 14:25:24 +0100
From: e...@evcz.tk
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Hi, are you the Mike on WHT? I was the one replying in there :D

On 27/11/2012 13.54, Michael Johansen wrote:

My face when, I just analyzed my own tcpdump and I had over ~150 Mbit/s traffic on UDP, whereas my SYN stood for about 50k pps.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:29:01 +0100
Subject: Re: [hlds_linux] Incoming DoS attack

We have no control over the upstream network. All I can do is filter the packets at the machine, but that wouldn't prevent the link from still being overloaded. Currently a null-route is in place to stop the attack at the network border.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:26
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

Just took a look at the tcpdump, doesn't look like the attacks I'm having. I may be stupid now, but wouldn't it work just by blocking packets with the size of 50?

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 11:19:08 +0100
Subject: Re: [hlds_linux] Incoming DoS attack

The IPs in the dump originate from China, but as it's UDP it could very well be spoofed. Looking at the payload in the packets, each new packet only has 1 character change from the previous packet. Bruteforce, or perhaps signature scanning evasion?

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen [michs...@live.no]
Sent: 27 November 2012 11:15
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

I haven't looked at the tcpdump, but I have been getting attacks too, they're SYN floods, 300 - 400 mbps in size and always coming from local/reserved (0.x) IPs. All started some time after we set up our MvM servers.

From: sai...@specialattack.net
To: hlds_linux@list.valvesoftware.com
Date: Tue, 27 Nov 2012 10:56:28 +0100
Subject: [hlds_linux] Incoming DoS attack

Hi,

We've been having DoS attacks aimed at one of our MvM servers. Anyone have any idea what they're attempting to do here? Is it just to make the server unreachable, or are they actually trying to exploit srcds somehow?

Here's a tcpdump made for about 30 seconds during the attack (which is still ongoing): http://www.specialattack.net/downloads/dump.rar

Saint K.

___
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Re: [hlds_linux] Incoming DoS attack

That's kind of pointless in case of UDP attacks, chances are very high that the IPs simply are spoofed.

Saint K.

From: hlds_linux-boun...@list.valvesoftware.com [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan [e...@evcz.tk]
Sent: 27 November 2012 14:27
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Incoming DoS attack

ihih, nice :) the most important thing while being DDoSed is to report to the relevant abuse desks so they can clean up their networks ;)

On 27/11/2012 14.26, Michael Johansen wrote:

I am indeed. Thank you for all your help :)

___
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Re: [hlds_linux] Incoming DoS attack

when you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes too to spoof from and take you down... but, IIRC, that well known .EU isp that allows spoofing lets people do that only on the 100mbit network, not on the gbit network. Therefore here comes the amplification (mostly DNS (udp 53) and chargen (UDP 19)). Reporting those amplifiers (open resolvers) is very important ;)

On 27/11/2012 14.29, Saint K. wrote:

That's kind of pointless in case of UDP attacks, chances are very high that the IPs simply are spoofed.

Saint K.

___
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
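The three traffic patterns the thread describes (SYN floods from reserved 0.x sources, a fixed 50-byte UDP flood against the game server, and replies arriving from DNS and chargen amplifiers) as a small triage script over tcpdump summary lines, added here as an example and not code from anyone on the list. The game port 27015, the short reserved-range list and the sample lines are constructed assumptions; the output is the per-pattern packet and source count you would put in an abuse report.

```python
import ipaddress
import re
from collections import Counter

GAME_PORT = 27015            # assumed srcds port; the thread does not state it
REFLECTOR_PORTS = {53, 19}   # DNS and chargen, the amplifiers named in the thread
FLOOD_SIZE = 50              # the fixed UDP size the thread asks about blocking
# Illustrative reserved ranges (the thread's SYN floods came from 0.x); a real
# deployment would load a maintained bogon list instead of this short one.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.+), length (\d+)$")

def classify(line):
    """Label one tcpdump summary line, or return None when it looks like normal traffic."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, _dst, dport, info, length = m.groups()
    if info.startswith("Flags [S]") and any(ipaddress.ip_address(src) in n for n in BOGONS):
        return "syn-from-bogon"        # no real client has such a source; drop at the edge
    if info == "UDP" and int(sport) in REFLECTOR_PORTS:
        return "reflection"            # unsolicited DNS/chargen replies: amplification
    if info == "UDP" and int(dport) == GAME_PORT and int(length) == FLOOD_SIZE:
        return "fixed-size-udp-flood"  # the 50-byte packets a size filter would catch
    return None

def summarize(lines):
    """Packets and distinct sources per label: the numbers an abuse report needs."""
    counts, sources = Counter(), {}
    for line in lines:
        label = classify(line)
        if label:
            counts[label] += 1
            sources.setdefault(label, set()).add(LINE_RE.search(line).group(1))
    return dict(counts), {k: len(v) for k, v in sources.items()}

# Constructed sample in tcpdump's summary format; not the dump linked in the thread.
SAMPLE = """\
10:56:01.000101 IP 0.12.34.56.41234 > 203.0.113.10.27015: Flags [S], seq 1, win 8192, length 0
10:56:01.000202 IP 0.99.1.2.41235 > 203.0.113.10.27015: Flags [S], seq 2, win 8192, length 0
10:56:01.000303 IP 198.51.100.7.53210 > 203.0.113.10.27015: UDP, length 50
10:56:01.000404 IP 198.51.100.8.53211 > 203.0.113.10.27015: UDP, length 50
10:56:01.000505 IP 192.0.2.53.53 > 203.0.113.10.27015: UDP, length 1300
10:56:01.000606 IP 192.0.2.19.19 > 203.0.113.10.27015: UDP, length 1024
10:56:01.000707 IP 198.51.100.9.27005 > 203.0.113.10.27015: UDP, length 1200
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Because the sources of a UDP flood are likely spoofed, as the thread notes, the distinct-source count is evidence for the report rather than a block list; the reserved-source SYNs and the reflector-port replies are the classes a host or edge filter can drop safely.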