A2S Attacks

bestmeth0ds · **Author**

Hello, I was wondering if anyone knows how to block people from attacking my servers with A2S packets. I have blocked A2S_INFO packets with addons such as DAF, but it seems the attackers are using other forms of A2S to hit my servers. Any information would be deeply appreciated and if anyone could "code" some sort of fix I could pay them.

bestmeth0ds · 02-13-2011 , 13:02 Re: A2S Attacks

Does anyone have any useful information? I know I'm not the only one being hit with these attacks.

Edit: I believe they are using these types of packets.

A2S_PLAYER
A2S_RULES

secu2 · 02-21-2011 , 17:48 Re: A2S Attacks

DAF?

nightrider · 02-21-2011 , 18:27 Re: A2S Attacks

DAF
http://www.sourceop.com/modules.php?...download&cid=9

ojmdk476oj · 02-22-2011 , 01:27 Re: A2S Attacks

I don't know how to fix it, but be glad they are not attacking your hole ip... Have tried that.. Not fun at all.

tigerox · 03-01-2011 , 21:49 Re: A2S Attacks

If you use linux check out connection tracking using iptables. Unless it is a spoofed attack this should fix your problem.

Samantha · 03-01-2011 , 22:44 Re: A2S Attacks

DAF doesn't block A2S_INFO packets afaik, DAF blocks A2C_PRINT, use querycache, but load it late, meaning "sm exts load query_cache" when an attack is occurring and see if it does anything.

bestmeth0ds · 03-16-2011 , 23:26 Re: A2S Attacks

For anyone still stressing on this issue I have found a solution. Here is a ruby script I use to block A2S attacks.

PHP Code:


			
#!/usr/bin/env ruby



#Path to iptables

iptables = 'sudo /sbin/iptables'

#Servers we want to enter in to the firewall

servers = [

          {:ip => '127.0.0.1',

          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]},

          {:ip => '127.0.0.1',

          :ports => [ 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27025 ]}

          ]

#clear old stuff

`#{iptables} -F`



### default rule for established connections

`#{iptables} -A OUTPUT -m state --state established,related -j ACCEPT`

`#{iptables} -A INPUT -m state --state established,related -j ACCEPT`

###



### put ips you want to allow bypassing all these rules here

#`#{iptables} -A INPUT -s myip       -j ACCEPT`

#`#{iptables} -A INPUT -s my_ip       -j ACCEPT`

##



### local connections

`#{iptables} -A INPUT -s 127.0.0.1 -j ACCEPT`

#

#

servers.each do |server|

  ip = server[:ip]

  server[:ports].each do |port|

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 15/s --limit-burst 10 -j ACCEPT`

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -m limit --limit 1/s  --limit-burst 1 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"SOURCE UDP FLOOD #{port}\"`

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff54|' -j DROP`

    `#{iptables} -A INPUT -p udp -m udp --dport #{port} -m string --algo bm --hex-string '|ffffffff|' -j DROP`

  end

end