[joropito]

Sorry but that server is using droto. I can see the ip address in your hex dump... (port 27017 btw)

[xPaw]

Quote:

Originally Posted by marianow guy's try droping this hex string on iptables this solve the problem for me |FFFFFFFF56| Regards,

0x56 is A2S_RULES, what kind of problem do you expect it so solve by blocking it?

[guven5]

Why some people talking about that sh*t like a new thing, i get that flood attack from 6-7 months (or more) now probably more atatckers and victims and started to talking about "alliedmods.net" forum... may be attack scripts a bit changed only (now more efective)

i dont know what people do but i know how stop that flood attack, good for some coders, if they have a solution they can get good donates (if we think there is too many game hostings over the world)

[rx1983]

My serve is being attacked. I get the following message:

Code:

Traffic from xxx.xxx.xxx was blocked for exceeding rate limits
Traffic from xxx.xxx.xxx was blocked for exceeding rate limits
Traffic from xxx.xxx.xxx was blocked for exceeding rate limits

we are talking about the same thing?

[Zephyrus]

anyway valve could only made the attack smaller but if you got a huge enough attack or as low as 300-400mb/s (as far as i know devnull achieved about that amount) can be enough to knock out a common server with a 100mbit connection

[joropito]

Quote:

Originally Posted by Alfred ---------- Forwarded message ---------- From: Alfred Reynolds<........> Date: Mon, Aug 6, 2012 at 6:25 PM Subject: Re: [hlds_linux] New 1.6 Exploit very dangerous! To: Half-Life dedicated Linux server mailing list <.......> I dug into a user report of this, they were running a plugin that lets people from stolen versions of the game play on servers (dproto), that software has (at least one) bug that means you can be attacked. So yeah, be careful the 3rd party software you use on a server, and if its job is to let people steal the game.... - Alfred

[last_hope]

Reason: No >>> No reason.
good luck..

[marianow]

Quote:

Originally Posted by xPaw 0x56 is A2S_RULES, what kind of problem do you expect it so solve by blocking it?

the problem is: A2S_RULES and A2S_PLAYERS responses.

PD: email from hlds_announce:

We have released an update to Half-Life 1 dedicated servers. This update fixes a potential vulnerability in the challenge/response protocol uses for out of band queries (in particular A2S_RULES and A2S_PLAYERS responses). The update also fixes sprays not functioning correctly when new users join a server.

Also as a reminder, we will be disabling the older heartbeating protocol later this week so you need to update to be listed on the master server. This change only effect the server side, any clients (i.e server list generators or management tools) will be unaffected by this change.

- Alfred

[peku33]

I've found out that this 'exploit' is based on A2S_* source IP spoofing.

'Hackers' computer sends A2S_* (packets used to get basic server info, ie used by gametracker, in-game server browser etc) to server with fake source IP. This source IP is set to victim server. Hackers sends 1000 requests to server, and it sends 1000 respones to victim server.

There are to things, which should be done to secure your server.

a) Prevent the server to be source of attacks by limiting A2S_* quries per second. There are a few cvars, but i don't know whether they are still woriking:

Code:

max_queries_global 20
max_queries_sec 3
max_queries_window 30

They will limit in (and out) A2S_* packets.


b) Cut all incoming A2S_* replays to server using 'iptables' (?). The replay format is FF FF FF FF [Byte determining type of replay: 6A (ping) 41 (getchallenge) 49 (info) 6D (info for p47) 44 (players) 45 (rules)] [some data]

[asherkin]

If your server is updated and you aren't using dproto, the issue is already solved.