Hey guys.
I'm not sure if it's a new attack vector or an unpatched old one. Anyway, today I woke up to my server being unable to start up and continuously crashing.
Turns out I was getting DDoS'd with a very specific set of packets.
Here's an example (first packets malicious, last packet legit):
Code:
13:59:52.729800 IP 116.203.154.73.21934 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 e1cf 0000 c711 d77f 74cb 9a49 E..0........t..I
0x0010: 3625 f533 55ae 69a5 001c 1db7 ffff ffff 6%.3U.i.........
0x0020: 71f0 ed5b 9830 3030 3030 3030 3030 3000 q..[.0000000000.
13:59:52.729803 IP 26.54.168.44.62391 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 751f 0000 4111 16e3 1a36 a82c E..0u...A....6.,
0x0010: 3625 f533 f3b7 69a5 001c 523e ffff ffff 6%.3..i...R>....
0x0020: 7110 a05d 6030 3030 3030 3030 3030 3000 q..]`0000000000.
13:59:52.729803 IP 55.202.194.181.33155 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 43e4 0000 0f11 4201 37ca c2b5 E..0C.....B.7...
0x0010: 3625 f533 8183 69a5 001c 98b5 ffff ffff 6%.3..i.........
0x0020: 718f d17e 2230 3030 3030 3030 3030 3000 q..~"0000000000.
13:59:52.729805 IP 133.70.86.216.24241 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 1b68 0000 bf11 d8dd 8546 56d8 E..0.h.......FV.
0x0010: 3625 f533 5eb1 69a5 001c 6368 ffff ffff 6%.3^.i...ch....
0x0020: 71c9 e4c4 8530 3030 3030 3030 3030 3000 q....0000000000.
....
14:12:02.000633 IP 108.1.54.215.23698 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 c604 0000 0911 1d88 6c01 36d7 E..0........l.6.
0x0010: 3625 f533 5c92 69a5 001c 7446 ffff ffff 6%.3\.i...tF....
0x0020: 7103 bf11 d630 3030 3030 3030 3030 3000 q....0000000000.
14:12:02.000636 IP 104.46.200.220.26677 > 54.37.245.51.27045: UDP, length 25
0x0000: 4500 0035 e05c 0000 2511 58f8 682e c8dc E..5.\..%.X.h...
0x0010: 3625 f533 6835 69a5 0021 12b4 ffff ffff 6%.3h5i..!......
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
For some reason this triggers the watchdog and crashes srcds.
A solution to this problem is to simply apply the good old hardening rules:
https://forums.alliedmods.net/showthread.php?t=151551, more specifically the length rules.
I hope this helps.
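As an added example (not from the post or the linked thread), here is a small Python parser for the tcpdump output above: it recovers each UDP payload from the hex columns and buckets packets by their 0xFFFFFFFF connectionless header byte and length, the two fields the length rules in the linked thread act on, plus the number of distinct source IPs per bucket. It assumes the tcpdump -X layout shown in the post (hex groups followed by an ASCII column, no link-layer header, IPv4/UDP only); the bucket labels are my own naming.

```python
import re
from collections import Counter
# Three records copied from the tcpdump output in the post above (two 20-byte 'q' packets, then the 25-byte query).
DUMP = r"""13:59:52.729800 IP 116.203.154.73.21934 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 e1cf 0000 c711 d77f 74cb 9a49 E..0........t..I
0x0010: 3625 f533 55ae 69a5 001c 1db7 ffff ffff 6%.3U.i.........
0x0020: 71f0 ed5b 9830 3030 3030 3030 3030 3000 q..[.0000000000.
13:59:52.729803 IP 26.54.168.44.62391 > 54.37.245.51.27045: UDP, length 20
0x0000: 4500 0030 751f 0000 4111 16e3 1a36 a82c E..0u...A....6.,
0x0010: 3625 f533 f3b7 69a5 001c 523e ffff ffff 6%.3..i...R>....
0x0020: 7110 a05d 6030 3030 3030 3030 3030 3000 q..]`0000000000.
14:12:02.000636 IP 104.46.200.220.26677 > 54.37.245.51.27045: UDP, length 25
0x0000: 4500 0035 e05c 0000 2511 58f8 682e c8dc E..5.\..%.X.h...
0x0010: 3625 f533 6835 69a5 0021 12b4 ffff ffff 6%.3h5i..!......
0x0020: 5453 6f75 7263 6520 456e 6769 6e65 2051 TSource.Engine.Q
0x0030: 7565 7279 00 uery.
"""
def parse_dump(text):
    """Return one bytearray (the raw IPv4 packet) per record of tcpdump -X output."""
    packets = []
    for line in text.splitlines():
        if line.startswith("0x"):  # hex groups run until the first non-hex token, which begins the ASCII column
            for tok in line.split(":", 1)[1].split():
                if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok): break
                packets[-1] += bytes.fromhex(tok)
        elif line.strip():  # a summary line ("<time> IP <src> > <dst>: UDP, length N") starts a new record
            packets.append(bytearray())
    return packets

def udp_payload(raw):
    """(source IP, UDP payload) of an IPv4/UDP packet; the payload is bounded by the UDP length field."""
    ihl = (raw[0] & 0xF) * 4
    udp_len = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
    return ".".join(map(str, raw[12:16])), bytes(raw[ihl + 8:ihl + udp_len])

def classify(payload):
    """Label a connectionless (0xFFFFFFFF header) packet by type byte and length, as a length rule would."""
    if payload[:4] != b"\xff\xff\xff\xff":
        return "not-oob"
    return "a2s_info" if payload[4:] == b"TSource Engine Query\x00" else "oob-%c-len%d" % (payload[4], len(payload))

def summarize(text):
    """Packet count and number of distinct source IPs per class, the figures a length/rate rule keys on."""
    counts, sources = Counter(), {}
    for raw in parse_dump(text):
        src, payload = udp_payload(raw)
        label = classify(payload)
        counts[label] += 1
        sources.setdefault(label, set()).add(src)
    return dict(counts), {k: len(v) for k, v in sources.items()}
```

On the three records above this yields two 20-byte 'q' packets from two different sources in the same millisecond and one 25-byte A2S_INFO query, which is the shape the length rules separate.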