[TF2] New type of attacks


SilentBr
Veteran Member
Join Date: Jan 2009
Old 02-05-2011 , 18:55   [TF2] New type of attacks
Reply With Quote #1

Hi mates

I'm here again to report more attacks on my TF2 servers. A few weeks ago, I was suffering DoS attacks. These attacks were damaging all servers on the same machine. So, I changed the host and these attacks stopped. (Thank God)

But now, I think my servers are getting different attacks; I guess it is some exploit or something like that.

First: The server doesn't lag. We are playing normally, and then the server suddenly stops. This stop is like a "freeze". The server freezes for 40 ~ 60 seconds; after this time the server comes online again, but all players are disconnected from the server and need to connect again. If I have not been very clear, let me explain with HLSW.

a. Second 1 - We are playing with 50 ping
b. Second 2 - The server gets a timeout in HLSW (50 to timeout - it doesn't get high or unstable ping)
c. Second 12 - The server continues to time out
d. Second 22 - The server continues to time out
e. Second 32 - The server continues to time out
f. Second 42 - The server is back online again with 50 ping (timeout to ping 50 - it doesn't get high or unstable ping)

After this freeze, the server comes back on the same map (so it is not a crash, because it doesn't go back to the "start map"). When it's back, 32 players appear, then it goes to 22, then 16... A lot of lost connections.

Why do I think it is an attack?
1. Because my server #01 gets this freeze, and 2 minutes later my server #02 gets this freeze too.
2. My dedicated server is a dual quad core 2.83 GHz, 16 RAM, 100 Mbit, Linux CentOS.
3. At the exact moment that the servers froze, I looked at the machine and everything was in order.
4. I've been hosted on this machine since last Saturday, and this never happened before. It happened yesterday on my server #02, and today it happened on both servers (first on server #01 and 2 minutes later on server #02).
5. Other servers on the same machine (CSS) run like a charm while my TF2 was freezing.

I'm pretty sure that these are attacks because of 'Reason 1'... But maybe I could be wrong? Maybe it is not an attack but a machine problem? Maybe it is my plugins and extensions? Please tell me what I should do.

I'm running KAC and DAF as protection. Now I installed the [VSP] Anti-flood plugin "Serversecure" until I get help from other members. Maybe this will solve my problem? I saw D-FENS but a member said that the Anti-flood plugin Serversecure is better.. so...

My config:

PHP Code:
plugin_print
  0:<TAB>" "Server Secure" "
  1:<TAB>"Metamod:Source 1.8.6-dev"
  2:<TAB>"DoS Attack Fixer, www.sourceop.com"

meta version
  Metamod:Source version 1.8.6-dev
  Build ID: 756:f0aa7238d72c-dev
  Loaded As: Valve Server Plugin
  Compiled on: Jan 12 2011
  Plugin interface version: 15:14
  SourceHook version: 5:5
  http://www.metamodsource.net/

meta list
Listing 4 plugins:
  [01] SourceMod (1.3.7-dev) by AlliedModders LLC
  [02] TF2 Tools (1.3.7-dev) by AlliedModders LLC
  [03] BinTools (1.3.7-dev) by AlliedModders LLC
  [04] SDK Tools (1.3.7-dev) by AlliedModders LLC

sm version
  SourceMod Version: 1.3.7-dev
  SourcePawn Engine: SourcePawn 1.1, jit-x86 (build 1.3.7-dev)
  SourcePawn API: v1 = 4, v2 = 3
  Compiled on: Jan 16 2011 20:37:07
  Build ID: 3092:c13788be3c6f-dev
  http://www.sourcemod.net/

sm plugins list
Listing 25 plugins:
  01 "Fun Votes" (1.3.7-dev) by AlliedModders LLC
  02 "Nextmap" (1.3.7-dev) by AlliedModders LLC
  03 "Client Preferences" (1.3.7-dev) by AlliedModders LLC
  04 "CBaseServer Ext Basic Reserve Slots" by predfoot winkerbottom
  05 "Basic Commands" (1.3.7-dev) by AlliedModders LLC
  06 "Kigen's Anti-Cheat" (1.2.1.6) by CodingDirect LLC
  07 "Basic Comm Control" (1.3.7-dev) by AlliedModders LLC
  08 "Player Commands" (1.3.7-dev) by AlliedModders LLC
  09 "High Ping Kicker - Lite Edition" (1.0.0.1) by Liam
  10 "Basic Votes" (1.3.7-dev) by AlliedModders LLC
  11 "MapChooser" (1.3.7-dev) by AlliedModders LLC
  12 "Sound Commands" (1.3.7-dev) by AlliedModders LLC
  13 "Admin Menu" (1.3.7-dev) by AlliedModders LLC
  14 "Basic Chat" (1.3.7-dev) by AlliedModders LLC
  15 "Basic Ban Commands" (1.3.7-dev) by AlliedModders LLC
  16 "Admin Help" (1.3.7-dev) by AlliedModders LLC
  17 "Rock The Vote" (1.3.7-dev) by AlliedModders LLC
  18 "Advertisements" (0.5.5) by Tsunami
  19 "AFK Manager" (3.3.0) by Rothgar
  20 "Admin File Reader" (1.3.7-dev) by AlliedModders LLC
  21 "Reserved Slots" (1.3.7-dev) by AlliedModders LLC
  22 "Fun Commands" (1.3.7-dev) by AlliedModders LLC
  23 "Basic Info Triggers" (1.3.7-dev) by AlliedModders LLC
  24 "Map Nominations" (1.3.7-dev) by AlliedModders LLC
  25 "Anti-Flood" (1.3.7-dev) by AlliedModders LLC

sm exts list
[SM] Displaying 11 extensions:
  [01] Automatic Updater (1.3.7-dev): Updates SourceMod gamedata files
  [02] Webternet (1.3.7-dev): Extension for interacting with URLs
  [03] CBaseServer tools (1.1.0.0): Base server tools (and example of detours)
  [04] TF2 Tools (1.3.7-dev): TF2 extended functionality
  [05] BinTools (1.3.7-dev): Low-level C/C++ Calling API
  [06] SDK Tools (1.3.7-dev): Source SDK Tools
  [07] Top Menus (1.3.7-dev): Creates sorted nested menus
  [08] Client Preferences (1.3.7-dev): Saves client preference settings
  [09] SQLite (1.3.7-dev): SQLite Driver
  [10] <FAILED> file "sdkhooks.ext.so": /home/tf27016/orangebox/tf/addons/sourcemod/extensions/sdkhooks.ext.so: cannot open shared object file: No such file or directory
  [11] Socket (3.0.1alpha): Socket extension for SourceMod

PS: I don't use SDK Hooks, and KAC gets an error because it didn't find this extension; it is optional.

So, this is all my information. I really need help.

Thanks
SilentBr is offline
meecrob
Senior Member
Join Date: Jan 2010
Old 02-06-2011 , 05:05   Re: [TF2] New type of attacks
Reply With Quote #2

Personally, I would remove DAF and VSP since you are on a Linux machine. Properly configured IPTables should solve your problems if it is an attack.

The only inbound ports you need open are:

UDP 27015, this is used by the server browser and to allow players to connect and play on your server.

TCP 27015, only if you are using RCON (SourceBans, etc.) and even then, you should restrict access to the IP address at which your SourceBans installation or what have you is located.

You will also want to allow ESTABLISHED,RELATED sessions for various other server functions to work.
__________________
meecrob is offline
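
The inbound policy meecrob describes above, as an added example that is not part of the original post: a shell function that prints an iptables-restore ruleset with a default-drop INPUT chain. The RCON source address (a documentation-range placeholder), the SSH management port and the use of the conntrack match are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ruleset as text so it can
# be reviewed, or checked with "iptables-restore --test", before it is loaded.

# valid_ipv4 ADDR: succeeds only for a dotted-quad IPv4 address
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# valid_port N: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules GAME_PORT RCON_SOURCE_IP [SSH_PORT]
#   GAME_PORT       port used by the game server (27015 in the post)
#   RCON_SOURCE_IP  the only host allowed to reach RCON over TCP (assumption)
#   SSH_PORT        management port kept open so the admin is not locked out
#                   (assumption, default 22; not mentioned in the post)
gen_rules() {
    game_port=$1
    rcon_src=$2
    ssh_port=${3:-22}
    valid_port "$game_port" || { echo "bad game port: $game_port" >&2; return 1; }
    valid_port "$ssh_port"  || { echo "bad ssh port: $ssh_port" >&2; return 1; }
    valid_ipv4 "$rcon_src"  || { echo "bad RCON source: $rcon_src" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $game_port -j ACCEPT
-A INPUT -p tcp -s $rcon_src --dport $game_port -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
COMMIT
EOF
}
```

Typical use is `gen_rules 27015 203.0.113.10 | iptables-restore --test` as root, with the address replaced by the real SourceBans host; each additional game server on the machine needs its own port pair added.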
Jiffs
Member
Join Date: Apr 2009
Location: Russian
Old 02-06-2011 , 16:13   Re: [TF2] New type of attacks
Reply With Quote #3

Is there a variable sv_tags in your server.cfg? If the answer is "yes", post it here.

Explanation: I had the same problem on my CW server. The problem occurs when the server is full and when the players enable tournament mode. The solution was: removal from sv_tags of all the variables in which there is a space and numbers.

Before: sv_tags "normal,2011,custom maps,etf2l config"

After: sv_tags "normal,clanwar"
__________________
Sorry for my bad english...

Last edited by Jiffs; 02-06-2011 at 16:25.
Jiffs is offline
SilentBr
Veteran Member
Join Date: Jan 2009
Old 02-08-2011 , 13:51   Re: [TF2] New type of attacks
Reply With Quote #4

@@@ meecrob

Should I disable DAF? But if I disable it, I guess some bad players will cause lag with that program, with commands... that kind of stuff.

About VSP: I installed it to try to block these attacks, and until now, no "freeze" again, thank God. I don't know if VSP solved the problem or if it is a coincidence. But as I said before, I'm not sure whether it is an attack or a problem with configuration / machine; I think it is an attack, keep in mind. I'm going to send your suggestion to the company that hosts my servers; let's see what they say. Thanks

@@@ Jiffs

I don't use sv_tags. I'm posting my cfg, if you see anything wrong, please tell me. Thanks
PHP Code:
 
// This config file is executed when the server starts up and every time the server changes levels.
// server name
hostname "My Server"
// rcon password
rcon_password "xxxxx"
// Server password
sv_password ""
//Server Rates
sv_maxrate 35000
sv_minrate 20000
sv_minupdaterate 33
sv_maxupdaterate 66
sv_mincmdrate 33
sv_maxcmdrate 66
sv_client_predict 1
sv_client_max_interp_ratio 1
sv_client_min_interp_ratio 1
//General Variables
sv_unlag 1
sv_maxunlag .5
sv_allow_color_correction 0
sv_allow_wait_command 0
sv_allowdownload 1
sv_allowupload 1
sv_downloadurl ""
decalfrequency 10
sv_alltalk 0
sv_cheats 0
sv_consistency 1
sv_gravity 800
sv_voiceenable 1
sv_pure 2
sv_pure_kick_clients 1
sv_pure_trace 1
sv_pausable 0
sv_region 2
sv_lan 0
//by fingerclick - disable HLSS
sv_allow_voice_from_file 0
cl_logofile 1
mp_timelimit 35
mp_stalemate_timelimit 60
mp_bonusroundtime 20
mp_allowspectators 1
mp_autoteambalance 1
mp_autocrosshair 0
mp_chattime 5
mp_disable_respawn_times 1
mp_enableroundwaittime 1
mp_falldamage 0
mp_flashlight 0
mp_footsteps 1
mp_forcecamera 1
mp_fraglimit 0
mp_forcerespawn 1
mp_friendlyfire 0
mp_idledealmethod 2
mp_idlemaxtime 190
mp_match_end_at_timelimit 0
mp_maxrounds 0
mp_respawnwavetime 10.0
mp_showrespawntimes 1
mp_stalemate_enable 0
mp_winlimit 0
mm_max_spectators 2
mp_teams_unbalance_limit 1
mp_teamplay 0
mp_time_between_capscoring 30
tf_teamtalk 0 
tf_weapon_criticals 1
tf_birthday 0
tf_damage_disablespread 1
sv_downloadurl "my_site"
//SM Cvars
sm_advertisements_interval 90
// execute ban files
exec banned_user.cfg
exec banned_ip.cfg
writeid
writeip 

Last edited by SilentBr; 02-08-2011 at 14:01.
SilentBr is offline
voogru
Inspector Javert
Join Date: Oct 2004
Old 02-08-2011 , 20:19   Re: [TF2] New type of attacks
Reply With Quote #5

Interesting how you took out your server name and sv_downloadurl.... that's kind of public information.

It seems like you're hiding something.

That usually means someone is using nosteam.

Last edited by voogru; 02-08-2011 at 20:23.
voogru is offline
bluechester
AlliedModders Donor
Join Date: Nov 2008
Old 02-08-2011 , 20:27   Re: [TF2] New type of attacks
Reply With Quote #6

Quote:
Originally Posted by voogru View Post
Interesting how you took out your server name and sv_downloadurl.... that's kind of public information.

It seems like you're hiding something.

That usually means someone is using nosteam.
Or maybe you're just paranoid? He's obviously trying to hide his server name from any more attacks and as for the fast downloads, he simply doesn't want anyone leeching his bandwidth.

I've been having the same problems with my servers. It only happens when all my servers are full. They seem to lag spike in game, but on the outside in the server list, one at a time they go offline each at an interval of 5 seconds.

Last edited by bluechester; 02-08-2011 at 20:39.
bluechester is offline
voogru
Inspector Javert
Join Date: Oct 2004
Old 02-08-2011 , 23:43   Re: [TF2] New type of attacks
Reply With Quote #7

Quote:
Originally Posted by bluechester View Post
He's obviously trying to hide his server name from any more attacks and as for the fast downloads, he simply doesn't want anyone leeching his bandwidth.
Clients can read the sv_downloadurl really easily.

I'm just making an observation. My spidey senses tingle when I see someone hiding things that people don't ordinarily hide.

Considering he has a server in his signature...
voogru is offline
thetwistedpanda
Good Little Panda
Join Date: Sep 2008
Old 02-09-2011 , 00:24   Re: [TF2] New type of attacks
Reply With Quote #8

I've done requests for him in the past, his servers run Steam. I've had to join his servers and verify the script was working properly, I checked while I was there.
__________________
thetwistedpanda is offline
Leonardo
Veteran Member
Join Date: Feb 2010
Location: 90's
Old 02-09-2011 , 00:49   Re: [TF2] New type of attacks
Reply With Quote #9

goddamn
I've got similar trouble
it's partially fixed by removing non-threading SQL functions from most of the plugins
but sometimes it happens anyway ...
__________________
Leonardo is offline
SilentBr
Veteran Member
Join Date: Jan 2009
Old 02-09-2011 , 15:54   Re: [TF2] New type of attacks
Reply With Quote #10

No, my servers are not non-steam. I just didn't put my server name because I don't want the attacker to see that I'm looking for help. Anyway, you can get my servers' names, IPs, etc. and check for yourself on gametracker.

Back to the problem. I installed VSP Server Secure and the server didn't freeze for about 4 days. But it happened now.

I don't know what to do. Now I'm in doubt. Only server #02 froze. I guess it is the config. I need to try disabling some plugins and test again.

There is an error saying "SDK Hooks" could not be read because I didn't install it. It is optional; KAC causes this error. I'm going to install it right now but I don't know if this is the problem.

If it keeps freezing after I install SDK Hooks, I'll disable some plugins. Which plugins should I disable first? I think KAC, CBaseServers, Sockets... What do you guys think? Is my server.cfg OK or do I need to change something?

Thanks

Last edited by SilentBr; 02-09-2011 at 15:56.
SilentBr is offline