
How Fix? - TSource Engine Attacks -


vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 04-27-2017 , 16:51   How Fix? - TSource Engine Attacks -
Reply With Quote #1

How can TSource Engine attacks be fixed? I need help. I need all comments.
Neuro Toxin
Veteran Member
Join Date: Oct 2013
Location: { closing the void; }
Old 04-27-2017 , 17:53   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #2

You could start with a packet dump.
vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 04-28-2017 , 00:38   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #3

How? I don't understand.
vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 04-28-2017 , 12:10   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #4

The attacks are fixed now. If the attacks continue, I will tell you. Thanks for the help.
sneaK
SourceMod Moderator
Join Date: Feb 2015
Location: USA
Old 04-28-2017 , 13:43   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #5

Quote:
Originally Posted by vortex.
The attacks are fixed now. If the attacks continue, I will tell you. Thanks for the help.

How did you fix the attacks?
vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 04-29-2017 , 15:06   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #6

The attacks are continuing. Here is the tcpdump.
I need help. Please, someone tell me how to fix this.

PHP Code:
22:11:21.646192 IP 78.171.100.85.59051 > 185.126.178.195.27015: UDP, length 11
        0x0000:  4500 0027 23cb 0000 6f11 08b9 4eab 6455  E..'#...o...N.dU
        0x0010:  b97e b2c3 e6ab 6987 0013 f525 ffff ffff  .~....i....%....
        0x0020:  5453 6f75 7263 6500 0000 0000 0000       TSource.......
22:11:21.646210 IP 185.126.178.195.27015 > 78.171.100.85.59051: UDP, length 194
        0x0000:  4500 00de 5d4f 4000 4011 bd7d b97e b2c3  E...]O@.@..}.~..
        0x0010:  4eab 6455 6987 e6ab 00ca 201e ffff ffff  N.dUi...........
        0x0020:  4911 5b54 525d 2041 736b 6572 2050 524f  I.[TR].Asker.PRO
        0x0030:  2050 5542 2021 6b6e 6966 6520 2177 7320  .PUB.!knife.!ws.
        0x0040:  2165 6c64 6976 656e 2021 6e61 6d65 7461  !eldiven.!nameta
        0x0050:  6720 2173 7420 0064 655f 6475 7374 3200  g.!st..de_dust2.
        0x0060:  6373 676f 0043 6f75 6e74 6572 2d53 7472  csgo.Counter-Str
        0x0070:  696b 653a 2047 6c6f 6261 6c20 4f66 6665  ike:.Global.Offe
        0x0080:  6e73 6976 6500 da02 1024 0164 6c00 0131  nsive....$.dl..1
        0x0090:  2e33 352e 372e 3600 b187 695c f711 0000  .35.7.6...i\....
        0x00a0:  0030 0121 656c 64c4 b176 656e 2c21 6b6e  .0.!eld..ven,!kn
        0x00b0:  c4b1 6665 2c21 7773 2c54 522c 5b54 525d  ..fe,!ws,TR,[TR]
        0x00c0:  2c66 7265 6561 726d 6f72 202c 7472 2c73  ,freearmor.,tr,s
        0x00d0:  6563 7572 6500 da02 0000 0000 0000       ecure.........
22:11:21.646216 IP 88.232.125.11.27005 > 185.126.178.195.27015: UDP, length 18
        0x0000:  4500 002e 6449 0000 3511 df40 58e8 7d0b  E...dI..5..@X.}.
        0x0010:  b97e b2c3 697d 6987 001a 957f ffff ffff  .~..i}i.........
        0x0020:  5500 0000 0000 0000 0000 0000 0000       U.............
22:11:21.646224 IP 88.232.125.11.27005 > 185.126.178.195.27015: UDP, length 18
        0x0000:  4500 002e 49bd 0000 5e11 d0cc 58e8 7d0b  E...I...^...X.}.
        0x0010:  b97e b2c3 697d 6987 001a 5707 ffff ffff  .~..i}i...W.....
        0x0020:  5633 3b45 0200 0000 0000 0000 0000       V3;E..........
22:11:21.646226 IP 88.232.125.11.27005 > 185.126.178.195.27015: UDP, length 23
        0x0000:  4500 0033 3191 0000 4311 03f4 58e8 7d0b  E..31...C...X.}.
        0x0010:  b97e b2c3 697d 6987 001f 3381 ffff ffff  .~..i}i...3.....
        0x0020:  7163 6f6e 6e65 6374 3078 3133 3834 3537  qconnect0x138457
        0x0030:  3532 00                                  52.
22:11:21.646236 IP 85.110.120.154.27005 > 185.126.178.195.27015: UDP, length 18
        0x0000:  4500 002e 2eac 0000 3c11 15c9 556e 789a  E.......<...Unx.
        0x0010:  b97e b2c3 697d 6987 001a 5ef2 ffff ffff  .~..i}i...^.....
        0x0020:  5633 3b45 0200 0000 0000 0000 0000       V3;E..........
22:11:21.646245 IP 85.110.120.154.27005 > 185.126.178.195.27015: UDP, length 23
        0x0000:  4500 0033 242d 0000 3a11 2243 556e 789a  E..3$-..:."CUnx.
        0x0010:  b97e b2c3 697d 6987 001f 4067 ffff ffff  .~..i}i...@g....
        0x0020:  7163 6f6e 6e65 6374 3078 3438 3331 3635  qconnect0x483165
        0x0030:  3137 00                                  17.
22:11:21.646286 IP 78.171.100.85.59051 > 185.126.178.195.27015: UDP, length 11
        0x0000:  4500 0027 23cb 0000 6f11 08b9 4eab 6455  E..'#...o...N.dU
        0x0010:  b97e b2c3 e6ab 6987 0013 f525 ffff ffff  .~....i....%....
        0x0020:  5453 6f75 7263 6500 0000 0000 0000       TSource.......
22:11:21.646344 IP 78.171.100.85.59051 > 185.126.178.195.27015: UDP, length 11
        0x0000:  4500 0027 23cb 0000 6f11 08b9 4eab 6455  E..'#...o...N.dU
        0x0010:  b97e b2c3 e6ab 6987 0013 f525 ffff ffff  .~....i....%....
        0x0020:  5453 6f75 7263 6500 0000 0000 0000       TSource....... 
nikooo777
AlliedModders Donor
Join Date: Apr 2010
Location: Lugano, Switzerland
Old 05-06-2017 , 20:17   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #7

You could try to detect an attack based on the packets per second you're receiving.

Check your average and try to understand what number is considered not normal for you.

Then you can tweak this script that I made:

PHP Code:
#!/bin/bash
# Polls the eth0 receive counter once per second and reacts when the
# packets-per-second rate crosses the thresholds below.
TOGGLE=0
while true
do
        R1=`cat /sys/class/net/eth0/statistics/rx_packets`
        sleep 1
        R2=`cat /sys/class/net/eth0/statistics/rx_packets`
        RXPPS=`expr $R2 - $R1`
        if [ "$RXPPS" -gt "28000" ]; then
                #UNUSUAL TRAFFIC DETECTED! LOG IT
                # Save the current rules so they can be restored after the wait
                iptables-save > .current.bac
                iptables -t nat -F
                if [ "$RXPPS" -gt "70000" ]; then
                        #VERY UNUSUAL TRAFFIC DETECTED, DROP ALL NEW CONNECTIONS BUT MAINTAIN THE OLD ONES
                        iptables -A INPUT -p udp -m state --state NEW -j DROP
                fi
                echo "$(date) - Attack detected ($RXPPS pps)! Applying Security means!" >> /var/log/ids.log
                FILE=$(date +%d-%m-%Y_%Hh%Mm%Ss)
                # Short packet capture for later analysis
                timeout 0.8 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log
                # Capture size in KiB (-k is an assumption; the flag in the original post is unreadable)
                SIZE=$(du -k "/var/log/ids/$FILE.log" | cut -f 1)
                if [ "$SIZE" -lt "1" ]; then
                        # Capture came back empty, retry with a longer window
                        timeout 1.2 tcpdump -nX "dst host YOURIPHERE" > /var/log/ids/$FILE.log
                fi
                sleep 60
                # Put the saved rules back
                iptables-restore < .current.bac
                rm .current.bac
                echo "$(date) - Back to normal" >> /var/log/ids.log
        fi
        sleep 5
done
Up to you to understand it, though. I'm releasing it only because I don't use it anymore, but it could still help others.

Also, perhaps consider OVH. I did some analysis of that specific source query attack and helped OVH out with it. Never had a problem ever since.
Last edited by nikooo777; 05-06-2017 at 20:27.
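
One way to read a capture like the tcpdump in post #6, or the files the script above writes with `tcpdump -nX`, is to count query types per source address before choosing thresholds. This is an added example, not code from the thread; the function names are hypothetical, the sample addresses are constructed, and the type bytes are those of Valve's server query protocol.

```python
import re
from collections import Counter
# tcpdump -nX header line: "<time> IP src.port > dst.port: UDP, length N"
HEADER = re.compile(r"^\S+ IP ([\d.]+)\.\d+ > [\d.]+\.(\d+): UDP, length (\d+)")
# Hex row: offset, then hex groups; the ASCII column starts after two spaces
HEXROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)")
# Type byte that follows the 0xFFFFFFFF connectionless prefix
KINDS = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER", 0x56: "A2S_RULES", 0x49: "INFO_REPLY"}

def parse_packets(text):
    """Return [(src_ip, dst_port, udp_payload)] parsed from `tcpdump -nX` text."""
    packets = []
    for line in text.splitlines():
        head, row = HEADER.match(line), HEXROW.match(line)
        if head:
            packets.append([head.group(1), int(head.group(2)), int(head.group(3)), ""])
        elif row and packets:
            packets[-1][3] += row.group(1).replace(" ", "")
    out = []
    for src, dport, length, hexstr in packets:
        raw = bytes.fromhex(hexstr)
        start = (raw[0] & 0x0F) * 4 + 8 if raw else 0  # IPv4 header + 8-byte UDP header
        out.append((src, dport, raw[start:start + length]))  # length drops frame padding
    return out

def classify(payload):
    if len(payload) < 5 or payload[:4] != b"\xff\xff\xff\xff":
        return "other"
    return KINDS.get(payload[4], "connectionless_other")

def tally_queries(text, server_port=27015):
    """Count (source IP, query kind) for packets addressed to the game port."""
    return Counter((s, classify(p)) for s, d, p in parse_packets(text) if d == server_port)

# Constructed sample: documentation addresses, zeroed checksums
SAMPLE = r"""
12:00:00.000001 IP 192.0.2.10.50000 > 198.51.100.1.27015: UDP, length 11
        0x0000:  4500 0027 0001 0000 4011 0000 c000 020a  E..'....@.......
        0x0010:  c633 6401 c350 6987 0013 0000 ffff ffff  .3d..Pi.........
        0x0020:  5453 6f75 7263 6500 0000 0000 0000       TSource.......
12:00:00.000090 IP 192.0.2.10.50000 > 198.51.100.1.27015: UDP, length 11
        0x0000:  4500 0027 0001 0000 4011 0000 c000 020a  E..'....@.......
        0x0010:  c633 6401 c350 6987 0013 0000 ffff ffff  .3d..Pi.........
        0x0020:  5453 6f75 7263 6500 0000 0000 0000       TSource.......
12:00:00.000150 IP 192.0.2.20.27005 > 198.51.100.1.27015: UDP, length 9
        0x0000:  4500 0025 0002 0000 4011 0000 c000 0214  E..%....@.......
        0x0010:  c633 6401 697d 6987 0011 0000 ffff ffff  .3d.i}i.........
        0x0020:  55ff ffff ff00 0000 0000 0000 0000       U.............
"""
```

Calling `tally_queries(open(path).read())` on a saved capture gives the same per-source counts; a single address sending many `A2S_INFO` queries per second stands out immediately.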
vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 05-07-2017 , 08:04   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #8

The script is not working. Can you help me on TeamViewer?
nikooo777
AlliedModders Donor
Join Date: Apr 2010
Location: Lugano, Switzerland
Old 05-07-2017 , 09:38   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #9

It works, but you need to understand it and edit it first.
Sorry, no, I don't have time for this, nor do I want to.
vortex.
AlliedModders Donor
Join Date: Jan 2017
Location: OnGameFrame()
Old 05-07-2017 , 11:49   Re: How Fix? - TSource Engine Attacks -
Reply With Quote #10

We edited it and tried. But it didn't work.