[joropito]

Sorry but that server is using droto. I can see the ip address in your hex dump... (port 27017 btw)

[peku33]

I've found out that this 'exploit' is based on A2S_* source IP spoofing.

'Hackers' computer sends A2S_* (packets used to get basic server info, ie used by gametracker, in-game server browser etc) to server with fake source IP. This source IP is set to victim server. Hackers sends 1000 requests to server, and it sends 1000 respones to victim server.

There are to things, which should be done to secure your server.

a) Prevent the server to be source of attacks by limiting A2S_* quries per second. There are a few cvars, but i don't know whether they are still woriking:

Code:

max_queries_global 20
max_queries_sec 3
max_queries_window 30

They will limit in (and out) A2S_* packets.


b) Cut all incoming A2S_* replays to server using 'iptables' (?). The replay format is FF FF FF FF [Byte determining type of replay: 6A (ping) 41 (getchallenge) 49 (info) 6D (info for p47) 44 (players) 45 (rules)] [some data]

[guven5]

Why some people talking about that sh*t like a new thing, i get that flood attack from 6-7 months (or more) now probably more atatckers and victims and started to talking about "alliedmods.net" forum... may be attack scripts a bit changed only (now more efective)

i dont know what people do but i know how stop that flood attack, good for some coders, if they have a solution they can get good donates (if we think there is too many game hostings over the world)

[rx1983]

My serve is being attacked. I get the following message:

Code:

Traffic from xxx.xxx.xxx was blocked for exceeding rate limits
Traffic from xxx.xxx.xxx was blocked for exceeding rate limits
Traffic from xxx.xxx.xxx was blocked for exceeding rate limits

we are talking about the same thing?

[Zephyrus]

anyway valve could only made the attack smaller but if you got a huge enough attack or as low as 300-400mb/s (as far as i know devnull achieved about that amount) can be enough to knock out a common server with a 100mbit connection

[joropito]

Quote:

Originally Posted by Alfred ---------- Forwarded message ---------- From: Alfred Reynolds<........> Date: Mon, Aug 6, 2012 at 6:25 PM Subject: Re: [hlds_linux] New 1.6 Exploit very dangerous! To: Half-Life dedicated Linux server mailing list <.......> I dug into a user report of this, they were running a plugin that lets people from stolen versions of the game play on servers (dproto), that software has (at least one) bug that means you can be attacked. So yeah, be careful the 3rd party software you use on a server, and if its job is to let people steal the game.... - Alfred

[last_hope]

Reason: No >>> No reason.
good luck..

[asherkin]

If your server is updated and you aren't using dproto, the issue is already solved.

[guven5]

Server cvar "max_queries_sec" = "***PROTECTED***"
Server cvar "max_queries_window" = "***PROTECTED***"


you cvar commands may be can reduce replay but what is that "PROTECTED"


also how to disable "FF FF FF FF" with iptables

Quote:

Originally Posted by asherkin If your server is updated and you aren't using dproto, the issue is already solved.

i have steam servers... also upto date, but still probem... smaller yes but somethings also depend attack parameters....

[YamiKaitou]

Update your server and you will not have to worry about this exploit.