Originally Posted by Kigen
Let's say an attacker only has one machine and must hide it. So he decides to only use 10Mbps. The attack packet is 42 bytes. 10 Megabits is 1310720 bytes. Divide that by 42 and you get approx. 31207 packets per second. Then we will look at the server. Most will be using shared hosting. This means that only a few hundred megabytes of memory will be available to the server. Let's say you are right that the IP record only takes 16 bytes (btw, look up struct padding). So let's say the server has 500MB extra aside from base SRCDS use (which is around 200-300MB). 500MB is 524288000 bytes. That means 32768000 IP records can be stored. That means that the server would only last 1050 seconds before it consumes all that available memory. Then let's say another server on the box crashes/restarts (because this is a shared host). The server would then start to allocate into that space the other server was using. However, the other server would no longer be able to malloc() SRCDS's needed space. Then an angry customer complains to the host provider. The host provider then sees that your SRCDS server is consuming an abnormal amount of RAM and then tries to restart it. But your server would fast consume the available memory. They would suspend your service.
All this because of a poorly coded plugin you were using.
I seriously hope you guys are joking about not caring about the list growing infinitely. You don't even at least have pruning to keep the list under a certain size so that when someone runs the command they don't see over 1000 lines of IPs. Seriously, it's pointless to be keeping a record of attacking IPs anyway since they will most likely be spoofed.
I've seen an attacker keep up a sustained spoofed IP attack at 100Mbps for over 2 months. That caused me to have to make my own anti-DoS plugin that covers all types of attacks against an SRCDS.
1. 16 bytes is the alignment size that x86 uses too, maybe you should look it up instead
2. any sane hosting would set up iptables rules in the first place, so if this extension causes a machine crash the customers do have a valid reason to complain, as they shouldn't even have to use it in the first place if they would have chosen a decent provider
3. by telling ppl not to use this, you basically tell them to eat 100% CPU in case of an attack instead of just having a server that crashes after running out of its memory (if someone even uses spoofed IPs to do such... I haven't met anyone doing so)
4. instead of telling ppl not to use this, you could have just as well provided the 2 lines to add to the code, to clear up the sourcehook list once it has 1000 IPs in it
5. feel free to share your great anti-dos plugin if this is poorly written...
6. most ppl don't get attacked by someone who has enough knowledge to spoof UDP headers
7. blame shitty internet providers without ingress/egress filtering, any ISP/Datacenter without such is poorly designed, so this plugin is the least of your problems
8. "That caused me to have to make my own anti-DoS plugin that covers all types of attacks against an SRCDS." -> as you haven't made anything like that publicly available I assume you made it for your own server and I have to tell you how useless it was instead of just using 2-3 iptables rules, BUT IT'S PROBABLY PROPERLY WRITTEN, so you have that at least, but don't judge yourself pls for not being able to use iptables
that being said any plugin against SRCDS DoS is poorly designed because you should be using iptables instead
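The pruning that point 4 of the reply asks for, as an added example that is neither the extension's code nor Kigen's plugin: a capped FIFO log of seen addresses (hypothetical `BoundedIpLog`, with a 1000-entry cap as the thread suggests), plus Kigen's time-to-exhaustion arithmetic for an unbounded table. The helper names and the 10.0.x.y sample addresses are constructed for the example.

```cpp
#include <cstddef>
#include <deque>
#include <string>
#include <unordered_set>

// Hypothetical bounded attacker-IP log (not the extension's own code).
// Once `cap` entries are held, the oldest is evicted before a new one is
// added, so memory stays O(cap) however long a spoofed flood runs.
class BoundedIpLog {
public:
    explicit BoundedIpLog(std::size_t cap) : cap_(cap) {}

    // Returns true if the address was newly recorded, false if already known.
    bool record(const std::string& ip) {
        if (seen_.count(ip) != 0) return false;   // known: no growth
        if (order_.size() >= cap_) {              // prune the oldest entry
            seen_.erase(order_.front());
            order_.pop_front();
        }
        order_.push_back(ip);
        seen_.insert(ip);
        return true;
    }
    bool contains(const std::string& ip) const { return seen_.count(ip) != 0; }
    std::size_t size() const { return order_.size(); }

private:
    std::size_t cap_;
    std::deque<std::string> order_;         // insertion order, for FIFO eviction
    std::unordered_set<std::string> seen_;  // O(1) membership test
};

// Feed `distinct` constructed addresses (10.0.x.y) through a log of size
// `cap` and return how many entries it still holds afterwards.
std::size_t floodDemo(std::size_t cap, unsigned distinct) {
    BoundedIpLog log(cap);
    for (unsigned i = 0; i < distinct; ++i)
        log.record("10.0." + std::to_string(i / 256) + "." + std::to_string(i % 256));
    return log.size();
}

// Seconds before an UNBOUNDED per-IP table fills `freeBytes`, given the
// flood rate, packet size and per-record cost (the post's arithmetic:
// 10 Mbit/s = 1310720 B/s of 42-byte packets, 16-byte records, 500 MB).
double secondsUntilExhausted(double bitsPerSec, double packetBytes,
                             double recordBytes, double freeBytes) {
    double packetsPerSec = (bitsPerSec / 8.0) / packetBytes;
    double records = freeBytes / recordBytes;
    return records / packetsPerSec;
}
```

With the post's numbers `secondsUntilExhausted` gives 1050 seconds, while the capped log never exceeds 1000 entries regardless of how many distinct spoofed sources arrive.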