[HolyDuFF]

Hey, my servers are being crashed by some kind of attack. It eats all my bandwidth (100 Mbps) and around 33% CPU usage per server IF the servers are running. If i terminate them it all works fine. And yes, i have searched all over google and this forum about this issue and i found lots of topics. But in most of them they were talking about Counter-Strike and my servers are for Counter-Strike: Source. I have seen the previous topic posted here from 8th august and i found a big topic that was about Counter-Strike. I also found links to some mail archive but that was all about linux and i'm running windows. However they said that if you update your server to the latest update this issue will be fixed. But the fix is an so called optional update. And at one topic a guy explained how to update your server to an optional update (Something about -hlbeta). But i have tried and it didn't work. So if you guys know how to update to an optional update or a fix to this issue. Please post it here so everyone can find and understand it so that nobody has to suffer from these horrible attacks anymore! Here is again what i'm running and logs from the attack.

Servers: Counter-Strike: Source (SRCDS)
Operating system: Windows Server 2008 R2 Standard x64

Detailed SRCDS information

Protocol version 22
Exe version 1.0.0.72 (cstrike)
Exe build: 18:27:57 Jun 27 2012 (4981) (240)

Logs (From SRCDS console)

NET_GetLong: Split packet from 188.93.232.62:30611 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 188.93.232.62:30611 with invalid split size (number 101/ count 18) where size 24946 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 178.211.32.231:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 178.211.32.231:27015 with invalid split size (number 48/ count 18) where size 13870 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.199.98.117:27019 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.199.98.117:27019 with invalid split size (number 97/ count 18) where size 27756 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.199.98.115:27038 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.199.98.115:27038 with invalid split size (number 119/ count 18) where size 28789 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 94.242.208.121:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 94.242.208.121:27015 with invalid split size (number 116/ count 18) where size 115 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 93.191.11.75:27016 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 93.191.11.75:27016 with invalid split size (number 105/ count 18) where size 27491 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 86.107.251.18:28012 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 86.107.251.18:28012 with invalid split size (number 0/ count 18) where size 30323 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 86.107.251.18:28012 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 86.107.251.18:28012 with invalid split size (number 0/ count 18) where size 30323 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 178.49.14.117:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 178.49.14.117:27015 with invalid split size (number 116/ count 18) where size 12288 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 78.157.84.48:27022 with invalid split size (number -1/ count 3) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 78.157.84.48:27022 with invalid split size (number 108/ count 19) where size 13056 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 78.157.84.48:27022 with invalid split size (number 103/ count 35) where size 24946 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 5.39.36.10:27034 with invalid split size (number-1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 5.39.36.10:27034 with invalid split size (number116/ count 18) where size 28521 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 91.204.161.168:27036 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 91.204.161.168:27036 with invalid split size (number 0/ count 18) where size 12337 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 200.58.104.23:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 200.58.104.23:27015 with invalid split size (number 105/ count 18) where size 111 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 77.241.194.40:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 77.241.194.40:27015 with invalid split size (number 116/ count 18) where size 27745 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 206.217.143.154:27018 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 206.217.143.154:27018 with invalid split size (number 48/ count 18) where size 29440 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 91.82.84.216:27869 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 91.82.84.216:27869 with invalid split size (number 0/ count 18) where size 49 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 217.112.171.103:27015 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 217.112.171.103:27015 with invalid split size (number 112/ count 18) where size 27743 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.198.62.189:27104 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.198.62.189:27104 with invalid split size (number 101/ count 18) where size 121 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 212.232.75.85:27017 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 212.232.75.85:27017 with invalid split size (number 108/ count 18) where size 31092 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 81.0.217.213:27045 with invalid split size (number -1/ count 2) where size -1 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 81.0.217.213:27045 with invalid split size (number 110/ count 18) where size 29796 is out of valid range [564 - 1248 ]

Thanks in advance!

[SmackDaddy]

Same thing happening here tonight, but TF2 server. Updating the server to "optional update" doesn't fix it.

Any help would be appreciated.

[nemaides]

I would suggest banning thoose IP's
I found a post on the steam forum with the same issue, they found that the IP's were cs1.6 servers
So i just did a lookup on thoose ip's you posted and what do you know, alot of cs1.6 servers

Quote:

188.93.232.62 : Dotsi.pt 88.199.98.117 : 1.6 Servers 178.211.32.231 : tactical genious 94.242.208.121 : None 88.199.98.115 : 1.6 servers 93.191.11.75 : 1.6 servers 86.107.251.18 : None 178.49.14.117 : Fortuna 78.157.84.48 : UpArena 5.39.36.10 : None 91.204.161.168 : CS1.6 and CS:GO Servers 200.58.104.23 : 1.6 Servers 77.241.194.40 : 1.6 Server SURF 24/7 206.217.143.154 : Lookstyle 1.6 91.82.84.216 : 1.6 Servers 217.112.171.103 : Gamester.avonet.cz 88.198.62.189 : Alot of 1.6 servers, different countrys? O.o 212.232.75.85 : Sobak 1.6 servers 81.0.217.213 : CSGame.cz

I know this post is a month old, but theres no solution yet, thought i would give atleast something.

[asherkin]

It's a known reflected DoS amplification vector, it was fixed in the goldsrc engine a couple of months back.
Unfortunately it'll take time for everyone to update their servers, and of course the large number of no-steam servers.

[nemaides]

Quote:

Originally Posted by asherkin It's a known reflected DoS amplification vector, it was fixed in the goldsrc engine a couple of months back. Unfortunately it'll take time for everyone to update their servers, and of course the large number of no-steam servers.

so you're saying this has been fixed? we updated our server on port 27015, and we still get flooded..
Ours is a css server btw, dunno if they havent updated it on there.
as a temp fix i made a batch file so i can easly update our 6 servers with newly added banned ip's when i discover them.

[asherkin]

Quote:

Originally Posted by nemaides so you're saying this has been fixed? we updated our server on port 27015, and we still get flooded..

No, it's the servers that are being used to attack you that need to update, best you can do is block them, as you've discovered.

[nemaides]

Quote:

Originally Posted by asherkin No, it's the servers that are being used to attack you that need to update, best you can do is block them, as you've discovered.

ah i see, it's sad that this even happened.. they should test their stuff before release.. well thx for the answer

[deepaklost]

this attack is back ... not sure how different it is ... but it shows Invalid split packet length in console before crash ...