DDoS Attack (VSE)

DDoS Attack (VSE)

Mathias Mortensen
Hello,


My server's getting flooded with a VSE DDoS attack. My server has DDoS protection, but it won't take it. Any other DDoS attack it does take, so what can I do? I'm on Linux Ubuntu 16.04.

Here are the server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS Attack) - found on a forum via Google.

Any idea to stop it with iptables? A packet limit?

_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

Re: DDoS Attack (VSE)

John
On 3/23/2017 1:34 PM, Mathias wrote:

> My server's getting flooded with a VSE DDoS attack. My server has DDoS
> protection, but it won't take it. Any other DDoS attack it does take, so
> what can I do? I'm on Linux Ubuntu 16.04.
>
> Here are the server logs - http://pastebin.com/Q2dbcEMt
>
> I also got how the script works (VSE DDoS Attack) - found on a forum
> via Google.
>
> Any idea to stop it with iptables? A packet limit?

The term "VSE" ("Valve Source Exploit") that the attackers like to use
is a misnomer because there isn't an exploit involved. These attacks
just flood a server with spoofed queries and/or connection attempts from
random sources, and Source can't handle the volume.

Currently the most effective general-purpose way to deal with these is
to whitelist real player IPs and rate-limit queries and connection
attempts from all other sources (down to around 1000/s). This can be
done with iptables using a combination of the ipset, hashlimit, and
bpf/u32/string modules.

Ideally, the game would be redesigned to use TCP for queries and the
very first part of the connection, offloading the first-contact tasks to
the OS, which has established methods for combating high-rate spoofed
TCP SYN floods. Internally, it could then straight drop all UDP packets
that don't correspond to a currently connected player.

-John
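The approach John describes (whitelist real players, rate-limit everyone else's queries and connection attempts, built from ipset, hashlimit, u32 and string) as a worked ruleset. This is an added example, not John's or Valve's code. It assumes the game port 27115 from Mathias's post; the set name, chain name and every rate except John's ~1000/s figure are illustrative, and the whitelist has to be fed from the server's own list of connected clients.

```shell
#!/bin/sh
# Added example (hypothetical, not from the thread): iptables/ipset ruleset
# following John's approach. Known player IPs bypass all limits; everyone
# else's connectionless Source packets (queries, connect requests) are
# rate-limited as a class. Assumptions: game port 27115 (Mathias's post);
# set/chain names and all rates except the ~1000/s figure are illustrative.
# Needs root and the ipset, hashlimit, u32 and string xtables modules.
# Set RUN=echo to print the commands instead of executing them.
set -e

GAME_PORT="${GAME_PORT:-27115}"
PLAYER_SET="${PLAYER_SET:-srcds_players}"
RUN="${RUN:-}"

ipt() { $RUN iptables "$@"; }
ips() { $RUN ipset "$@"; }

# Connectionless Source packets begin with 0xFFFFFFFF. The u32 expression
# takes the IP header length (IHL*4), skips the 8-byte UDP header and
# compares the first 4 payload bytes.
CONNLESS='0>>22&0x3C@8=0xFFFFFFFF'

setup_rules() {
    # Whitelist of verified players; entries expire unless refreshed.
    ips create "$PLAYER_SET" hash:ip timeout 600 -exist

    # Own chain so the rules can be rebuilt without touching the rest of INPUT.
    ipt -N SRCDS_GUARD 2>/dev/null || ipt -F SRCDS_GUARD
    ipt -D INPUT -p udp --dport "$GAME_PORT" -j SRCDS_GUARD 2>/dev/null || true
    ipt -I INPUT -p udp --dport "$GAME_PORT" -j SRCDS_GUARD

    # 1. Real players are never limited.
    ipt -A SRCDS_GUARD -m set --match-set "$PLAYER_SET" src -j ACCEPT

    # 2. Per-source cap. Only bites unspoofed senders (reflectors, single
    #    abusers); a spoofed flood spreads over random sources and never
    #    trips it, and htable-max bounds the state table under such a flood.
    ipt -A SRCDS_GUARD -m u32 --u32 "$CONNLESS" \
        -m hashlimit --hashlimit-name srcds_src --hashlimit-mode srcip \
        --hashlimit-above 50/sec --hashlimit-burst 100 \
        --hashlimit-htable-max 65536 -j DROP

    # 3. Aggregate cap on the whole connectionless class (John's ~1000/s);
    #    this is the rule that actually holds under a spoofed flood.
    ipt -A SRCDS_GUARD -m u32 --u32 "$CONNLESS" \
        -m hashlimit --hashlimit-name srcds_all --hashlimit-mode dstport \
        --hashlimit-above 1000/sec --hashlimit-burst 2000 -j DROP

    # 4. Tighter cap on A2S_INFO queries, matched on their fixed payload string.
    ipt -A SRCDS_GUARD -m string --algo bm --string "TSource Engine Query" \
        -m hashlimit --hashlimit-name srcds_info --hashlimit-mode dstport \
        --hashlimit-above 200/sec --hashlimit-burst 400 -j DROP

    # 5. Everything under the limits continues through INPUT as before.
    ipt -A SRCDS_GUARD -j RETURN
}

# Add (or refresh) one player IP in the whitelist. Feed this from the
# server's list of connected clients so the timeout keeps it current.
allow_player() {
    ips add "$PLAYER_SET" "$1" -exist
}

# Usage: sh srcds_guard.sh apply   (RUN=echo sh srcds_guard.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    setup_rules
fi
```

Rule order matters: the whitelist ACCEPT sits first so the limits only ever see unknown sources, and the per-source rule is deliberately not relied on alone, because against spoofed random sources only the aggregate cap (rule 3) does anything. Preview the generated commands with RUN=echo before applying them on a live box.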


Re: DDoS Attack (VSE)

Mathias Mortensen
Thanks John.

Could you guide me / send me the iptables rules?

My server is on port 27115 and the attack comes in on port 28960 - but blocking the port won't work (I have tried).

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."


Re: DDoS Attack (VSE)

John
If you're seeing packets from port 28960, you're most likely seeing a reflected query DDoS that is coming from CoDx servers (you can tell for certain by looking at the contents of captured packets -- look for the string 'statusResponse') -- not a direct query/connection flood, and likely not spoofed. You can safely block traffic from port 28960, or do a more thorough filter to block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John


Re: DDoS Attack (VSE)

Marco Padovan
Hi,

You should rate-limit that traffic.


Re: DDoS Attack (VSE)

Mathias Mortensen
In reply to this post by John
Thanks for this awesome help John! This kind of "attack" has been hitting me for days without stopping.

So I block the port every time they attack on a new port? And what if they attack the port directly? There must be some kind of filter possible on Linux with iptables. Anything I can tell my datacenter to fix this attack permanently?




Re: DDoS Attack (VSE)

Mathias Mortensen
How, Marco? A CSGO cvar? iptables?


Re: DDoS Attack (VSE)

dedimark
tcpdump needed :)


Re: DDoS Attack (VSE)

Mathias Mortensen
Thanks. How does tcpdump work? And how do I set it up? :)


Re: DDoS Attack (VSE)

dedimark
https://github.com/pavel-odintsov/fastnetmon

# collect a full dump of the attack with full payload in pcap compatible format
collect_attack_pcap_dumps = on
# Execute Deep Packet Inspection on captured PCAP packets
process_pcap_attack_dumps_with_dpi = on

On Fri, Mar 24, 2017 at 12:08 AM, Mathias <[hidden email]> wrote:
Thanks. How does tcpdump work? And setup? :)

2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <[hidden email]>:
tcpdump needed :)

On Thu, Mar 23, 2017 at 11:54 PM, Mathias <[hidden email]> wrote:
How Marco? CSGO Cvar? Iptables?

2017-03-23 22:53 GMT+01:00 Mathias <[hidden email]>:
Thanks for this awesome help John! This kind of "Attack" have been attacking me for days without stopping.

So i block the port everytime they attack on new port? And what if they attack on the port directly? There must be a kind of filter possible on Linux with Iptables. Anything i can tell me datacenter to fix this attack permanent?



2017-03-23 22:44 GMT+01:00 John <[hidden email]>:
If you're seeing packets from port 28960, you're most likely seeing a reflected query DDoS that is coming from CoDx servers (you can tell for certain by looking at the contents of captured packets -- look for the string 'statusResponse') -- not a direct query/connection flood, and likely not spoofed. You can safely block traffic from port 28960, or do a more thorough filter to block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John


On 3/23/2017 2:33 PM, Mathias wrote:
Thanks John.

Could you guide/send me the Iptables?
 
My server is on port 27115 and the attack comes in on port 28960 - But it wont work block the port (Have tried)

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

2017-03-23 22:27 GMT+01:00 John <[hidden email]>:
On 3/23/2017 1:34 PM, Mathias wrote:
My server's getting flood with VSE DDoS Attack. My server have DDoS Protection but it wont take it. any other DDoS Attack does it takes so what can i do? i'm on Linux Ubuntu 16.04.

Here is server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS Attack) - Found on a forum via Google

Any idea to stop it with Iptables? Packet limit?

The term "VSE" ("Valve Source Exploit") that the attackers like to use is a misnomer because there isn't an exploit involved. These attacks just flood a server with spoofed queries and/or connection attempts from random sources, and Source can't handle the volume.

Currently the most effective general-purpose way to deal with these is to whitelist real player IPs and rate-limit queries and connection attempts from all other sources (down to around 1000/s). This can be done with iptables using a combination of the ipset, hashlimit, and bpf/u32/string modules.

Ideally, the game would be redesigned to use TCP for queries and the very first part of the connection, offloading the first-contact tasks to the OS, which has established methods for combating high-rate spoofed TCP SYN floods. Internally, it could then straight drop all UDP packets that don't correspond to a currently connected player.

-John

_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers



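The rejected peers in the srcds log Mathias quotes above all share source port 28960, which is the pattern John identifies as a reflected flood rather than a direct query flood. As an added example that is not part of this thread or of any tool named in it, the Python below runs that check over those quoted lines: it parses the "rejecting A.B.C.D:PORT" messages, counts rejections per source port, and calls the flood reflected when one port dominates across several distinct IPs. The 90% dominance threshold and the second, contrasting sample log (a spoofed direct flood with scattered source ports, using RFC 5737 documentation addresses) are my assumptions; the log format is taken from the quoted lines, and the suggested rule is the one John posted, with the port filled in.

```python
import re
from collections import Counter

# Constructed sample: the srcds "IP rate limit" lines quoted in the thread.
SAMPLE_LOG = """\
IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
"""

# Constructed contrast case (assumed, not from the thread): a direct query flood from
# spoofed sources, where the rejected peers share no source port.
DIRECT_LOG = """\
IP rate limit sustained 90000 distributed packets at 3000.0 pps (900 buckets).
IP rate limit under distributed packet load (900 buckets, 15001 global count), rejecting 192.0.2.10:51234.
IP rate limit under distributed packet load (901 buckets, 15002 global count), rejecting 192.0.2.11:40001.
IP rate limit under distributed packet load (902 buckets, 15003 global count), rejecting 192.0.2.12:61002.
"""

REJECT_RE = re.compile(r"rejecting (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\.?$")
PPS_RE = re.compile(r"sustained \d+ distributed packets at ([\d.]+) pps")


def parse_rejections(log_text):
    """(ip, source_port) for every 'rejecting A.B.C.D:PORT' line."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def peak_pps(log_text):
    """Highest sustained packet rate the log reports, or 0.0 if none."""
    rates = [float(m.group(1)) for m in PPS_RE.finditer(log_text)]
    return max(rates) if rates else 0.0


def classify(log_text, dominance=0.9):
    """Reflected (many IPs, one fixed source port) versus direct/mixed rejections."""
    rejects = parse_rejections(log_text)
    if not rejects:
        return {"verdict": "no-data", "port": None, "share": 0.0,
                "distinct_ips": 0, "peak_pps": peak_pps(log_text)}
    by_port = Counter(port for _, port in rejects)
    port, hits = by_port.most_common(1)[0]
    share = hits / len(rejects)
    distinct_ips = len({ip for ip, _ in rejects})
    # Assumed heuristic: one source port on >= 90% of rejections from more than
    # one IP is the reflector signature; spoofed direct floods scatter the port.
    verdict = "reflected" if share >= dominance and distinct_ips > 1 else "direct-or-mixed"
    return {"verdict": verdict, "port": port, "share": share,
            "distinct_ips": distinct_ips, "peak_pps": peak_pps(log_text)}


def suggested_rule(result):
    """The port-based drop rule from the thread, with the dominant source port filled in."""
    if result["verdict"] != "reflected":
        return None
    return f"iptables -I INPUT -p udp --sport {result['port']} -j DROP"


if __name__ == "__main__":
    for name, text in (("quoted log", SAMPLE_LOG), ("direct flood", DIRECT_LOG)):
        result = classify(text)
        print(name, result, suggested_rule(result))
```

Only the "reflected" verdict yields a rule, because a direct flood with scattered source ports has nothing a source-port filter can catch; that case needs the whitelist-plus-rate-limit approach John describes earlier in the thread.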

Re: DDoS Attack (VSE)

Mathias Mortensen
Cool, thanks!!

Should I install this on the same server as the game server, or on another, smaller server?

2017-03-23 23:13 GMT+01:00 / UGC- Gaming.net / <[hidden email]>:
https://github.com/pavel-odintsov/fastnetmon

# collect a full dump of the attack with full payload in pcap compatible format
collect_attack_pcap_dumps = on
# Execute Deep Packet Inspection on captured PCAP packets
process_pcap_attack_dumps_with_dpi = on

On Fri, Mar 24, 2017 at 12:08 AM, Mathias <[hidden email]> wrote:
Thanks. How does tcpdump work? And setup? :)

2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <[hidden email]>:
tcpdump needed :)

On Thu, Mar 23, 2017 at 11:54 PM, Mathias <[hidden email]> wrote:
How Marco? CSGO Cvar? Iptables?

2017-03-23 22:53 GMT+01:00 Mathias <[hidden email]>:
Thanks for this awesome help John! This kind of "Attack" has been attacking me for days without stopping.

So I block the port every time they attack on a new port? And what if they attack the port directly? There must be some kind of filter possible on Linux with iptables. Anything I can tell my datacenter to fix this attack permanently?



2017-03-23 22:44 GMT+01:00 John <[hidden email]>:
If you're seeing packets from port 28960, you're most likely seeing a reflected query DDoS that is coming from CoDx servers (you can tell for certain by looking at the contents of captured packets -- look for the string 'statusResponse') -- not a direct query/connection flood, and likely not spoofed. You can safely block traffic from port 28960, or do a more thorough filter to block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John


On 3/23/2017 2:33 PM, Mathias wrote:
Thanks John.

Could you guide/send me the Iptables?
 
My server is on port 27115 and the attack comes in on port 28960, but blocking the port won't work (I have tried).

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

2017-03-23 22:27 GMT+01:00 John <[hidden email]>:
On 3/23/2017 1:34 PM, Mathias wrote:
My server's getting flooded with a VSE DDoS attack. My server has DDoS protection, but it won't take it. Any other DDoS attack it does take, so what can I do? I'm on Linux Ubuntu 16.04.

Here is server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS Attack) - Found on a forum via Google

Any idea to stop it with Iptables? Packet limit?

The term "VSE" ("Valve Source Exploit") that the attackers like to use is a misnomer because there isn't an exploit involved. These attacks just flood a server with spoofed queries and/or connection attempts from random sources, and Source can't handle the volume.

Currently the most effective general-purpose way to deal with these is to whitelist real player IPs and rate-limit queries and connection attempts from all other sources (down to around 1000/s). This can be done with iptables using a combination of the ipset, hashlimit, and bpf/u32/string modules.

Ideally, the game would be redesigned to use TCP for queries and the very first part of the connection, offloading the first-contact tasks to the OS, which has established methods for combating high-rate spoofed TCP SYN floods. Internally, it could then straight drop all UDP packets that don't correspond to a currently connected player.

-John


Re: DDoS Attack (VSE)

John
In reply to this post by Mathias Mortensen
You'll have to respond to each type of attack separately. There are hundreds of types of attacks that can be used, and some can't be filtered without also blocking legitimate traffic.

Your specific type of reflection attack is one of the easiest types to block, since you can even do a simple port-based filter and get all of it, with only a very small number of false-positives. There's no need to have your upstream filter it for you on their end unless you are seeing enough traffic to flood out your network adapter (check your bandwidth graph to see if that's the case).

Marco is mistaken; you shouldn't use a rate-limit for this type of attack, because you don't need any of it to get through. Rate-limits are only needed when there's a reasonable chance of false positives with the filter, in order to eliminate collateral damage when an attack is not in progress.

You don't need any special tool to get a packet capture with tcpdump, and you shouldn't try to send us a pcap file. Just run it directly. Capture 10 packets from your current attack with this, for instance:

tcpdump -nvXp -c 10 udp and src port 28960

A good GSP will have a mitigation system to block attacks like this one out-of-the-box upstream, and they should provide tools for capturing and/or filtering traffic through their control panel. Good GSPs also have extensive experience with mitigating many other types of attacks. If you haven't already spoken to your host, I recommend opening a ticket with them.

-John

On 3/23/2017 2:53 PM, Mathias wrote:
Thanks for this awesome help John! This kind of "Attack" has been attacking me for days without stopping.

So I block the port every time they attack on a new port? And what if they attack the port directly? There must be some kind of filter possible on Linux with iptables. Anything I can tell my datacenter to fix this attack permanently?



2017-03-23 22:44 GMT+01:00 John <[hidden email]>:
If you're seeing packets from port 28960, you're most likely seeing a reflected query DDoS that is coming from CoDx servers (you can tell for certain by looking at the contents of captured packets -- look for the string 'statusResponse') -- not a direct query/connection flood, and likely not spoofed. You can safely block traffic from port 28960, or do a more thorough filter to block that traffic. This is an example rule to just block the port.

iptables -I INPUT -p udp --sport 28960 -j DROP

-John


On 3/23/2017 2:33 PM, Mathias wrote:
Thanks John.

Could you guide/send me the Iptables?
 
My server is on port 27115 and the attack comes in on port 28960, but blocking the port won't work (I have tried).

"IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

2017-03-23 22:27 GMT+01:00 John <[hidden email]>:
On 3/23/2017 1:34 PM, Mathias wrote:
My server's getting flooded with a VSE DDoS attack. My server has DDoS protection, but it won't take it. Any other DDoS attack it does take, so what can I do? I'm on Linux Ubuntu 16.04.

Here is server logs - http://pastebin.com/Q2dbcEMt

I also got how the script works (VSE DDoS Attack) - Found on a forum via Google

Any idea to stop it with Iptables? Packet limit?

The term "VSE" ("Valve Source Exploit") that the attackers like to use is a misnomer because there isn't an exploit involved. These attacks just flood a server with spoofed queries and/or connection attempts from random sources, and Source can't handle the volume.

Currently the most effective general-purpose way to deal with these is to whitelist real player IPs and rate-limit queries and connection attempts from all other sources (down to around 1000/s). This can be done with iptables using a combination of the ipset, hashlimit, and bpf/u32/string modules.

Ideally, the game would be redesigned to use TCP for queries and the very first part of the connection, offloading the first-contact tasks to the OS, which has established methods for combating high-rate spoofed TCP SYN floods. Internally, it could then straight drop all UDP packets that don't correspond to a currently connected player.

-John

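John's verification step (capture a few packets and look for the string 'statusResponse') can be scripted once you have a capture file written by tcpdump -w. The Python below is an added example, not code from this thread, from fastnetmon, or from Valve: it reads a classic pcap file with only the standard library, walks the Ethernet/IPv4/UDP headers, and labels each packet as a reflected CoD status response (payload carries 'statusResponse'), a direct A2S_INFO query to the game port (the Source query format of four 0xFF bytes followed by 'T'), or other. The capture it analyses is constructed inside the block with RFC 5737 documentation addresses; the game port 27115 and reflector port 28960 are the values from the thread, and the A2S_INFO header is a known Source protocol detail rather than something the thread states.

```python
import socket
import struct
from collections import Counter

GAME_PORT = 27115       # the server port given in the thread
REFLECT_SPORT = 28960   # the source port John attributes to CoDx servers
PCAP_MAGIC = 0xA1B2C3D4

# ---- constructing a sample capture (not a real one) ------------------------------

def build_udp_frame(src_ip, sport, dst_ip, dport, payload):
    """Ethernet/IPv4/UDP frame carrying payload; checksums left at zero."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes(12) + b"\x08\x00"           # zero MACs, EtherType IPv4
    return eth + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap image, linktype 1 (Ethernet)."""
    parts = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", 1490300000 + i, 0, len(frame), len(frame)))
        parts.append(frame)
    return b"".join(parts)


# Constructed payloads: a Quake3-style status response (what a CoD reflector sends
# back) and a Source A2S_INFO query (what a direct query flood sends).
COD_STATUS = b"\xff\xff\xff\xffstatusResponse\n\\sv_hostname\\constructed\\"
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

SAMPLE_PCAP = build_pcap([
    build_udp_frame("198.51.100.10", REFLECT_SPORT, "203.0.113.5", GAME_PORT, COD_STATUS),
    build_udp_frame("198.51.100.11", REFLECT_SPORT, "203.0.113.5", GAME_PORT, COD_STATUS),
    build_udp_frame("198.51.100.12", REFLECT_SPORT, "203.0.113.5", GAME_PORT, COD_STATUS),
    build_udp_frame("192.0.2.77", 40123, "203.0.113.5", GAME_PORT, A2S_INFO),
    build_udp_frame("192.0.2.78", 53, "203.0.113.5", GAME_PORT, bytes(12)),
])

# ---- reading a capture -------------------------------------------------------------

def iter_udp(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each IPv4/UDP packet."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                                # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                        # truncated or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:
            continue                        # not IPv4, not UDP, or options overrun
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", ip, ihl)
        payload = ip[ihl + 8:ihl + ulen]
        yield (socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, payload)


def classify_packet(dport, payload):
    """Label one packet using the markers discussed in the thread."""
    if b"statusResponse" in payload[:40]:
        return "reflected-cod-status"       # the string John says to look for
    if dport == GAME_PORT and payload.startswith(b"\xff\xff\xff\xffT"):
        return "direct-a2s-info-query"      # A2S_INFO header (known Source format)
    return "other"


def summarize(pcap_bytes):
    """Count packet kinds and find the most common source port."""
    kinds, sports = Counter(), Counter()
    for _src, sport, _dst, dport, payload in iter_udp(pcap_bytes):
        kinds[classify_packet(dport, payload)] += 1
        sports[sport] += 1
    total = sum(kinds.values())
    return {
        "total": total,
        "kinds": dict(kinds),
        "top_sport": sports.most_common(1)[0][0] if sports else None,
        "reflected_share": kinds["reflected-cod-status"] / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

On a real host, save a capture with tcpdump -w attack.pcap -c 200 udp and src port 28960 and pass the file's bytes to summarize(); a result dominated by "reflected-cod-status" with top_sport 28960 confirms that the source-port drop rule John gives is safe, while a large "direct-a2s-info-query" count from many source ports means the whitelist-plus-rate-limit approach is needed instead. pcapng files, the default of newer Wireshark, are rejected by iter_udp rather than misparsed.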