ddos


ddos

Левинчук Федор-2
Hi everyone
 
need your help
i have this in iptables
http://pastebin.com/RX955Vjq
i have 128 tik servers
maybe some params in iptable are wrong or missing
but somehow attacker ddos my MM servers
can someone give advice?
thx in advance
 

_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

Re: ddos

Calvin J
Hi,

Nobody can help you with the information you have provided. Run a tcpdump and post that here. Though, chances are unlikely that you're going to be able to block this with IPTables unless it's small. (If the attack is exceeding the line speed, run the tcpdump over IPMI.)

Also, you should dump those firewall rules in the meantime as they're likely causing you more harm than good. I assume you followed that IPTables/Srcds Hardening guide on Alliedmodders. And while some of those rules may be useful, it's extremely unlikely that you needed to copy and paste everything in that thread.

Example usage of tcpdump.

tcpdump -i any -c 30000 -w dump1.pcap


--
Calvin Judy
Founder & CEO
PH#: (843) 410-8486
Mail: [hidden email]


Re: ddos

Левинчук Федор-2
Hi
 
before it i just block 0:32 byte packages ("connect" flood bug)
but someone dropdown my servers by make them do a lot of IO operations
I used this guide
https://github.com/ulrichblock/bash-scripts-gameserver/blob/master/iptables.sh
it helps, but not good enough

> /Srcds Hardening guide on Alliedmodders
It's outdated for today ddos bugs

> Run a tcpdump and post that here.
have one, a lot of packages from one IP with different length, drop link to dump later

> tcpdump -i any -c 30000 -w dump1.pcap
better
tcpdump -i any -C 100 -W 50 -w dump1.pcap

it will rollover dump in 50 files by 100mb
 
does someone use iptables & fail2ban combination?
 

Re: ddos

Bruno Garcia
fail2ban uses iptables for banning...


Re: ddos

Левинчук Федор
yep
I think better way is to ban IP that have more traffic to server than it should
but i don't know what params i need
for example
at one server i have 4 128 tick public servers with 20 slots each
at second server i have 4 128 tick public competitive with 11 slots and gotv(128 snapshot_rate) each

how to calculate rate rules in iptables and then ban ddos-ers at fail2ban?

05.10.2015, 16:30, "Bruno Garcia" <[hidden email]>:

> fail2ban uses iptables for banning...
>
> On Mon, Oct 5, 2015 at 2:42 AM, Левинчук Федор <[hidden email]> wrote:
>> Hi
>>
>> before it i just block 0:32 byte packages ("connect" flood bug)
>> but someone dropdown my servers by make them do a lot of IO operations
>> I used this guide
>> https://github.com/ulrichblock/bash-scripts-gameserver/blob/master/iptables.sh
>> it helps, but not good enough
>>
>>> /Srcds Hardening guide on Alliedmodders
>> It`s outdated for today ddos bugs
>>
>>> Run a tcpdump and post that here.
>> have one, a lot of packages from one IP with different length, drop link to dump later
>>
>>> tcpdump -i any -c 30000 -w dump1.pcap
>> better
>> tcpdump -i any -C 100 -W 50 -w dump1.pcap
>>
>> it will rollover dump in 50 files by 100mb
>>
>> does someone use iptables & fail2ban combination?
>>
>> 04.10.2015, 21:31, "Calvin J" <[hidden email]>:
>>> Hi,
>>>
>>> Nobody can help you with the information you have provided. Run a tcpdump and post that here. Though, chances are unlikely that you're going to be able to block this with IPTables unless it's small. (If the attack is exceeding the line speed, run the tcpdump over IPMI.)
>>>
>>> Also, you should dump those firewall rules in the meantime as they're likely causing you more harm than good. I assume you followed that IPTables/Srcds Hardening guide on Alliedmodders. And while some of those rules may be useful, it's extremely unlikely that you needed to copy and paste everything in that thread.
>>>
>>> Example usage of tcpdump.
>>>
>>> tcpdump -i any -c 30000 -w dump1.pcap
>>>
>>> On 10/4/2015 5:12 AM, Левинчук Федор wrote:
>>>> Hi everyone
>>>>
>>>> need your help
>>>> i have this in iptables
>>>> http://pastebin.com/RX955Vjq
>>>> i have 128 tik servers
>>>> maybe some params in iptable are wrong or missing
>>>> but somehow attacker ddos my MM servers
>>>> can someone give advice?
>>>> thx in advance
>>>>

Re: ddos

Don Park

Banning the IP through the server firewall still has the traffic coming to your server, therefore using your bandwidth (since it's server side deciding if it wants to drop the traffic).

For example, in very simple terms, if your server has a 100 mbit uplink and you block via iptables an IP that's DoSing you at 50 mbit, your resources are still being used up since it still hits the server and the server decides if it wants to pass it to the application or not. That is a little bit of mitigation but won't stop the problem.

Same thing can be applied to the datacenter level. Iptables are helpful for the smaller DoS and DDoS, but in the end I don't think it solves the actual core issue.

We're going to need more detail, like the tcpdump information or something, since all we have to go off of is nonessential information and vague descriptions. Also there's no detail as to what kind of DoS it is (e.g. layer 7 or 3) and if it really is distributed or not.


Re: ddos

Don Park

Oh also.  This is probably something you want for your iptables configuration if you do go that route.

https://steamcommunity.com/linkfilter/?url=http://whisper.ausgamers.com/wiki/index.php/Tickrate#Server_Bandwidth_Calculation_for_Dummies


Re: ddos

Nomaan Ahmad
That wiki is really old and isn't for CS:GO.


Re: ddos

Usman Khan

DDoS will still eat up your bandwidth even if blocked at your OS machine level.


Re: ddos

Don Park
In reply to this post by Nomaan Ahmad

Could you please explain how it's outdated then? Because it addresses the theoretical maximum bandwidth use within actual physical limitations of networking. The math is still the same. It's still used for Insurgency game servers and they share a fair amount of networking code.

On Oct 5, 2015 4:17 PM, "Nomaan Ahmad" <[hidden email]> wrote:
That wiki is really old and isn't for CS:GO.

On 5 October 2015 at 08:09, Don Park <[hidden email]> wrote:

Oh also.  This is probably something you want for your iptables configuration if you do go that route.

https://steamcommunity.com/linkfilter/?url=http://whisper.ausgamers.com/wiki/index.php/Tickrate#Server_Bandwidth_Calculation_for_Dummies

On Oct 5, 2015 4:06 PM, "Don Park" <[hidden email]> wrote:

Banning the ip through the server firewall still has the traffic coming to your server therefore using your bandwidth (since its server side deciding if it wants to drop the traffic). 

For example, in a very simple terms, if your server has 100 mbit uplink and you block via iptables an IP thats DoSing you at 50 mbit, your resources are still being used up since it still hits the server and the server decided if it wants to pass it to the application or not.  That is a little bit of mitigation but won't stop the problem. 

Same thing can be applied to the datacenter level.  Iptables are helpful for the smaller DoS and DDoS, but in the end I don't think it solves the actual core issue. 

We're going to need more detail, like the tcpdump information or something since all we have to go off of are nonessential information and vague descriptions.  Also there's no detail as to what kind of DoS it is (e.g. layer 7 or 3) and if it really is distributed or not. 

On Oct 5, 2015 3:49 PM, "Левинчук Федор" <[hidden email]> wrote:
yep
I think the better way is to ban IPs that have more traffic to the server than they should
but I don't know what params I need
for example
on one server I have 4 128 tick public servers with 20 slots each
on the second server I have 4 128 tick public competitive servers with 11 slots and GOTV (128 snapshot_rate) each

how do I calculate rate rules in iptables and then ban DDoSers with fail2ban?

05.10.2015, 16:30, "Bruno Garcia" <[hidden email]>:
> fail2ban uses iptables for banning...
>
> On Mon, Oct 5, 2015 at 2:42 AM, Левинчук Федор <[hidden email]> wrote:
>> Hi
>>
>> before it I just blocked 0:32 byte packages ("connect" flood bug)
>> but someone drops my servers by making them do a lot of IO operations
>> I used this guide
>> https://github.com/ulrichblock/bash-scripts-gameserver/blob/master/iptables.sh
>> it helps, but not well enough
>>
>>> /Srcds Hardening guide on Alliedmodders
>> It's outdated for today's ddos bugs
>>
>>> Run a tcpdump and post that here.
>> have one, a lot of packages from one IP with different lengths, will drop a link to the dump later
>>
>>> tcpdump -i any -c 30000 -w dump1.pcap
>> better
>> tcpdump -i any -C 100 -W 50 -w dump1.pcap
>>
>> it will roll the dump over across 50 files of 100 MB each
>>
>> does anyone use the iptables & fail2ban combination?
>>
>> 04.10.2015, 21:31, "Calvin J" <[hidden email]>:
>>> Hi,
>>>
>>> Nobody can help you with the information you have provided. Run a tcpdump and post that here. Though, chances are unlikely that you're going to be able to block this with IPTables unless it's small. (If the attack is exceeding the line speed, run the tcpdump over IPMI.)
>>>
>>> Also, you should dump those firewall rules in the meantime as they're likely causing you more harm than good. I assume you followed that IPTables/Srcds Hardening guide on Alliedmodders. And while some of those rules may be useful, it's extremely unlikely that you needed to copy and paste everything in that thread.
>>>
>>> Example usage of tcpdump.
>>>
>>> tcpdump -i any -c 30000 -w dump1.pcap
>>>
>>> On 10/4/2015 5:12 AM, Левинчук Федор wrote:
>>>> Hi everyone
>>>>
>>>> need your help
>>>> i have this in iptables
>>>> http://pastebin.com/RX955Vjq
>>>> i have 128 tik servers
>>>> maybe some params in iptable are wrong or missing
>>>> but somehow attacker ddos my MM servers
>>>> can someone give advice?
>>>> thx in advance
>>>>
>>>
>>> --
>>> Calvin Judy
>>> Founder & CEO
>>> PH#: (843) 410-8486
>>> Mail: [hidden email]

Re: ddos

Roland Mondek-2
It is and always will be possible to DDoS any CS:GO server if it does not use some kind of two-way DDoS protection. You can drop packets with a specific length or that do not contain a specific string, but it is very easy to copy a legit srcds packet with a legit length and flood any srcds server in the world with the legit packets. Those packets are for example qconnect or ...U.. packet. This is a common issue of SRCDS.

--
S pozdravom / Sincerely,
Roland Mondek


Re: ddos

Левинчук Федор
this is tcpdump during ddos
https://drive.google.com/open?id=0B9GQJednE4hjYnRrN2p0Tk44bmM



Re: ddos

Nathaniel Theis
that's a private file


Re: ddos

Ilyas
In reply to this post by Левинчук Федор
You must change the sharing options to "Anyone who is given the link to
the file or folder can access it"


Re: ddos

Левинчук Федор-2
another link
 
 

Re: ddos

Roland Mondek-2
Are you from Slovakia?




Re: ddos

Nathaniel Theis
What's the IP and port the attack's targeting? I assume the IP is
95.154.113.83?

On Mon, Oct 5, 2015 at 10:30 AM, Roland Mondek <[hidden email]> wrote:

> Are you from Slovakia?
>
> On 5.10.2015, at 19:20, Левинчук Федор <[hidden email]> wrote:
>
> another link
> https://yadi.sk/d/BjQQ09btjXnpz

Re: ddos

Calvin J
Another question, what makes him think there is an attack at all? I see that someone is monitoring the server via a local IP (10.55.56.61) on HLSW. And if the query limit settings aren't turned up a bit it will show timeouts on HLSW for 3-5 second intervals.

I have a feeling this is not an attack at all and he's just being timed out by the server due to sv_max_queries_sec.

Try setting sv_max_queries_sec to 10 or 15 and see if that resolves the timeouts.

--
Calvin Judy
Founder & CEO
PH#: (843) 410-8486
Mail: [hidden email]


Re: ddos

Nathaniel Theis
Yeah, I saw that query spam, but it looks just like monitoring and is in
private IP space. There are also packets from 95.154.85.178, which look
a little odd because of the huge asymmetry: it sent ~800KB to the
server on port 27028, and only got around 15KB back. The packets
themselves look pseudorandom, and there are two different source ports
in use.

That's the only other thing in there that raised my eyebrows.

On Mon, Oct 5, 2015 at 11:14 AM, Calvin J <[hidden email]> wrote:

> Another question, what makes him think there is an attack at all? I see that
> someone is monitoring the server via a local IP (10.55.56.61) on HLSW. And
> if the query limit settings aren't turned up a bit it will show timeouts on
> HLSW for 3-5 second intervals.
>
> I have a feeling this is not an attack at all and he's just being timed out
> by the server due to sv_max_queries_sec.
>
> Try setting sv_max_queries_sec to 10 or 15 and see if that resolves the
> timeouts.
>
> On 10/5/2015 1:44 PM, Nathaniel Theis wrote:
>
> What's the IP and port the attack's targetting? I assume the IP is
> 95.154.113.83?
>
> On Mon, Oct 5, 2015 at 10:30 AM, Roland Mondek <[hidden email]> wrote:
>
> Are you from Slovakia ?
>
>
>
> Dňa 5.10.2015, o 19:20, Левинчук Федор <[hidden email]> napísal:
>
> another link
> https://yadi.sk/d/BjQQ09btjXnpz
>
>
> 06.10.2015, 03:12, "Ilyas" <[hidden email]>:
>
> You must to change sharing options to "Anyone who is given the link to
> the file or folder can access it "
>
> --
> Calvin Judy
> Founder & CEO
> PH#: (843) 410-8486
> Mail: [hidden email]
>
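The asymmetry check described in the message above (far more bytes sent to the server than returned, several source ports, pseudorandom payloads), as an added example that is not part of the original thread. The packet tuple layout, the thresholds and every address are assumptions; the sample traffic is constructed, and a real run would fill the list from the capture file.

```python
import math
import os
from collections import Counter, defaultdict

SERVER = "198.51.100.10"  # constructed server address (documentation range)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def summarize(packets, server=SERVER):
    """Aggregate per remote peer: bytes in/out, source ports, inbound payload."""
    peers = defaultdict(lambda: {"in": 0, "out": 0, "sports": set(), "payload": bytearray()})
    for src, sport, dst, dport, payload in packets:
        if dst == server:
            p = peers[src]
            p["in"] += len(payload)
            p["sports"].add(sport)
            p["payload"] += payload  # kept in memory; fine for a small capture
        elif src == server:
            peers[dst]["out"] += len(payload)
    return peers

def flag_asymmetric(packets, min_in=100_000, min_ratio=20.0, min_entropy=7.5):
    """Return peers that send far more than they receive, with high-entropy payloads."""
    flagged = {}
    for ip, p in summarize(packets).items():
        ratio = p["in"] / max(p["out"], 1)
        h = entropy(bytes(p["payload"]))
        if p["in"] >= min_in and ratio >= min_ratio and h >= min_entropy:
            flagged[ip] = {"in": p["in"], "out": p["out"], "ratio": round(ratio, 1),
                           "sports": sorted(p["sports"]), "entropy": round(h, 2)}
    return flagged

def sample_packets():
    """Constructed traffic: one ordinary player and one lopsided sender."""
    pkts = []
    for _ in range(200):  # player: small, structured payloads in both directions
        pkts.append(("192.0.2.20", 27005, SERVER, 27028, b"\x00\x01usercmd" * 10))
        pkts.append((SERVER, 27028, "192.0.2.20", 27005, b"\x00\x02snapshot" * 12))
    for i in range(800):  # lopsided sender: ~800 KB in, from two source ports
        pkts.append(("203.0.113.7", 40000 + i % 2, SERVER, 27028, os.urandom(1000)))
    for _ in range(15):   # ...and only ~15 KB back
        pkts.append((SERVER, 27028, "203.0.113.7", 40000, b"\xff" * 1000))
    return pkts
```

A flagged peer is a lead for closer inspection of the capture, not proof of an attack; uploads and some voice traffic are also lopsided.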

Re: ddos

Левинчук Федор-2
In reply to this post by Nathaniel Theis

> 95.154.113.83?

Yes, it's my server IP
ports: 27025, 27026, 27027, 27028

> Are you from Slovakia?

Far Eastern Russia

> I have a feeling this is not an attack at all and he's just being timed out by the server due to sv_max_queries_sec.

It was at 6
now I set it to 2
 
 
06.10.2015, 03:46, "Nathaniel Theis" <[hidden email]>:

What's the IP and port the attack's targeting? I assume the IP is
95.154.113.83?

On Mon, Oct 5, 2015 at 10:30 AM, Roland Mondek <[hidden email]> wrote:

 Are you from Slovakia?



 On 5.10.2015, at 19:20, Левинчук Федор <[hidden email]> wrote:

 another link
 https://yadi.sk/d/BjQQ09btjXnpz


 06.10.2015, 03:12, "Ilyas" <[hidden email]>:

 You must change sharing options to "Anyone who is given the link to
 the file or folder can access it"
