Hi,

I caught a DDoS attack.
In Wireshark it looks like this: a mass of SSDP packets to the server
http://imgur.com/EMrA7F4

These are the dumps:
https://yadi.sk/d/E0PFxjEuk8vHM (~150mb)
dump36 < it is OK, no packets other than steam/csgo
dump37 < DDoS starts, SSDP packets
dump38 < DDoS continues, all players timed out
dump39 ...
 


07.10.2015, 13:16, "Ryan Bentley" <[email protected]>:
> Using hashlimit will certainly cause UDP packets to be erroneously dropped. 
> UDP is stateless, however iptables counters this with the hashlimit module to 
> create a hash based on the header of the packet to try and match it to a 
> 'connection' or a sequence of UDP packets. srcds is UDP based, 130/s will 
> probably cause packets to be dropped.
>
> On Wed, Oct 7, 2015 at 3:49 AM, Левинчук Федор <[email protected]> wrote:
>> I'm reading the iptables man page
>>
>> hashlimit
>>
>> it's a limit like the -limit key but creates a different query for each host
>> For SRCDS, will it limit packets for one connection?
>>
>> for example, in
>>
>> net_channels
>> - remote IP: 79.105.25.42:27005
>> - online: 14:00
>> - reliable: available
>> - latency: 0.1, loss 0.00
>> - packets: in 62.8/s, out 64.5/s
>> - choke: in 0.52, out 0.00
>> - flow: in 9.5, out 22.4 kB/s
>> - total: in 7.7, out 19.8 MB
>>
>> NetChannel 'psch':
>> - remote IP: 94.245.190.164:27005
>> - online: 07:16
>> - reliable: available
>> - latency: 0.1, loss 0.00
>> - packets: in 128.6/s, out 130.0/s
>> - choke: in 0.00, out 0.00
>> - flow: in 20.6, out 43.5 kB/s
>> - total: in 8.2, out 19.4 MB
>>
>> My servers have 128 ticks
>>
>> and if I make
>>
>> IPTABLES -A INPUT -p udp --dport 27015:27540 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto 130/s -j ACCEPT
>> IPTABLES -A INPUT -p udp --dport 27015:27540 -j DROP
>>
>> will it pass normal player connections and drop if there are more than 130
>> packets per second for each? Or am I mistaken?
>>
>> 06.10.2015, 09:34, "Calvin J" <[email protected]>:
>>> :\
>>>
>>> sv_max_queries_sec 15
>>>
>>> On 10/5/2015 7:26 PM, Левинчук Федор wrote:
>>>> OK, thanks, I'll bring it back to default.
>>>> The description of this cvar is not clear.
>>>> I tested with sv_max_queries_sec "2.0"; at the console I saw lines about
>>>> limits for my HLSW queries and thought it was some kind of protection, and
>>>> that a lower cvar is better.
>>>>
>>>> Now I'm thinking maybe there are commands that increase IO operations,
>>>> like it was with "sound_test"?
>>>
>>> --
>>> Calvin Judy
>>> Founder & CEO
>>> PH#: (843) 410-8486
>>> Mail: [email protected]
>>>
>>> _______________________________________________
>>> Csgo_servers mailing list
>>> [email protected]
>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

_______________________________________________
Csgo_servers mailing list
[email protected]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
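
The pattern reported at the top of this message (SSDP packets flooding the game server), as an added triage example that is not part of the original thread: it counts, per source IP, the UDP packets in a capture that arrive at the game port range from source port 1900, which is where SSDP replies originate. It assumes a classic little-endian pcap with Ethernet frames (a pcapng dump must be converted first); the function names, the sample capture and its addresses are constructed for illustration.

```python
import struct
from collections import Counter

GAME_PORTS = range(27015, 27541)  # --dport 27015:27540 from the thread
SSDP_PORT = 1900                  # SSDP replies leave reflectors from UDP/1900

def udp_flows(pcap):
    """Yield (src_ip, sport, dport) per IPv4/UDP packet of a classic pcap."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24                              # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                      # truncated or not IPv4
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:
            continue                      # not UDP
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield ".".join(map(str, frame[26:30])), sport, dport

def ssdp_reflectors(pcap):
    """Packets per source IP that hit a game port from source port 1900."""
    hits = Counter()
    for src, sport, dport in udp_flows(pcap):
        if sport == SSDP_PORT and dport in GAME_PORTS:
            hits[src] += 1
    return hits

def _frame(src, sport, dport, payload=b"x"):
    """Constructed Ethernet/IPv4/UDP frame; checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_pcap():
    """Constructed capture: two reflectors and one ordinary game client."""
    pkts = ([("198.51.100.7", 1900, 27015)] * 3
            + [("203.0.113.9", 1900, 27016)] * 2
            + [("198.51.100.50", 27005, 27015)])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in pkts:
        f = _frame(*p)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `ssdp_reflectors(sample_pcap()).most_common()` lists the constructed reflectors by packet count; on a real capture, pass the file's bytes instead. Legitimate clients in the thread's `net_channels` output use source port 27005, so they do not appear in the result.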