You'll have to respond to each type of attack separately. There are hundreds of types of attacks that can be used, and some can't be filtered without also blocking legitimate traffic.

Your specific type of reflection attack is one of the easiest types to block, since you can even do a simple port-based filter and get all of it, with only a very small number of false positives. There's no need to have your upstream filter it for you on their end unless you are seeing enough traffic to flood out your network adapter (check your bandwidth graph to see if that's the case).

Marco is mistaken; you shouldn't use a rate-limit for this type of attack, because you don't need any of it to get through. Rate-limits are only needed when there's a reasonable chance of false positives with the filter, in order to eliminate collateral damage when an attack is not in progress.

You don't need any special tool to get a packet capture with tcpdump, and you shouldn't try to send us a pcap file. Just run it directly. Capture 10 packets from your current attack with this, for instance:

tcpdump -nvXp -c 10 udp and src port 28960

A good GSP will have a mitigation system to block attacks like this one out-of-the-box upstream, and they should provide tools for capturing and/or filtering traffic through their control panel. Good GSPs also have extensive experience with mitigating many other types of attacks. If you haven't already spoken to your host, I recommend opening a ticket with them.

-John
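The two filters discussed in this thread (the source-port drop for the reflected CoD traffic, and the ipset whitelist plus hashlimit plus string-match approach John describes further down for Source query floods) as one added example script; this is not code from John or the list. It assumes the game server listens on udp/27115 as Mathias states, that the ipset is called "players", and that 1000/s is the global query budget for non-whitelisted hosts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: game server on
# udp/27115, reflected CoD responses arrive from udp/28960, ipset "players"
# holds known player IPs. Run with "print" to review, "apply" (as root) to load.
GAME_PORT=${GAME_PORT:-27115}
REFLECT_SPORT=${REFLECT_SPORT:-28960}
QUERY_LIMIT=${QUERY_LIMIT:-1000/s}   # John's "around 1000/s" for unknown sources

# Emit the rule set to stdout so it can be reviewed before it touches the host.
build_rules() {
    cat <<EOF
ipset -exist create players hash:ip
iptables -N GAME_IN 2>/dev/null || true
iptables -F GAME_IN
# Reflected query responses always arrive FROM udp/$REFLECT_SPORT: drop by source port.
iptables -C INPUT -p udp --sport $REFLECT_SPORT -j DROP 2>/dev/null || iptables -I INPUT -p udp --sport $REFLECT_SPORT -j DROP
# Known players bypass the limiter entirely.
iptables -A GAME_IN -m set --match-set players src -j ACCEPT
# A2S_INFO queries ("TSource Engine Query") from everyone else share one bucket, capped at $QUERY_LIMIT.
iptables -A GAME_IN -p udp -m string --algo bm --string "TSource Engine Query" -m hashlimit --hashlimit-name a2s_query --hashlimit-mode dstport --hashlimit-above $QUERY_LIMIT -j DROP
iptables -A GAME_IN -j RETURN
iptables -C INPUT -p udp --dport $GAME_PORT -j GAME_IN 2>/dev/null || iptables -I INPUT -p udp --dport $GAME_PORT -j GAME_IN
EOF
}

# Load the rules (root required); the -C checks make reruns idempotent.
apply_rules() { build_rules | sh -e; }

# Add a connected player's address to the whitelist (e.g. from the connect log).
add_player() { ipset -exist add players "$1"; }

case "${1:-}" in
    print) build_rules ;;
    apply) apply_rules ;;
esac
```

Non-query traffic to the game port that is not from a whitelisted player simply returns to INPUT, so any existing rules there still apply to it.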

On 3/23/2017 2:53 PM, Mathias wrote:
Thanks for this awesome help, John! This kind of "attack" has been hitting me for days without stopping.

So I block the port every time they attack on a new port? And what if they attack on the port directly? There must be some kind of filter possible on Linux with iptables. Anything I can tell my datacenter to fix this attack permanently?



2017-03-23 22:44 GMT+01:00 John <[email protected]>:

    If you're seeing packets from port 28960, you're most likely
    seeing a reflected query DDoS that is coming from CoDx servers
    (you can tell for certain by looking at the contents of captured
    packets -- look for the string 'statusResponse') -- not a direct
    query/connection flood, and likely not spoofed. You can safely
    block traffic from port 28960, or do a more thorough filter to
    block that traffic. This is an example rule to just block the port.

    iptables -I INPUT -p udp --sport 28960 -j DROP

    -John


    On 3/23/2017 2:33 PM, Mathias wrote:
    Thanks John.

    Could you guide/send me the Iptables?

    My server is on port 27115 and the attack comes in on port 28960
    - But it won't work to block the port (I have tried)

    "IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
    IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
    IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
    IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
    IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
    IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
    IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
    IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960."

    2017-03-23 22:27 GMT+01:00 John <[email protected]>:

        On 3/23/2017 1:34 PM, Mathias wrote:

            My server's getting flooded with a VSE DDoS attack. My server
            has DDoS protection but it won't take it. Any other DDoS
            attack it does take, so what can I do? I'm on Linux
            Ubuntu 16.04.

            Here is server logs - http://pastebin.com/Q2dbcEMt

            I also got how the script works (VSE DDoS Attack) - Found
            on a forum via Google

            Any idea how to stop it with iptables? Packet limit?


        The term "VSE" ("Valve Source Exploit") that the attackers
        like to use is a misnomer because there isn't an exploit
        involved. These attacks just flood a server with spoofed
        queries and/or connection attempts from random sources, and
        Source can't handle the volume.

        Currently the most effective general-purpose way to deal with
        these is to whitelist real player IPs and rate-limit queries
        and connection attempts from all other sources (down to
        around 1000/s). This can be done with iptables using a
        combination of the ipset, hashlimit, and bpf/u32/string modules.

        Ideally, the game would be redesigned to use TCP for
        queries and the very first part of the connection, offloading
        the first-contact tasks to the OS, which has established
        methods for combating high-rate spoofed TCP SYN floods.
        Internally, it could then straight drop all UDP packets that
        don't correspond to a currently connected player.

        -John

        _______________________________________________
        Csgo_servers mailing list
        [email protected]
        https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

