Was there not a metamod extension that could help mitigate this issue at some point, or am I mistaken?
And yes, this does seem like the most likely cause. If the address is being spoofed, that makes sense why the firewall block you placed on the spoofed address is ineffective. What you could always do is grab a copy of Wireshark and capture a dump at the time the error is generated to confirm the diagnosis. A2S_INFO packets have a predefined structure which is documented on the Valve development wiki. I imagine since the server is mitigating it to some effect (hence the messages being generated), that's why you are seeing minimal performance decrease.

On 19 Jan 2016 2:37 a.m., "David Parker" <[email protected]> wrote:
> Hello,
>
> This is usually caused by an attack which simply floods the server with
> queries (usually A2S_INFO).
>
> This happened on one of my servers a few months ago (running on Linux),
> and the offending IP address was owned by NFO. I contacted them and had a
> good discussion with a few of the NFO guys. It turned out that someone in
> Russia was doing this to a lot of servers, and spoofing the NFO IP as the
> source. They said it wasn't the first time this had happened, but they
> were very helpful in diagnosing the issue and figuring out what was
> happening.
>
> I simply used a firewall rule to block the source IP, and the messages
> stopped immediately.
>
> Hope this helps.
>
> - Dave
>
> On Mon, Jan 18, 2016 at 7:34 PM, [email protected] <
> [email protected]> wrote:
>
>> Hello Everyone,
>>
>> I've searched the web on this but can't find the specific answers I'm
>> looking for so I'm coming to my fellow server operators for a little
>> guidance. I'm hoping some of you have seen or experienced what I'm writing
>> about below.
>>
>> I still love and use HLSW to watch the logs of my servers constantly.
>> More and more often now I'm seeing messages similar to the ones below
>> flooding my console (the IP addresses and ports change but the messages are
>> the same):
>>
>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>> 11:55:46 L 01/18/2016 - 11:55:46: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
>>
>> My initial research says that these are attacks on my servers but I'm not
>> so sure that's correct. I'm running my TF2 and CSS servers on my own
>> Windows 2008 Dedicated server and when I see these messages, I immediately
>> add them to a Windows Firewall rule I have to block any and all traffic
>> from these IPs before the server even sees it. What's interesting is that I
>> still see these messages even though they get added to the firewall's block
>> list. Eventually they stop but a little while later, I get messages like it
>> from other IPs. Sometimes I can go a day or two without any, and other days
>> I get as many as 15 IPs doing this.
>>
>> I want to note that I don't see any significant performance hits on the
>> servers when this occurs but I'd like to know more about these messages as
>> they specifically relate to a game server. Based upon the content of the
>> message, I assume these mean something bad is being blocked.
>>
>> What I find even more interesting is that many of the offending IPs that
>> are doing this are the specific IP addresses and ports from other game
>> servers. In the case of the one above, it belongs to a CS 1.6 server in
>> Russia. Why would another game server box be attempting to connect to my
>> servers on the same port it's being hosted on?
>>
>> This problem has grown in frequency over the past few months. Prior to
>> that, I don't remember seeing these messages at all in console.
>>
>> Can anyone give me some background on what these mean and what they're
>> about? Also, any idea why the Windows Firewall doesn't block their traffic
>> completely when I add them to the scope of the Firewall wall so they don't
>> appear in the console logs?
>>
>> Thanks for reading and Happy Monday,
>> Mike Vail
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>
> --
> Dave Parker
> Systems Administrator
> Utica College
> Integrated Information Technology Services
> (315) 792-3229
> Registered Linux User #408177
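An added example, not part of the original thread: one way to check records exported from a packet capture against the A2S_INFO request structure mentioned in the reply, and to tally queries per claimed source. The record layout, the `threshold_per_sec` value and the sample addresses are assumptions made for illustration.

```python
from collections import Counter

# A2S_INFO request layout (Valve developer wiki): 4-byte 0xFFFFFFFF header,
# type byte 0x54 ('T'), the NUL-terminated string "Source Engine Query",
# optionally followed by a 4-byte challenge.
A2S_INFO_REQUEST = b"\xff\xff\xff\xff\x54Source Engine Query\x00"

def is_a2s_info_request(payload: bytes) -> bool:
    """True if a UDP payload is a well-formed A2S_INFO request."""
    if not payload.startswith(A2S_INFO_REQUEST):
        return False
    extra = len(payload) - len(A2S_INFO_REQUEST)
    return extra in (0, 4)  # bare query, or query plus challenge

def summarize(records, threshold_per_sec=5):
    """Count A2S_INFO requests per claimed source and flag bursts.

    records: iterable of (epoch_seconds, src_ip, src_port, udp_payload).
    threshold_per_sec is a hypothetical cut-off, not a server setting.
    Returns (totals per source, sources over the threshold in any second).
    """
    totals, per_second = Counter(), Counter()
    for ts, ip, port, payload in records:
        if is_a2s_info_request(payload):
            src = f"{ip}:{port}"
            totals[src] += 1
            per_second[(src, int(ts))] += 1
    flooding = {src for (src, _), n in per_second.items() if n > threshold_per_sec}
    return totals, flooding

# Constructed sample standing in for rows exported from a capture
# (documentation-range addresses, not taken from the thread).
SAMPLE = (
    [(1453139744.0 + i * 0.1, "198.51.100.7", 27021, A2S_INFO_REQUEST) for i in range(8)]
    + [(1453139744.5, "203.0.113.9", 40000, A2S_INFO_REQUEST + b"\x01\x02\x03\x04")]
    + [(1453139745.0, "198.51.100.7", 27021, b"\xff\xff\xff\xff\x55\xff\xff\xff\xff")]
)

if __name__ == "__main__":
    totals, flooding = summarize(SAMPLE)
    for src, n in totals.most_common():
        print(f"{src}: {n} A2S_INFO requests{' (burst)' if src in flooding else ''}")
```

The source shown for each record is only what the packet claims; with spoofed traffic it names the address being forged rather than the sender.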

