I had this problem happen to me last summer, several times. I could usually get
it to stop by adding the IP to the firewall. But 2 times I was unable to get it
to stop. I contacted NFO (my VDS host) and got them to block it on their
router. The IP address always pointed to spoofed NFO server addresses. The
servers usually had been offline at the time (turned off by the owner for
whatever reason). They should not have been sending any traffic at all. At
least for me this only happened on the goldsource game servers and never on
source games. I have not seen this happen anymore since at least August.
Lorne
From: [email protected]
Date: Mon, 18 Jan 2016 22:02:54 -0500
To: [email protected]
CC: [email protected]
Subject: Re: [hlds] Need Help with "Traffic from IP was blocked for exceeding
rate limits" Messages
That's exactly what the president of NFO said it was: a reflection attack. He
said someone was firing a huge amount of queries at game servers using the
spoofed NFO IP as the source, and the server which really had that IP address
was receiving all of the query responses, even though it never sent the
requests. Unfortunately for the customer with that IP, it had practically
crippled the server at that point.
- Dave
On Mon, Jan 18, 2016 at 9:49 PM, Weasels Lair <[email protected]> wrote:
Yep. An unfortunate downside to UDP-based applications is there is no "session"
to manage. All packets are kind of "fire and forget". Very easy to spoof. Not
that you can't spoof TCP too, but then the conversation falls apart with no
reliable way to respond back.
In this case, it would be categorized as a sort of reflection attack, since
it's intended obviously to make affected systems take the knee-jerk reaction of
blocking or reporting NFO as a bad player - when in fact the traffic isn't
really coming from them.
I just switched to them as a host, and love it so far.
On Jan 18, 2016 6:37 PM, "David Parker" <[email protected]> wrote:
Hello,
This is usually caused by an attack which simply floods the server with queries
(usually A2S_INFO).
This happened on one of my servers a few months ago (running on Linux), and the
offending IP address was owned by NFO. I contacted them and had a good
discussion with a few of the NFO guys. It turned out that someone in Russia
was doing this to a lot of servers, and spoofing the NFO IP as the source.
They said it wasn't the first time this had happened, but they were very
helpful in diagnosing the issue and figuring out what was happening.
I simply used a firewall rule to block the source IP, and the messages stopped
immediately.
Hope this helps.
- Dave
On Mon, Jan 18, 2016 at 7:34 PM, [email protected]
<[email protected]> wrote:
Hello Everyone,
I've searched the web on this but can't find the specific answers I'm looking
for so I'm coming to my fellow server operators for a little guidance. I'm
hoping some of you have seen or experienced what I'm writing about below.
I still love and use HLSW to watch the logs of my servers constantly. More and
more often now I'm seeing messages similar to the ones below flooding my
console (the IP addresses and ports change but the messages are the same):
11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:44 L 01/18/2016 - 11:55:44: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:45 L 01/18/2016 - 11:55:45: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
11:55:46 L 01/18/2016 - 11:55:46: Traffic from 188.127.239.74:27021 was blocked for exceeding rate limits
My initial research says that these are attacks on my servers but I'm not so
sure that's correct. I'm running my TF2 and CSS servers on my own Windows 2008
Dedicated server and when I see these messages, I immediately add them to a
Windows Firewall rule I have to block any and all traffic from these IPs before
the server even sees it. What's interesting is that I still see these messages
even though they get added to the firewall's block list. Eventually they stop
but a little while later, I get messages like it from other IPs. Sometimes I can
go a day or two without any, and other days I get as many as 15 IPs doing this.
I want to note that I don't see any significant performance hits on the servers
when this occurs but I'd like to know more about these messages as they
specifically relate to a game server. Based upon the content of the message, I
assume these mean something bad is being blocked.
What I find even more interesting is that many of the offending IPs that are
doing this are the specific IP addresses and ports from other game servers. In
the case of the one above, it belongs to a CS 1.6 server in Russia. Why would
another game server box be attempting to connect to my servers on the same port
it's being hosted on?
This problem has grown in frequency over the past few months. Prior to that, I
don't remember seeing these messages at all in console.
Can anyone give me some background on what these mean and what they're about?
Also, any idea why the Windows Firewall doesn't block their traffic completely
when I add them to the scope of the Firewall wall so they don't appear in the
console logs?
Thanks for reading and Happy Monday,
Mike Vail
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
--
Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
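
Added example, not part of the original thread: a Python triage script that groups the "exceeding rate limits" console lines by source and marks sources whose port looks like another game server's, the pattern the thread attributes to spoofed reflection traffic. The sample log is constructed in the format quoted above; `summarize`, `GAME_PORTS` and the 27000-27050 port range are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Console line format as quoted in the thread (HLSW time prefix + server log line).
LINE_RE = re.compile(
    r"L (\d{2}/\d{2}/\d{4}) - (\d{2}:\d{2}:\d{2}): Traffic from "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) was blocked for exceeding rate limits"
)
# Assumption of this example: ports near the Source/GoldSrc default (27015)
# suggest the "sender" address belongs to another game server.
GAME_PORTS = range(27000, 27051)

def summarize(log_text):
    """Group rate-limit drops by source ip:port, busiest source first."""
    # Collapse whitespace so wrapped or run-together pastes still parse.
    text = " ".join(log_text.split())
    per_second = defaultdict(Counter)
    for date, time, ip, port in LINE_RE.findall(text):
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        per_second[(ip, int(port))][stamp] += 1
    report = []
    for (ip, port), seconds in per_second.items():
        report.append({
            "source": f"{ip}:{port}",
            "total": sum(seconds.values()),
            "peak_per_second": max(seconds.values()),
            "first": min(seconds),
            "last": max(seconds),
            # True: the address is probably forged and its real owner is
            # likely the reflection target rather than the attacker.
            "game_port_source": port in GAME_PORTS,
        })
    return sorted(report, key=lambda r: r["total"], reverse=True)

# Constructed sample: the source quoted in the thread plus one made-up client.
_FMT = "{t} L 01/18/2016 - {t}: Traffic from {s} was blocked for exceeding rate limits"
SAMPLE_LOG = "\n".join(_FMT.format(t=t, s=s) for t, s in [
    ("11:55:44", "188.127.239.74:27021"), ("11:55:44", "188.127.239.74:27021"),
    ("11:55:45", "188.127.239.74:27021"), ("11:55:45", "188.127.239.74:27021"),
    ("11:55:45", "188.127.239.74:27021"), ("11:55:46", "203.0.113.5:51234"),
])

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A source flagged `game_port_source` is a candidate for contacting the address owner or hosting provider, as the posters did, before treating it as the origin of the flood.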