Re: [Csgo_servers] DDoS Attack (VSE)

Discussion in 'HLDS / Valve Windows newsletter' started by John, Mar 23, 2017.

  1. John

    John Guest

    On 3/23/2017 1:34 PM, Mathias wrote:
    > My server's getting flood with VSE DDoS Attack. My server have DDoS
    > Protection but it wont take it. any other DDoS Attack does it takes so
    > what can i do? i'm on Linux Ubuntu 16.04.
    >
    > Here is server logs - http://pastebin.com/Q2dbcEMt
    >
    > I also got how the script works (VSE DDoS Attack) - Found on a forum
    > via Google
    >
    > Any idea to stop it with Iptables? Packet limit?

    The term "VSE" ("Valve Source Exploit") that the attackers like to use
    is a misnomer because there isn't an exploit involved. These attacks
    just flood a server with spoofed queries and/or connection attempts from
    random sources, and Source can't handle the volume.

    Currently the most effective general-purpose way to deal with these is
    to whitelist real player IPs and rate-limit queries and connection
    attempts from all other sources (down to around 1000/s). This can be
    done with iptables using a combination of the ipset, hashlimit, and
    bpf/u32/string modules.

    Ideally, the game would be redesigned to using TCP for queries and the
    very first part of the connection, offloading the first-contact tasks to
    the OS, which has established methods for combating high-rate spoofed
    TCP SYN floods. Internally, it could then straight drop all UDP packets
    that don't correspond to a currently connected player.

    -John

    _______________________________________________
    Csgo_servers mailing list
    Csgo_servers@list.valvesoftware.com
    https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
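The whitelist-plus-rate-limit scheme John outlines above, written out as an added example (it is not code from the thread, from Valve, or from John). It assumes the server listens on UDP 27115 (Mathias's port), an ipset named csgo_players holds known-good player addresses, and everything else shares a single budget of about 1000 query packets per second; the header bytes it matches are the standard Source connectionless packet types. Per-source limits would do nothing against a flood that spoofs a fresh address per packet, so the bucket is keyed on the destination port, which gives one global counter; the whitelist exists so that players already known to the server are never caught by that counter during an attack. Set IPT=echo IPSET=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: ipset whitelist + global hashlimit on Source query packets.
# Assumed values (override via environment): game port 27115, set name
# csgo_players, budget 1000 packets/s with a burst of 200.
GAME_PORT="${GAME_PORT:-27115}"
WHITELIST="${WHITELIST:-csgo_players}"
QUERY_RATE="${QUERY_RATE:-1000}"   # packets/s allowed from non-whitelisted sources
QUERY_BURST="${QUERY_BURST:-200}"
IPT="${IPT:-iptables}"             # IPT=echo for a dry run
IPSET="${IPSET:-ipset}"            # IPSET=echo for a dry run

# Source "connectionless" packets start with 0xFFFFFFFF and a one-byte type:
# 'T' A2S_INFO, 'U' A2S_PLAYER, 'V' A2S_RULES, 'q' A2S_GETCHALLENGE.
# Matching only these bytes (payload offset 28 = 20 IP + 8 UDP header bytes)
# keeps the limiter away from in-game traffic of connected players.
QUERY_HEADERS="54 55 56 71"

# Add a player's address once they have actually joined (from a plugin or
# a log tail); the entry expires after 12 hours unless refreshed.
whitelist_add() {
  $IPSET -exist add "$WHITELIST" "$1" timeout 43200
}

apply_rules() {
  $IPSET -exist create "$WHITELIST" hash:ip timeout 43200

  # Dedicated chain so the rules can be flushed and re-applied as a unit.
  $IPT -N SRCDS_QUERY 2>/dev/null
  $IPT -F SRCDS_QUERY

  # Known players are never rate limited.
  $IPT -A SRCDS_QUERY -m set --match-set "$WHITELIST" src -j RETURN

  # One shared budget for everyone else: srcip mode would be defeated by
  # spoofed sources, so the bucket is keyed on the (single) destination port.
  $IPT -A SRCDS_QUERY -m hashlimit --hashlimit-name srcds_query \
    --hashlimit-mode dstport --hashlimit-above "${QUERY_RATE}/sec" \
    --hashlimit-burst "$QUERY_BURST" -j DROP
  $IPT -A SRCDS_QUERY -j RETURN

  # Only query/challenge packets are diverted into the limited chain.
  for hdr in $QUERY_HEADERS; do
    $IPT -I INPUT -p udp --dport "$GAME_PORT" \
      -m string --algo bm --from 28 --to 40 --hex-string "|ffffffff${hdr}|" \
      -j SRCDS_QUERY
  done
}

# Sanity check for the dry run: number of rules that carry a target.
rule_count() {
  IPT=echo IPSET=echo apply_rules | grep -c -- '-j'
}
```

Run `IPT=echo IPSET=echo sh rules.sh` (after adding a call to apply_rules at the bottom) to review the generated rules before applying them for real as root. The 1000/s figure is John's rough number; with a global bucket, new players who are not yet whitelisted compete with the attacker for that budget, which is the price of the approach he describes.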
     
  2. Mathias

    Mathias Guest


    Thanks John.

    Could you guide/send me the Iptables?

    My server is on port 27115 and the attack comes in on port 28960 - But
    blocking the port won't work (I have tried)

    IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
    buckets).

    IP rate limit under distributed packet load (1205 buckets, 15001
    global count), rejecting 8.59.18.221:28960.

    IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).

    IP rate limit under distributed packet load (1210 buckets, 15001
    global count), rejecting 154.112.126.3:28960.

    IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).

    IP rate limit under distributed packet load (1152 buckets, 15001
    global count), rejecting 84.3.222.161:28960.

    IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).

    IP rate limit under distributed packet load (1176 buckets, 16663
    global count), rejecting 88.131.51.148:28960.


    2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net>:

    > On 3/23/2017 1:34 PM, Mathias wrote:
    >
    >> My servers getting flood with VSE DDoS Attack. My server have DDoS
    >> Protection but it wont take it. any other DDoS Attack does it takes so what
    >> can i do? im on Linux Ubuntu 16.04.
    >>
    >> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>
    >> I also got how the script works (VSE DDoS Attack) - Found on a forum via
    >> Google
    >>
    >> Any idea to stop it with Iptables? Packet limit?
    >>
    >
    > The term VSE (Valve Source Exploit) that the attackers like to use is
    > a misnomer because there isnt an exploit involved. These attacks just
    > flood a server with spoofed queries and/or connection attempts from random
    > sources, and Source cant handle the volume.
    >
    > Currently the most effective general-purpose way to deal with these is to
    > whitelist real player IPs and rate-limit queries and connection attempts
    > from all other sources (down to around 1000/s). This can be done with
    > iptables using a combination of the ipset, hashlimit, and bpf/u32/string
    > modules.
    >
    > Ideally, the game would be redesigned to using TCP for queries and the
    > very first part of the connection, offloading the first-contact tasks to
    > the OS, which has established methods for combating high-rate spoofed TCP
    > SYN floods. Internally, it could then straight drop all UDP packets that
    > dont correspond to a currently connected player.
    >
    > -John
    >
    > _______________________________________________
    > Csgo_servers mailing list
    > Csgo_servers@.com
    > https://.com///listinfo/csgo_servers



     
  3. John

    John Guest


    If you're seeing packets from port 28960, you're most likely seeing a
    reflected query DDoS that is coming from CoDx servers (you can tell for
    certain by looking at the contents of captured packets -- look for the
    string 'statusResponse') -- not a direct query/connection flood, and
    likely not spoofed. You can safely block traffic from port 28960, or do
    a more thorough filter to block that traffic. This is an example rule to
    just block the port.

    iptables -I INPUT -p udp --sport 28960 -j DROP

    -John

    On 3/23/2017 2:33 PM, Mathias wrote:
    > Thanks John.
    >
    > Could you guide/send me the Iptables?
    >
    > My server is on port 27115 and the attack comes in on port 28960 - But
    > it wont work block the port (Have tried)
    >
    > IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
    > buckets).
    > IP rate limit under distributed packet load (1205 buckets, 15001
    > global count), rejecting 8.59.18.221:28960 <http://8.59.18.221:28960>.
    > IP rate limit sustained 78411 distributed packets at 2613.7 pps (943
    > buckets).
    > IP rate limit under distributed packet load (1210 buckets, 15001
    > global count), rejecting 154.112.126.3:28960 <http://154.112.126.3:28960>.
    > IP rate limit sustained 104375 distributed packets at 3479.2 pps (968
    > buckets).
    > IP rate limit under distributed packet load (1152 buckets, 15001
    > global count), rejecting 84.3.222.161:28960 <http://84.3.222.161:28960>.
    > IP rate limit sustained 78941 distributed packets at 2631.4 pps (795
    > buckets).
    > IP rate limit under distributed packet load (1176 buckets, 16663
    > global count), rejecting 88.131.51.148:28960
    > <http://88.131.51.148:28960>.
    >
    > 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net
    > <mailto:lists.valve@nuclearfallout.net>>:
    >
    > On 3/23/2017 1:34 PM, Mathias wrote:
    >
    > My servers getting flood with VSE DDoS Attack. My server have
    > DDoS Protection but it wont take it. any other DDoS Attack
    > does it takes so what can i do? im on Linux Ubuntu 16.04.
    >
    > Here is server logs - http://pastebin.com/Q2dbcEMt
    >
    > I also got how the script works (VSE DDoS Attack) - Found on a
    > forum via Google
    >
    > Any idea to stop it with Iptables? Packet limit?
    >
    >
    > The term VSE (Valve Source Exploit) that the attackers like to
    > use is a misnomer because there isnt an exploit involved. These
    > attacks just flood a server with spoofed queries and/or connection
    > attempts from random sources, and Source cant handle the volume.
    >
    > Currently the most effective general-purpose way to deal with
    > these is to whitelist real player IPs and rate-limit queries and
    > connection attempts from all other sources (down to around
    > 1000/s). This can be done with iptables using a combination of the
    > ipset, hashlimit, and bpf/u32/string modules.
    >
    > Ideally, the game would be redesigned to using TCP for queries and
    > the very first part of the connection, offloading the
    > first-contact tasks to the OS, which has established methods for
    > combating high-rate spoofed TCP SYN floods. Internally, it could
    > then straight drop all UDP packets that dont correspond to a
    > currently connected player.
    >
    > -John
    >
    > _______________________________________________
    > Csgo_servers mailing list
    > Csgo_servers@.com
    > <mailto:Csgo_servers@.com>
    > https://.com///listinfo/csgo_servers
    > <https://.com///listinfo/csgo_servers>
    >
    >
    >
    >
    > _______________________________________________
    > Csgo_servers mailing list
    > Csgo_servers@.com
    > https://.com///listinfo/csgo_servers
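A way to check John's diagnosis against the log lines Mathias posted, and the "more thorough filter" he mentions, as an added example (not code from the thread or from John). It takes the "IP rate limit" lines from Mathias's message as its sample input and tallies the source ports of the rejected senders: four different addresses all sending from port 28960 is what reflection off one kind of server looks like, whereas a direct spoofed flood would show random source ports. The drop rule assumes the game port 27115 and requires the reflection payload string as well as the source port, so a genuine client that happens to use source port 28960 is not cut off; the tcpdump helper is the packet-contents check John suggests.

```shell
#!/bin/sh
# Added example: triage of srcds "rejecting" log lines plus a narrow drop
# rule for reflected CoD query responses. Assumed values: game port 27115,
# reflection from UDP source port 28960 carrying "statusResponse".
GAME_PORT="${GAME_PORT:-27115}"
REFLECT_PORT="${REFLECT_PORT:-28960}"
IPT="${IPT:-iptables}"   # IPT=echo for a dry run

# Sample input: the log lines quoted in Mathias's message.
SAMPLE_LOG='IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.'

# Source ports of rejected senders as "port count", most frequent first.
# One dominant port across many distinct IPs points at reflection off one
# kind of server; a spoofed direct flood would scatter across ports.
reject_ports() {
  printf '%s\n' "${1:-$SAMPLE_LOG}" \
    | sed -n 's/.*rejecting [0-9.]*:\([0-9]*\)\..*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Number of distinct rejected source addresses.
reject_sources() {
  printf '%s\n' "${1:-$SAMPLE_LOG}" \
    | sed -n 's/.*rejecting \([0-9.]*\):[0-9]*\..*/\1/p' \
    | sort -u | wc -l | tr -d ' '
}

# Confirm on the wire before filtering: a few packets with ASCII payload.
# Needs root; stops after 20 packets.
capture_sample() {
  tcpdump -nn -A -c 20 udp and src port "$REFLECT_PORT" and dst port "$GAME_PORT"
}

# John's rule drops everything from the source port; this variant also
# requires the reflection payload so unrelated traffic from that port passes.
reflection_drop_rule() {
  $IPT -I INPUT -p udp --sport "$REFLECT_PORT" --dport "$GAME_PORT" \
    -m string --algo bm --string "statusResponse" -j DROP
}
```

`reject_ports` on the sample prints `28960 4`; feeding it a live log (`reject_ports "$(tail -n 500 console.log)"`) tells you within seconds whether a new wave is the same reflection or something else, which answers Mathias's follow-up about attacks arriving on a different port.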




     
  4. MarcoPadovan

    MarcoPadovan Guest


    Hi,

    you should ratelimit that traffic

    On Thu, Mar 23, 2017 at 10:44 PM, John <lists.valve@nuclearfallout.net>
    wrote:

    > If youre seeing packets from port 28960, youre most likely seeing a
    > reflected query DDoS that is coming from CoDx servers (you can tell for
    > certain by looking at the contents of captured packets -- look for the
    > string statusResponse) -- not a direct query/connection flood, and likely
    > not spoofed. You can safely block traffic from port 28960, or do a more
    > thorough filter to block that traffic. This is an example rule to just
    > block the port.
    >
    > iptables -I INPUT -p udp --sport 28960 -j DROP
    >
    > -John
    >
    >
    > On 3/23/2017 2:33 PM, Mathias wrote:
    >
    > Thanks John.
    >
    > Could you guide/send me the Iptables?
    >
    > My server is on port 27115 and the attack comes in on port 28960 - But it
    > wont work block the port (Have tried)
    >
    > IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
    > buckets).
    >
    > IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
    >
    > IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
    >
    > IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
    >
    > IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
    >
    > IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
    >
    > IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
    >
    > IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
    >
    >
    > 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >
    >> On 3/23/2017 1:34 PM, Mathias wrote:
    >>
    >>> My servers getting flood with VSE DDoS Attack. My server have DDoS
    >>> Protection but it wont take it. any other DDoS Attack does it takes so what
    >>> can i do? im on Linux Ubuntu 16.04.
    >>>
    >>> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>>
    >>> I also got how the script works (VSE DDoS Attack) - Found on a forum via
    >>> Google
    >>>
    >>> Any idea to stop it with Iptables? Packet limit?
    >>>
    >>
    >> The term VSE (Valve Source Exploit) that the attackers like to use is
    >> a misnomer because there isnt an exploit involved. These attacks just
    >> flood a server with spoofed queries and/or connection attempts from random
    >> sources, and Source cant handle the volume.
    >>
    >> Currently the most effective general-purpose way to deal with these is to
    >> whitelist real player IPs and rate-limit queries and connection attempts
    >> from all other sources (down to around 1000/s). This can be done with
    >> iptables using a combination of the ipset, hashlimit, and bpf/u32/string
    >> modules.
    >>
    >> Ideally, the game would be redesigned to using TCP for queries and the
    >> very first part of the connection, offloading the first-contact tasks to
    >> the OS, which has established methods for combating high-rate spoofed TCP
    >> SYN floods. Internally, it could then straight drop all UDP packets that
    >> dont correspond to a currently connected player.
    >>
    >> -John
    >>
    >> _______________________________________________
    >> Csgo_servers mailing list
    >> Csgo_servers@.com
    >> https://.com///listinfo/csgo_servers
    >
    >
    >
    >
    > _______________________________________________
    > Csgo_servers mailing list
    > Csgo_servers@list.valvesoftware.com
    > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
    >
    >
    >
    > _______________________________________________
    > Csgo_servers mailing list
    > Csgo_servers@.com
    > https://.com///listinfo/csgo_servers
    >

    --001a1147494aadba65054b6cdad8
    Content-Type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable

    <div dir=ltr>Hi,<div><br></div><div>you should ratelimit that traffic</div></div><div class=gmail_extra><br><div class=gmail_quote>On Thu, Mar 23, 2017 at 10:44 PM, John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.net</a>&gt;</span> wrote:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    &nbsp;
    &nbsp;
    &nbsp;
    <div bgcolor=#FFFFFF text=#000000>
    <div class=m_-7305217332124377361moz-cite-prefix>If you&#39;re seeing packets from port
    28960, you&#39;re most likely seeing a reflected query DDoS that is
    coming from CoDx servers (you can tell for certain by looking at
    the contents of captured packets -- look for the string
    &#39;statusResponse&#39;) -- not a direct query/connection flood, and
    likely not spoofed. You can safely block traffic from port 28960,
    or do a more thorough filter to block that traffic. This is an
    example rule to just block the port.<br>
    <br>
    iptables -I INPUT -p udp --sport 28960 -j DROP<span class=HOEnZb><font color=#888888><br>
    <br>
    -John</font></span><div><div class=h5><br>
    <br>
    On 3/23/2017 2:33 PM, Mathias wrote:<br>
    </div></div></div><div><div class=h5>
    <blockquote type=cite>
    <div dir=ltr>Thanks John.
    <div><br>
    </div>
    <div>Could you guide/send me the Iptables?<br>
     <br>
    My server is on port 27115 and the attack comes in on port
    28960 - But it wont work block the port (Have tried)</div>
    <div><span style=background-color:rgb(0,0,0)><br>
    </span></div>
    <div><span style=background-color:rgb(0,0,0)>&quot;<span>IP rate limit sustained
    79085 distributed packets at 2636.2 pps (1246 buckets).</span></span></div>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting <a href=http://8.59.18.221:28960 target=_blank>8.59.18.221:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting <a href=http://154.112.126.3:28960 target=_blank>154.112.126.3:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting <a href=http://84.3.222.161:28960 target=_blank>84.3.222.161:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting <a href=http://88.131.51.148:28960 target=_blank>88.131.51.148:28960</a>.&quot;</span></pre>
    </div>
    <div class=gmail_extra><br>
    <div class=gmail_quote>2017-03-23 22:27 GMT+01:00 John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.<wbr>net</a>&gt;</span>:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><span>On 3/23/2017 1:34 PM, Mathias wrote:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    My server&#39;s getting flood with VSE DDoS Attack. My
    server have DDoS Protection but it wont take it. any
    other DDoS Attack does it takes so what can i do? i&#39;m on
    Linux Ubuntu 16.04.<br>
    <br>
    Here is server logs - <a href=http://pastebin.com/Q2dbcEMt rel=noreferrer target=_blank>http://pastebin.com/Q2dbcEMt</a><br>
    <br>
    I also got how the script works (VSE DDoS Attack) -
    Found on a forum via Google<br>
    <br>
    Any idea to stop it with Iptables? Packet limit?<br>
    </blockquote>
    <br>
    </span>
    The term &quot;VSE&quot; (&quot;Valve Source Exploit&quot;) that the attackers
    like to use is a misnomer because there isn&#39;t an exploit
    involved. These attacks just flood a server with spoofed
    queries and/or connection attempts from random sources, and
    Source can&#39;t handle the volume.<br>
    <br>
    Currently the most effective general-purpose way to deal
    with these is to whitelist real player IPs and rate-limit
    queries and connection attempts from all other sources (down
    to around 1000/s). This can be done with iptables using a
    combination of the ipset, hashlimit, and bpf/u32/string
    modules.<br>
    <br>
    Ideally, the game would be redesigned to using TCP for
    queries and the very first part of the connection,
    offloading the first-contact tasks to the OS, which has
    established methods for combating high-rate spoofed TCP SYN
    floods. Internally, it could then straight drop all UDP
    packets that don&#39;t correspond to a currently connected
    player.<br>
    <br>
    -John<br>
    <br>
    ______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.valvesoftwar<wbr>e.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.com<wbr>///listinfo/csgo<wbr>_servers</a></blockquote>
    </div>
    <br>
    </div>
    <br>
    <fieldset class=m_-7305217332124377361mimeAttachmentHeader></fieldset>
    <br>
    <pre>______________________________<wbr>_________________
    Csgo_servers mailing list
    <a class=m_-7305217332124377361moz-txt-link-abbreviated href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.<wbr>valvesoftware.com</a>
    <a class=m_-7305217332124377361moz-txt-link-freetext href=https://.com///listinfo/csgo_servers target=_blank>https://.<wbr>com///listinfo/<wbr>csgo_servers</a></pre>
    </blockquote>
    <br>
    </div></div></div>

    <br>______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com>Csgo_servers@list.<wbr>valvesoftware.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.<wbr>com///listinfo/<wbr>csgo_servers</a><br></blockquote></div><br></div>



     
  5. Mathias

    Mathias Guest


    Thanks for this awesome help John! This kind of "attack" has been
    attacking me for days without stopping.

    So do I block the port every time they attack on a new port? And what if they
    attack the port directly? There must be a kind of filter possible on
    Linux with iptables. Anything I can tell my datacenter to fix this attack
    permanently?



    2017-03-23 22:44 GMT+01:00 John <lists.valve@nuclearfallout.net>:

    > If you're seeing packets from port 28960, you're most likely seeing a
    > reflected query DDoS that is coming from CoDx servers (you can tell for
    > certain by looking at the contents of captured packets -- look for the
    > string 'statusResponse') -- not a direct query/connection flood, and likely
    > not spoofed. You can safely block traffic from port 28960, or do a more
    > thorough filter to block that traffic. This is an example rule to just
    > block the port.
    >
    > iptables -I INPUT -p udp --sport 28960 -j DROP
    >
    > -John
    >
    >
    > On 3/23/2017 2:33 PM, Mathias wrote:
    >
    > Thanks John.
    >
    > Could you guide/send me the Iptables?
    >
    > My server is on port 27115 and the attack comes in on port 28960 - but
    > blocking the port won't work (have tried)
    >
    > IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
    > buckets).
    >
    > IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
    >
    > IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
    >
    > IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
    >
    > IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
    >
    > IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
    >
    > IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
    >
    > IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
    >
    >
    > 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >
    >> On 3/23/2017 1:34 PM, Mathias wrote:
    >>
    >>> My server's getting flooded with a VSE DDoS attack. My server has DDoS
    >>> protection but it won't take it; any other DDoS attack it does take, so what
    >>> can I do? I'm on Linux Ubuntu 16.04.
    >>>
    >>> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>>
    >>> I also got how the script works (VSE DDoS Attack) - Found on a forum via
    >>> Google
    >>>
    >>> Any idea to stop it with Iptables? Packet limit?
    >>>
    >>
    >> The term "VSE" ("Valve Source Exploit") that the attackers like to use is
    >> a misnomer because there isn't an exploit involved. These attacks just
    >> flood a server with spoofed queries and/or connection attempts from random
    >> sources, and Source can't handle the volume.
    >>
    >> Currently the most effective general-purpose way to deal with these is to
    >> whitelist real player IPs and rate-limit queries and connection attempts
    >> from all other sources (down to around 1000/s). This can be done with
    >> iptables using a combination of the ipset, hashlimit, and bpf/u32/string
    >> modules.
    >>
    >> Ideally, the game would be redesigned to use TCP for queries and the
    >> very first part of the connection, offloading the first-contact tasks to
    >> the OS, which has established methods for combating high-rate spoofed TCP
    >> SYN floods. Internally, it could then straight drop all UDP packets that
    >> don't correspond to a currently connected player.
    >>
    >> -John
    >>
    >> _______________________________________________
    >> Csgo_servers mailing list
    >> Csgo_servers@.com
    >> https://.com///listinfo/csgo_servers

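A worked ruleset, added here as an example and not code from the thread or from Valve, that lays out the filter John describes (an ipset whitelist of real players, hashlimit on everyone else, string matches on the UDP payload) for the port Mathias mentioned, plus a small triage function for the "rejecting IP:PORT" lines he posted. The set name `players`, the chain name `SRCDS`, the file name `srcds_filter.sh`, the timeouts and the 1000/s figure taken from John's message are all assumptions, as is the extra log line with port 51234, which is constructed. Populating the set with real player addresses (for instance from the server's `status` output) is left to the operator. The script only prints the rules, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread, not Valve code): the filter John outlines,
# as a script that prints an iptables/ipset ruleset for one srcds port.
# Assumed names: ipset 'players', chain 'SRCDS'. Payload offsets assume IPv4
# without IP options (20-byte IP header + 8-byte UDP header = payload at byte 28).
set -eu

PLAYER_SET="${PLAYER_SET:-players}"
CHAIN="${CHAIN:-SRCDS}"

# gen_rules PORT [LIMIT]: print the rules; LIMIT is the aggregate packets/sec of
# connectionless traffic allowed from non-whitelisted sources (John's ~1000/s).
gen_rules() {
    port="$1"
    limit="${2:-1000}"
    cat <<EOF
ipset create $PLAYER_SET hash:ip timeout 7200 -exist
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
# 1. Reflected Quake3-engine (CoD) query replies: source port 28960 and a payload
#    of ff ff ff ff followed by the reply keyword. Matching the payload, not just
#    the port, avoids dropping a legitimate peer that happens to use that port.
iptables -A $CHAIN -p udp --sport 28960 -m string --algo bm --from 28 --to 60 --hex-string '|ffffffff|statusResponse' -j DROP
# 2. Known players skip the limiter.
iptables -A $CHAIN -m set --match-set $PLAYER_SET src -j ACCEPT
# 3. Everything connectionless (A2S queries, getchallenge/connect) from anyone
#    else starts with ff ff ff ff; cap it at ${limit}/s in total.
iptables -A $CHAIN -p udp -m string --algo bm --from 28 --to 32 --hex-string '|ffffffff|' -m hashlimit --hashlimit-name srcds_cl --hashlimit-mode dstport --hashlimit-above ${limit}/sec --hashlimit-burst $limit -j DROP
iptables -A $CHAIN -j RETURN
# Hook the chain for this port only; -C keeps re-runs from adding duplicates.
iptables -C INPUT -p udp --dport $port -j $CHAIN 2>/dev/null || iptables -I INPUT -p udp --dport $port -j $CHAIN
EOF
}

# add_player IP: whitelist a connected player (feed this from 'status' output);
# the timeout lets the entry age out after they leave.
add_player() {
    ipset add "$PLAYER_SET" "$1" timeout 7200 -exist
}

# rejected_ports: read srcds "IP rate limit ... rejecting IP:PORT" lines on stdin
# and print "COUNT PORT" per source port, busiest first. One dominant port that
# belongs to another game (28960 in the thread) points at reflection rather than
# a spoofed flood, so a --sport rule covers that part of the traffic.
rejected_ports() {
    sed -n 's/.*rejecting \([0-9.]*\):\([0-9]*\).*/\2/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sample input: four lines from Mathias's post plus one constructed line
# (203.0.113.7:51234) to show a second port being counted separately.
sample_log() {
    cat <<'EOF'
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
IP rate limit under distributed packet load (1190 buckets, 15001 global count), rejecting 203.0.113.7:51234.
EOF
}

# Usage: sh srcds_filter.sh 27115 [limit] > rules.sh   (review, then run as root)
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

Review the printed rules, then run them as root on the server (or pipe the output through `sh`). The whitelist is what makes this workable: without `add_player` entries for connected players, everyone shares the 1000/s budget and real players get dropped along with the flood during an attack. `grep statusResponse` over `tcpdump -A -n udp and src port 28960` output is the quickest way to confirm the reflection reading before adding rule 1.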


     
  6. Mathias

    Mathias Guest


    How Marco? CSGO Cvar? Iptables?

    2017-03-23 22:53 GMT+01:00 Mathias <uartigzone3@gmail.com>:

    > Thanks for this awesome help John! This kind of "attack" has been
    > attacking me for days without stopping.
    >
    > So do I block the port every time they attack on a new port? And what if they
    > attack the port directly? There must be a kind of filter possible on
    > Linux with iptables. Anything I can tell my datacenter to fix this attack
    > permanently?



     
  7.

    tcpdump needed :)

    On Thu, Mar 23, 2017 at 11:54 PM, Mathias <uartigzone3@gmail.com> wrote:

    > How Marco? CSGO Cvar? Iptables?

    <div dir=ltr>tcpdump needed :)</div><div class=gmail_extra><br><div class=gmail_quote>On Thu, Mar 23, 2017 at 11:54 PM, Mathias <span dir=ltr>&lt;<a href=mailto:uartigzone3@gmail.com target=_blank>uartigzone3@gmail.com</a>&gt;</span> wrote:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>How Marco? CSGO Cvar? Iptables?</div><div class=HOEnZb><div class=h5><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 22:53 GMT+01:00 Mathias <span dir=ltr>&lt;<a href=mailto:uartigzone3@gmail.com target=_blank>uartigzone3@gmail.com</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>Thanks for this awesome help John! This kind of &quot;Attack&quot; have been attacking me for days without stopping.<div><br></div><div>So i block the port everytime they attack on new port? And what if they attack on the port directly? There must be a kind of filter possible on Linux with Iptables. Anything i can tell me datacenter to fix this attack permanent?</div><div><br></div><div><br></div></div><div class=m_-197710433038253419HOEnZb><div class=m_-197710433038253419h5><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 22:44 GMT+01:00 John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.ne<wbr>t</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    &nbsp;
    &nbsp;
    &nbsp;
    <div bgcolor=#FFFFFF text=#000000>
    <div class=m_-197710433038253419m_4283724209866454822m_-215066809999191040moz-cite-prefix>If you&#39;re seeing packets from port
    28960, you&#39;re most likely seeing a reflected query DDoS that is
    coming from CoDx servers (you can tell for certain by looking at
    the contents of captured packets -- look for the string
    &#39;statusResponse&#39;) -- not a direct query/connection flood, and
    likely not spoofed. You can safely block traffic from port 28960,
    or do a more thorough filter to block that traffic. This is an
    example rule to just block the port.<br>
    <br>
    iptables -I INPUT -p udp --sport 28960 -j DROP<span class=m_-197710433038253419m_4283724209866454822HOEnZb><font color=#888888><br>
    <br>
    -John</font></span><div><div class=m_-197710433038253419m_4283724209866454822h5><br>
    <br>
    On 3/23/2017 2:33 PM, Mathias wrote:<br>
    </div></div></div><div><div class=m_-197710433038253419m_4283724209866454822h5>
    <blockquote type=cite>
    <div dir=ltr>Thanks John.
    <div><br>
    </div>
    <div>Could you guide/send me the Iptables?<br>
     <br>
    My server is on port 27115 and the attack comes in on port
    28960 - But it wont work block the port (Have tried)</div>
    <div><span style=background-color:rgb(0,0,0)><br>
    </span></div>
    <div><span style=background-color:rgb(0,0,0)>&quot;<span>IP rate limit sustained
    79085 distributed packets at 2636.2 pps (1246 buckets).</span></span></div>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting <a href=http://8.59.18.221:28960 target=_blank>8.59.18.221:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting <a href=http://154.112.126.3:28960 target=_blank>154.112.126.3:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting <a href=http://84.3.222.161:28960 target=_blank>84.3.222.161:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting <a href=http://88.131.51.148:28960 target=_blank>88.131.51.148:28960</a>.&quot;</span></pre>
    </div>
    <div class=gmail_extra><br>
    <div class=gmail_quote>2017-03-23 22:27 GMT+01:00 John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.ne<wbr>t</a>&gt;</span>:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><span>On 3/23/2017 1:34 PM, Mathias wrote:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    My server&#39;s getting flood with VSE DDoS Attack. My
    server have DDoS Protection but it wont take it. any
    other DDoS Attack does it takes so what can i do? i&#39;m on
    Linux Ubuntu 16.04.<br>
    <br>
    Here is server logs - <a href=http://pastebin.com/Q2dbcEMt rel=noreferrer target=_blank>http://pastebin.com/Q2dbcEMt</a><br>
    <br>
    I also got how the script works (VSE DDoS Attack) -
    Found on a forum via Google<br>
    <br>
    Any idea to stop it with Iptables? Packet limit?<br>
    </blockquote>
    <br>
    </span>
    The term &quot;VSE&quot; (&quot;Valve Source Exploit&quot;) that the attackers
    like to use is a misnomer because there isn&#39;t an exploit
    involved. These attacks just flood a server with spoofed
    queries and/or connection attempts from random sources, and
    Source can&#39;t handle the volume.<br>
    <br>
    Currently the most effective general-purpose way to deal
    with these is to whitelist real player IPs and rate-limit
    queries and connection attempts from all other sources (down
    to around 1000/s). This can be done with iptables using a
    combination of the ipset, hashlimit, and bpf/u32/string
    modules.<br>
    <br>
    Ideally, the game would be redesigned to using TCP for
    queries and the very first part of the connection,
    offloading the first-contact tasks to the OS, which has
    established methods for combating high-rate spoofed TCP SYN
    floods. Internally, it could then straight drop all UDP
    packets that don&#39;t correspond to a currently connected
    player.<br>
    <br>
    -John<br>
    <br>
    ______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.valvesoftwar<wbr>e.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.com<wbr>///listinfo/csgo<wbr>_servers</a></blockquote>
    </div>
    <br>
    </div>
    <br>
    <fieldset class=m_-197710433038253419m_4283724209866454822m_-215066809999191040mimeAttachmentHeader></fieldset>
    <br>
    <pre>______________________________<wbr>_________________
    Csgo_servers mailing list
    <a class=m_-197710433038253419m_4283724209866454822m_-215066809999191040moz-txt-link-abbreviated href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.valvesoftwar<wbr>e.com</a>
    <a class=m_-197710433038253419m_4283724209866454822m_-215066809999191040moz-txt-link-freetext href=https://.com///listinfo/csgo_servers target=_blank>https://.com<wbr>///listinfo/csgo<wbr>_servers</a></pre>
    </blockquote>
    <br>
    </div></div></div>

    <br>______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.valvesoftwar<wbr>e.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.com<wbr>///listinfo/csgo<wbr>_servers</a><br></blockquote></div><br></div>
    </div></div></blockquote></div><br></div>
    </div></div><br>______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com>Csgo_servers@list.<wbr>valvesoftware.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.<wbr>com///listinfo/<wbr>csgo_servers</a><br></blockquote></div><br></div>

    --94eb2c0748149c7e58054b6cfd8d--
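"tcpdump needed" and John's hint to look for 'statusResponse' in captured packets, worked through as an added shell example; this is not code from any post in the thread. It assumes an interface named eth0, the game port 27115 from Mathias's logs and a capture file called attack.pcap; the tcpdump lines and payload lines embedded in it are constructed to look like the flood in the thread, not a real capture.

```shell
#!/bin/sh
# Added example, not from any post in the thread: capture the flood hitting
# the game port and check whether it is the reflected CoD query flood John
# describes (responses carrying "statusResponse", typically from source
# port 28960) or a direct query/connect flood from spoofed sources.
# Assumptions: interface eth0, game port 27115 (from the logs in the
# thread), capture file attack.pcap.
set -u

IFACE=${IFACE:-eth0}
GAMEPORT=${GAMEPORT:-27115}
PCAP=${PCAP:-attack.pcap}

# Record up to 20000 packets aimed at the game port, with full payloads
# (-s 0) so the ASCII content can be inspected afterwards.
capture_sample() {
    tcpdump -ni "$IFACE" -s 0 -c 20000 -w "$PCAP" "udp and dst port $GAMEPORT"
}

# Summarise tcpdump's one-line-per-packet output (tcpdump -n) by UDP source
# port. Input lines look like
#   23:41:02.113 IP 8.59.18.221.28960 > 203.0.113.5.27115: UDP, length 1200
# and the output is "<count> <srcport>", busiest port first. One source
# port dominating across many different source IPs points at reflection.
top_source_ports() {
    awk '$2 == "IP" && $6 == "UDP," {
             n = split($3, a, ".")        # last dotted field is the port
             cnt[a[n]]++
         }
         END { for (p in cnt) print cnt[p], p }' | sort -rn
}

# Count payload lines (tcpdump -A output) carrying the CoD marker. The
# marker sits at the start of each reflected response, so this is a
# per-packet count when -A prints one payload line per packet.
count_status_response() {
    grep -c 'statusResponse' || true
}

# Run both checks on a saved capture.
triage() {
    printf 'Busiest source ports in %s:\n' "$PCAP"
    tcpdump -nr "$PCAP" 2>/dev/null | top_source_ports | head -n 5
    printf 'Packets carrying statusResponse: %s\n' \
        "$(tcpdump -nr "$PCAP" -A 2>/dev/null | count_status_response)"
}

# Constructed sample (not a real capture) shaped like the thread's log
# excerpt: four reflected responses from port 28960 and one client packet.
SAMPLE_LINES='23:41:02.113 IP 8.59.18.221.28960 > 203.0.113.5.27115: UDP, length 1200
23:41:02.114 IP 154.112.126.3.28960 > 203.0.113.5.27115: UDP, length 1180
23:41:02.115 IP 84.3.222.161.28960 > 203.0.113.5.27115: UDP, length 1210
23:41:02.116 IP 198.51.100.7.53122 > 203.0.113.5.27115: UDP, length 64
23:41:02.117 IP 88.131.51.148.28960 > 203.0.113.5.27115: UDP, length 1190'
# Constructed tcpdump -A payload lines: two CoD status responses and one
# ordinary Source A2S_INFO query.
SAMPLE_PAYLOADS='....statusResponse.\sv_hostname\CoD4 box\sv_maxclients\32
....statusResponse.\sv_hostname\another box\sv_maxclients\24
....TSource Engine Query.'

# Usage: `sh triage.sh capture` records live traffic and summarises it; with
# no argument it only summarises the constructed sample above.
case "${1:-}" in
    capture) capture_sample; triage ;;
    *) printf '%s\n' "$SAMPLE_LINES" | top_source_ports
       printf 'Packets carrying statusResponse: %s\n' \
           "$(printf '%s\n' "$SAMPLE_PAYLOADS" | count_status_response)" ;;
esac
```

Capturing with -s 0 matters: the default snaplen is enough for the headers but the 'statusResponse' marker lives in the payload, and the distinction John draws (reflected responses versus spoofed queries) is decided by the payload, not by the addresses. If the busiest source port is 28960 and the marker count is close to the packet count, the simple source-port drop is the right first move; if the payloads are A2S queries or connect requests from many ports, the rate-limiting scheme is needed instead.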


     
  8. Mathias

    Mathias Guest

    --001a113e2dd4297053054b6d1e06
    Content-Type: text/plain; charset=UTF-8

    Thanks. How does tcpdump work? And setup? :)

    2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <dedimarknet@gmail.com>:

    > tcpdump needed :)
    >
    > On Thu, Mar 23, 2017 at 11:54 PM, Mathias <uartigzone3@gmail.com> wrote:
    >
    >> How Marco? CSGO Cvar? Iptables?
    >>
    >> 2017-03-23 22:53 GMT+01:00 Mathias <uartigzone3@gmail.com>:
    >>
    >>> Thanks for this awesome help John! This kind of "attack" has been
    >>> attacking me for days without stopping.
    >>>
    >>> So do I block the port every time they attack on a new port? And what if they
    >>> attack the port directly? There must be some kind of filter possible on
    >>> Linux with iptables. Anything I can tell my datacenter to fix this attack
    >>> permanently?
    >>>
    >>>
    >>>
    >>> 2017-03-23 22:44 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >>>
    >>>> If you're seeing packets from port 28960, you're most likely seeing a
    >>>> reflected query DDoS that is coming from CoDx servers (you can tell for
    >>>> certain by looking at the contents of captured packets -- look for the
    >>>> string 'statusResponse') -- not a direct query/connection flood, and likely
    >>>> not spoofed. You can safely block traffic from port 28960, or do a more
    >>>> thorough filter to block that traffic. This is an example rule to just
    >>>> block the port.
    >>>>
    >>>> iptables -I INPUT -p udp --sport 28960 -j DROP
    >>>>
    >>>> -John
    >>>>
    >>>>
    >>>> On 3/23/2017 2:33 PM, Mathias wrote:
    >>>>
    >>>> Thanks John.
    >>>>
    >>>> Could you guide/send me the Iptables?
    >>>>
    >>>> My server is on port 27115 and the attack comes in on port 28960 - but
    >>>> blocking the port won't work (I have tried).
    >>>>
    >>>> IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246
    >>>> buckets).
    >>>>
    >>>> IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
    >>>>
    >>>> IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
    >>>>
    >>>> IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
    >>>>
    >>>> IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
    >>>>
    >>>> IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
    >>>>
    >>>> IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
    >>>>
    >>>> IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
    >>>>
    >>>>
    >>>> 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >>>>
    >>>>> On 3/23/2017 1:34 PM, Mathias wrote:
    >>>>>
    >>>>>> My server's getting flooded with a VSE DDoS attack. My server has DDoS
    >>>>>> protection but it won't take it; any other DDoS attack it does take, so what
    >>>>>> can I do? I'm on Linux Ubuntu 16.04.
    >>>>>>
    >>>>>> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>>>>>
    >>>>>> I also got how the script works (VSE DDoS Attack) - Found on a forum
    >>>>>> via Google
    >>>>>>
    >>>>>> Any idea to stop it with Iptables? Packet limit?
    >>>>>>
    >>>>>
    >>>>> The term "VSE" ("Valve Source Exploit") that the attackers like to use
    >>>>> is a misnomer because there isn't an exploit involved. These attacks just
    >>>>> flood a server with spoofed queries and/or connection attempts from random
    >>>>> sources, and Source can't handle the volume.
    >>>>>
    >>>>> Currently the most effective general-purpose way to deal with these is
    >>>>> to whitelist real player IPs and rate-limit queries and connection attempts
    >>>>> from all other sources (down to around 1000/s). This can be done with
    >>>>> iptables using a combination of the ipset, hashlimit, and bpf/u32/string
    >>>>> modules.
    >>>>>
    >>>>> Ideally, the game would be redesigned to use TCP for queries and the
    >>>>> very first part of the connection, offloading the first-contact tasks to
    >>>>> the OS, which has established methods for combating high-rate spoofed TCP
    >>>>> SYN floods. Internally, it could then straight drop all UDP packets that
    >>>>> don't correspond to a currently connected player.
    >>>>>
    >>>>> -John
    >>>>>

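The whitelist-plus-rate-limit scheme John outlines in the quoted reply above (ipset for real players, hashlimit for everyone else, u32 and string matches to pick out queries and reflected responses), written out as an added shell example; it is not code from the thread or from Valve. The game port 27115 and the 1000/s budget come from the thread; the chain name SRCDS_IN, the set name "players", the one-hour whitelist expiry and the burst of 100 packets are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the whitelist-plus-rate-limit
# scheme John describes, expressed as iptables/ipset rules. Assumed values
# (not stated in the thread beyond the port and the ~1000/s figure): the
# game port 27115 from the logs, an ipset named "players", a dedicated
# chain named SRCDS_IN, and a 100-packet burst allowance.
set -u

GAMEPORT=${GAMEPORT:-27115}
PLAYERS=${PLAYERS:-players}
CHAIN=${CHAIN:-SRCDS_IN}
QUERY_RATE=${QUERY_RATE:-1000/sec}   # budget for queries/connects from non-players

# Whitelist set for addresses that have really connected; entries expire so
# a stale address stops bypassing the limits after an hour of silence.
setup_whitelist() {
    ipset create "$PLAYERS" hash:ip timeout 3600 -exist
}

# Call this when the server logs a successful connect (e.g. from a log
# watcher); the player's address then skips the rate limit entirely.
whitelist_player() {
    ipset add "$PLAYERS" "$1" timeout 3600 -exist
}

install_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"

    # 1. Reflected CoD query responses: the payload carries "statusResponse".
    #    Matching the payload rather than blanket-dropping source port 28960
    #    is the "more thorough filter" John mentions; a Source server never
    #    legitimately receives this string on its game port.
    iptables -A "$CHAIN" -m string --algo bm --string "statusResponse" -j DROP

    # 2. Known players bypass the limits below.
    iptables -A "$CHAIN" -m set --match-set "$PLAYERS" src -j ACCEPT

    # 3. Out-of-band Source packets (A2S queries, connect/challenge requests)
    #    all begin with 0xFFFFFFFF. The u32 expression reads the IPv4 header
    #    length, jumps 8 bytes past the UDP header and compares the first
    #    payload word. Without --hashlimit-mode the limiter keeps a single
    #    bucket, i.e. a global budget for the port, which is what you want
    #    when the source addresses are random and spoofed.
    iptables -A "$CHAIN" -m u32 --u32 "0>>22&0x3C@8=0xffffffff" \
        -m hashlimit --hashlimit-name srcds_oob \
        --hashlimit-upto "$QUERY_RATE" --hashlimit-burst 100 -j ACCEPT
    iptables -A "$CHAIN" -m u32 --u32 "0>>22&0x3C@8=0xffffffff" -j DROP

    # 4. Anything else is in-game traffic from an established client; accept.
    iptables -A "$CHAIN" -j ACCEPT

    # Hook the chain in front of everything else for the game port only.
    iptables -I INPUT -p udp --dport "$GAMEPORT" -j "$CHAIN"
}

# Usage: `sh srcds-filter.sh apply` installs the rules; `whitelist_player IP`
# is meant to be invoked from whatever watches the server's connect log.
case "${1:-}" in
    apply) setup_whitelist; install_rules ;;
esac
```

The trade-off John's numbers imply is visible in rule 3: under a sustained flood the global budget is shared between attackers and new players trying to query or connect, so the whitelist is what keeps the players who are already in the game playable. At very high packet rates the host's NIC and kernel become the bottleneck before iptables does, which is when the datacenter's upstream filtering has to take over.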


     
  9.

    --94eb2c05c2d419657e054b6d31b3
    Content-Type: text/plain; charset=UTF-8

    https://github.com/pavel-odintsov/fastnetmon

    # collect a full dump of the attack with full payload in pcap compatible format
    collect_attack_pcap_dumps = on
    # Execute Deep Packet Inspection on captured PCAP packets
    process_pcap_attack_dumps_with_dpi = on

    On Fri, Mar 24, 2017 at 12:08 AM, Mathias <uartigzone3@gmail.com> wrote:

    > Thanks. How does tcpdump work? And setup? :)
    >
    > 2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <dedimarknet@gmail.com>:
    >
    >> tcpdump needed :)

    --94eb2c05c2d419657e054b6d31b3
    Content-Type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable

    <div dir=ltr><a href=https://github.com/pavel-odintsov/fastnetmon>https://github.com/pavel-odintsov/fastnetmon</a><br><div><br></div><div><table class=gmail-highlight gmail-tab-size gmail-js-file-line-container style=box-sizing:border-box;border-collapse:collapse;color:rgb(36,41,46);font-family:-apple-system,blinkmacsystemfont,&quot;segoe ui&quot;,helvetica,arial,sans-serif,&quot;apple color emoji&quot;,&quot;segoe ui emoji&quot;,&quot;segoe ui symbol&quot;;font-size:14px><tbody style=box-sizing:border-box><tr style=box-sizing:border-box><td id=gmail-LC180 class=gmail-blob-code gmail-blob-code-inner gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre># collect a full dump of the attack with full payload in pcap compatible format</td></tr><tr style=box-sizing:border-box><td id=gmail-L181 class=gmail-blob-num gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(27,31,35,0.298039);text-align:right;white-space:nowrap;vertical-align:top></td><td id=gmail-LC181 class=gmail-blob-code gmail-blob-code-inner gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre>collect_attack_pcap_dumps = on</td></tr><tr style=box-sizing:border-box><td id=gmail-L182 class=gmail-blob-num gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation 
  10. Mathias

    Mathias Guest


    Cool, thanks!!

    Should I install this on the same server as the game server, or on another,
    smaller server?

    2017-03-23 23:13 GMT+01:00 / UGC- Gaming.net / <dedimarknet@gmail.com>:

    > https://github.com/pavel-odintsov/fastnetmon
    >
    > # collect a full dump of the attack with full payload in pcap compatible
    > format
    > collect_attack_pcap_dumps = on
    > # Execute Deep Packet Inspection on captured PCAP packets
    > process_pcap_attack_dumps_with_dpi = on
    >
    > On Fri, Mar 24, 2017 at 12:08 AM, Mathias <uartigzone3@gmail.com> wrote:
    >
    >> Thanks. How does tcpdump work? And setup? :)
    >>
    >> 2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <dedimarknet@gmail.com>:
    >>
    >>> tcpdump needed :)
    >>>
    >>> On Thu, Mar 23, 2017 at 11:54 PM, Mathias <uartigzone3@gmail.com> wrote:
    >>>
    >>>> How Marco? CSGO Cvar? Iptables?
    >>>>
    >>>> 2017-03-23 22:53 GMT+01:00 Mathias <uartigzone3@gmail.com>:
    >>>>
    >>>>> Thanks for this awesome help John! This kind of "Attack" has been
    >>>>> attacking me for days without stopping.
    >>>>>
    >>>>> So I block the port every time they attack on a new port? And what if
    >>>>> they attack on the port directly? There must be a kind of filter possible
    >>>>> on Linux with Iptables. Anything I can tell my datacenter to fix this
    >>>>> attack permanently?
    >>>>>
    >>>>>
    >>>>>
    >>>>> 2017-03-23 22:44 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >>>>>
    >>>>>> If you're seeing packets from port 28960, you're most likely seeing a
    >>>>>> reflected query DDoS that is coming from CoDx servers (you can tell for
    >>>>>> certain by looking at the contents of captured packets -- look for the
    >>>>>> string 'statusResponse') -- not a direct query/connection flood, and likely
    >>>>>> not spoofed. You can safely block traffic from port 28960, or do a more
    >>>>>> thorough filter to block that traffic. This is an example rule to just
    >>>>>> block the port.
    >>>>>>
    >>>>>> iptables -I INPUT -p udp --sport 28960 -j DROP
    >>>>>>
    >>>>>> -John
    >>>>>>
    >>>>>>
    >>>>>> On 3/23/2017 2:33 PM, Mathias wrote:
    >>>>>>
    >>>>>> Thanks John.
    >>>>>>
    >>>>>> Could you guide/send me the Iptables?
    >>>>>>
    >>>>>> My server is on port 27115 and the attack comes in on port 28960 -
    >>>>>> but blocking the port won't work (have tried).
    >>>>>>
    >>>>>> IP rate limit sustained 79085 distributed packets at 2636.2 pps
    >>>>>> (1246 buckets).
    >>>>>>
    >>>>>> IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
    >>>>>>
    >>>>>> IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
    >>>>>>
    >>>>>> IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
    >>>>>>
    >>>>>> IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
    >>>>>>
    >>>>>> IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
    >>>>>>
    >>>>>> IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
    >>>>>>
    >>>>>> IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
    >>>>>>
    >>>>>>
    >>>>>> 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net>:
    >>>>>>
    >>>>>>> On 3/23/2017 1:34 PM, Mathias wrote:
    >>>>>>>
    >>>>>>>> My server's getting flooded with a VSE DDoS attack. My server has DDoS
    >>>>>>>> protection but it won't take it. Any other DDoS attack it does take, so what
    >>>>>>>> can I do? I'm on Linux Ubuntu 16.04.
    >>>>>>>>
    >>>>>>>> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>>>>>>>
    >>>>>>>> I also got how the script works (VSE DDoS Attack) - Found on a
    >>>>>>>> forum via Google
    >>>>>>>>
    >>>>>>>> Any idea to stop it with Iptables? Packet limit?
    >>>>>>>>
    >>>>>>>
    >>>>>>> The term "VSE" ("Valve Source Exploit") that the attackers like to
    >>>>>>> use is a misnomer because there isn't an exploit involved. These attacks
    >>>>>>> just flood a server with spoofed queries and/or connection attempts from
    >>>>>>> random sources, and Source can't handle the volume.
    >>>>>>>
    >>>>>>> Currently the most effective general-purpose way to deal with these
    >>>>>>> is to whitelist real player IPs and rate-limit queries and connection
    >>>>>>> attempts from all other sources (down to around 1000/s). This can be done
    >>>>>>> with iptables using a combination of the ipset, hashlimit, and
    >>>>>>> bpf/u32/string modules.
    >>>>>>>
    >>>>>>> Ideally, the game would be redesigned to use TCP for queries and
    >>>>>>> the very first part of the connection, offloading the first-contact tasks
    >>>>>>> to the OS, which has established methods for combating high-rate spoofed
    >>>>>>> TCP SYN floods. Internally, it could then straight drop all UDP packets
    >>>>>>> that don't correspond to a currently connected player.
    >>>>>>>
    >>>>>>> -John
    >>>>>>>
    >>>>>>> _______________________________________________
    >>>>>>> Csgo_servers mailing list
    >>>>>>> Csgo_servers@.com
    >>>>>>> https://.com///listinfo/csgo_servers
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>>
    >>
    >>
    >>
    >
    >
    >
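
    The thread above gives the recipe in words only: check whether the rejected sources in the srcds "IP rate limit" log all share source port 28960 (John's sign of reflected CoD query traffic, confirmed by 'statusResponse' in the payload), whitelist real players, and rate-limit queries and connection attempts from everyone else with ipset, hashlimit and the string match. The script below is an added example written for this page, not code from the thread or from any of its participants. It assumes an ipset named srcds_players, a chain named SRCDS_IN, IPv4 without IP options (so the UDP payload starts at byte offset 28 in the packet), and that `status` prints each player's IP:port as the last field of its line; the sample status line is constructed, the sample log lines are the ones Mathias posted. The rules are printed rather than applied, so they can be reviewed before running `gen_rules 27115 | sudo sh`.

```shell
#!/bin/sh
# Added example for the VSE thread (not the list's or Valve's code).
# Three defender-side helpers:
#   triage_ratelimit_log   - which source port the rejected senders share
#   whitelist_from_status  - ipset commands for currently connected players
#   gen_rules              - iptables/ipset rule set for one game port
# Assumptions: ipset "srcds_players", chain "SRCDS_IN", IPv4 without options
# (UDP payload at packet offset 28). Nothing here touches the kernel; output
# is meant to be reviewed and then piped into sh as root.

# Log lines as posted in the thread (real input from the page).
SAMPLE_LOG='IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.'

# Constructed `status` output: one human player with an IP:port, one bot.
SAMPLE_STATUS='#  2 1 "Player" STEAM_1:0:12345 00:34 52 0 active 196608 203.0.113.5:27005
#  3 2 "Bot" BOT active'

# (1) Count "rejecting A.B.C.D:PORT" lines per source port, busiest first.
# One port dominating (e.g. 28960) points at reflection, not a spoofed flood.
triage_ratelimit_log() {
    grep -o 'rejecting [0-9.]*:[0-9]*' \
    | awk -F: '{ n[$2]++ } END { for (p in n) print p, n[p] }' \
    | sort -k2,2nr
}

# (2) Emit "ipset add <set> <ip> -exist" for every player line whose last
# field is an IPv4:port pair; bots and headers produce nothing.
whitelist_from_status() {
    set_name="${1:-srcds_players}"
    awk -v s="$set_name" '
        /^#[ ]*[0-9]+/ && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
            split($NF, a, ":"); print "ipset add " s " " a[1] " -exist"
        }'
}

# (3) Rule set for one game port. Connectionless Source packets (A2S queries,
# challenge and connect requests) all start with ff ff ff ff; from non-whitelisted
# sources they are admitted at John's ~1000/s in aggregate and dropped above that.
gen_rules() {
    port="$1"; set_name="${2:-srcds_players}"; rate="${3:-1000/second}"
    cat <<EOF
ipset create $set_name hash:ip -exist
iptables -N SRCDS_IN 2>/dev/null || iptables -F SRCDS_IN
iptables -D INPUT -p udp --dport $port -j SRCDS_IN 2>/dev/null
iptables -I INPUT -p udp --dport $port -j SRCDS_IN
# known players bypass every limit below
iptables -A SRCDS_IN -m set --match-set $set_name src -j ACCEPT
# reflected CoD query replies: match the payload, not only source port 28960
iptables -A SRCDS_IN -m string --algo bm --string "statusResponse" -j DROP
# connectionless packets from everyone else: $rate in total, then drop
iptables -A SRCDS_IN -m string --algo bm --hex-string "|ffffffff|" --from 28 --to 32 -m hashlimit --hashlimit-name srcds_cl --hashlimit-mode dstport --hashlimit-upto $rate --hashlimit-burst 1000 -j ACCEPT
iptables -A SRCDS_IN -m string --algo bm --hex-string "|ffffffff|" --from 28 --to 32 -j DROP
# in-session netchan traffic is left to the game
iptables -A SRCDS_IN -j RETURN
EOF
}

# Demo on the samples above; prints only, applies nothing.
printf '%s\n' "$SAMPLE_LOG" | triage_ratelimit_log
printf '%s\n' "$SAMPLE_STATUS" | whitelist_from_status
gen_rules 27115
```

    The whitelist is only as fresh as the last run of whitelist_from_status, so it belongs in a cron job or rcon loop that feeds `status` into it every minute or so; the string match on "statusResponse" is the "more thorough filter" John mentions and keeps working if the reflectors ever move off port 28960.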

    --001a1142f5c2e072a1054b6d62b8
    Content-Type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable

    <div dir=ltr>Cool, thanks!!<div><br></div><div>Should i install this on the same server as Game server or another smaller server?</div></div><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 23:13 GMT+01:00 / UGC- Gaming.net / <span dir=ltr>&lt;<a href=mailto:dedimarknet@gmail.com target=_blank>dedimarknet@gmail.com</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr><a href=https://github.com/pavel-odintsov/fastnetmon target=_blank>https://github.com/pavel-<wbr>odintsov/fastnetmon</a><br><div><br></div><div><table class=m_-5574284152896107887gmail-highlight m_-5574284152896107887gmail-tab-size m_-5574284152896107887gmail-js-file-line-container style=box-sizing:border-box;border-collapse:collapse;color:rgb(36,41,46);font-family:-apple-system,blinkmacsystemfont,&quot;segoe ui&quot;,helvetica,arial,sans-serif,&quot;apple color emoji&quot;,&quot;segoe ui emoji&quot;,&quot;segoe ui symbol&quot;;font-size:14px><tbody style=box-sizing:border-box><tr style=box-sizing:border-box><td id=m_-5574284152896107887gmail-LC180 class=m_-5574284152896107887gmail-blob-code m_-5574284152896107887gmail-blob-code-inner m_-5574284152896107887gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre-wrap># collect a full dump of the attack with full payload in pcap compatible format</td></tr><tr style=box-sizing:border-box><td id=m_-5574284152896107887gmail-L181 class=m_-5574284152896107887gmail-blob-num m_-5574284152896107887gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation 
mono&quot;,menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(27,31,35,0.298039);text-align:right;white-space:nowrap;vertical-align:top></td><td id=m_-5574284152896107887gmail-LC181 class=m_-5574284152896107887gmail-blob-code m_-5574284152896107887gmail-blob-code-inner m_-5574284152896107887gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre-wrap>collect_attack_pcap_dumps = on</td></tr><tr style=box-sizing:border-box><td id=m_-5574284152896107887gmail-L182 class=m_-5574284152896107887gmail-blob-num m_-5574284152896107887gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(27,31,35,0.298039);text-align:right;white-space:nowrap;vertical-align:top></td><td id=m_-5574284152896107887gmail-LC182 class=m_-5574284152896107887gmail-blob-code m_-5574284152896107887gmail-blob-code-inner m_-5574284152896107887gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre-wrap>
    </td></tr><tr style=box-sizing:border-box><td id=m_-5574284152896107887gmail-L183 class=m_-5574284152896107887gmail-blob-num m_-5574284152896107887gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(27,31,35,0.298039);text-align:right;white-space:nowrap;vertical-align:top></td><td id=m_-5574284152896107887gmail-LC183 class=m_-5574284152896107887gmail-blob-code m_-5574284152896107887gmail-blob-code-inner m_-5574284152896107887gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre-wrap># Execute Deep Packet Inspection on captured PCAP packets</td></tr><tr style=box-sizing:border-box><td id=m_-5574284152896107887gmail-L184 class=m_-5574284152896107887gmail-blob-num m_-5574284152896107887gmail-js-line-number style=box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(27,31,35,0.298039);text-align:right;white-space:nowrap;vertical-align:top></td><td id=m_-5574284152896107887gmail-LC184 class=m_-5574284152896107887gmail-blob-code m_-5574284152896107887gmail-blob-code-inner m_-5574284152896107887gmail-js-file-line style=box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:sfmono-regular,consolas,&quot;liberation mono&quot;,menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre-wrap>process_pcap_attack_dumps_<wbr>with_dpi = on</td></tr></tbody></table></div></div><div class=HOEnZb><div class=h5><div class=gmail_extra><br><div class=gmail_quote>On Fri, Mar 24, 2017 at 12:08 AM, Mathias <span 
dir=ltr>&lt;<a href=mailto:uartigzone3@gmail.com target=_blank>uartigzone3@gmail.com</a>&gt;</span> wrote:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>Thanks. How does <span style=font-size:12.8px>tcpdump work? And setup? :)</span></div><div class=m_-5574284152896107887HOEnZb><div class=m_-5574284152896107887h5><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 22:59 GMT+01:00 / UGC- Gaming.net / <span dir=ltr>&lt;<a href=mailto:dedimarknet@gmail.com target=_blank>dedimarknet@gmail.com</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>tcpdump needed :)</div><div class=m_-5574284152896107887m_-1601959679928067772HOEnZb><div class=m_-5574284152896107887m_-1601959679928067772h5><div class=gmail_extra><br><div class=gmail_quote>On Thu, Mar 23, 2017 at 11:54 PM, Mathias <span dir=ltr>&lt;<a href=mailto:uartigzone3@gmail.com target=_blank>uartigzone3@gmail.com</a>&gt;</span> wrote:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>How Marco? CSGO Cvar? Iptables?</div><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032HOEnZb><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032h5><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 22:53 GMT+01:00 Mathias <span dir=ltr>&lt;<a href=mailto:uartigzone3@gmail.com target=_blank>uartigzone3@gmail.com</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><div dir=ltr>Thanks for this awesome help John! This kind of &quot;Attack&quot; have been attacking me for days without stopping.<div><br></div><div>So i block the port everytime they attack on new port? And what if they attack on the port directly? There must be a kind of filter possible on Linux with Iptables. 
Anything i can tell me datacenter to fix this attack permanent?</div><div><br></div><div><br></div></div><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419HOEnZb><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419h5><div class=gmail_extra><br><div class=gmail_quote>2017-03-23 22:44 GMT+01:00 John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.ne<wbr>t</a>&gt;</span>:<br><blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    &nbsp;
    &nbsp;
    &nbsp;
    <div bgcolor=#FFFFFF text=#000000>
    <div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419m_4283724209866454822m_-215066809999191040moz-cite-prefix>If you&#39;re seeing packets from port
    28960, you&#39;re most likely seeing a reflected query DDoS that is
    coming from CoDx servers (you can tell for certain by looking at
    the contents of captured packets -- look for the string
    &#39;statusResponse&#39;) -- not a direct query/connection flood, and
    likely not spoofed. You can safely block traffic from port 28960,
    or do a more thorough filter to block that traffic. This is an
    example rule to just block the port.<br>
    <br>
    iptables -I INPUT -p udp --sport 28960 -j DROP<span class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419m_4283724209866454822HOEnZb><font color=#888888><br>
    <br>
    -John</font></span><div><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419m_4283724209866454822h5><br>
    <br>
    On 3/23/2017 2:33 PM, Mathias wrote:<br>
    </div></div></div><div><div class=m_-5574284152896107887m_-1601959679928067772m_1546239057763388032m_-197710433038253419m_4283724209866454822h5>
    <blockquote type=cite>
    <div dir=ltr>Thanks John.
    <div><br>
    </div>
    <div>Could you guide/send me the Iptables?<br>
     <br>
    My server is on port 27115 and the attack comes in on port
    28960 - But it wont work block the port (Have tried)</div>
    <div><span style=background-color:rgb(0,0,0)><br>
    </span></div>
    <div><span style=background-color:rgb(0,0,0)>&quot;<span>IP rate limit sustained
    79085 distributed packets at 2636.2 pps (1246 buckets).</span></span></div>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting <a href=http://8.59.18.221:28960 target=_blank>8.59.18.221:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting <a href=http://154.112.126.3:28960 target=_blank>154.112.126.3:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting <a href=http://84.3.222.161:28960 target=_blank>84.3.222.161:28960</a>.</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).</span></pre>
    <pre style=font-family:&quot;lucida console&quot;;font-size:13px;color:rgb(255,255,255);margin-top:0px;margin-bottom:0px><span style=background-color:rgb(0,0,0)>IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting <a href=http://88.131.51.148:28960 target=_blank>88.131.51.148:28960</a>.&quot;</span></pre>
    </div>
    <div class=gmail_extra><br>
    <div class=gmail_quote>2017-03-23 22:27 GMT+01:00 John <span dir=ltr>&lt;<a href=mailto:lists.valve@nuclearfallout.net target=_blank>lists.valve@nuclearfallout.ne<wbr>t</a>&gt;</span>:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex><span>On 3/23/2017 1:34 PM, Mathias wrote:<br>
    <blockquote class=gmail_quote style=margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex>
    My server&#39;s getting flood with VSE DDoS Attack. My
    server have DDoS Protection but it wont take it. any
    other DDoS Attack does it takes so what can i do? i&#39;m on
    Linux Ubuntu 16.04.<br>
    <br>
    Here is server logs - <a href=http://pastebin.com/Q2dbcEMt rel=noreferrer target=_blank>http://pastebin.com/Q2dbcEMt</a><br>
    <br>
    I also got how the script works (VSE DDoS Attack) -
    Found on a forum via Google<br>
    <br>
    Any idea to stop it with Iptables? Packet limit?<br>
    </blockquote>
    <br>
    </span>
    The term &quot;VSE&quot; (&quot;Valve Source Exploit&quot;) that the attackers
    like to use is a misnomer because there isn&#39;t an exploit
    involved. These attacks just flood a server with spoofed
    queries and/or connection attempts from random sources, and
    Source can&#39;t handle the volume.<br>
    <br>
    Currently the most effective general-purpose way to deal
    with these is to whitelist real player IPs and rate-limit
    queries and connection attempts from all other sources (down
    to around 1000/s). This can be done with iptables using a
    combination of the ipset, hashlimit, and bpf/u32/string
    modules.<br>
    <br>
    Ideally, the game would be redesigned to using TCP for
    queries and the very first part of the connection,
    offloading the first-contact tasks to the OS, which has
    established methods for combating high-rate spoofed TCP SYN
    floods. Internally, it could then straight drop all UDP
    packets that don&#39;t correspond to a currently connected
    player.<br>
    <br>
    -John<br>
    <br>
    ______________________________<wbr>_________________<br>
    Csgo_servers mailing list<br>
    <a href=mailto:Csgo_servers@.com target=_blank>Csgo_servers@list.valvesoftwar<wbr>e.com</a><br>
    <a href=https://.com///listinfo/csgo_servers rel=noreferrer target=_blank>https://.com<wbr>///listinfo/csgo<wbr>_servers</a></blockquote>
    </div>
    <br>
    </div>
    <br>
    </blockquote>
    <br>
    </div></div></div>

    </blockquote></div></div>
    </div></div></blockquote></div></div>
    </div></div></blockquote></div></div>
    </div></div></blockquote></div></div>
    </div></div></blockquote></div></div>
    </div></div></blockquote></div></div>



     
  11. John

    John Guest


    You'll have to respond to each type of attack separately. There are
    hundreds of types of attacks that can be used, and some can't be
    filtered without also blocking legitimate traffic.

    Your specific type of reflection attack is one of the easiest types to
    block, since you can even do a simple port-based filter and get all of
    it, with only a very small number of false-positives. There's no need to
    have your upstream filter it for you on their end unless you are seeing
    enough traffic to flood out your network adapter (check your bandwidth
    graph to see if that's the case).

    Marco is mistaken; you shouldn't use a rate-limit for this type of
    attack, because you don't need any of it to get through. Rate-limits are
    only needed when there's a reasonable chance of false positives with the
    filter, in order to eliminate collateral damage when an attack is not in
    progress.

    You don't need any special tool to get a packet capture with tcpdump,
    and you shouldn't try to send us a pcap file. Just run it directly.
    Capture 10 packets from your current attack with this, for instance:

    tcpdump -nvXp -c 10 udp and src port 28960

    A good GSP will have a mitigation system to block attacks like this one
    out-of-the-box upstream, and they should provide tools for capturing
    and/or filtering traffic through their control panel. Good GSPs also
    have extensive experience with mitigating many other types of attacks.
    If you haven't already spoken to your host, I recommend opening a ticket
    with them.

    -John

    On 3/23/2017 2:53 PM, Mathias wrote:
    > Thanks for this awesome help John! This kind of attack has been
    > attacking me for days without stopping.
    >
    > So I block the port every time they attack on a new port? And what if
    > they attack on the port directly? There must be a kind of filter
    > possible on Linux with Iptables. Anything I can tell my datacenter to
    > fix this attack permanently?
    >
    >
    >
    > 2017-03-23 22:44 GMT+01:00 John <lists.valve@nuclearfallout.net
    > <mailto:lists.valve@nuclearfallout.net>>:
    >
    > If you're seeing packets from port 28960, you're most likely
    > seeing a reflected query DDoS that is coming from CoDx servers
    > (you can tell for certain by looking at the contents of captured
    > packets -- look for the string statusResponse) -- not a direct
    > query/connection flood, and likely not spoofed. You can safely
    > block traffic from port 28960, or do a more thorough filter to
    > block that traffic. This is an example rule to just block the port.
    >
    > iptables -I INPUT -p udp --sport 28960 -j DROP
    >
    > -John
    >
    >
    > On 3/23/2017 2:33 PM, Mathias wrote:
    >> Thanks John.
    >>
    >> Could you guide/send me the Iptables?
    >>
    >> My server is on port 27115 and the attack comes in on port 28960
    >> - But blocking the port won't work (Have tried)
    >>
    >> IP rate limit sustained 79085 distributed packets at 2636.2 pps
    >> (1246 buckets).
    >> IP rate limit under distributed packet load (1205 buckets, 15001
    >> global count), rejecting 8.59.18.221:28960
    >> <http://8.59.18.221:28960>.
    >> IP rate limit sustained 78411 distributed packets at 2613.7 pps
    >> (943 buckets).
    >> IP rate limit under distributed packet load (1210 buckets, 15001
    >> global count), rejecting 154.112.126.3:28960
    >> <http://154.112.126.3:28960>.
    >> IP rate limit sustained 104375 distributed packets at 3479.2 pps
    >> (968 buckets).
    >> IP rate limit under distributed packet load (1152 buckets, 15001
    >> global count), rejecting 84.3.222.161:28960
    >> <http://84.3.222.161:28960>.
    >> IP rate limit sustained 78941 distributed packets at 2631.4 pps
    >> (795 buckets).
    >> IP rate limit under distributed packet load (1176 buckets, 16663
    >> global count), rejecting 88.131.51.148:28960
    >> <http://88.131.51.148:28960>.
    >>
    >> 2017-03-23 22:27 GMT+01:00 John <lists.valve@nuclearfallout.net
    >> <mailto:lists.valve@nuclearfallout.net>>:
    >>
    >> On 3/23/2017 1:34 PM, Mathias wrote:
    >>
    >> My server's getting flooded with a VSE DDoS attack. My server
    >> has DDoS Protection but it won't take it. Any other DDoS
    >> attack it takes, so what can I do? I'm on Linux
    >> Ubuntu 16.04.
    >>
    >> Here is server logs - http://pastebin.com/Q2dbcEMt
    >>
    >> I also got how the script works (VSE DDoS Attack) - Found
    >> on a forum via Google
    >>
    >> Any idea to stop it with Iptables? Packet limit?
    >>
    >>
    >> The term VSE (Valve Source Exploit) that the attackers
    >> like to use is a misnomer because there isn't an exploit
    >> involved. These attacks just flood a server with spoofed
    >> queries and/or connection attempts from random sources, and
    >> Source can't handle the volume.
    >>
    >> Currently the most effective general-purpose way to deal with
    >> these is to whitelist real player IPs and rate-limit queries
    >> and connection attempts from all other sources (down to
    >> around 1000/s). This can be done with iptables using a
    >> combination of the ipset, hashlimit, and bpf/u32/string modules.
    >>
    >> Ideally, the game would be redesigned to use TCP for
    >> queries and the very first part of the connection, offloading
    >> the first-contact tasks to the OS, which has established
    >> methods for combating high-rate spoofed TCP SYN floods.
    >> Internally, it could then straight drop all UDP packets that
    >> don't correspond to a currently connected player.
    >>
    >> -John
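As an added example (not code from the thread or from John), the following Python script reads the "rejecting a.b.c.d:port" lines from the Source server log quoted above and checks whether the rejected peers all share one remote source port, which is the condition under which the plain port-drop rule John gives catches everything; when the source ports are spread out, the whitelist-plus-rate-limit approach from his first reply is the one that applies. The second log and the 0.9 dominance threshold are constructed assumptions.

```python
import re
from collections import Counter

# Lines copied from the Source server log quoted earlier in this thread.
REFLECTION_LOG = """\
IP rate limit sustained 79085 distributed packets at 2636.2 pps (1246 buckets).
IP rate limit under distributed packet load (1205 buckets, 15001 global count), rejecting 8.59.18.221:28960.
IP rate limit sustained 78411 distributed packets at 2613.7 pps (943 buckets).
IP rate limit under distributed packet load (1210 buckets, 15001 global count), rejecting 154.112.126.3:28960.
IP rate limit sustained 104375 distributed packets at 3479.2 pps (968 buckets).
IP rate limit under distributed packet load (1152 buckets, 15001 global count), rejecting 84.3.222.161:28960.
IP rate limit sustained 78941 distributed packets at 2631.4 pps (795 buckets).
IP rate limit under distributed packet load (1176 buckets, 16663 global count), rejecting 88.131.51.148:28960.
"""

# Constructed contrast case (not from the thread): rejected peers using
# random source ports, which is what a direct spoofed query flood looks like.
DIRECT_FLOOD_LOG = """\
IP rate limit under distributed packet load (1300 buckets, 15001 global count), rejecting 203.0.113.7:51234.
IP rate limit under distributed packet load (1302 buckets, 15001 global count), rejecting 198.51.100.9:3381.
IP rate limit under distributed packet load (1299 buckets, 15001 global count), rejecting 192.0.2.44:61002.
IP rate limit under distributed packet load (1305 buckets, 15001 global count), rejecting 203.0.113.120:27005.
"""

REJECT_RE = re.compile(r"rejecting (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
PPS_RE = re.compile(r"at ([0-9.]+) pps")


def rejected_peers(log_text):
    """Extract (ip, source_port) pairs from 'rejecting a.b.c.d:port' lines."""
    matches = (REJECT_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in matches if m]


def peak_pps(log_text):
    """Highest sustained packet rate the server reported (0.0 if none logged)."""
    return max((float(m.group(1)) for m in PPS_RE.finditer(log_text)), default=0.0)


def source_port_profile(log_text):
    """Count how many rejected peers used each remote source port."""
    return Counter(port for _, port in rejected_peers(log_text))


def recommend_filter(log_text, dominance=0.9):
    """Choose between the two mitigations described in the thread.

    If nearly every rejected peer shares one source port, the traffic is
    reflected off servers listening on that port and a port-based drop
    catches all of it. Otherwise the sources are spread out and only a
    whitelist of real players plus a rate limit on everyone else applies.
    """
    profile = source_port_profile(log_text)
    total = sum(profile.values())
    if total == 0:
        return {"kind": "no-data", "sport": None, "rule": None}
    port, count = profile.most_common(1)[0]
    if count / total >= dominance:
        return {"kind": "port-drop", "sport": port,
                "rule": f"iptables -I INPUT -p udp --sport {port} -j DROP"}
    return {"kind": "whitelist-and-rate-limit", "sport": None,
            "rule": None, "ports_seen": len(profile)}


if __name__ == "__main__":
    for name, log in (("reflection", REFLECTION_LOG), ("direct", DIRECT_FLOOD_LOG)):
        print(name, f"peak {peak_pps(log):.1f} pps", recommend_filter(log))
```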



     
