• Weird Attack
    47 replies, posted
Alright so I've been getting what seems to be some kind of attack today, it's never happened before. I've been DDoSed plenty of times, and it's usually easy enough to block or figure out a pattern with the packets, and it never spams this NET_GetLong shit in the console. This only happens for a few seconds, and the server crashes almost instantly. I've searched around, and I can't find any type of definite solution. Here's a screen of the console right before a crash. [IMG]http://gyazo.com/3ec6be3ba50a5f68054761ee0031f98d.png[/IMG] Any ideas of what I can do?
Windows? Either way, run [url=http://www.wireshark.org/download.html]Wireshark[/url] when an attack is happening so we can see what's being received.
And if the attack is going on for just a few seconds every 30 minutes or so, you can set up Wireshark to save to separate files. I often make it save every 60 seconds to a separate file, as up to 10k packets a second of legit traffic certainly adds up if you're waiting 30-60 minutes for an attack.
I'm just sayin' that DDoSing/"cyberattacks" are illegal, and if it continues you can call the operator/police about this. I once got DDoSed every 45 minutes, so I called the operator; they tracked down the guy who DDoSed me and contacted the police, and he had to pay $2000 under the Computer Fraud and Abuse Act.
[QUOTE=Sh4rpSh00tah;39780833]I'm just sayin' that DDoSing/"cyberattacks" are illegal, and if it continues you can call the operator/police about this. I once got DDoSed every 45 minutes, so I called the operator; they tracked down the guy who DDoSed me and contacted the police, and he had to pay $2000 under the Computer Fraud and Abuse Act.[/QUOTE] I find this unlikely to happen. Although it's indeed illegal, every clever person will use a proxy or something. Even if they came to knock on his door, he could still say it was his friend/brother/sister/grandma/whoever, and they couldn't prove him guilty.
[QUOTE=khuba;39781437]I find this unlikely to happen. Although it's indeed illegal, every clever person will use a proxy or something. Even if they came to knock on his door, he could still say it was his friend/brother/sister/grandma/whoever, and they couldn't prove him guilty.[/QUOTE] haha yeah. You're right.
[QUOTE=khuba;39781437]I find this unlikely to happen. Although it's indeed illegal, every clever person will use a proxy or something. Even if they came to knock on his door, he could still say it was his friend/brother/sister/grandma/whoever, and they couldn't prove him guilty.[/QUOTE] Whose grandma is capable of DDoSing someone when they can't even send an e-mail?
[QUOTE=Fleskhjerta;39786370]Whose grandma is capable of DDoSing someone when they can't even send an e-mail?[/QUOTE] You have no idea.
[QUOTE=Fleskhjerta;39786370]Whose grandma is capable of DDoSing someone when they can't even send an e-mail?[/QUOTE] I still don't know how to send e-mails.
[QUOTE=Sh4rpSh00tah;39780833]I'm just sayin' that DDoSing/"cyberattacks" are illegal, and if it continues you can call the operator/police about this. I once got DDoSed every 45 minutes, so I called the operator; they tracked down the guy who DDoSed me and contacted the police, and he had to pay $2000 under the Computer Fraud and Abuse Act.[/QUOTE] The attack is reflected, so the only way you're going to find the user responsible is if he openly admits to it, and even then the chances of getting anything done about it are extremely low. Now, for the actual issue, try setting net_splitpacket_maxrate higher. All the sizes that are coming in on your screenshot are 8293; the maximum is 1048576. [code]net_splitpacket_maxrate "net_splitpacket_maxrate" = "1048576" min. 1000.000000 max. 1048576.000000 - Max bytes per second when queueing splitpacket chunks[/code]
Also suffering from this attack atm, 2/8 servers are being attacked by it. Luckily it doesn't choke my whole connection, so the other servers stay online. Attempting to block the IPs one by one via Windows Firewall isn't really helping. Did anyone find any sort of solution?
Same here at ZARP. It seems like all big GMod servers are getting attacked.
[QUOTE=munch;39820448]Also suffering from this attack atm, 2/8 servers are being attacked by it. Luckily it doesn't choke my whole connection, so the other servers stay online. Attempting to block the IPs one by one via Windows Firewall isn't really helping. Did anyone find any sort of solution?[/QUOTE] [QUOTE=quentuz;39821048]Same here at ZARP. It seems like all big GMod servers are getting attacked.[/QUOTE] [url]http://facepunch.com/showthread.php?t=1251000&p=39787880&viewfull=1#post39787880[/url]
[QUOTE=rokrox;39787880]The attack is reflected, so the only way you're going to find the user responsible is if he openly admits to it, and even then the chances of getting anything done about it are extremely low. Now, for the actual issue, try setting net_splitpacket_maxrate higher. All the sizes that are coming in on your screenshot are 8293; the maximum is 1048576. [code]net_splitpacket_maxrate "net_splitpacket_maxrate" = "1048576" min. 1000.000000 max. 1048576.000000 - Max bytes per second when queueing splitpacket chunks[/code][/QUOTE] Had it at 100k, and it didn't seem to help. Really odd: one of my RP servers would crash because of it, while the other seemed to sustain it completely. The packets were just stacked TSource Engine queries, and they were all 165 bytes.
See, this is why I use NFO as they already block this type of stuff :)
Getting this problem too, net_splitpacket_maxrate doesn't seem to be fixing it. Keeps knocking my server down as well.
[QUOTE=erie1555;39835841]Getting this problem too, net_splitpacket_maxrate doesn't seem to be fixing it. Keeps knocking my server down as well.[/QUOTE] While this helps, the SRCDS app is still getting the packets and deciding how to deal with them; it's never been great at this, sadly, and will always be extremely easy to crash using floods. The only way to stop it crashing your server is to limit the packets using some form of firewall. On Linux it's fairly simple, but on Windows trying to find a DPI firewall that can actually match query packets and rate-limit them is nearly impossible.
[QUOTE=Pantho;39834373]See, this is why I use NFO as they already block this type of stuff :)[/QUOTE] Well we do use NFO lol :P
[QUOTE=Hergs;39838418]Well we do use NFO lol :P[/QUOTE] Well, you've not mentioned you've been attacked in this thread, so? Anyway, before I start on a quick explanation of how to block this attack at NFO, I'd like to say THIS is why I love NFO and would pick them over any current host. I'm unaware of any other host that has these features. So you're with NFO and have been suffering these stupid scripts? Well, the awesome thing about being with NFO is you can use the extremely easy-to-use control panel to capture incoming traffic before it gets to your machine; using that data you can make a firewall rule to help mitigate these attacks. If you don't have the rudimentary knowledge of packet structure needed to do this, then NFO help and support would do it for you; you simply need to make a ticket. They will try to capture some traffic and find the attack, but to help them you need to click this button during the attack and then make a support ticket. It makes life simpler, as they can just study the already captured packets, make a quick rule, and boom, fixed. [IMG]http://bybservers.co.uk/sharex/pantho/2013-03-08_12-34-03.png[/IMG] [B] So, how do I block THIS 'Weird Attack' from my NFO server?[/B] [I]This is completely assuming you're running from a virtual dedicated; I know standard game servers can do this, but the interface might look slightly different. [/I] Although I'm pretty sure you are receiving source query floods: not a new attack, and one that can never really be solved if the attack is done properly. You can't really distinguish between a valid incoming query and a malicious query. However, this simple firewall rule can stop the servers crashing during the attack; the downside is players will have extreme difficulty seeing the server online or joining during the attack. However, everyone currently on the server won't even notice the attack, and the second it's over people can rejoin.
Luckily for you, NFO already have a bunch of preset rules for you to apply that block most of the scripts that kids buy from hackforums these days, including this one. So, go to your NFO control panel, select "Firewall Beta", then on Rule click the dropdown menu, select this rule and hit "Submit filter changes". Finito. [IMG]http://bybservers.co.uk/sharex/pantho/2013-03-08_12-37-40.png[/IMG] If for some reason you are running outside of ports 27015-27030 on a managed dedicated or VDS, then the firewall rule can be manually recreated in their control panel and looks exactly like so: [IMG]http://bybservers.co.uk/sharex/pantho/2013-03-08_12-28-48.png[/IMG] If for some insanely stupid reason you cannot follow these simple instructions, just open up an NFO support ticket and say: "Hi, My server has been flooded by source query packets. Could you please limit them as I'm not sure how to use the firewall interface. Regards Silly Sally."
Great info, thanks, but that's for the shared or VPS; for those like us being hit daily with this stupidness on a dedi, NFO does not give you that option. They plan on it, I hear, but not yet. I have set my own rules in firewalls for now, but we still get it. Also, a little help from a plugin slows it down.
[QUOTE=paulqy;39844024]Great info, thanks, but that's for the shared or VPS; for those like us being hit daily with this stupidness on a dedi, NFO does not give you that option. They plan on it, I hear, but not yet. I have set my own rules in firewalls for now, but we still get it. Also, a little help from a plugin slows it down.[/QUOTE] Yeah, their VPS systems are dedicated CPU cores though, so not much performance difference from a dedi. I believe if you go managed dedicated with them the firewall options are available, but you don't get host access.
[QUOTE=Pantho;39842237]Well, you've not mentioned you've been attacked in this thread, so?[/QUOTE] Me and Hemirox are talking about the same server, sorry for not clearing that up :I Thanks for the help though!
Is anyone else still experiencing this?
[QUOTE=erie1555;39861057]Is anyone else still experiencing this?[/QUOTE] Yes :(
[QUOTE=Hergs;39861976]Yes :([/QUOTE] Did you try setting net_splitpacket_maxrate to the maximum value? This is an issue with srcds, but Valve acknowledged the issue around 2010 and attempted to fix it. But setting the maximum value for the size should drop the invalid packets.
Someone should make a Wireshark capture of this attack. Wireshark has an option that allows you to capture traffic in a ring buffer, which basically means that it can use two files to capture only the most recent X minutes or most recent X MB of traffic. [thumb]http://i.imgur.com/NavL2EW.png[/thumb] Anyone who seems to be hit frequently by these attacks should set up Wireshark to capture in a ring buffer with a 5 minute or 100MB limit, and simply let it capture. Because a ring buffer only captures the most recent minutes or MBs of traffic, you won't fill up your RAM or hard disk. Then once you get hit by this 'weird' attack, you wait a few seconds so Wireshark can capture it and then you turn off Wireshark. After that you have to filter out the non-attack traffic (for security's sake; it could also have captured insecure FTP logins, for example) and post the .pcap files here so we can observe the attack. If you can't figure out how to do this, PM me the whole capture so I can remove sensitive traffic for you before we publicize the capture.
[QUOTE=maurits150;39864256]Someone should make a Wireshark capture of this attack. Wireshark has an option that allows you to capture traffic in a ring buffer, which basically means that it can use two files to capture only the most recent X minutes or most recent X MB of traffic. [thumb]http://i.imgur.com/NavL2EW.png[/thumb] Anyone who seems to be hit frequently by these attacks should set up Wireshark to capture in a ring buffer with a 5 minute or 100MB limit, and simply let it capture. Because a ring buffer only captures the most recent minutes or MBs of traffic, you won't fill up your RAM or hard disk. Then once you get hit by this 'weird' attack, you wait a few seconds so Wireshark can capture it and then you turn off Wireshark. After that you have to filter out the non-attack traffic (for security's sake; it could also have captured insecure FTP logins, for example) and post the .pcap files here so we can observe the attack. If you can't figure out how to do this, PM me the whole capture so I can remove sensitive traffic for you before we publicize the capture.[/QUOTE] I thought they were just flooding fake queries? By which I mean, if it's done properly there isn't a way to distinguish them from real queries.
[QUOTE=Pantho;39864640]I thought they where just flooding fake queries? By which I mean if it's done properly there isn't a way to distinguish from real queries.[/QUOTE] Fake queries don't have packet sizes of over 8000 bytes? Unless I'm not getting the error message. [quote]NET_GetLong: Split packet from 129.204.249.137:60663 with invalid split size (number 99/ count 114) where [b]size 8293[/b] is out of valid range [564 - 1248][/quote]
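Added example, not from this thread or from the engine's own code: a small Python triage script that parses the NET_GetLong console line quoted above and aggregates the hits per source address, so you can tell one broken client from a flood arriving from many spoofed sources. The sample console lines are constructed (documentation IP ranges), not captures from the thread.

```python
import re
from collections import Counter, defaultdict

# Pattern for the NET_GetLong console line as quoted in this thread.
LINE_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>[\d.]+):(?P<port>\d+) with invalid "
    r"split size \(number (?P<number>\d+)/ count (?P<count>\d+)\) where size "
    r"(?P<size>\d+) is out of valid range \[(?P<lo>\d+) - (?P<hi>\d+)\]"
)

# Constructed sample console output (documentation IP ranges, not real captures);
# the last line shows a size below the valid range rather than above it.
SAMPLE_LINES = [
    "NET_GetLong: Split packet from 192.0.2.10:60663 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248]",
    "NET_GetLong: Split packet from 192.0.2.10:60664 with invalid split size (number 12/ count 114) where size 8293 is out of valid range [564 - 1248]",
    "NET_GetLong: Split packet from 198.51.100.7:4120 with invalid split size (number 3/ count 114) where size 8293 is out of valid range [564 - 1248]",
    'Client "Player" connected (203.0.113.5:27005).',
    "NET_GetLong: Split packet from 203.0.113.5:27005 with invalid split size (number 1/ count 2) where size 200 is out of valid range [564 - 1248]",
]

def parse_line(line):
    """Return the fields of one NET_GetLong error line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "number", "count", "size", "lo", "hi"):
        rec[key] = int(rec[key])
    # Bytes the engine would have to queue if it trusted the header: every
    # chunk of the claimed count at the claimed (bogus) size.
    rec["implied_total"] = rec["count"] * rec["size"]
    return rec

def summarize(lines):
    """Aggregate invalid-split-size errors by source address.

    Many distinct sources all advertising the same bogus size is the profile of
    a spoofed or reflected flood rather than one broken client, which is why
    blocking addresses one at a time gains little; the size is the stable feature."""
    hits, sizes = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits[rec["ip"]] += 1
            sizes[rec["ip"]].add(rec["size"])
    common = Counter(s for ss in sizes.values() for s in ss).most_common(1)
    return {
        "sources": len(hits),
        "hits": dict(hits),
        "sizes": {ip: sorted(s) for ip, s in sizes.items()},
        "dominant_size": common[0][0] if common else None,
    }
```

Feed it the console log (or a Wireshark export of the engine's messages) with `summarize(open("console.log").read().splitlines())`; a large `sources` count with one `dominant_size` points at a spoofed flood rather than a single misbehaving client.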
Has anyone captured any packets during the attack?
We've tried blocking the IPs, but they keep changing. We even switched our own IP, but this keeps happening :/. There doesn't seem to be a fix yet.