Hello everybody, I am just letting everyone know about this ongoing problem. This isn't anything new, however it could definitely cause problems. Anyways, I have recently been hit with 3677 IPs that all sent split packets to all IPs on one of my nodes. I made a list here so if needed anybody else can blacklist these.
[URL="http://pastebin.com/sn1kvSAv"]http://pastebin.com/sn1kvSAv[/URL]
Hope we can all block these together and all save headaches.
When they attacked me, the port numbers started from 60000 and went up. I don't think I saw any repeating IPs, however.
Same on my end
Why are you allowing traffic on port 60k and above?
The source ports of the IPs are at 60k. Regardless, they are completely random. I have seen them start at 10000 and range up.
This is happening to a mega shit ton of Garry's Mod servers.
well then somebody is having a very fun time trying to take down a lot of different servers
[editline]23rd December 2013[/editline]
If you have any other information regarding this then feel free to post it
I just got hit by this approximately 10 hours ago, exact same attack pattern with ports going up from 60,000 to 65,000.
[url=http://pastebin.com/qvqUsE4j]Here's part of the log.[/url]
Also hit by it, simple to block with iptables or the NFO control panel. The attacks are not too large in size, just SRCDS can't handle the traffic.
Server can be queried and doesn't crash, console still spams though with packets that make it through etc.
[editline]23rd December 2013[/editline]
[QUOTE=ertug20;43278629]Hello everybody, I am just letting everyone know about this ongoing problem. This isn't anything new, however it could definitely cause problems. Anyways, I have recently been hit with 3677 IPs that all sent split packets to all IPs on one of my nodes. I made a list here so if needed anybody else can blacklist these.
[URL]http://pastebin.com/sn1kvSAv[/URL]
Hope we can all block these together and all save headaches.[/QUOTE]
Also, blacklisting the IPs is a VERY bad approach, they're most likely spoofed or redirected.
Packet dump from last night: [url]http://bit.ly/1a3hluo[/url]
For people that are having issues with DoS attacks like this, I'd recommend checking out [url=https://forums.alliedmods.net/showthread.php?t=151551]databomb's suggestions for hardening srcds with iptables[/url]. Or since you will probably never have a legitimate player connect using a port above 60k, you could just drop all of that traffic.
iptables -A INPUT -p udp --sport 60000:65535 --destination-port 27015 -j DROP
[QUOTE=bliptec;43283393]For people that are having issues with DoS attacks like this, I'd recommend checking out [url=https://forums.alliedmods.net/showthread.php?t=151551]databomb's suggestions for hardening srcds with iptables[/url]. Or since you will probably never have a legitimate player connect using a port above 60k, you could just drop all of that traffic.
iptables -A INPUT -p udp --sport 60000:65535 --destination-port 27015 -j DROP[/QUOTE]
Errr, I forget, but the source port range is fairly high. Think it might actually be in that range.
The only problem with that source port block is it isn't limited to 60k and up, they can easily start at 5k and go up and vice versa
What's the point of releasing that list?
They are all spoofed, no way anyone would use that many nodes to attack a gmod server.
My server was hit by this last night too, someone called [URL="http://steamcommunity.com/profiles/76561198079666472"]"Ultra"[/URL] was claiming to do it because I banned him from my server, though he also knocked our dedicated server out for a while, it may be a coincidence but it is the same time everyone else is claiming to have been hit by this attack too.
[QUOTE=ertug20;43284140]The only problem with that source port block is it isn't limited to 60k and up, they can easily start at 5k and go up and vice versa[/QUOTE]
Yea, it's just supposed to be a quick temporary solution that people may want to use while they work on implementing a long-term solution. That single rule will be far more effective and efficient at preventing this specific attack than a blacklist of apparently spoofed IPs. Anyways, when you're dealing with spoofed attacks there's not much that you can do besides rate limiting or creating rules like the one I posted which block apparently malicious packets based on a common signature -- even fancy heuristics based attack mitigation systems do that, just in a more automated way.
This would probably explain why Noxious.net (Zombie Survival specifically) was starting to lag a bit between last night and now. (For multiple people.)
I'd get it if the attacks were directed towards douchenozzles but it's always some buttmad kid paying someone to DDoS for them. I've been lucky so far to not get hit by anything bigger than loic skiddies.
[QUOTE=pkhzor;43284984]I'd get it if the attacks were directed towards douchenozzles but it's always some buttmad kid paying someone to DDoS for them. I've been lucky so far to not get hit by anything bigger than loic skiddies.[/QUOTE]
At this point DDoS'ing is the Internet equivalent of suing people.
(It seems like people will sue over anything now a days...)
Typically with these attacks our DDoS protection system kicks in ~5 minutes into the attack, which in last night's case it did, and stopped a flood attack which initially hit at around ~600Mbps, but the split packet attacks continued against the gmod servers we were running and there was next to nothing we could do about it. So I presume this is some sort of layer 7.
Last night's graph around the initial attack: [url]http://puu.sh/5WeAt/7d6d52cf11.png[/url]
Also, for anyone hosting with vilayer or OVH using their seemingly bulletproof protection system (VAC), it can't protect against this.
[QUOTE=JRODISME;43285097]Typically with these attacks our DDoS protection system kicks in ~5 minutes into the attack, which in last night's case it did, and stopped a flood attack which initially hit at around ~600Mbps, but the split packet attacks continued against the gmod servers we were running and there was next to nothing we could do about it. So I presume this is some sort of layer 7.
Last night's graph around the initial attack: [url]http://puu.sh/5WeAt/7d6d52cf11.png[/url]
Also, for anyone hosting with vilayer or OVH using their seemingly bulletproof protection system (VAC), it can't protect against this.[/QUOTE]
Yes, this is a layer 7 attack. It specifically targets srcds' inability to handle split packets efficiently. You're probably not going to see massive levels of these and should be able to just filter it with your server's firewall. You should really just block everything except complete connection requests and established connections.
[QUOTE=bliptec;43285185]Yes, this is a layer 7 attack. It specifically targets srcds' inability to handle split packets efficiently. You're probably not going to see massive levels of these and should be able to just filter it with your server's firewall. You should really just block everything except complete connection requests and established connections.[/QUOTE]
How would I go about blocking the things?
[QUOTE=Mors Quaedam;43284718]My server was hit by this last night too, someone called [URL="http://steamcommunity.com/profiles/76561198079666472"]"Ultra"[/URL] was claiming to do it because I banned him from my server, though he also knocked our dedicated server out for a while, it may be a coincidence but it is the same time everyone else is claiming to have been hit by this attack too.[/QUOTE]
I know this guy. He used to be one of my propkilling buds. He didn't personally do it however. He has a friend that does it for him whenever he asks. I know that guy as well ha.
Does serversecure 3 still work to block these attacks?
I would like to just tell everyone that my servers also encountered the same issue.
[QUOTE=bliptec;43285185]Yes, this is a layer 7 attack. It specifically targets srcds' inability to handle split packets efficiently. You're probably not going to see massive levels of these and should be able to just filter it with your server's firewall. You should really just block everything except complete connection requests and established connections.[/QUOTE]
I may be wrong, but impossible?
UDP is stateless, how could you only allow completed connection requests? And since it only ever sends 1 packet per IP then ...
Either way as I said this split packet business can be sorted by rate filtering the packet length used for the attacks. Very quick and easy, you'll get some console spam still but it won't crash the server.
An easy solution that I found with this is to simply block any packets with very small length increments. Also, to the regular Garry's Mod server this shouldn't be a very big problem, however if you own a GSP like myself and it is an attack towards all your servers, the CPU usage spikes extremely... This could indeed cause the server or other servers to crash.
[QUOTE=Pantho;43285432]I may be wrong, but impossible?
UDP is stateless, how could you only allow completed connection requests? And since it only ever sends 1 packet per IP then ...[/QUOTE]
If you put quite a bit of effort into the firewall you could get it to only allow certain packets from the IPs that have been authenticated by the server as players :v:
[sp]but yea, I was really thinking of tcp when I said that[/sp]
Indeed you could but if you are new to hosting then that could be a problem.
This is untested but it *should* work assuming I set this up right..
[IMG]http://i.imgur.com/HMkh70r.png[/IMG]
After looking at some random samples of game traffic I found that no clients were ever sending split packets to the server, but I included a 5 pps rule for good measure.
Edit:
If you want to measure how many split packets you're receiving, you can use the filter " udp.dstport==27015 && udp[8:4]==fe:ff:ff:ff " (without quotes) in wireshark.
That might not work because not one ip was reproduced in the whole attack.
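Added example, not code from any poster in this thread: a small offline Python classifier that uses the same split-packet header as the wireshark filter above (fe ff ff ff at the start of the UDP payload) to count split packets per source IP and report the pattern described in the thread, many distinct sources sending one packet each from high source ports, which is why a per-IP rate limit like the 5 pps rule cannot catch it. The sample traffic is constructed, and the thresholds (50 sources, 90% single-shot) are assumptions.

```python
from collections import Counter

# Source engine 4-byte packet headers (little-endian int32), matching the
# wireshark filter above: -2 marks a split packet, -1 a connectionless one.
SPLIT_HEADER = b"\xfe\xff\xff\xff"
CONNECTIONLESS_HEADER = b"\xff\xff\xff\xff"

def classify(payload: bytes) -> str:
    """Name the packet type from the first four bytes of the UDP payload."""
    if payload.startswith(SPLIT_HEADER):
        return "split"
    if payload.startswith(CONNECTIONLESS_HEADER):
        return "connectionless"
    return "other"

def split_flood_summary(packets, high_port=60000):
    """packets: iterable of (src_ip, src_port, payload). Returns counts that
    expose the thread's pattern: many sources, one split packet each,
    high source ports."""
    per_ip = Counter()
    high_port_hits = 0
    for src_ip, src_port, payload in packets:
        if classify(payload) != "split":
            continue
        per_ip[src_ip] += 1
        if src_port >= high_port:
            high_port_hits += 1
    total = sum(per_ip.values())
    return {
        "split_packets": total,
        "distinct_sources": len(per_ip),
        "single_shot_sources": sum(1 for n in per_ip.values() if n == 1),
        "high_port_share": (high_port_hits / total) if total else 0.0,
    }

def looks_spoofed_flood(summary, min_sources=50):
    """Assumed heuristic: when nearly every split-packet source appears only
    once, per-IP limits are useless; rate-limit or length-filter globally."""
    return (summary["distinct_sources"] >= min_sources
            and summary["single_shot_sources"] >= 0.9 * summary["distinct_sources"])

# Constructed sample traffic (not a real capture): 60 spoofed sources each
# sending one 20-byte split packet from a port in 60000-65535, plus one real
# client sending an A2S_INFO query and two ordinary in-game packets.
SAMPLE = [(f"198.51.100.{i}", 60000 + i * 50, SPLIT_HEADER + bytes(16))
          for i in range(60)]
SAMPLE += [("203.0.113.7", 27005, CONNECTIONLESS_HEADER + b"TSource Engine Query\x00"),
           ("203.0.113.7", 27005, b"\x01\x00\x00\x00" + bytes(40)),
           ("203.0.113.7", 27005, b"\x02\x00\x00\x00" + bytes(40))]
```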