Hello.
Recently my community has suffered greatly from split packet attacks aimed at my servers. If you don't understand what I mean by the term, it's basically huge amounts of small packages sent to my servers causing them to crash. This is an example of what the console.log file looks like when an attack occurs:
[CODE]NET_GetLong: Split packet from 180.22.191.204:47610 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 122.82.236.167:37550 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 32.57.38.176:22264 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 188.157.44.179:48752 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 71.88.37.134:28762 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 18.118.169.192:19882 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 44.41.113.241:2503 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 125.48.202.181:37914 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 166.139.99.185:23263 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 195.241.20.200:6390 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 204.156.122.240:7920 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 131.218.230.215:17333 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 83.161.14.219:8975 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 88.180.160.153:53635 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 68.145.30.147:6519 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 170.55.235.200:24043 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 119.234.207.152:15285 with invalid split size (number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ][/CODE]
And so it continues. There is really a massive amount of IPs. My host blocks them through a firewall each time the attacks occur, but somehow the attacker never runs out of IPs and I'm being constantly attacked. Are you familiar with these sorts of attacks and do you know if there's any way to prevent/stop them? Note that split packet attacks are not the same thing as DOS or DDOS attacks.
These attacks are really damaging my community and causing my servers to crash frequently. Any help would be sincerely appreciated.
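Added example, not part of the original posts: a small Python parser for the console.log lines quoted above that tallies events per source address and per (number, count, size) signature, which shows why blocking individual IPs does not keep up. The sample input is constructed using documentation address ranges, the function names are illustrative, and reading `number` as an index expected to be below `count` is an assumption.

```python
import re
from collections import Counter

# Matches the console line format quoted in the post above.
ENTRY = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"with invalid split size \(number (?P<number>\d+)/ count (?P<count>\d+)\) "
    r"where size (?P<size>\d+) is out of valid range \[(?P<lo>\d+) - (?P<hi>\d+) ?\]"
)

def parse_entries(text):
    """One dict per entry; finditer also separates entries fused onto one line."""
    return [
        {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
        for m in ENTRY.finditer(text)
    ]

def summarize(entries):
    """Compare how events spread over sources versus over packet signatures."""
    per_source = Counter(e["ip"] for e in entries)
    signatures = Counter((e["number"], e["count"], e["size"]) for e in entries)
    top_sig, top_hits = signatures.most_common(1)[0] if signatures else (None, 0)
    return {
        "events": len(entries),
        "unique_sources": len(per_source),
        "max_events_per_source": max(per_source.values(), default=0),
        "dominant_signature": top_sig,
        "dominant_share": top_hits / len(entries) if entries else 0.0,
        # Assumption: number is a fragment index that should be below count.
        "number_ge_count": sum(e["number"] >= e["count"] for e in entries),
    }

# Constructed sample (documentation IP ranges); the first two entries are
# deliberately run together without a newline, as can happen in a pasted log.
LINE = ("NET_GetLong: Split packet from {}:{} with invalid split size "
        "(number 121/ count 116) where size 25955 is out of valid range [564 - 1248 ]")
SAMPLE = (
    LINE.format("192.0.2.10", 47610) + LINE.format("198.51.100.7", 37550) + "\n"
    + LINE.format("203.0.113.99", 22264) + "\n"
    + LINE.format("192.0.2.200", 48752) + "\n"
)

if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE)).items():
        print(f"{key}: {value}")
```

When every source appears once but a single signature covers all events, a per-address block list grows without reducing the traffic, while the signature itself stays constant.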
Ask to be given a different IP address. Shouldn't be a problem. Then report the IPs for abuse.
[QUOTE=FrankPetrov;40083225]Ask to be given a different IP address. Shouldn't be a problem. Then report the IPs for abuse.[/QUOTE]
The attacker has obviously aimed his attacks at my community, since all of my 3 servers are being attacked. If I changed my IP I would just lose players and he would find out about my new IP quickly and start attacking it.
Also, check this out.
[url]http://www.mail-archive.com/hlds_linux@list.valvesoftware.com/msg68306.html[/url]
[QUOTE=FrankPetrov;40083243]Also, check this out.
[url]http://www.mail-archive.com/hlds_linux@list.valvesoftware.com/msg68306.html[/url][/QUOTE]
I'm afraid that it doesn't really bring anything that could restrain the attacks to the table.
Use wireshark to capture the attack, then post the pcap file here.
From the look of the attack, it looks like none of the packets are coming from an srcds port, so just block anything that isn't in the range of 27000-27999 from accessing your srcds servers.
I also experienced the attack, luckily it's passed over.
Try reading this: [url]http://facepunch.com/showthread.php?t=1251000[/url] maybe you can find some useful info in the topic.
[QUOTE=Blasphemy;40084279]From the look of the attack, it looks like none of the packets are coming from an srcds port, so just block anything that isn't in the range of 27000-27999 from accessing your srcds servers.[/QUOTE]
Clients use a much much broader scope than 27000-27999 for queries and game traffic.
For a Minecraft server, I ran under the port that Telnet would use.
Operate under a port they will never guess.
Looks like you really annoyed someone?
[QUOTE=tyguy;40103852]Looks like you really annoyed someone?[/QUOTE]
Ban the wrong minge and you'll get (D) DoS'ed.
[QUOTE=WhiteHusky;40086715]For a Minecraft server, I ran under the port that Telnet would use.
Operate under a port they will never guess.[/QUOTE]
Your thought was that, rather than using the default Minecraft port, you'd switch to a port that people are specifically scanning for due to its insecurities? Amazing.
Issue has been resolved. AzuiSleet deserves all the credit.
Mind telling us what was done? Did you use the ServerSecure plugin?
[QUOTE=danielga;40170010]Mind telling us what was done? Did you use the ServerSecure plugin?[/QUOTE]
Yeah, serversecure3. I'm afraid I can't just give it to you guys though. You'll have to speak to AzuiSleet since he's the creator. It's not public yet.
[url]https://code.google.com/p/gmodmodules/source/detail?r=189[/url]
Wat.
That may be from a while ago, but the source is pretty much out.
Edit: I compiled it, and it seems to be running just fine on my servers. Not sure if I'm allowed to give a download to it, since it's not my work.
Doubt Azuisleet or Voided check here regularly, so it may be hard to get any confirmation from them if they want it linked on here.
What exactly does this module do?
Adds like 2 security checks to the server (it's a plugin, not a module).