[QUOTE=ertug20;43288903]That might not work because not one ip was reproduced in the whole attack.[/QUOTE]
The pps filter will match all ips, not per ip. So 500 ips can send the attack in one second and only 5 packets will get through.
Oh, I misread it. I see what you did there
They're basically exploiting the ob engine or srcds in some way. Normal methods of dealing with DDoS attacks won't work on it. You also have to take into account they take down hundreds of servers in a single instant, it's something much more.
I got this information directly from a support member at NFO servers. NFO tries to setup temporary filters for the attack on their firewall for rented servers.
just happened to my server. I didnt even do anything to anyone! it was just a listen server for me and my friends! This is getting out of hand...
It appears to be pretty simple imo. If you look at this page [URL="https://developer.valvesoftware.com/wiki/Server_queries"]https://developer.valvesoftware.com/wiki/Server_queries[/URL] and scroll down to the Multi-packet Response Format you can see that split packets start with fe ff ff ff, and single packets start with ff ff ff ff.
If you look at the rest of the data required for a splitpacket to work right, you can see that there are a few fields to it, including an ID, the total amount of packets in this stream, the ID of the packet in this stream, and sometimes the size. Sending packets that aren't formatted correctly is going to print out something similar to this error: "NET_GetLong: Split packet from 189.203.44.214:64442 with invalid split size (number 0/ count 0) where size 0 is out of valid range [564 - 1248 ]"
Apparently spamming these malformed split packets is what is crashing these servers.
It's obvious that the server will send these split packets to clients so it can send the full extent of the server rules etc; but after having the rule i mentioned above in place on an active server for the past 12+ hours i haven't heard any complaints. I'm not sure why the client would ever need to upload a splitpacket.
[QUOTE=-XTC-;43298960]It appears to be pretty simple imo. If you look at this page [URL="https://developer.valvesoftware.com/wiki/Server_queries"]https://developer.valvesoftware.com/wiki/Server_queries[/URL] and scroll down to the Multi-packet Response Format you can see that split packets start with fe ff ff ff, and single packets start with ff ff ff ff.
If you look at the rest of the data required for a splitpacket to work right, you can see that there are a few fields to it, including an ID, the total amount of packets in this stream, the ID of the packet in this stream, and sometimes the size. Sending packets that aren't formatted correctly is going to print out something similar to this error: "NET_GetLong: Split packet from 189.203.44.214:64442 with invalid split size (number 0/ count 0) where size 0 is out of valid range [564 - 1248 ]"
Apparently spamming these malformed split packets is what is crashing these servers.
It's obvious that the server will send these split packets to clients so it can send the full extent of the server rules etc; but after having the rule i mentioned above in place on an active server for the past 12+ hours i haven't heard any complaints. I'm not sure why the client would ever need to upload a splitpacket.[/QUOTE]
We set it to 50pps when it started and the servers havn't crashed since, 5 seems a bit strict just incase etc.
[QUOTE=Pantho;43298985]We set it to 50pps when it started and the servers havn't crashed since, 5 seems a bit strict just incase etc.[/QUOTE]
Glad to hear that, keep us updated.
Sorry, you need to Log In to post a reply to this thread.
