Exploit server

Hello guys,

I am the owner of a Garry’s Mod server and I have been the target of a malicious person who does not stop launching massive attacks on my server.

My server is rebooting again and again. I cannot connect to it because it keeps rebooting, and this has been going on for 2 days now.

I contacted my server host, and in the console he can see a mass of different IPs, and obviously he cannot blacklist them IP by IP …

He gave me a sample:

NET_GetLong: Split packet from 55.13.65.148:14491 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 76.224.194.143:11484 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 214.31.72.199:49376 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 120.176.204.41:63543 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 142.132.167.72:24153 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
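
An added example, not part of the original post: a Python sketch that parses the sample lines above and groups them by split-packet signature (number, count, size) instead of by source address. On this sample every line carries the same signature while each source IP appears only once, which is why blacklisting IP by IP does not keep up. The function names `parse` and `summarize` are assumptions made for this example.

```python
import re
from collections import Counter

# Log lines copied verbatim from the sample in the post above.
SAMPLE = """\
NET_GetLong: Split packet from 55.13.65.148:14491 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 76.224.194.143:11484 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 214.31.72.199:49376 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 120.176.204.41:63543 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
NET_GetLong: Split packet from 142.132.167.72:24153 with invalid split size (number 99/ count 114) where size 8293 is out of valid range [564 - 1248 ]
"""

# Tolerant of the uneven spacing the console prints around "/", "-" and "]".
LINE_RE = re.compile(
    r"NET_GetLong: Split packet from (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) "
    r"with invalid split size \(number\s*(?P<number>\d+)\s*/\s*count\s*(?P<count>\d+)\s*\) "
    r"where size (?P<size>\d+) is out of valid range "
    r"\[\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*\]"
)

def parse(log_text):
    """Return one dict per invalid-split line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()})
    return events

def summarize(events):
    """Count distinct sources and group events by (number, count, size)."""
    sigs = Counter((e["number"], e["count"], e["size"]) for e in events)
    return {
        "events": len(events),
        "distinct_sources": len({e["ip"] for e in events}),
        "signatures": dict(sigs),
        "all_out_of_range": all(not (e["lo"] <= e["size"] <= e["hi"]) for e in events),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Run against a full console log, a single dominant signature spread over many one-off sources points toward filtering on the packet shape rather than on addresses.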

I have the same attack

Try setting net_splitrate to 0 and have your host drop all fragmented traffic.

no change for me

I can smell Killslick…

I think (not sure) that “serversecure 3” can block that
Also, you can check this thread: http://forum.facepunch.com/showthread.php?t=1337532

There is no fix, unless you block invalid packet data.

If you’re looking for an easy fix, there isn’t one sadly :confused:

Unfortunately I think that we have to wait until the person behind these attacks gets bored and gives up his shitty activity…

I would say that just adding a firewall rule to block fragments is easy. For iptables it would just be


iptables -A INPUT -f -j DROP

Just setting net_splitrate to 0 won’t do much since Source will still choke when it gets unexpected split packets, which is why I’m guessing it didn’t work for sokare. Having your host drop fragments was the more important part of my suggestion.

[editline]13th March 2014[/editline]

I should warn that the iptables rule I posted is very vague and will drop every split packet that goes through the firewall. If you’re actually going to use it, you should make it more specific with something like --destination-port 27015 or -d 10.0.0.0

specify plz iptables -A INPUT -f -j DROP

Fragmented packets generally don’t happen legitimately with jumbo frames enabled. I’ve been blocking fragments over ~660 virtual servers for a month and not a single one has been blocked.

If they have paid a company to attack and are not doing it themselves, getting an IP may help for a short period of time.

If you’re running on a Linux distro with iptables (most of them), you can just put that in the terminal and it will block all split packets until the rules are reloaded.

http://forum.facepunch.com/showthread.php?t=1375333&p=44231936&viewfull=1#post44231936

Virtualize a Linux OS, run your server under it, and get the IP of the man who is spamming you with those packets (Wireshark).

Block it with the Linux firewall (because Windows’s one is useless, except for blocking your own apps).

At least try and read the OP before responding:

no change for me other packet