Recent list of split packets attack

Hello everybody, I am just letting everyone know about this ongoing problem. This isn’t anything new; however, it could definitely cause problems. Anyways, I have recently been hit with 3677 IPs that all sent split packets to all IPs on one of my nodes. I made a list here so, if needed, anybody else can blacklist these.

http://pastebin.com/sn1kvSAv

Hope we can all block these together and all save headaches.

When they attacked me, the port numbers started from 60000 and went up. I don’t think I saw any repeating IPs, however.

Same on my end

Why are you allowing traffic on port 60k and above?

The source ports of the IPs are at 60k. Regardless, they are completely random. I have seen them start at 10000 and range up.

This is happening to a mega shit ton of Garry’s Mod servers.

Well then, somebody is having a very fun time trying to take down a lot of different servers.

[editline]23rd December 2013[/editline]

If you have any other information regarding this then feel free to post it

I just got hit by this approximately 10 hours ago, exact same attack pattern with ports going up from 60,000 to 65,000.

Here’s part of the log.

Also hit by it, simple to block with iptables or NFO control panel. The attacks are not too large in size, just SRCDS can’t handle the traffic.

Server can be queried and doesn’t crash, console still spams though with packs that make it through etc.

[editline]23rd December 2013[/editline]

Also, blacklisting the IPs is a VERY bad approach, they’re most likely spoofed or redirected.

Packet dump from last night: http://bit.ly/1a3hluo

For people that are having issues with DoS attacks like this, I’d recommend checking out databomb’s suggestions for hardening srcds with iptables. Or since you will probably never have a legitimate player connect using a port above 60k, you could just drop all of that traffic.

iptables -A INPUT -p udp --sport 60000:65535 --destination-port 27015 -j DROP

Errr, I forget but the source port range is fairly high. Think it might actually be in that range.

The only problem with that source port block is it isn’t limited to 60k and up, they can easily start at 5k and go up and vice versa.

What’s the point of releasing that list?
They are all spoofed, no way anyone would use that many nodes to attack a gmod server.

My server was hit by this last night too, someone called “Ultra” was claiming to do it because I banned him from my server, though he also knocked our dedicated server out for a while, it may be a coincidence but it is the same time everyone else is claiming to have been hit by this attack too.

Yea, it’s just supposed to be a quick temporary solution that people may want to use while they work on implementing a long-term solution. That single rule will be far more effective and efficient at preventing this specific attack than a blacklist of apparently spoofed IPs. Anyways, when you’re dealing with spoofed attacks there’s not much that you can do besides rate limiting or creating rules like the one I posted which block apparently malicious packets based on a common signature – even fancy heuristics based attack mitigation systems do that, just in a more automated way.

This would probably explain why Noxious.net (Zombie Survival specifically) was starting to lag a bit between last night and now. (For multiple people.)

I’d get it if the attacks were directed towards douchenozzles but it’s always some buttmad kid paying someone to DDoS for them. I’ve been lucky so far to not get hit by anything bigger than loic skiddies.

At this point DDoS’ing is the Internet equivalent of suing people.

(It seems like people will sue over anything nowadays…)

Typically with these attacks our DDoS protection system kicks in within ~5 minutes of the attack, which in last night’s case it did, and stopped a flood attack which initially hit at around ~600Mbps, but the split packet attacks continued against the gmod servers we were running and there was near to nothing we could do about it. So I presume this is some sort of layer 7.

Last night’s graph around the initial attack: http://puu.sh/5WeAt/7d6d52cf11.png

Also, for anyone hosting with vilayer or OVH using their seemingly bulletproof protection system (VAC), it can’t protect against this.

Yes, this is a layer 7 attack. It specifically targets srcds’ inability to handle split packets efficiently. You’re probably not going to see massive levels of these and should be able to just filter it with your server’s firewall. You should really just block everything except complete connection requests and established connections.
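
Added example, not posted by anyone in this thread: a small comparison of the three filtering approaches discussed above (IP blacklist, source-port range, payload signature), run over constructed traffic. Assumptions: the split-packet marker (32-bit little-endian -2, per Valve's Source protocol documentation, not stated in the thread), every address and port in the sample, and the NAT'd client with a high source port.

```python
import struct

# Assumption (not from the thread): split packets start with little-endian -2.
SPLIT_HEADER = struct.pack("<i", -2)   # b"\xfe\xff\xff\xff"
GAME_PORT = 27015                      # port from the iptables rule in the thread

def make_sample():
    """Constructed traffic: (src_ip, src_port, dst_port, payload, is_flood)."""
    pkts = []
    # Two flood waves, spoofed non-repeating sources, ports from 60000 / 10000.
    for wave, base_port in enumerate((60000, 10000)):
        for i in range(200):
            pkts.append((f"10.{wave}.0.{i + 1}", base_port + i, GAME_PORT,
                         SPLIT_HEADER + b"\x00" * 8, True))
    # Five legitimate single-packet queries; client 0 is behind a NAT that
    # remapped its source port into the 60k range (constructed case).
    for i in range(5):
        sport = 61000 if i == 0 else 27005
        pkts.append((f"192.0.2.{i + 1}", sport, GAME_PORT,
                     b"\xff\xff\xff\xffTSource Engine Query\x00", False))
    return pkts

def port_rule(p):
    """Mirror of: --sport 60000:65535 --destination-port 27015 -j DROP."""
    return 60000 <= p[1] <= 65535 and p[2] == GAME_PORT

def header_rule(p):
    """Drop on payload signature instead of source port."""
    return p[2] == GAME_PORT and p[3][:4] == SPLIT_HEADER

def blacklist_rule(ips):
    """Drop packets whose source address is on a previously collected list."""
    return lambda p: p[0] in ips

def evaluate(rule, pkts):
    """Return (flood packets dropped, legitimate packets dropped)."""
    flood = sum(1 for p in pkts if p[4] and rule(p))
    legit = sum(1 for p in pkts if not p[4] and rule(p))
    return flood, legit

if __name__ == "__main__":
    pkts = make_sample()
    rules = {"port": port_rule, "header": header_rule,
             "blacklist": blacklist_rule({p[0] for p in pkts[:200]})}
    print({name: evaluate(r, pkts) for name, r in rules.items()})
```

The sample assumes legitimate traffic carries no split packets; where that does not hold, the header match would need to be limited to sources without an established connection, in line with the last post's advice.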