Hello everybody, I am just letting everyone know about this ongoing problem. This isn’t anything new, however it could definitely cause problems. Anyways, I have recently been hit with 3677 IPs that all sent split packets to all IPs on one of my nodes. I made a list here so if needed anybody else can blacklist these.
My server was hit by this last night too; someone called “Ultra” was claiming to do it because I banned him from my server, though he also knocked our dedicated server out for a while. It may be a coincidence, but it is the same time everyone else is claiming to have been hit by this attack too.
Yea, it’s just supposed to be a quick temporary solution that people may want to use while they work on implementing a long-term solution. That single rule will be far more effective and efficient at preventing this specific attack than a blacklist of apparently spoofed IPs. Anyways, when you’re dealing with spoofed attacks there’s not much that you can do besides rate limiting or creating rules like the one I posted which block apparently malicious packets based on a common signature – even fancy heuristics-based attack mitigation systems do that, just in a more automated way.
I’d get it if the attacks were directed towards douchenozzles, but it’s always some buttmad kid paying someone to DDoS for them. I’ve been lucky so far to not get hit by anything bigger than LOIC skiddies.
Typically with these attacks our DDoS protection system kicks in ~5 minutes into the attack, which in last night’s case it did: it stopped a flood attack which initially hit at around ~600 Mbps, but the split packet attacks continued against the GMod servers we were running and there was next to nothing we could do about it. So I presume this is some sort of layer 7.
Yes, this is a layer 7 attack. It specifically targets srcds’ inability to handle split packets efficiently. You’re probably not going to see massive levels of these and should be able to just filter it with your server’s firewall. You should really just block everything except complete connection requests and established connections.
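As an added illustration of the signature-based filtering the thread talks about (the “common signature” rule in the earlier reply and the firewall filtering suggested here), not code posted by anyone in this thread: the Source engine marks a complete packet with the 4-byte header 0xFFFFFFFF and a fragment of a split packet with 0xFFFFFFFE, so a defender can classify inbound UDP payloads by that header and count split fragments per source. The traffic, IPs (documentation ranges) and threshold below are constructed for the example.

```python
import struct
from collections import Counter

# Source engine UDP packet headers (int32, little-endian on the wire).
SINGLE_PACKET = 0xFFFFFFFF  # -1: one complete, unfragmented packet
SPLIT_PACKET = 0xFFFFFFFE   # -2: one fragment of a split (multi-part) packet


def classify(payload: bytes) -> str:
    """Return 'single', 'split' or 'other' from the leading 4-byte header."""
    if len(payload) < 4:
        return "other"  # too short to carry a Source header at all
    header = struct.unpack("<I", payload[:4])[0]
    if header == SINGLE_PACKET:
        return "single"
    if header == SPLIT_PACKET:
        return "split"
    return "other"


def flag_split_flooders(packets, threshold):
    """packets: iterable of (src_ip, payload) tuples, e.g. from a capture.

    Returns {src_ip: split_fragment_count} for every source whose count of
    split-packet fragments reaches the threshold. Sources are as seen on the
    wire, so spoofed addresses count as separate sources (see note below).
    """
    counts = Counter()
    for src, payload in packets:
        if classify(payload) == "split":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic: a normal A2S_INFO query from one client, a burst
# of split fragments from one source, and a couple of fragments from another.
SPLIT_FRAGMENT = b"\xfe\xff\xff\xff" + bytes(8)  # header -2 plus dummy fields
SAMPLE_TRAFFIC = (
    [("192.0.2.10", b"\xff\xff\xff\xffTSource Engine Query\x00")] * 3
    + [("198.51.100.5", SPLIT_FRAGMENT)] * 40
    + [("198.51.100.6", SPLIT_FRAGMENT)] * 2
)

if __name__ == "__main__":
    for src, n in flag_split_flooders(SAMPLE_TRAFFIC, threshold=10).items():
        print(f"{src}: {n} split fragments")
```

Because the thread notes the source addresses are apparently spoofed, the per-source count is only useful for rate limiting; the header check itself is what a firewall rule matching this traffic's signature keys on.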