Source Engine Flood

Someone is DoSing me from a spoofed IP that I can’t block.

I am using Windows Server 2008 R2.

I got a log from the attack.

Lots of connections on protocol UDP, and the UDP stream shows:

“…TSource Engine Query.”

That’s all.

Can anyone help with this attack?

Yes, it’s using HL2SEQA or a different source query flooding method. It’s really fucking powerful, so I suggest using a failover IP address.

If you’re with a good host they can probably filter it for you. No idea how you could try stuff with Windows, but if you were on Linux you could have a semi-decent attempt at dropping most of it with iptables.

But make a ticket with your host. If you can use Wireshark or something, give them a dump of some of the attack (if you’re with someone like NFO just tell them what’s up and they’ll handle it all for you).

You can’t filter the query attacks, that’s why they’re so fucking OP.

You can. I mean, you’d be blocking legit queries more than likely, but if the attack is bad enough to be lagging or keeping the server down it’s not a bad temporary thing to do (plus the attacker could assume you took the server down and stop if he isn’t very smart).

You might be able to rate limit or (I think this is possible) rate limit and start dropping anyone who breaks the rate limit, but if there are multiple spoofed IPs that probably won’t help, unless they’re all attacking so fast even with multiple IPs.

OK, I just solved it, but I just changed the OS to Linux CentOS 6.6.

Kawaiii, actually you can. It was hard to do, but 2 lines of code fixed everything :smiley:

Flood limiter iptables:

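# Accept packets containing 'TSource' up to 15 per second (burst of 1)
iptables -A INPUT -m string --string 'TSource' --algo bm -m limit --limit 15/s --limit-burst 1 -j ACCEPT
# Drop every other packet containing 'TSource'
iptables -A INPUT -m string --string 'TSource' --algo bm -j DROP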

I have 4 cores on my device, so if your machine is not strong enough, lower the limit from 15/s to 5/s.
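An added simulation, not part of any poster's message, of the trade-off discussed in this thread: a per-source rate limit does nothing when every query comes from a different spoofed address, while one global limit on packets containing 'TSource' caps the flood but also drops real queries. It assumes the iptables `limit` match behaves as a plain token bucket; the traffic, addresses and function names are constructed for illustration.

```python
# Constructed model of the two iptables rules above (added example).
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"  # Source server-info query
MATCH = b"TSource"   # the substring the iptables string match looks for
TOKEN = 1_000_000    # one token in integer micro-units, so no float drift

class Bucket:
    """Token bucket comparable to -m limit --limit RATE/s --limit-burst BURST."""
    def __init__(self, rate, burst, now_us):
        self.rate, self.cap = rate, burst * TOKEN
        self.tokens, self.last_us = self.cap, now_us

    def allow(self, now_us):
        # Refill `rate` tokens per second, never above the burst cap.
        refill = (now_us - self.last_us) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False

def accepted_queries(packets, rate=15, burst=1, per_source=False):
    """Return the source IPs of query packets that get through.
    packets: iterable of (time_us, src_ip, payload), sorted by time."""
    buckets, passed = {}, []
    for now_us, src, payload in packets:
        if MATCH not in payload:
            continue                     # not a query: the rules never match it
        key = src if per_source else "all"
        if key not in buckets:
            buckets[key] = Bucket(rate, burst, now_us)
        if buckets[key].allow(now_us):
            passed.append(src)
    return passed

def sample_traffic():
    """One second of constructed traffic: 1000 queries, each from a different
    spoofed source, plus one real client query in the middle."""
    flood = [(i * 1000, f"10.{i // 256}.{i % 256}.1", A2S_INFO)
             for i in range(1000)]
    legit = [(500_500, "198.51.100.7", A2S_INFO)]
    return sorted(flood + legit)

if __name__ == "__main__":
    pkts = sample_traffic()
    print("per-source limit passes:", len(accepted_queries(pkts, per_source=True)))
    print("global limit passes:    ", len(accepted_queries(pkts)))
```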