What kind of attack does this?

A few days ago someone (pulsareffect’s dedicated server) decided to use the source query dos attack on my servers. I installed DAF. Didn’t think that exploit would still exist today. Today though I noticed that a specific server on the machine would stop responding to queries all together every couple of seconds and then come back. It doesn’t seem to be actually lagging though since anyone still in the server doesn’t experience any lag. It’s just that if you try to find it on the server list you won’t be able to and the master server doesn’t see it during the period where it doesn’t respond.

hlsw graph to demonstrate.

http://img211.imageshack.us/img211/1644/dumb.png

I also had to change the port of this server since no one could see it and absolutely 0 queries would go through. I just tested it and if I put a server on that port then it works now so it’s definitely an attack.

Sent you a PM.

The matureness of young adults.

So that’s what happened to NoX ZS.

Why did you edit out the bit about blocking the IP it’s coming from, flapjack?

I just wanted to know what causes it. Someone said it’s spoofed source query packets.

It only affects the server viewing. If you’re playing, you won’t notice it. Don’t know what’s it exactly though.

I assumed the packets are not sent directly to your server, since it doesn’t cause noticeable lag - instead spamming the Steamcloud servers. Though, it’s possible someone is sending corrupt query packets, but if it’s that, just block the attacking IP.

When we had that problem a while ago I logged packets. But nothing unusual went through the network.

208.122.52.35 (pulsareffect.com) is doing it. Sending a little under 100 source query packets per second. I’m going to block the IP for now.

This plugin is supposed to fix it but starting it on GMod just crashes on load: http://forums.alliedmods.net/showthread.php?t=114787

Any idea if the attack is initiated by pulsareffect, or if their box has been compromised? (Or rather, do they even have a reason to attack you?)

I’ll also assume the DAF plugin didn’t work.

It’s A2S_INFO spam from spoofed IP’s. DAF protects against A2C_PRINT. The only working plugin doesn’t work in gmod (crash on load). Hey, anyone can do this by the way. Don’t like a server? Just start up HLSW, set the refresh to maximum and add the server. There’s no chance of them being able to protect against it.

Pretty sure source blocks single ips spamming any A2S queries, HLSW theory voided.

good joke.

permaban pulsareffect!

How do you know what IP is attacking, and how do you block them?

Look at server loggs, and block them in IP tables, or another firewall.

epic bump from march.

My Logs are empty, but I get A2C_PRINT Spam. And how do I block IP’s on ZoneAlarm?