
DDoS Attacks - Round 2
#1

Hey all (in particular Drunken F00l)

You may remember I posted a few weeks ago with problems of being DDoSed. After getting your plugin set up correctly, we managed to block the attacks.

We are now onto round two of the attacks. Ever since blocking the attacks, the rival community has vowed to get around our protection and start to interrupt game play on the server. We believe they have, with a new kind of lag.

Again, it is easy to tell these attacks are deliberate because they only happen at certain times, affecting certain servers. I have tried checking daf_status during the attacks, but nothing appears.

The lag is also a different kind of lag. This lag freezes the server/all players for 1-2 seconds, then is fine, then happens again about 5 seconds later, continually until the server is empty. Again I have been in discussions with our host (Hypernia), and they gave us this response:

Quote:
Hi,

It's just very difficult to defend against this attack. The only thing I can suggest is to appeal to the mod community and report the abusers to their ISP/community and hopefully some action might be taken. We'll have perhaps thousands of connections to our servers at any given time, so it's near impossible to determine which, if any, is mischievous and trying to cause problems.

Paul Clayton
Hypernia Hosting Corp.

So I appeal to you. Are you able to help us block these attacks? I believe your plugin blocks UDP packets, is that correct? Possibly they are using TCP this time (I know RCON runs through TCP). Possibly they are using the RCON port to flood the server?

This other community has reportedly sunk some money into getting a program made to get around our protection. They seem extremely desperate. I don't know if that is true or not though. Either way, they are douchebags (IMO) for doing this.

If you need any information, we have SSH access to some of our servers, hopefully we can help you gather required information?

Regards,

Bobbobagan
#2

I'd need to know what exactly they're doing in order to block it. You should know that several servers have been getting attacked the last few days by someone spamming A2S_INFO queries from spoofed IP addresses.

If that's what's happening, the best thing you could do right now is rate limit queries using an iptables rule. The downside is that while an attack is occurring, people won't be able to see the server, but it won't lag anyone playing either.
#3

I thought A2S_INFO only affected TF2 servers, is that correct? Because we run CS:S & TF2 servers. I personally haven't seen our TF2 servers being attacked but they may have been.

We may try doing what we did last time: turning off the server, leaving only the attacking traffic coming through, and then doing a packet capture. This is how we found out who was doing what last time.

Thanks for your help. We will look into iptables.
#4

bobbobagan Wrote: We may try doing what we did last time: turning off the server, leaving only the attacking traffic coming through, and then doing a packet capture.

This is a good idea. If you do it, let me know what you find. Maybe send me the capture file.
#5

I don't know how, but a player is connecting to the server and immediately crashing it even before getting to the motd screen.

I was using HLSW to monitor the logs, and unfortunately their SteamID doesn't validate quickly enough, so it just shows them as STEAM_ID_PENDING.

This is what comes out:
Code:
23:03:50 L 08/13/2009 - 01:03:57: "......<10><STEAM_ID_PENDING><>" connected, address "59.167.85.20:27005"

Then the server immediately crashes. I have absolutely no clue how they are doing it, but they must be using some exploit of some kind. For now I have used addip to ban them.
#6

Everyone Wrote: A2S_INFO

What does this do, anyway?
#7

It's what clients send to servers when asking for server name, player count, map name, etc.
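To make the rate-limiting suggestion in post #2 and the A2S_INFO description in post #7 concrete, here is an added example (not code from the thread, the plugin or Valve) that picks A2S_INFO requests out of a capture and reports per-source and aggregate query peaks; the capture, the IP addresses and the thresholds are constructed for the example.

```python
from collections import defaultdict

# A2S_INFO request as sent by Source-engine clients: 0xFFFFFFFF header, request
# byte 'T' (0x54), then the NUL-terminated string "Source Engine Query".
A2S_INFO_QUERY = b"\xff\xff\xff\xff\x54Source Engine Query\x00"

def is_a2s_info(payload):
    """True if a UDP payload is an A2S_INFO request (a trailing challenge is ignored)."""
    return payload.startswith(A2S_INFO_QUERY)

def peak_in_window(times_ms, window_ms):
    """Largest number of timestamps (ms) that fall inside any window_ms-wide span."""
    times_ms = sorted(times_ms)
    best = left = 0
    for right, t in enumerate(times_ms):
        while t - times_ms[left] > window_ms:
            left += 1
        best = max(best, right - left + 1)
    return best

def find_a2s_floods(packets, game_port=27015, window_ms=1000,
                    max_per_source=5, max_total=20):
    """packets: (time_ms, src_ip, dst_port, payload). The aggregate peak matters
    because a flood from spoofed source addresses can stay under any per-source limit."""
    per_source = defaultdict(list)
    for t, src, dport, payload in packets:
        if dport == game_port and is_a2s_info(payload):
            per_source[src].append(t)
    peaks = {src: peak_in_window(ts, window_ms) for src, ts in per_source.items()}
    all_times = [t for ts in per_source.values() for t in ts]
    total_peak = peak_in_window(all_times, window_ms)
    return {
        "per_source": {s: p for s, p in peaks.items() if p > max_per_source},
        "total_peak": total_peak,
        "total_flood": total_peak > max_total,
    }

# Constructed sample capture (not from the thread): two ordinary clients send one
# A2S_INFO each, a third sends A2S_PLAYER (0x55), then 40 A2S_INFO queries arrive
# within 0.4 s spread over four spoofed source addresses.
SAMPLE_CAPTURE = [
    (0, "198.51.100.10", 27015, A2S_INFO_QUERY),
    (5000, "198.51.100.11", 27015, A2S_INFO_QUERY),
    (9000, "198.51.100.12", 27015, b"\xff\xff\xff\xff\x55\xff\xff\xff\xff"),
] + [(20000 + i * 10, f"203.0.113.{i % 4}", 27015, A2S_INFO_QUERY) for i in range(40)]

if __name__ == "__main__":
    print(find_a2s_floods(SAMPLE_CAPTURE))
```

The aggregate count is what a global kernel rate limit enforces; a per-source limit alone misses a flood that is spread across many spoofed addresses.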
#8

Will there be a TF2 DDoS protection update released after the latest TF2/DoD:S update?
#9

Valve included some protection against A2S_INFO spam. Not sure how much it helps.
#10

It still blocks the empty packet spam though, doesn't it?

Just in case you are interested, here is a demo of the lag:
Actually, I will PM you it. Don't want it publicly displayed lol