[cod] Query limiting...

Marco Padovan evcz at evcz.tk
Tue Oct 25 16:51:12 EDT 2011


90% of the reflection attacks I see are against HL ports (Garry's Mod
servers... as this one is)

On 25/10/2011 22:49, escapedturkey wrote:
> Interesting, that's an HL port.
>
> On Tue, Oct 25, 2011 at 4:22 PM, Marco Padovan <evcz at evcz.tk> wrote:
>
>     Reflection is now targeting someone else:
>     208.43.236.122 (port 27015)
>     (cod2 only)
>
>     pps rate still quite high :(
>
>     On 25/10/2011 17:14, Luca Farflame Fabbro wrote:
>>     Same here
>>     same destination IP same port (5121)
>>     500 pps on 2 instances of cod 2, cod 4 servers not affected.
>>     incoming traffic just less than 768 Kbit/s. Probably they have
>>     good upload "pipes" from where they start the attack.
>>
>>     On Oct 25, 2011, at 3:06 PM, Marco Padovan wrote:
>>
>>>     Looks like the trend is increasing :|
>>>
>>>     currently one of our network filters is reporting:
>>>     rx:     7.14 Mbit/s 11064 p/s          tx:     3.62 Mbit/s  2764 p/s
>>>
>>>     disabling the filters and passing everything to the cod2 servers
>>>     the resulting tx bandwidth is a constant 25mbit/sec stream :/
>>>
>>>     current IP being spoofed targeting cod2 servers (all versions
>>>     "exploited"... both 1.0 and 1.3):
>>>     208.93.152.122 (port 5121)
>>>
>>>     to check out if your server is currently being exploited:
>>>     tcpdump -nn host 208.93.152.122
>>>
>>>
>>>
>>>     On 25/10/2011 12:43, Luca Farflame Fabbro wrote:
>>>>     Hi Ryan
>>>>     in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
>>>>     Now it seems that even if the servers are fewer in number they target the COD2 servers to do the DDoS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.
>>>>
>>>>     Just one simple question regarding the patch for the COD4 server.
>>>>     If you leave the server up and running for a certain period of time (no restart for 3 weeks let's say) it seems that when the sv_queryIgnoreMegs limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IPs. A restart of the server solves the problem.
>>>>     I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IPs and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDoS attack.
>>>>
>>>>     Regards
>>>>     	Luca
>>>>
>>>>     _______________________________________________
>>>>     cod mailing list
>>>>     cod at icculus.org
>>>>     http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>
>
>
>
>
> -- 
> EscapedTurkey.com Billing and Support
> https://www.escapedturkey.com/helpdesk
>
>
>
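
Luca's report and proposal quoted above (queries answered without limit once the sv_queryIgnoreMegs budget is used up, versus reusing old entries when the table is full), as an added C example that is not part of this thread or of the actual patch. The table layout, sizes, hash and the `recycle` switch are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical sizes; the real patch takes its memory budget from sv_queryIgnoreMegs. */
#define SLOTS      1024  /* fixed number of tracked addresses */
#define PROBE      8     /* slots examined per lookup */
#define WINDOW_SEC 10    /* length of one rate-limit window */
#define MAX_REPLY  5     /* replies allowed per address per window */

typedef struct {
    uint32_t ip;           /* source address, 0 = unused slot */
    uint32_t window_start; /* start of the current window (seconds) */
    uint32_t last_seen;    /* time of the most recent query */
    uint32_t replies;      /* replies sent in the current window */
} slot_t;

static slot_t table[SLOTS];
void limiter_reset(void) { memset(table, 0, sizeof table); }

/* Multiplicative hash to 10 bits (SLOTS == 1024). */
uint32_t hash_ip(uint32_t ip) { return (ip * 2654435761u) >> 22; }

/* Returns 1 if the query may be answered, 0 if it must be dropped.
 * recycle == 0 models the reported behaviour: no free slot means no tracking.
 * recycle == 1 reuses the least recently seen slot, as proposed in the thread. */
int query_allowed(uint32_t ip, uint32_t now, int recycle)
{
    slot_t *s = NULL, *victim = NULL;
    uint32_t base = hash_ip(ip);
    for (uint32_t i = 0; i < PROBE && !s; i++) {
        slot_t *c = &table[(base + i) % SLOTS];
        if (c->ip == ip)
            s = c;
        else if (!victim || (victim->ip && (!c->ip || c->last_seen < victim->last_seen)))
            victim = c;   /* prefer an unused slot, else the stalest one */
    }
    if (!s) {
        if (victim->ip && !recycle)
            return 1;     /* table full: query answered without any limit */
        s = victim;       /* claim a free slot or recycle the stalest entry */
        *s = (slot_t){ .ip = ip, .window_start = now };
    } else if (now - s->window_start >= WINDOW_SEC) {
        s->window_start = now;   /* new window, fresh reply budget */
        s->replies = 0;
    }
    s->last_seen = now;
    if (s->replies >= MAX_REPLY) return 0;
    s->replies++;
    return 1;
}
```

An address that is being spoofed continuously always has the newest `last_seen` in its probe window, so recycling the stalest slot keeps it tracked while addresses from finished attacks age out.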