<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font size="-1"><font face="Verdana">90% of the reflection attacks
        I see are against HL ports (garry's mod servers... as it's this
        one)</font></font><br>
    <br>
    On 25/10/2011 22:49, escapedturkey wrote:
    <blockquote
cite="mid:CALCvV0wiP0ChULUa+Yb6rEufJFQjxRtxOx-HSd95d9zgVS+eyA@mail.gmail.com"
      type="cite">Interesting, that's an HL port.<br>
      <br>
      <div class="gmail_quote">On Tue, Oct 25, 2011 at 4:22 PM, Marco
        Padovan <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:evcz@evcz.tk">evcz@evcz.tk</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex;">
          <div text="#000000" bgcolor="#FFFFFF"> Reflection is now
            targeting someone else:<br>
            208.43.236.122 (port 27015)<br>
            (cod2 only)<br>
            <br>
            pps rate still quite high :(<br>
            <br>
            On 25/10/2011 17:14, Luca Farflame Fabbro wrote:
            <div>
              <div class="h5">
                <blockquote type="cite">Same here
                  <div><span style="white-space:pre-wrap"> </span>same
                    destination IP same port (5121)</div>
                  <div><span style="white-space:pre-wrap"> </span>500
                    pps on 2 instances of cod 2, cod 4 servers not
                    affected.</div>
                  <div>incoming traffic just less than 768 Kbit/s.
                    Probably they have good upload "pipes" from where
                    they start the attack.</div>
                  <div><br>
                    <div>
                      <div>On Oct 25, 2011, at 3:06 PM, Marco Padovan
                        wrote:</div>
                      <br>
                      <blockquote type="cite">
                        <div bgcolor="#FFFFFF" text="#000000"> <font
                            size="-1"><font face="Verdana">Looks like
                              the trend is increasing :|<br>
                              <br>
                              currently one of our network filters is
                              reporting:<br>
                              rx:&nbsp;&nbsp;&nbsp;&nbsp; 7.14 Mbit/s 11064 p/s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                              tx:&nbsp;&nbsp;&nbsp;&nbsp; 3.62 Mbit/s&nbsp; 2764 p/s<br>
                              <br>
                              disabling the filters and passing
                              everything to the cod2 servers the
                              resulting tx bandwidth is a constant
                              25mbit/sec stream :/<br>
                              <br>
                              current IP being spoofed targeting cod2
                              servers (all versions "exploited"... both
                              1.0 and 1.3):<br>
                              208.93.152.122 (port 5121)<br>
                              <br>
                              to check out if your server is currently
                              being exploited:<br>
                              tcpdump -nn host </font></font><font
                            size="-1"><font face="Verdana">208.93.152.122</font></font><br>
                          <font size="-1"><font face="Verdana"><br>
                              <br>
                            </font></font><br>
                          On 25/10/2011 12:43, Luca Farflame Fabbro
                          wrote:
                          <blockquote type="cite">
                            <pre>Hi Ryan
        in one of your previous messages you mentioned that this patch can be "ported" also to the other COD servers. Is there any plan to do this?
Now it seems that even if the servers are fewer in number they target the COD2 servers to do the DDOS attacks. Don't have any COD server running so I don't know if also those are used as reflectors.

Just one simple question regarding the patch for the COD4 server.
If you leave the server up'n running for a certain period of time (no restart for 3 weeks let's say) it seems that when the sv_queryIgnoreMegs limit is reached (our servers don't have a lot of players) the server starts to reply to the query with the spoofed IPs. A restart of the server solves the problem.
I know that it will be better to restart the server before that time but would it be a possible solution to flush the stored bad IPs and restart the check on the new incoming packets when the predefined memory is full or just before this happens (% or minimum sv-ignore free memory)? Usually the attackers use the server as a reflector only for a certain amount of time (from 1 hour or less to a maximum of 2 - 3 days) then a lot of time will pass before having the same IP used as destination of the DDOS attack. 

Regards
        Luca

_______________________________________________
cod mailing list
<a moz-do-not-send="true" href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a moz-do-not-send="true" href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</pre>
                          </blockquote>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                  <br>
                  <br>
                </blockquote>
              </div>
            </div>
          </div>
          <br>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a moz-do-not-send="true"
          href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
      <br>
      <br>
    </blockquote>
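    <p>Added example, not part of the thread and not the code of the COD4 patch: a fixed-size per-source query limiter that, when its table is full, recycles the entry that has been silent the longest instead of answering unchecked, which is the behaviour Luca asks about for a full sv_queryIgnoreMegs table. SLOTS, WINDOW_SEC, MAX_REPLIES and all function names are hypothetical, and the addresses are constructed documentation values.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4        /* tiny for the demo; a real table is sized by memory budget */
#define WINDOW_SEC 10  /* assumed counting window per source address */
#define MAX_REPLIES 5  /* assumed replies allowed per source per window */

typedef struct { uint32_t ip, window_start, last_seen, count; int used; } slot_t;
static slot_t table[SLOTS];

void limiter_reset(void) { memset(table, 0, sizeof table); }

/* Return the slot tracking ip. If ip is new, claim a free slot, or when the
   table is full recycle the slot that has been silent the longest. */
static slot_t *slot_for(uint32_t ip, uint32_t now) {
    slot_t *victim = NULL;
    for (int i = 0; i < SLOTS; i++) {
        slot_t *s = &table[i];
        if (s->used && s->ip == ip) return s;
        if (!victim || !s->used || (victim->used && s->last_seen < victim->last_seen))
            victim = s;
    }
    victim->ip = ip; victim->window_start = now; victim->last_seen = now;
    victim->count = 0; victim->used = 1;
    return victim;
}

/* 1 = answer the status query, 0 = drop it silently. */
int allow_query(uint32_t ip, uint32_t now) {
    slot_t *s = slot_for(ip, now);
    s->last_seen = now;  /* an address still being flooded never looks stale */
    if (now - s->window_start >= WINDOW_SEC) { s->window_start = now; s->count = 0; }
    if (s->count >= MAX_REPLIES) return 0;
    s->count++;
    return 1;
}

/* Send n queries from ip at time now; return how many would be answered. */
int burst(uint32_t ip, uint32_t now, int n) {
    int answered = 0;
    while (n-- > 0) answered += allow_query(ip, now);
    return answered;
}

int main(void) {
    limiter_reset();
    /* 0xC6336407 = 198.51.100.7, a constructed documentation address */
    printf("answered %d of 500\n", burst(0xC6336407u, 0, 500));
    return 0;
}
```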
  </body>
</html>