For the past couple of months, the European TF2 scene has been under attack from a rather old DoS exploit that exists in all servers running the Orange Box engine. The script kiddie floods the server with bogus requests for server and player info. Answering one of these requests costs the server about 4 times the bandwidth of the request itself, and far more CPU time than it costs the attacker to send it. This makes it possible for a single attacker to take down a gameserver.

You don't have to be Neo for this attack
Over the past few weeks Ronny of nice-servers.com and I have worked on solutions for this problem. First I created a whitelisting system, blocking all access to a gameserver except from trusted IP addresses. Meanwhile Ronny worked on a friendlier solution, and today we present the script that has kept our gameservers safe so far.
It works by limiting the number of player and server info requests that can reach the gameserver per second, so an attacker can’t overwhelm the gameserver with them. We currently limit this to 20 requests per second per server, but you might have to experiment with raising or lowering this value for best results. The only side-effect of this solution is that the server will not be visible in the server browser during an attack, but you can still connect to it normally through the ‘connect’ command in the console.
If you’re one of the few people who operate a Linux dedicated server, you can implement this fix yourself using our script. If you’re renting a gameserver from a GSP, you’ll need to contact the GSP and ask them to implement our fix or a similar solution.
It’s important to note that this fix doesn’t prevent players from being attacked directly. It’s therefore still very important for players to make sure their IPs aren’t known to the attacker. The easiest way for an attacker to find out your IP is to hop onto Quakenet and check out your clan’s channel. By default an IP will show up in a simple ‘whois’ on the person being targeted. Please use ‘//mode $me +x’ (for mIRC users) to hide your IP on Quakenet.
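As an added example of the kind of rule set this describes (my own, not the script linked below and not nice-servers.com’s rules), the following POSIX shell script installs iptables rules that accept a configurable number of server-info and player-info queries per second and drop the rest. The game port, the chain name A2S_LIMIT, the run helper and the A2S_* environment variables are my assumptions; the query byte signatures are the standard Source engine query headers. The rate defaults to the 20 per second mentioned above and can be lowered with A2S_RATE and A2S_BURST (the comments below report 1/s with a burst of 1 holding up under a heavier attack).

```shell
#!/bin/sh
# Added example, not the script linked from the post: iptables rules that
# rate-limit Source engine server/player info queries with the netfilter
# "string" and "limit" matches. The port, chain name and rate/burst values
# are assumptions, not the post's own settings.
#
# By default the iptables commands are only printed so the rule set can be
# reviewed; run with A2S_APPLY=1 (as root) to execute them.

PORT="${A2S_PORT:-27015}"
RATE="${A2S_RATE:-20/s}"   # the post's starting value; the comments later use 1/s
BURST="${A2S_BURST:-20}"   # packets allowed before the rate applies (1 = no burst)

# Standard Source engine query payloads, written as iptables hex strings:
#   A2S_INFO   = ff ff ff ff 54 "Source Engine Query" 00
#   A2S_PLAYER = ff ff ff ff 55 <4-byte challenge>
A2S_INFO_HEX='|ffffffff54536f7572636520456e67696e6520517565727900|'
A2S_PLAYER_HEX='|ffffffff55|'

# Print the command, or execute it when A2S_APPLY=1.
run() {
    if [ "${A2S_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Two rules per query type: ACCEPT while the limit bucket has capacity,
# then DROP everything else carrying the same signature. The limit is
# global per server, not per source, because the flood uses spoofed
# source addresses and a per-IP limit would never trigger.
a2s_limit_rules() {
    sig="$1"
    run iptables -A A2S_LIMIT -p udp --dport "$PORT" \
        -m string --algo bm --hex-string "$sig" \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    run iptables -A A2S_LIMIT -p udp --dport "$PORT" \
        -m string --algo bm --hex-string "$sig" -j DROP
}

# Build the chain and hook it into INPUT. Packets that match neither
# signature (game traffic, connect handshakes) fall through the chain
# untouched, so only the info/player queries are limited.
install_rules() {
    run iptables -N A2S_LIMIT
    a2s_limit_rules "$A2S_INFO_HEX"
    a2s_limit_rules "$A2S_PLAYER_HEX"
    run iptables -I INPUT -p udp --dport "$PORT" -j A2S_LIMIT
}

install_rules
```

The limit is deliberately global for the server rather than per source address: as one commenter notes further down, the flood arrives with spoofed source IPs, so a per-source match would never fire. The price is that during a flood genuine server-browser queries share the same bucket and are dropped too, which is exactly the side-effect described above; direct ‘connect’ traffic does not carry these signatures and is unaffected. The string match is a substring match over the whole packet, so if game traffic ever happened to contain the same bytes it can be tightened with --from/--to to the UDP payload offset.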
View/download the script here: pastie.org
Cheers,
-
Arie
FakkelBrigade
-
Ronny
Nice Servers

53 comments
nice-servers.com is currently under construction ;-)
nice! +2

Internationally renowned heroes of tf2.
it’s nice!
These ddddos attacks ruined so many games :(
nice! +3

It was up like 5 minutes ago :P
nice! +2

good job you 2 !!
nice! +2

Arie & Ronny are amazing! :)
nice! +7

Arie has nice beard!
Awesomeness!
nice! +3

FINALLY!
nice! +2

great job chaps!
Really hope this fixes the problems. You guys deserve lots of praise for your efforts either way.
Will it work on relays also?
nice! +3

as far as I know Arie tried it on the FB relays and it worked. it should work as a sourcetv is a normal gameserver instance which responds to this type of message.
nice! +3

Nice : )
nice! +0

*hands over hand crafted heroes of TF2 medals*
WEAR WITH PRIDE LADS.
nice! +3

me likes this guys! great work, thumbs up°
nice! +0

Arie and Ronny are kredit to team!
nice! +1

Give them a community item!
nice! +3

n1, you have recreated sv_max_queries_sec_global
nice! +0

Pro Arie is pro!
nice! +2

@lol sv_max_queries_sec and related options do fuck all, but you’d have known that if you’d actually tried to protect a server using those settings.
good work guys
nice! +0

thanks for your hard work.
:)
good work fellas
nice! +0

Yay!
nice! +3

Very good work, thumbs up !
nice! +0

Well done Arie and Ronny our networking/Linux Gurus :)
Shall look forward to casting some premier games again!
Cheers
Byte
nice! +4

@lol .. who’s the spastic aliasing and pretending they’re a genius? gtfo eh
awesome work Arie and Ronny, the TF2 community is incredibly lucky to have you. I do find it a tad frustrating that it’s taken you ~2 weeks to work on whilst Valve have managed to ignore the problem, or have been unable to fix it for nearly 3 years… :D
For god’s sake someone give em a community weapon this instant!
nice! +0

The hacker is me. Deposit $1,000,000 in account 4581 at the Bank of Zurich in Switzerland, and I’ll stop.
If you don’t comply, I will be forced to DDOS all future competitive TF2 matches.
nice! +2

“awesome work Arie and Ronny, the TF2 community is incredibly lucky to have you. I do find it a tad frustrating that it’s taken you ~2 weeks to work on whilst Valve have managed to ignore the problem, or have been unable to fix it for nearly 3 years… :D”
just this!
nice! +0

Well done guys!
nice! +0

Good job! :)
nice! +0

Afaik Hiperz implemented this already.
nice! +0

^ trying to get multiplay to do the same
nice! +0

A nice addition would be to log the person.. see forums.srcds.com/viewpost/7729... for an old post which has some logging too.
nice! +0

Also remember to secure STVs and relays during coming WASM, pm Mumsku!
nice! +0

@Snelvuur
There’s little use to logging. The attacks use spoofed origin IPs and ports. You’d just fill your log with randomly generated IPs.
nice! +0

We had a huge amount of these kinds of dos attacks during yesterday’s TF2TV casts. The firewall rules in the script mentioned above were too open. I’ve changed the ones on nice-servers.com gameservers to: --limit 1/s
This did the trick for the final match. There was still an attack ongoing but it did not affect the gameserver.
nice! +0

BoX2 vs. Team Fruit apparently suffered DDOS.
Whoever did that, what a prick.
I mean who would want to DDOS a match with a div3 team ffs :DDDDD
nice! +2

i still don’t understand how this works…
one bored person stands hours on his computer with a program that pings servers that he selects because he has no life?
or is it automatic?
i remember there was a time that this was on CSS -.-’
nice! +1

&btw, there is a program (addon maybe) for all i remember that bans the current COMPUTER (not ip or steam id) from the server and this computer can no longer see that server (through connect, server browser or view game information)
nice! +1

i think it’s called zBlock, maybe you should try it on some of your servers ronny.. =)
haha skaz,
zBlock was the first thing being checked, but it’s not solving the issue.
Arie and ronny already worked a way out to block that exploit, scroll down some news. it’s working.
and about real ddos: check what ronny said.. he instantly changed the server settings yesterday, and it worked perfectly.
nice! +0

you’re so fast marco <3
if we’re already talking about lags/lagging etc, then how come Havok and that other blight guy from canada have a better ping than me in EU servers!!! AGHHHHHHHHH.
looking forward for some mental and some internet help.
nice! +0

thanks
@zblock: It might work but it just does not support TF2. That’s all. It fails when you start it ;-)
@havok’s ping. He just fakes the scoreboard ping with his net settings. His real ping is ~200.
Cheers,
Ronny
nice-servers.com
nice! +0

The attacks must have weakened then because other than 2 timeouts the semifinal looked fine?
nice! +0

Our script kiddie is still trying to attack the servers around the world and had a small success tonight in our pcw against YYT. The server lagged a bit during a heavy attack. I changed the firewall rules once again to
-m limit --limit 1/s --limit-burst 1
and everything was fine then. After the match I saw that the attack was still ongoing but it didn’t affect the gameserver. So update your firewall or get a server from us. ;-)
Cheers,
Ronny
nice-servers.com

He’s still doing it despite not having ruined a match for around a match for this long? Holy shit lol.
nice! +2

etf2l.org/forum/leaguea/topic-...
nice! +0

quite likely he has a script set up to monitor some servers and bang em when they have ppl on
nice! +2

as a heads up, something like this has been happening in Australia since the latest patch on all of our pug/scrim servers :S
nice! +1

More power to the attackers I say… Valve might actually fucking do something now :D
nice! +0

Putting hide_server 1 in your server config seems enough to prevent this from happening. Only nasty side-effects of this are
1. Friends can’t see your game info at all – and that means they also can’t join your game through that method.
2. You can’t add servers with this setting to favourites (well, technically you can – but they won’t show up in the server browser).
nice! +0

I’m really confident that Arie and me managed to protect the game servers from being attacked by our firewall rules. It worked fine for our final between Epsilon and blight.
Unlucky I had a typo in my fw rules (should c&p next time) so my servers were still vulnerable. Should be fixed now.
Cheers,
Ronny
nice-servers.net
nice! +0