Network magician, source engine + spoofed ips
Hi,
I run community game servers for CS2, lately I have been having daily a2s query attacks or other attacks with udp spoof,
I am looking for a person to deal with these attacks on my server, I am not interested in external ddos protection (increase in latency + players in my country are sensitive to such changes)
As I understand this analysis from wireshark shows the number of ip addresses that are involved, this is a dump somehow of a second (271k ips) each sends a small number of packets
https://i.imgur.com/ChoA2tX.png
I'm interested in solving the problem with a2s query attacks (Tsource Engine Query) and getting rid of the attacks that I submit in the dump (those udp floods with spoofed ips)
For those interested, I can send a dump for review
The dedicated server itself is not going down, there is only a problem with the application (game servers)

Comments
Please forgive me if this is wrong (I am not a professional in networking). But this reminds me a bit of the issue Tor relay operators faced some days ago:
See this here:
https://delroth.net/posts/spoofed-mass-scan-abuse/
https://blog.torproject.org/defending-tor-mitigating-IP-spoofing/
Maybe this helps you to investigate your problem a little bit better. If you find a solution, please share.
If this is something completely different to your problem, just forget my post
I guess something like this should help you: https://github.com/Synkstar/xdpa2scache
Yep. Crunchbits was really sure I was 'hacked' despite telling them the system's locked down and it was likely spoofed as another NetCup instance got the same complaint.
Asked for pcaps or anything beyond that, and no response.
They got another, doubled down, so I cancelled renewal on the VMs.
Previously great service, but I don't need rookies deciding to suspend my VM with no proof, ignoring the actual issue going on (mass spoofing on tor relay IPs). Also the PA move with zero notice was a mess.
I thought Crunchbits would be able to deal with this better. Any proof?
Even though this spoofing attack cost me several VPS and hosting accounts, it also showed me which of my hosting providers value their customers and which don't care about them at all and just want money.
While some simply blocked the server permanently after a single abuse report, without further discussion, others took the time to listen to my explanations and reacted appropriately and helpfully.
I will do better without the shitty companies of the first group…
Me too, it was sad cancelling, but the writing's on the wall. Was surprised it's amateur hour over there.
Not even a ticket, it was some 'Abuse Manager Pro' shitty WHMCS module that locked down all access during my vacation until I replied to them.
The Level 0 tech couldn't even mark the abuse properly 'Phishing' ? That got my attention so I had to buy Starlink access where I was to reply.
Their response to me telling them exactly what was occurring was: make sure all ports are blocked on the server?
Then a week later:
I opened a ticket telling them I'd be cancelling renewals if they didn't start to properly address abuse reports and never was responded to. Today, I closed it myself. Hopefully they can pass that around the Discord as to not alienate previously happy clients.
Abuse department is out of their league, and not getting suspended because of slap-dash staffing.
Yep, exactly my thoughts. False abuse reports are where the rubber meets the road.
Reminds me of late 90's AOL where you could get any screenname ToS'd / suspended with 3 false abuse reports from German AOL accounts. Just took a copied and pasted fake conversation into a plain-text box. 3 unique reports, screen name ToS'd instantly.
Once I saw I was working with that level of incompetence in 2024, I cancelled for end of term. I'd rather stay with ISPs who don't rapid fire off false abuse reports threatening to suspend.
Also, smarter providers who use their PoPs as I like the PA location. Not Abuse telling me to close all the ports on my server. It's a shame because network and hardware was just fine.
Extremely disappointing end to what was a favorite provider of mine.
@Kris
OP clearly told what this thread is about,
What's your personal crusade against @crunchbits got to do with the topic?
Stop derailing this thread so OP hopefully can find the help he needs.
I asked him, because I was curious, that's all.
He isn't derailing the thread with one post.
If there is an abuse with NAT, it's a pain, especially with KVM.
If you don't have any network recording running, which we don't.
Topic is not about any hosting or person
it's just that someone has been trying for a long time to shut down my servers that I keep for people, and I lack the skills to solve it completely.
I also tried sqproxy (https://github.com/sqproxy/sqproxy) cache for these queries to the game server, but it doesn't do the trick.
Still the network usage of the game server is high then and some attacks are probably not tsource query
You were not addressed and you don't run a personal crusade against some provider. @Kris does, and NO it wasn't just one (1) post from him.
Let us focus on OP's request for help, please (although me not being a gamer and quite clueless in such things I sadly can't help OP, sorry).
I asked him for a simple thing, you attacked him, because he posted it.
So you pulled me in, simple that.
Don't speak to me like this, I am not your dog or something.
You don't tell me what I can and can't do.
Now you derailed the thread, congrats.
This thread has been completely derailed and gone off topic by MarkLuun. Your beef with crunchbits has nothing to do with this.
@daffyy this sounds out of your league. If you don't want remote protection there are still plenty of options that aren't remote. You can also get a server that's within 1-2ms of your provider's tunnel.
Fixing a2s query attacks is not the end of your ddos problems. It is just the beginning. The attackers will just switch to another method.
Again, nobody has a beef with @crunchbits.
He said his abuse case, wasn't the correct way it should be handled.
So I was curious, I am allowed to be curious, so I asked.
Then @jsg started then attacking people....
I did not attack you in any way, not directly and not indirectly. And @Kris started smearing and bashing @crunchbits before your first post. And in fact I liked your post because you were asking for proof.
BS! I was polite. My '[irrelevant]' simply meant that IMO reasons (for your asking him) were not even needed. You of course could ask for proof even without reasons.
And I didn't.
So, when we both talk about something then in my case it's thread derailing while in your case it's perfectly fine. Hahaha.
That's one way to interpret it, and a very advantageous one - for him. The way I see it he tried to smear and bash crunchbits as incompetent idiots. In three posts and each time attacking crunchbits and painting them as idiots.
Thank you for answering to OP's request for help.
@jsg dude I am so done talking to you, you're just making shit up right now.
Nobody called crunchbits an idiot, except you.
I asked for proof, because he claimed that his abuse has been handled incorrectly.
That is all, the rest you do just imagine in your head, end of story.
Thanks for the evidence that you don't care a flying fuck about not derailing this thread. I actually do - and hence no further discussion with you.
I currently have a server on ovh that handles other attacks reasonably well, the only problem (currently) is this a2s.
I was thinking about a GRE tunnel from a protected host but you won't find one that has a 1-6ms latency to ovh eu/Warsaw
OVH does not handle more than the most basic of basic attacks well. The fact that you say their a2s query protection doesn't work now tells me they don't bother updating it anymore.
You can find one that has <6 ms latency to ovh. Maybe not warsaw but definitely in their other locations. I don't want to name any particular ones but they are out there and not hard to find.
Ok, everyone calm down please and be respectful. Please focus on the OP's request. If you need something else, open a new thread. Thank you all.
This was brought to my attention. It was a unique case and it was handled improperly on our end, and staff that originally replied hadn't run into it before. I had personally drafted a reply, but had to sit on it for a little bit and make sure it was accurate and fair. Ticket was gone by then, oh well.
Realistically: you have promotional-only products, called staff "idiots" in your reply, and threatened to leave all because your TOR use-case (which we explicitly always mention we're not likely the best host for that use-case) needed special attention from a network admin versus level 1 support. It's not a wide-ranging issue, and if we get rapid-fire complaints it will raise eyebrows. Unless you're on a bulletproof host of some sort, I have to assume anyone running anything remotely clean trying to keep up with constant IP reputation hits is going to react to reports.
I know you only see it from your point of view rather than the other side which deals with dozens (or more) abuse reports per day, and requires us to have some level of automation with AMP. If a cordial reply and working through it with us in a sensible manner is beyond you, then I'm frankly glad you cancelled.
First and only post replying on this. Sorry if it's too OT, but I had 10+ pings in this thread alone.