New attack that this might be able to mitigate fully

[storm37000]

New layer 7 ddos attack against the core srcds with join packets using spoofed IP addresses, steamids, and usernames. Many of the steamids are invalid and not real accounts. If this could be checked here and rejected that would likely fix the issue. Keeping it from getting to the lua hooks is important as that is where the actual disruptive lag occurs because of the rate.

Client 224 [248:1317131558] connected to universe 248, but game server [G-1:3740913] is running in universe 1
Client 224 [248:1317131558] connected to universe 248, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:456662091
Client 224 [139:913324183] connected to universe 139, but game server [G-1:3740913] is running in universe 1
Client 224 [139:913324183] connected to universe 139, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1931627610
Client 224 [147:3863255221(pending)] connected to universe 147, but game server [G-1:3740913] is running in universe 1
Client 224 [147:3863255221(pending)] connected to universe 147, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:279570602
Client 224 [83:559141204(430170%)] connected to universe 83, but game server [G-1:3740913] is running in universe 1
Client 224 [83:559141204(430170%)] connected to universe 83, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:963169328
Client 224 [C-208:1926338656] connected to universe 208, but game server [G-1:3740913] is running in universe 1
Client 224 [C-208:1926338656] connected to universe 208, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1380728643
Client 224 [87:2761457287] connected to universe 87, but game server [G-1:3740913] is running in universe 1
Client 224 [87:2761457287] connected to universe 87, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1910496918
Client 224 [237:3820993837] connected to universe 237, but game server [G-1:3740913] is running in universe 1
Client 224 [237:3820993837] connected to universe 237, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:1105939099
Client 224 [60:2211878198] connected to universe 60, but game server [G-1:3740913] is running in universe 1
Client 224 [60:2211878198] connected to universe 60, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:987919412
Client 224 [163:1975838825] connected to universe 163, but game server [G-1:3740913] is running in universe 1
Client 224 [163:1975838825] connected to universe 163, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:107437431
Client 224 [148:214874862] connected to universe 148, but game server [G-1:3740913] is running in universe 1
Client 224 [148:214874862] connected to universe 148, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:879281764
Client 224 [69:1758563528] connected to universe 69, but game server [G-1:3740913] is running in universe 1
Client 224 [69:1758563528] connected to universe 69, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:953466559
Client 224 [95:1906933118] connected to universe 95, but game server [G-1:3740913] is running in universe 1
Client 224 [95:1906933118] connected to universe 95, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:278135
Client 224 [93:556270] connected to universe 93, but game server [G-1:3740913] is running in universe 1
Client 224 [93:556270] connected to universe 93, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:45930753
Client 224 [199:91861506] connected to universe 199, but game server [G-1:3740913] is running in universe 1
Client 224 [199:91861506] connected to universe 199, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1737656111
Client 224 [198:3475312223] connected to universe 198, but game server [G-1:3740913] is running in universe 1
Client 224 [198:3475312223] connected to universe 198, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:498498484
Client 224 [176:996996969(839599%)] connected to universe 176, but game server [G-1:3740913] is running in universe 1
Client 224 [176:996996969(839599%)] connected to universe 176, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1963536912
Client 224 [8:3927073825] connected to universe 8, but game server [G-1:3740913] is running in universe 1
Client 224 [8:3927073825] connected to universe 8, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:1245250095
Client 224 [254:2490500191] connected to universe 254, but game server [G-1:3740913] is running in universe 1
Client 224 [254:2490500191] connected to universe 254, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:486688066
Client 224 [141:973376132] connected to universe 141, but game server [G-1:3740913] is running in universe 1
Client 224 [141:973376132] connected to universe 141, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:21963206
Client 224 [192:43926412] connected to universe 192, but game server [G-1:3740913] is running in universe 1
Client 224 [192:43926412] connected to universe 192, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:115799867
Client 224 [209:231599734(pending)] connected to universe 209, but game server [G-1:3740913] is running in universe 1
Client 224 [209:231599734(pending)] connected to universe 209, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:2053350239
Client 224 [146:4106700478] connected to universe 146, but game server [G-1:3740913] is running in universe 1
Client 224 [146:4106700478] connected to universe 146, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:1:765174900
Client 224 [104:1530349801] connected to universe 104, but game server [G-1:3740913] is running in universe 1
Client 224 [104:1530349801] connected to universe 104, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:1125705821
Client 224 [220:2251411642(214316%)] connected to universe 220, but game server [G-1:3740913] is running in universe 1
Client 224 [220:2251411642(214316%)] connected to universe 220, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:418917188
Client 224 [242:837834376] connected to universe 242, but game server [G-1:3740913] is running in universe 1
Client 224 [242:837834376] connected to universe 242, but game server [G-1:3740913] is running in universe 1
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:8212593
Client 224 [39:16425186] connected to universe 39, but game server [G-1:3740913] is running in universe 1
Client 224 [39:16425186] connected to universe 39, but game server [G-1:3740913] is running in universe 1```

[danielga]

Thanks for the heads up. As it is, serversecure might not be able to extract the SteamIDs, but they seem easy to notice (most are obviously bad).

[storm37000]

right now all the usernames are just empty strings, that can be blocked but it is extremely likely they can spoof those to random values.

[danielga]

I've checked this ULX GB addon and it seems to use the CheckPassword hook, that's where that message is printed from. Following the trail back, it seems all this connection initialization stuff comes from a C2S_CONNECT packet. Knowing this, I should now be able to extract SteamID and name. I could try replicating the Steam auth step so they are validated before it goes through all the Lua hooks but no promises.

[danielga]

Also, are you sure they're spoofed IP addresses? There seems to be a challenge before being able to start the connection. Can you provide some examples of these addresses?

[storm37000]

I created a rate limit in that hook that worked back when the attack was much less advanced, when it only used 1 or 2 steam accounts. Each one was a different IP that was never repeated as far as i saw.

[storm37000]

[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
Client "unnamed" connected (24.160.196.83:39165).
Dropped unnamed from server ()
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
Client "unnamed" connected (214.253.174.103:21250).
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: dd SteamID 404310e0
S3: Duplicate client connection: UserID: dd SteamID 404310e0
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: dd SteamID 404310e0
S3: Duplicate client connection: UserID: dd SteamID 404310e0
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: dd SteamID 404310e0
S3: Duplicate client connection: UserID: dd SteamID 404310e0
Dropped unnamed from server ()
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
Client "unnamed" connected (220.134.224.115:31318).
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: de SteamID 404310e0
S3: Duplicate client connection: UserID: de SteamID 404310e0
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: de SteamID 404310e0
S3: Duplicate client connection: UserID: de SteamID 404310e0
[ULX GB] AUTHING PLAYER:  WITH SteamID: STEAM_0:0:539068528
S3: Duplicate client connection: UserID: de SteamID 404310e0
S3: Duplicate client connection: UserID: de SteamID 404310e0
220.1.120.243:34808:  password failed.
77.224.148.53:44091:  password failed.
4.210.143.150:41882:  password failed.
187.147.176.245:32998:  password failed.
116.152.159.52:8663:  password failed.
162.16.93.226:9065:  password failed.
85.112.146.51:35152:  password failed.
124.218.135.61:56724:  password failed.
199.92.151.142:42598:  password failed.
64.146.247.34:46686:  password failed.
32.101.254.52:36784:  password failed.
210.25.144.169:35230:  password failed.
68.77.27.49:1380:  password failed.
89.140.52.155:60633:  password failed.
80.213.83.138:8147:  password failed.
134.248.124.213:32317:  password failed.
205.196.184.28:7084:  password failed.
218.125.100.150:19582:  password failed.
218.206.200.220:47094:  password failed.
114.164.172.118:27720:  password failed.
...

[storm37000]

Only a very small portion of it Looked like it happened while that "unnamed" client was in the process of connecting, as it stopped when they finally timed out.

[danielga]

Thanks to help from @willox, I've got a better view of what's actually going on. They are "bypassing" the challenge and I now know how to improve it.

[danielga]

I've made a tentative fix on 1.5.37. Please try this one.

[danielga]

Created another release candidate for 1.5.37. This one uses a non-VALVe PRNG, hopefully seeded by a CSPRNG.

[storm37000]

Seems to have stopped the attacks as ive watched it mitigate it with my own eyes.

[danielga]

Seems to be resolved.