2

My gaming machine is under DDoS attack and when I used Wireshark I found the following string "TSource Engine Query" in all UDP packets coming from random IP's.

I found using Google that some gaming studios use this function to connect to server. Is that true or it is malware?

Can someone explain what is TSource Engine Query?

How to solve it?

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
Satish
  • 133
  • 1
  • 7

3 Answers3

2

Can someone explain what is TSource Engine Query?

I add to @schroeder answer. This is a common Distributed Reflective Denial of Service (DRDoS) attack. You can read about an analysis done on an number of games that are vulnerable to the attack.

How to solve it?

Changing IP address is not going to help you as an attacker will easily find your new game server.

Read UDP-Based Amplification Attacks from US-Cert on two mitigations of DRDoS: Source verification and Traffic Shaping. You many need to setup an IPS (e.g. Suricata or Snort) on your game server to achieve this.

Alternatively, you can use DDoS protections services that are mainly paid solutions.

Community
  • 1
Dr. mattle
  • 300
  • 1
  • 10
  • 1
    You are assuming that the OP is running a game server. From the source that I quote, such an attack can be performed against the client, not necessarily against the server. – schroeder Sep 17 '15 at 23:37
  • Does iptables will help here? I think if attack is about flood then how IPtable will stop it? – Satish Sep 18 '15 at 01:37
  • @Satish it can help to throttle the traffic. I have write about using hashlimit module [here](http://security.stackexchange.com/a/100291/86689). – Dr. mattle Sep 18 '15 at 23:18
  • @mattle, Thanks but by the way what is `Source verification` ? How does it work? – Satish Sep 21 '15 at 19:33
  • There are different techniques to detected spoofed UDP packets (e.g. ingress filtering). Check out [Spoofer Project](http://spoofer.caida.org/) for more detail. – Dr. mattle Sep 27 '15 at 22:16
2

Source Engine Query (that T in front is part of header) is part of routine communications between clients and game servers using Valve Software protocol (A2S_INFO packet), makers of Steam engine. You might see this traffic if you're playing on a remote server or hosting a game. As explained above, it has been also used as part of DoS attacks.

kravietz
  • 412
  • 2
  • 7
1

An example of a DRDoS using source involves querying the master server of a game and bouncing the replies towards your victim continuously. The packet will probably look something like " TSource Engine Query"

https://facepunch.com/showthread.php?t=1098550

It's not malware, it's the traffic flood that causing your problems.

Ask your ISP to change your IP.

schroeder
  • 123,438
  • 55
  • 284
  • 319