This is an extremely frustrating problem that has popped up for me all of a sudden. My scrds garrysmod servers cause a mass amount of System Interrupts which use nearly 100% of the CPU and crash everything. Sometimes the issue starts immediately when I start the server, other times it takes some minutes of the server working fine after which the problem starts and everything freezes (unless I manage to X out the server quickly enough).
This issue started yesterday about 10 minutes after NFO filtered an attack of the form "a Source connection flood/2" against my server. I suspect the filtering response may be causing it, but I have also had the issue when the server is running on a different IP than the one attacked. I have used Windows Performance Analyzer and the DPC interrupts are mainly coming from NETIO.sys and ntoskrnl.exe, implying it's a networking-related issue (I use Windows Server 2012 R2). I've tried just about everything I can think of - different IPs, fresh addon-free servers, etc. - and they all seem to be affected.
SCRDS.exe Causing Mass System Interrupts and freezing machine
Re: SCRDS.exe Causing Mass System Interrupts and freezing machine
Found something new. I think it might be caused by an unfiltered DDoS. Here's Wireshark while no servers are running:
http://i.imgur.com/mMQfEeC.png
Some of the packets say "Source engine query" so it seems that's what is being spammed. How would you filter these without blocking legit traffic?
Re: SCRDS.exe Causing Mass System Interrupts and freezing machine
Unfortunately, the attack you're seeing cannot be effectively mitigated in general since it's mimicking legitimate traffic; a Windows environment also doesn't help. Though, I'd recommend disabling BFE on Windows as there is a current performance issue with it right now that can cause small attacks to completely lock up the machine. This can be done by opening an elevated command prompt window and issuing these commands:
Code:
sc config PolicyAgent start= disabled
sc config IKEEXT start= disabled
sc config MpsSvc start= disabled
sc config bfe start= disabled
net stop policyagent
net stop ikeext
net stop mpssvc
net stop bfe
If your problem is what I think it is, that should stop it from occurring. Now there is always the chance that the game server will now freak out due to the traffic. Sadly, Source Engine games are terrible at dealing with these types of attacks and will crumple under even a small amount of it. If disabling BFE does not work, I'd recommend using the firewall tab in your control panel to apply a loose rate-limit for "Source Engine Queries", and by loose I mean use our pre-made rule, but edit the rate-limit option from 50 to something like 150 and see how it performs. If it doesn't help, drop it down to 125, etc. Unfortunately, since this traffic is mimicking legitimate traffic, any firewall rule applied runs the risk of blocking legitimate clients :/
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
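Added example (not from the thread or from NFO): one way to choose between rate-limit values like the 50, 125 and 150 mentioned above is to count "Source Engine Query" (A2S_INFO) requests per second in a capture and see how much a given limit would drop. The packet tuples, the per-second unit assumed for the limit, and every address below are constructed for illustration.

```python
from collections import Counter

# A2S_INFO request: 0xFFFFFFFF header, 'T', then the string Wireshark shows.
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

def is_a2s_info(payload: bytes) -> bool:
    """True for an A2S_INFO request (newer clients append a 4-byte challenge)."""
    return payload.startswith(A2S_INFO) and len(payload) in (
        len(A2S_INFO), len(A2S_INFO) + 4)

def summarize(packets, limit):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).
    limit: assumed to mean matching packets allowed per second, all sources."""
    per_second, per_source = Counter(), Counter()
    for ts, src, payload in packets:
        if is_a2s_info(payload):
            per_second[int(ts)] += 1
            per_source[src] += 1
    return {
        "total_queries": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "seconds_over_limit": sum(1 for n in per_second.values() if n > limit),
        # A global limiter drops the excess regardless of who sent it,
        # so legitimate queries in a flooded second can be lost too.
        "dropped_by_limit": sum(max(0, n - limit) for n in per_second.values()),
        "top_sources": per_source.most_common(3),
    }

def build_sample():
    """Constructed capture: two server browsers querying once per second for
    3 seconds, plus 200 queries from 100 sources during second 1."""
    pkts = []
    for sec in range(3):
        pkts.append((sec + 0.1, "198.51.100.10", A2S_INFO))
        pkts.append((sec + 0.2, "198.51.100.11", A2S_INFO + b"\x01\x02\x03\x04"))
        # A2S_PLAYER request: different query type, not counted.
        pkts.append((sec + 0.3, "198.51.100.10", b"\xff\xff\xff\xffU\xff\xff\xff\xff"))
    for i in range(200):
        pkts.append((1.0 + i / 200.0, f"203.0.113.{i % 100 + 1}", A2S_INFO))
    return pkts

if __name__ == "__main__":
    sample = build_sample()
    for limit in (50, 125, 150):
        print(limit, summarize(sample, limit))
```

In the constructed sample no single source stands out in `top_sources`, which is why a per-source block does not help and only the global limit changes the outcome.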
Re: SCRDS.exe Causing Mass System Interrupts and freezing machine
kraze wrote: Though, I'd recommend disabling BFE on Windows as there is a current performance issue with it right now that can cause small attacks to completely lock up the machine.
What versions of Windows Server are affected?
Re: SCRDS.exe Causing Mass System Interrupts and freezing machine
Win2k8 R2 is what we mainly use, but it's possible this performance issue spreads to other Windows-based systems.