The best way to prevent DoS attacks is by treating disruptive players with kid gloves -- kicking and banning them, but being very civil about it.
But, that doesn't always work, and sometimes servers get attacked despite this.
If you feel that you might be getting attacked and you aren't sure who is doing it, I would recommend taking a look at a dump of the traffic to the server to see if anything about it is unusual, such as one person sending large numbers of packets or packets that are all the same size (one common attack on Source servers involves UDP packet with a zero-length payload).
More specifically, on your Windows server, install WinPcap
and then run WinDump
from the command line. It will show all packets coming in and out of your machine.
If you isolate a single IP, such as 220.127.116.11, that is flooding you or doing something otherwise malicious, you can block it with IPSec, which is built into Windows. To add an ipsec rule, you can use their snap-in, but I personally like to do it through the command line, using the ipseccmd tool that you can find in the Windows XP SP2 support tools
. An example command line to block this IP (both in and out) would be:
ipseccmd -f "0+18.104.22.168"
Some DoS attacks on HL1/Source servers (such as some exploits to crash the server) that we hear about attack bugs in the game itself, or its plugins, however, and would not be obvious in the packet output. In that case, you might try disabling or upgrading your plugins, or running a plugin that is designed to address deficiencies in the engine (if one exists for your particular type of DoS).