

Upon further thought, is it possible that the attacker is simply sending correctly formatted RST packets to the client connection port of the CS:GO server while spoofing IP? It would be fairly simple to craft such packets in either C or with almost any modern network accessing dev kit such as an Arduino or Raspberry Pi. If there is an outlier with a large number of packets who does not have a connection (yes, I know UDP is connectionless) to your game you can *probably* add them to the iptables.


You might also try whitelisting players' IPs from a website form? Personally I would use Wireshark dumps and a small PHP/C program to get a breakdown of all the incoming packet source IPs and correlate them with the players in the actual game. If there is no relation then the attack is probably either done from a large number of distinct accounts or a side channel attack like using hping to flood the game server's buffer on Z port or something similar. If they aren't crashing your server outright you should end up with a large number of client join logs, and if X player is always joining Y server right before it is attacked you can probably narrow it down to a small handful of players quickly. I would use GetClientIP with a threaded query called in the OnClientPostAdminCheck event imo. I would probably code a plugin that adds all the players' IPs, Steam IDs, server host and a timestamp to a database table each time they connect and use deductive reasoning to work out who is doing it.
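An added example, not part of the original post, of the correlation described above: it flags high-volume source IPs that never appear in the connect log and finds Steam IDs that joined the attacked server shortly before every attack. The packet list, connect-log rows, attack times, thresholds and function names are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one source IP per captured UDP packet to the game port
# (e.g. the output of `tshark -r dump.pcap -T fields -e ip.src`).
PACKET_SOURCES = (["198.51.100.7"] * 900 + ["203.0.113.10"] * 40
                  + ["203.0.113.11"] * 35 + ["192.0.2.55"] * 1200)

# Constructed sample of the connect log such a plugin would write:
# (ip, steam_id, server, connect time).
CONNECT_LOG = [
    ("203.0.113.10", "STEAM_1:0:1111", "srv1", "2024-01-01 20:00:05"),
    ("203.0.113.11", "STEAM_1:0:2222", "srv1", "2024-01-01 20:01:00"),
    ("198.51.100.7", "STEAM_1:1:3333", "srv1", "2024-01-01 20:58:30"),
    ("198.51.100.7", "STEAM_1:1:3333", "srv2", "2024-01-02 21:28:10"),
    ("203.0.113.10", "STEAM_1:0:1111", "srv2", "2024-01-02 19:00:00"),
]
# Constructed attack start times per server.
ATTACKS = [("srv1", "2024-01-01 21:00:00"), ("srv2", "2024-01-02 21:30:00")]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def unmatched_sources(sources, connect_log, min_packets=500):
    """Source IPs with many packets that never appear in the connect log.
    UDP source addresses can be spoofed, so review the list before blocking."""
    known = {ip for ip, _, _, _ in connect_log}
    counts = Counter(sources)
    return sorted((ip, n) for ip, n in counts.items()
                  if n >= min_packets and ip not in known)

def joined_before_every_attack(connect_log, attacks, window_minutes=5):
    """Steam IDs that joined the attacked server inside the window before each attack."""
    window = timedelta(minutes=window_minutes)
    suspects = None
    for server, started in attacks:
        start = parse(started)
        joined = {sid for _, sid, srv, ts in connect_log
                  if srv == server and start - window <= parse(ts) <= start}
        suspects = joined if suspects is None else suspects & joined
    return sorted(suspects or [])

if __name__ == "__main__":
    print(unmatched_sources(PACKET_SOURCES, CONNECT_LOG))
    print(joined_before_every_attack(CONNECT_LOG, ATTACKS))
```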
