Totem Arts Staff TK0104 Posted June 4, 2016 So I wanted to play some RenX and joined an almost full server. 1 minute later it gets DDoSed. Everyone switched to the 2nd one... gets DDoSed 1 minute later. Switch to the 3rd one... DDoSed again. EDIT: 4th and 5th server DDoSed. DDOS, LET US PLAY SOME RENEGADE X AND GET A LIFE FFS!!! We need even better servers that are 100% DDoS proof or this game might die.
Ryz Posted June 4, 2016 No server will be 100% DDoS proof, but I am sure the CT server will have protection soon...
Profane Pagan Posted June 4, 2016 Do you have a suspect who could attack us with DDoS?
Flamezz|Ninja Posted June 4, 2016 The better question is why? Why would someone go through the trouble of DDoSing a RenX server? There's only a small number of people that play. It's a free game... what the hell is the point of DDoSing!?
Profane Pagan Posted June 4, 2016 We'd need an ethical hacker to track the culprit down. I was asking what you think, because I have a suspect, although I know you might not agree with me. I noticed a player, for his behaviour; his name is MAX, the well known troll. I dislike him pretty much. From my perception, I have never seen him in a game which got shut down because of DDoS. To tell you the truth, at the beginning I only considered him an ill-mannered player, and I was glad he got banned from Constructive Tyranny. But one day he got kicked out of another server, and in 5 minutes our game was cut short because of the DDoS attack. I have just realized I could imagine him enjoying the trolling of others, and then ruining their game in various ways. Later in the Constructive Ty. server, I saw him again. But that was the server he got banned from! Someone commented he has methods to get back in the game with the same name, regardless of the ban. Is it so far-fetched to assume MAX is the one behind the DDoS attacks, with this kind of knowledge and reputation? True, I might despise him too much, and I don't know much about the nuances, but right now he is my suspect number 1. I just want to ask you whether you saw him in-game during a DDoS attack? I never have. Look out for him. He is a worthless player in the game, a bad team member, and I can imagine him as an avenger too.
MrSeriousOak Posted June 4, 2016 [quoting Flamezz|Ninja above]
1) They could hate the dev team
2) *this one is most likely to be bs* He/she is an EA fanboy/girl and they hate RenX for being independent
3) They got pwned by a sniper
4) They lost their SBH spy by being driven over by a stank
5) They want RenX to die for reasons unknown to man
6) They are a troll who is willing to go through all the trouble to troll on this level.
[quoting Profane Pagan above] It is at this moment most likely to be him.
RoundShades Posted June 4, 2016 The guy is usually always the same guy as before, and we know exactly who that was, but there's no point in going on an offense against him. Hopefully, DoctorB0ng will figure out a traffic filtering solution.
Profane Pagan Posted June 4, 2016 You know him? Good to know. And who is he? Is he a player too?
RoundShades Posted June 4, 2016 [quoting Profane Pagan above] You'd think if I were going to publicly list his name, I'd have done it long ago. We intentionally avoid sharing whatever alias he happens to be going by, but you probably don't know him. If someone else who knew or discovered who it was thought it was a good idea, they too would have done it long ago. If they want to share a name, it would be up to them, not I.
Profane Pagan Posted June 5, 2016 All right, fair enough. It is just a shame this guy won't buzz off. And hereby I withdraw my case against MAX.
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
Totem Arts Staff TK0104 (Author) Posted June 5, 2016 And another server DDoSed. And I must say, there was a guy called Max in game, but I don't know if it's the same as MAX (if he's not the same one, never mind). But he wasn't very nice to some people; he wanted to kick me for no reason (only because he didn't like me). And for the guy Max: make friends with RenX and don't hate other people...
Profane Pagan Posted June 5, 2016 Yeah, I am glad you saw him in the game. That proves me wrong. I must admit I can't stand him, he is a god-awful fellow, and I was very suspicious of him. But in the past weeks the distrust has grown in me, so I wanted to share my opinion. About the DDoS attack, I still believe going against the culprit would be justifiable, because it is a crime in many countries, and the punishment could vary from 12 months to years. All right, let's say this is just a fantasy. Then I can promise you, if he lives in Hungary or in neighbouring countries, I can still visit him to trash his hardware. The Emperor would be proud of me: "Yes, yes, let the hate flow through you!"
Fujiwara Chika Posted June 5, 2016 I have a friend outside of this community who, if he commits to it, can make a script and blacklist this DDoSer, taking him out the moment he tries to do anything. Though, I doubt I can convince him to help since he's rather apathetic about RenX.
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
Totem Arts Staff yosh56 Posted June 5, 2016 It's also a host of UDK-specific attacks. We've been through this before. Just a question whether server owners ever read the post on how to actually protect their servers that b0ng wrote forever ago and gave to servers. If they don't care, that's on them.
RoundShades Posted June 5, 2016 [quoting yosh56 above] But CT was brought down as well.
Mystic~ Posted June 5, 2016 I'm sure if B0ng moves to a better-protected server again people will/can contribute to the cost of running it.
DoctorB0NG Posted June 5, 2016 Current status: a DDoS-protected server costs twice as much as the current server and I'm worried about funding for it. I'd also need to recruit someone to help manage the capture of tcpdump files to analyze attacks and make sure the current iptables rules are still blocking the malicious traffic. I unfortunately don't have the time to monitor the server nearly to the level I used to, as I have a new job. And actually part of the reason I have my new job is because of the Linux skills I gained from handling the DDoS attacks last fall. Tl;dr: afraid of funding, need to train 1-2 people to run tcpdump during attacks so I can later analyze the logs with Wireshark.
RoundShades Posted June 5, 2016 Are fffreak9999 and glacious available? I don't want to volunteer anyone, just usually they are available for this. As far as funding, I believe you have a link already, so we can only hope it's important enough to get people's attention. Also, maybe development should consider a way to reroute people from dropped servers into other servers automatically. Maybe even split full servers upon game end into 2 servers. This way, servers migrate automatically, and keep the DDoS chasing its own tail.
DoctorB0NG Posted June 5, 2016 freak said he would be willing to. Glacious will have no interest in this (we're still pretty burnt out from Ren-X issues in the fall). I'd actually likely need 3-5 people so we have some redundancy and a solid crew to help.
RoundShades Posted June 5, 2016 I can only offer. I have some experience and no busy life. At least I could be one of the redundant backups, in case you can find 2 other solid people. I have been less burnt out because I took a bit more space than most lately. Most I have going in parallel is, sadly enough as this may seem, the #TIBA, but I can't in all good conscience use that as an excuse that I'm too busy; if anything, it just means I have no life whatsoever and should have tons of time to be available.
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
DoctorB0NG Posted June 5, 2016 All I really need is people to "watch" the server and run tcpdump during an attack and then send me a message with the time they captured the attack. I will be able to analyze the attacks very quickly as I've been doing this for a while. The tough part is just getting the captures, which is what I need people for. The other option is setting the packet captures to run automatically via a cron script or some other means. I would need to have some sort of logrotate though, to prevent the captures from completely filling up the hard drive. If anyone in the community is a shell scripting/automation wizard, please let me know.
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
Ryz Posted June 5, 2016 Usually I am working from home these weeks, so if I can set up IRC so it won't bother me unless there is a need to, I can help with this if you guys want me to. I am sure there are people who are higher on your list of nominees, but let me know. Requests for donations, for example when we played the PUG, could also bring in more money. I just had to wait half a year for my clients to pay me, but now money is coming in I am sure I will donate if needed!
Flamezz|Ninja Posted June 5, 2016 Can someone explain this like I'm 5? Can't a server differentiate between traffic coming from a DDoS program and traffic coming from the actual Renegade game? I mean, when you launch a game through the in-game multiplayer, surely it must have some sort of unique identifying characteristic, right?
DoctorB0NG Posted June 5, 2016 [quoting Flamezz|Ninja above] The main problem is that even if a program has the ability to differentiate malicious vs real player packets (which UDK does a terrible job of/doesn't do at all), the program would still have to accept the packet, analyze it, then drop it. When you get up into the 50K+ PPS range, that's still far too much data to process and even drop for a program that isn't optimized for it. This is where iptables shines. iptables is the userspace extension of a kernel module called netfilter. Because netfilter is written into the kernel and was designed from the ground up to be as efficient as possible, it can filter the traffic much better than any userspace program ever could. Luckily I already have a solid list of iptables rules that will likely block 98% of the attacks; however, a few stragglers will likely make it through, and that's why I'm gonna need other members to help me capture those few that may get through.
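The post above explains why the filtering has to happen in the kernel rather than in the game server, but the thread never shows DoctorB0NG's actual rules. The script below is an added example, not his ruleset and not anything shipped with Renegade X: it renders an iptables-restore ruleset that drops a spoofed UDP flood against a game port as early as netfilter allows. The port (7777), the legitimate datagram size window (40 to 1400 bytes) and the per-source packet rate (300 pps) are all placeholders to be tuned from real attack captures; the size window is the part that matters against spoofed sources, since a per-source limit cannot help when every packet carries a different forged address.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a UDP game server
# under a spoofed UDP flood. Not the ruleset from the thread; all numbers are
# assumptions to be replaced with values measured from packet captures.
#
# Design:
#   - size filtering lives in the raw table (PREROUTING), so a flood packet of
#     a size no real client sends is dropped before conntrack or any socket
#     lookup spends a cycle on it
#   - the filter table keeps a default-deny INPUT policy, lets the game port
#     through, and caps any single source address (useful only against floods
#     that are not spoofing their source; spoofed traffic is handled above)

render_rules() {
    game_port="${1:-7777}"      # assumption: UDP port the game server binds
    min_len="${2:-40}"          # assumption: smallest legitimate datagram (IP length)
    max_len="${3:-1400}"        # assumption: largest legitimate datagram
    per_src_pps="${4:-300}"     # assumption: ceiling one honest client can reach

    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Sizes outside the window a real client produces: drop with no conntrack cost.
-A PREROUTING -p udp --dport ${game_port} -m length --length 0:$((min_len - 1)) -j DROP
-A PREROUTING -p udp --dport ${game_port} -m length --length $((max_len + 1)):65535 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate-limited ICMP so path MTU discovery and ping still work.
-A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
# Per-source cap; short table expiry keeps a forged-source flood from pinning memory.
-A INPUT -p udp --dport ${game_port} -m hashlimit --hashlimit-name game_udp --hashlimit-mode srcip --hashlimit-above ${per_src_pps}/second --hashlimit-burst $((per_src_pps * 2)) --hashlimit-htable-expire 2000 -j DROP
-A INPUT -p udp --dport ${game_port} -j ACCEPT
# SSH for the people who run tcpdump during an attack (assumed port 22).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Apply only when explicitly asked, and only after iptables-restore has parsed
# the ruleset without committing it (--test), so a typo cannot lock you out.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    render_rules "$@" | iptables-restore --test && render_rules "$@" | iptables-restore
fi
```

Run `render_rules 7777 40 1400 300` to inspect the output, and `APPLY_RULES=1 ./rules.sh 7777 40 1400 300` as root to install it. When a flood still gets through, the capture files tell you which knob to move: a cluster of packets at one odd size means tightening the length window; a handful of real addresses at high rates means lowering the per-source cap.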
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
DoctorB0NG Posted June 5, 2016 People need to step up and say they're willing to help. So far I have freak and crowsey who are willing to help. If you'd like to help, please explicitly state so in this thread and I'll make sure I PM the details to you after I figure out some semantics. PS: the new server is already ordered, just waiting for it to be delivered. After I get the server, the setup will take a few hours. If donations don't pan out during the first month, I will not renew the server, so keep that in mind, folks.
iTweek. Posted June 5, 2016 May I ask you something? Where can a server with better DDoS protection be found? OVH support only says that an administrator will look at it on Monday.
DoctorB0NG Posted June 5, 2016 There's a thread that I made that you have access to that describes (step by step) how to implement the anti-DDoS solution that I used in the fall. For some reason every server owner keeps ignoring it...
iTweek. Posted June 5, 2016 Having a Cisco ASA hardware firewall in front does not help. It costs 170 euro, 14 days course set; I can only wait for the support.
ex_member Posted June 5, 2016 [quoting DoctorB0NG above] Can you provide a link to that post?
iTweek. Posted June 5, 2016 He certainly means this one: viewtopic.php?f=178&p=163633#p163633
ex_member Posted June 5, 2016 (edited) ... Edited September 22, 2018 by ex_member
iTweek. Posted June 5, 2016 Oh, only the server owners' section.
Totem Arts Staff yosh56 Posted June 6, 2016 Ren-X hasn't been free-to-play since September.
sterps Posted June 6, 2016 @itweek with the Cisco ASA, have you turned logging on and had a look at the logs when an attack occurs? It will tell you what type of packet it is, as well as the source IP address(es). Depending on your config, it sounds like you're accepting INBOUND traffic from the DDoS'er; you need to analyse the logs and see where it is coming from, then create a DENY rule accordingly. If you want some help analysing this, I'm happy to help. @Bong, I'd be happy to help analyse any Wireshark captures and translate these to new ACL deny rules on a router or a firewall. I'm a network engineer by trade, so I'm very well rehearsed when it comes to layers 1-4.
Totem Arts Staff NodSaibot Posted June 6, 2016 [quoting sterps above] He's using more than one location; he has a botnet, from what I understand.
DoctorB0NG Posted June 6, 2016 [quoting sterps and NodSaibot above] No. It's all spoofed UDP floods originating from one server/a small group of servers. And before anyone asks, no, you cannot just track the attack back, because if you look up the reverse DNS on the spoofed IPs, it will give you random people's IPs across the world, because they're spoofed. @sterps I might just give you full access to the box and we'll have to talk details some night in TeamSpeak. @itweek The Cisco ASA routers that OVH offers have too low of a spec for PPS, and even proper and efficient rules will still make the firewall choke and sputter.
Totem Arts Staff Cronus Posted June 6, 2016 Personally I just set up a batch file in Windows to packet capture every minute, with date and time stamp. Then when an attack happens, just grab however many minutes you need. PM me or something if you want more info, b0ng. It worked great for me and never failed; I still have that pcap I sent you to analyze (jk, it was TCP so I blocked TCP entirely).
sterps Posted June 6, 2016 I'd be up for that, let me know when you're free (we'll have to translate the time difference). If they're using UDP (which UDP port(s)?), are you able to drop data on those UDP ports, or ask your ISP to? Unless RenX uses some UDP ports...
DoctorB0NG Posted June 6, 2016 RenX exclusively uses UDP. The attacks are targeted at the UDP port that the game server is bound to. @cronus How big did the caps end up being after a day? Did you have tcpdump running with a time parameter instead of a packet limit parameter?
sterps Posted June 6, 2016 Damn... do you have control of the router connected to the server? If the ISP does, enquire if they can configure: 'ip verify unicast reverse-path'
RoundShades Posted June 6, 2016 I'm going to start keeping TeamSpeak 3 and IRC open. So PM me with instructions. [quoting DoctorB0NG above] Besides logging literally every 5-minute interval of the day, can you run another script to dump all logs older than 45 minutes? I couldn't imagine the logs piling up THAT bad in just 45 minutes. [quoting sterps above] This might be worth checking, if there is a way you can verify reverse-path for users and simply dump their packet earlier.
Totem Arts Staff Cronus Posted June 6, 2016 [quoting DoctorB0NG above] I just threw it together quick to do a packet limit parameter, figured out about how much runs in a minute. I think when I calculated I had like 1-3 months to clear old pcaps. I think I only had 100GB free at the time. So it's a great quick solution to get the pcaps, just check disk space every month or two, heh. I just checked my old logs, and for 3 days' worth of pcaps it was 6GB.
DoctorB0NG Posted June 6, 2016 [quoting Cronus above] The only problem with that is if we run the dump every X seconds with the duration parameter specified in total packets, there's a high probability that we'll either miss some packets or run overlapping dumps. How did you work around this?
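Two requests in this thread point at the same script: the automated capture with some kind of log rotation DoctorB0NG asked for a few posts up, and the gap-or-overlap problem he raises in the post above when captures are started from a scheduler with a packet-count limit. The block below is an added example, not Cronus's batch file or anything from the Renegade X server guide. It runs one long-lived tcpdump whose output file is rotated by tcpdump itself on a time boundary, so consecutive files neither overlap nor leave gaps, and it pairs that with a pruner and a disk-budget calculator that stand in for logrotate. The interface (eth0), port (7777), capture directory (/var/cap/renx), 60-second rotation, 128-byte snaplen and 45-minute retention are all placeholders.

```shell
#!/bin/sh
# Added example: rotating packet capture of a UDP game port with retention
# pruning. Not code from the thread; the interface, port, directory, rotation
# interval, snaplen and retention below are assumptions to adjust per server.

# Build the tcpdump command line. A single process with -G rotates its output
# file every ROTATE seconds while it keeps reading the interface, so the files
# line up back to back; there is no cron race to miss or duplicate packets.
#   -n   never resolve names: a flood of spoofed sources would otherwise
#        trigger a DNS lookup per forged address
#   -s   snaplen; headers plus a little payload is enough to classify a flood
#   -w   strftime pattern, required by -G, so every file is time-stamped
capture_cmd() {
    iface="$1"; port="$2"; dir="$3"; rotate="${4:-60}"; snaplen="${5:-128}"
    printf 'tcpdump -n -i %s -s %s -G %s -w %s/renx-%%Y%%m%%d-%%H%%M%%S.pcap udp and dst port %s' \
        "$iface" "$snaplen" "$rotate" "$dir" "$port"
}

# Delete rotated captures older than KEEP_MINUTES. Run from cron a few times an
# hour; a 45-minute window is plenty to go back and grab the files covering an
# attack once someone notices the server went down.
prune_captures() {
    dir="$1"; keep_minutes="${2:-45}"
    find "$dir" -maxdepth 1 -type f -name 'renx-*.pcap' -mmin "+${keep_minutes}" -exec rm -f {} +
}

# Worst-case disk needed for the retention window: every packet costs the
# snaplen plus the 16-byte per-record pcap header. At 50,000 pps, 128-byte
# snaplen and 45 minutes this is about 19.4 GB, which is why the snaplen stays
# small and the retention short.
capture_budget_bytes() {
    pps="$1"; snaplen="$2"; keep_minutes="$3"
    echo $(( pps * (snaplen + 16) * keep_minutes * 60 ))
}

# Only start capturing when asked; tcpdump needs root or CAP_NET_RAW.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    mkdir -p /var/cap/renx
    eval "exec $(capture_cmd eth0 7777 /var/cap/renx 60 128)"
fi
```

Start it with `RUN_CAPTURE=1 ./capture.sh` under a process supervisor, and add a cron line such as `*/10 * * * * root . /opt/capture.sh; prune_captures /var/cap/renx 45` for the pruning. When an attack is reported, the files whose timestamps bracket the reported time are the ones to hand over for Wireshark; nothing has to be started by hand while the server is already unreachable.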
Totem Arts Staff NodSaibot Posted June 6, 2016 Make a whitelist of IPs then, LOL. People apply on forums. Not sure if that would work, but worth a try?
DoctorB0NG Posted June 6, 2016 [quoting NodSaibot above] Wouldn't work. Some ISPs have insanely short DHCP leases. *Looks at all those weird German DSL providers using PPPoE*