Need better DDos Proof Servers


TK0104

  • Totem Arts Staff

So I wanted to play some RenX and joined an almost full server. 1 minute later it gets DDoSed. Everyone switched to the 2nd one..... gets DDoSed 1 minute later. Switch to the 3rd one............. DDoSed again.

EDIT: 4th and 5th server DDoSed

DDOS LET US PLAY SOME RENEGADE X AND GET A LIFE FFS!!!!!!!!!!!!!!!!!!!!!!!

We need even better servers that are 100% DDoS proof or this game might die.

We'd need an ethical hacker to track the culprit down. I was asking what you think, because I have a suspect, although I know you might not agree with me.

I noticed a player, because of his behaviour; his name is MAX. The well-known troll. I dislike him pretty much. From my perception, I have never seen him in a game which got shut down because of DDOS. To tell you the truth, at the beginning I only considered him an ill-mannered player, and I was glad he got banned from Constructive Tyranny. But one day he got kicked out of another server, and in 5 minutes our game was cut short because of the DDOS attack. I have just realized I could imagine him enjoying trolling others, and then ruining their game in various ways. Later in the Constructive Ty. server, I saw him again. But that was the server he got banned from! Someone commented he has methods to get back in the game with the same name, regardless of the ban. Is it so far-fetched to assume MAX is the one behind the DDOS attacks with this kind of knowledge and reputation? True, I might despise him too much, and I don't know much about the nuances, but right now he is my suspect number 1. I just want to ask you whether you saw him ingame during a DDOS attack? I have never. Look out for him. He is a worthless player in the game, a bad team member, and I can imagine him as an avenger too.

The better question is why? Why would someone go through the trouble of DDoSing a RenX server? There's only a small number of people that play. It's a free game.. what the hell is the point of DDoS'ing !?!?!?

1:) They could hate the dev team

2:) *this one is most likely to be bs* He/she is an EA fanboy/girl and they hate RenX for being independent

3:) They got pwned by a sniper

4:) They lost their SBH spy by being driven over by a stank

5:) They want RenX to die for reasons unknown to man

6:) They are a troll who is willing to go through all the trouble to troll on this level.

> We'd need an ethical hacker to track the culprit down. I was asking what you think, because I have a suspect, although I know you might not agree with me.
>
> I noticed a player, because of his behaviour; his name is MAX. The well-known troll. I dislike him pretty much. From my perception, I have never seen him in a game which got shut down because of DDOS. To tell you the truth, at the beginning I only considered him an ill-mannered player, and I was glad he got banned from Constructive Tyranny. But one day he got kicked out of another server, and in 5 minutes our game was cut short because of the DDOS attack. I have just realized I could imagine him enjoying trolling others, and then ruining their game in various ways. Later in the Constructive Ty. server, I saw him again. But that was the server he got banned from! Someone commented he has methods to get back in the game with the same name, regardless of the ban. Is it so far-fetched to assume MAX is the one behind the DDOS attacks with this kind of knowledge and reputation? True, I might despise him too much, and I don't know much about the nuances, but right now he is my suspect number 1. I just want to ask you whether you saw him ingame during a DDOS attack? I have never. Look out for him. He is a worthless player in the game, a bad team member, and I can imagine him as an avenger too.

It is at this moment most likely to be him.

You know him? Good to know. And who is he? Is he a player too?

You'd think if I were going to publicly list his name, I'd have done it long ago. We intentionally avoid sharing whatever alias he happens to be going by, but you probably don't know him.

If someone else who knew who it was or discovered who it was, thought it was a good idea, they too would have done it long ago. If they want to share a name, it would be up to them, not I.

  • Totem Arts Staff

And another server DDoSed. And I must say, there was a guy called Max in game but I don't know if he's the same as MAX (if he's not the same one, never mind). But he wasn't very nice to some people; he wanted to kick me for no reason (only because he didn't like me).

And for the guy Max: Make friends with RenX and don't hate other people.....

Yeah, I am glad you saw him in the game. That proves me wrong. I must admit I can't stand him, he is a god-awful fellow, and I was very suspicious of him. But in the past weeks the distrust has grown in me, so I wanted to share my opinion.

About DDoS attack, I still believe going against the culprit would be justifiable, because it is a crime in many countries, and the punishment could vary from 12 months to years. All right, let's say this is just a fantasy. Then I can promise you, if he lives in Hungary or in neighbouring countries, I can still visit him to trash his hardware. The emperor would be proud of me: "Yes, yes, Let the hate flow through you!" :)

  • Totem Arts Staff

It's also a host of UDK-specific attacks. We've been through this before. Just a question if server owners ever read the post on how to actually protect their servers that b0ng wrote forever ago and gave to servers. If they don't care, that's on them.

> It's also a host of UDK-specific attacks. We've been through this before. Just a question if server owners ever read the post on how to actually protect their servers that b0ng wrote forever ago and gave to servers. If they don't care, that's on them.

But CT was brought down as well. :eek:

Current status: a DDoS-protected server costs twice as much as the current server and I'm worried about funding for it. I'd also need to recruit someone to help manage the capture of tcpdump files to analyze attacks and make sure the current iptables rules are still blocking the malicious traffic.

I unfortunately don't have the time to monitor the server nearly to the level I used to as I have a new job. And actually part of the reason I have my new job is because of my Linux skills I gained from handling the DDoS attacks last fall.

Tldr: afraid of funding, need to train 1-2 people to run tcpdump during attacks so I can later analyze the captures with Wireshark

Are fffreak9999 and glacious available? I don't want to volunteer anyone, it's just that usually they are available for this.

As far as funding, I believe you have a link already, so we can only hope it's important enough to get people's attention.

Also, maybe development should consider a way to reroute people from dropped servers into other servers automatically. Maybe even split full servers upon game end into 2 servers. This way, servers migrate automatically and keep the DDOS chasing its own tail.

I can only offer. I have some experience and no busy life. At least I could be one of the redundant backups, in case you can find 2 other solid people. I have been less burnt out because I took a bit more space than most lately. The most I have going in parallel, sad as this may seem, is the #TIBA, but I can't in all good conscience use that as an excuse that I'm too busy; if anything, it just means I have no life whatsoever and should have tons of time to be available.

All I really need is people to "watch" the server and run tcpdump during an attack and then send me a message with the time they captured the attack.

I will be able to analyze the attacks very quickly as I've been doing this for a while. The tough part is just getting the captures which is what I need people for.

The other option is setting the packet captures to run automatically via a cron script or some other means. I would need to have some sort of logrotate though to prevent the captures from completely filling up the hard drive.

If anyone in the community is a shell scripting/automation wizard, please let me know.

Usually I am working from home these weeks, so if I can set up IRC so it won't bother me unless there is a need to, I can help with this if you guys want me to. I am sure there are people who are higher on your list of nominees, but let me know.

Requests for donations, for example when we played the PUG, could also bring in more money. I just had to wait for half a year for my clients to pay me, but now money is coming in I am sure I will donate if needed!

Can someone explain this like I'm 5. Can't a server differentiate between traffic coming from a DDOS program and traffic coming from the actual Renegade game? I mean when you launch a game through the ingame multiplayer surely it must have some sort of unique identifying characteristic, right?

The main problem is that even if a program has the ability to differentiate malicious vs. real player packets (which UDK does a terrible job of/doesn't do at all), the program would still have to accept the packet, analyze it, then drop it.

When you get up into the 50K+ PPS range, that's still far too much data to process and even drop for a program that isn't optimized for it. This is where iptables shines. iptables is the userspace front end of a kernel module called netfilter. Because netfilter is written into the kernel and was designed from the ground up to be as efficient as possible, it can filter the traffic much better than any userspace program ever could.

Luckily I already have a solid list of iptables rules that will likely block 98% of the attacks; however, a few stragglers will likely make it through and that's why I'm gonna need other members to help me capture those few that may get through.

People need to step up and say they're willing to help. So far I have freak and crowsey who are willing to help.

If you'd like to help, please explicitly state so in this thread and I'll make sure I PM the details to you after I figure out some semantics.

PS: the new server is already ordered, just waiting for it to be delivered. After I get the server, the setup will take a few hours.

If donations don't pan out during the first month, I will not renew the server so keep that in mind, folks.

@itweek with the Cisco ASA, have you turned logging on and had a look at the logs when an attack occurs? It will tell you what type of packet it is, as well as the source IP address(es).

Depending on your config, it sounds like you're accepting INBOUND traffic from the DDoS'er; you need to analyse the logs and see where it is coming from, then create a DENY rule accordingly.

If you want some help analysing this, I'm happy to help.

@Bong, I'd be happy to help analyse any Wireshark captures and translate these to new ACL deny rules on a router or a firewall.

I'm a network engineer by trade, so I'm very well rehearsed when it comes to layers 1-4.

  • Totem Arts Staff
> @itweek with the Cisco ASA, have you turned logging on and had a look at the logs when an attack occurs? It will tell you what type of packet it is, as well as the source IP address(es).
>
> Depending on your config, it sounds like you're accepting INBOUND traffic from the DDoS'er; you need to analyse the logs and see where it is coming from, then create a DENY rule accordingly.
>
> If you want some help analysing this, I'm happy to help.
>
> @Bong, I'd be happy to help analyse any Wireshark captures and translate these to new ACL deny rules on a router or a firewall.
>
> I'm a network engineer by trade, so I'm very well rehearsed when it comes to layers 1-4.

He's using more than one location; he has a botnet from what I understand.

> > @itweek with the Cisco ASA, have you turned logging on and had a look at the logs when an attack occurs? It will tell you what type of packet it is, as well as the source IP address(es).
> >
> > Depending on your config, it sounds like you're accepting INBOUND traffic from the DDoS'er; you need to analyse the logs and see where it is coming from, then create a DENY rule accordingly.
> >
> > If you want some help analysing this, I'm happy to help.
> >
> > @Bong, I'd be happy to help analyse any Wireshark captures and translate these to new ACL deny rules on a router or a firewall.
> >
> > I'm a network engineer by trade, so I'm very well rehearsed when it comes to layers 1-4.
>
> He's using more than one location; he has a botnet from what I understand.

No. It's all spoofed UDP floods originating from one server/a small group of servers. And before anyone asks, no, you cannot just track the attack back, because if you look up the reverse DNS on the spoofed IPs, it will give you random people's IPs across the world because they're spoofed.

@sterps I might just give you full access to the box and we'll have to talk details some night in TeamSpeak.

@itweek The Cisco ASA routers that OVH offers have too low a spec for PPS, and even proper and efficient rules will still make the firewall choke and sputter.

  • Totem Arts Staff

Personally I just set up a batch file in Windows to packet capture every minute, with a date and time stamp. Then when an attack happens just grab however many minutes you need. PM me or something if you want more info b0ng.

It worked great for me and never failed, I still have that pcap I sent you to analyze :P (jk it was TCP so I blocked TCP entirely)

I'd be up for that, let me know when you're free (we'll have to translate the time difference).

If they're using UDP (which UDP port(s)?), are you able to have these dropped/ask your ISP to drop data on those UDP ports? Unless RenX uses some UDP ports..

I'm going to start keeping TeamSpeak3 and IRC open. So PM me with instructions.

@cronus How big did the caps end up being after a day? Did you have tcpdump running with a time parameter instead of a packet limit parameter?

Besides logging literally every 5 minute interval of the day, can you run another script to dump all logs older than 45 minutes? I couldn't imagine the logs piling up THAT bad in just 45 minutes.

Damn... do you have control of the router connected to the server? If the ISP does, enquire if they can configure:

'ip verify unicast reverse-path'

This might be worth checking, if there is a way you can verify reverse-path for users and simply dump their packets earlier.

  • Totem Arts Staff
RenX exclusively uses UDP. The attacks are targeted at the UDP port that the game server is bound to.

> @cronus How big did the caps end up being after a day? Did you have tcpdump running with a time parameter instead of a packet limit parameter?

I just threw it together quick to do a packet limit parameter, figured out about how much runs in a minute. I think when I calculated I had like 1-3 months to clear old pcaps. I think I only had 100GB free at the time. So it's a great quick solution to get the pcaps, just check disk space every month or two heh

I just checked my old logs, and for 3 days' worth of pcaps it was 6GB.

> RenX exclusively uses UDP. The attacks are targeted at the UDP port that the game server is bound to.
>
> > @cronus How big did the caps end up being after a day? Did you have tcpdump running with a time parameter instead of a packet limit parameter?
>
> I just threw it together quick to do a packet limit parameter, figured out about how much runs in a minute. I think when I calculated I had like 1-3 months to clear old pcaps. I think I only had 100GB free at the time. So it's a great quick solution to get the pcaps, just check disk space every month or two heh
>
> I just checked my old logs, and for 3 days' worth of pcaps it was 6GB.

The only problem with that is if we run the dump every X seconds with the duration parameter specified in total packets, there's a high probability that we'll either miss some packets or run overlapping dumps.

How did you work around this?

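One way to get the automated, disk-bounded captures b0ng asked for earlier without the gap/overlap problem of packet-count rotation (added example, not code from the thread or from the RenX project): a single tcpdump process rotates its file by time with `-G`, and its post-rotate hook `-z` re-runs the script to prune files older than 45 minutes. The interface, game port and capture directory are assumed placeholders.

```shell
#!/bin/sh
# Continuous ring-buffer capture of the game port (added example; assumptions: the
# interface is eth0, the server is bound to UDP 7777, captures live in /var/capture).
# A single tcpdump process rotates its output file every ROTATE_SECS seconds (-G),
# so consecutive files neither overlap nor leave gaps. After each rotation tcpdump
# re-runs this script with the finished file name (-z), and that branch prunes
# anything older than KEEP_MINUTES so the captures cannot fill the disk.

IFACE="${IFACE:-eth0}"
GAME_PORT="${GAME_PORT:-7777}"     # UDP port the game server listens on (assumed)
CAP_DIR="${CAP_DIR:-/var/capture}"
ROTATE_SECS="${ROTATE_SECS:-60}"   # one file per minute, like the batch file above
KEEP_MINUTES="${KEEP_MINUTES:-45}" # keep the last 45 minutes, as suggested above
SNAPLEN="${SNAPLEN:-128}"          # headers plus the start of the payload

# Delete finished capture files in directory $1 that are older than $2 minutes.
prune_old_captures() {
    find "$1" -maxdepth 1 -type f -name 'renx-*.pcap' -mmin +"$2" -delete
}

# Number of capture files currently in directory $1.
count_captures() {
    find "$1" -maxdepth 1 -type f -name 'renx-*.pcap' | wc -l | tr -d ' '
}

# Print the exact tcpdump invocation so it can be reviewed before running it as root.
build_capture_cmd() {
    printf 'tcpdump -i %s -n -s %s -G %s -w %s/renx-%%Y%%m%%d-%%H%%M%%S.pcap -z %s udp port %s\n' \
        "$IFACE" "$SNAPLEN" "$ROTATE_SECS" "$CAP_DIR" "$0" "$GAME_PORT"
}

case "${1:-}" in
    */renx-*.pcap)   # called by tcpdump -z with the just-rotated file: prune old ones
        prune_old_captures "$CAP_DIR" "$KEEP_MINUTES" ;;
    start)           # needs root or CAP_NET_RAW; runs until tcpdump exits
        mkdir -p "$CAP_DIR"
        exec tcpdump -i "$IFACE" -n -s "$SNAPLEN" -G "$ROTATE_SECS" \
            -w "$CAP_DIR/renx-%Y%m%d-%H%M%S.pcap" -z "$0" udp port "$GAME_PORT" ;;
esac
```

Start it with `./capture.sh start` under a process supervisor; when an attack is reported, copy the files whose timestamps cover that window for Wireshark analysis before the 45-minute pruning removes them.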