English LoL Gamer crashing NoPain server (Proof)

128 replies
DannyDeth, 16.06.12 02:23:54 pm:
user SD has written:
A quite effective way to protect yourself from attacks like these is to ban a specific (presumably the hacker's) IP address.

Most ISPs provide dynamic IP addresses, and most of those provide them by default. Simply restarting your DSL router will give you a change of IP in these circumstances. IP bans work well where there are extremely large numbers of internet users, which would account for a large portion of Europe (I know several ISPs in Britain at least give static IPs to their customers by default), but if you try to do this to people from countries in South America and most of Africa, you won't succeed.

EDIT: One solution to the problem would be to log packet data and then look at the series of packets coming in when the server is crashed, then monitor the incoming packet traffic to your server port and reject packets from an IP address if there is a large number (say, 1000, or maybe fewer depending on how many packets are needed before the server crashes) of that type of packet from said IP address.

An example: if you receive 1500 packets of this structure (note: not actual packets from CS2D):
Code:
Message Number = 0; content = 0x61 0x6F 0x42

Then, after that, do not let packets with those contents through to the CS2D server. It's not something someone who hasn't got a large amount of programming experience and knowledge of system-dependent promiscuous packet monitoring can do, however.
SD, 16.06.12 03:16:31 pm:
Here, Internet service providers rarely provide dynamic IP addresses. You can still ban a whole subnet then. This command would block all IP addresses from 255.255.255.0 to 255.255.255.255 (class C subnet).
Code:
iptables -I INPUT -s 255.255.255.0/24 -j DROP

255.0.0.0 (8 bits in the network section) = A.
255.255.0.0 (16 bits in the network section) = B.
255.255.255.0 (24 bits in the network section) = C.
Therefore this will ban a larger subnet.
Code:
iptables -I INPUT -s 255.255.0.0/16 -j DROP

Or you can ban a range of IP addresses. This will block everything from 127.0.0.1 to 128.0.0.1.
Code:
iptables -A INPUT -m iprange --src-range 127.0.0.1-128.0.0.1 -j DROP

If you want to log all the transferred packets, install tcpdump.
Code:
apt-get install tcpdump

Then start it. This will log all the UDP packets. Log file will be saved in the current working directory.
Code:
tcpdump -w udpcap.log udp

You can later open the log file in Wireshark and analyze it graphically.
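DannyDeth's packet-counting idea and SD's iptables/tcpdump commands above can be combined into one small script. The following is an added example written for this page, not code from the thread or from CS2D: it takes packet records as you would extract them from a tcpdump capture (constructed inline here), counts packets matching a payload signature per source IP inside a sliding one-second window, and prints iptables rules for the offenders, escalating to a /24 drop when several offenders share the same subnet. The signature bytes are DannyDeth's hypothetical ones; the threshold, the window length and the UDP port 36963 are assumptions to be tuned to your own server.

```python
"""Threshold-based flood detector over a packet capture.

Reads packet records (what you would get from parsing a tcpdump/Wireshark
capture), counts packets matching a 'dangerous' payload pattern per source
IP inside a sliding time window, and emits iptables rules for the offenders.
The sample packets, the payload signature and the port are constructed for
this example.
"""
from collections import defaultdict, deque
import ipaddress

# Constructed signature: DannyDeth's hypothetical message-0 payload. A real
# deployment would take this from a capture made while the server was crashed.
SIGNATURE = bytes([0x61, 0x6F, 0x42])
SERVER_PORT = 36963  # assumption: replace with the UDP port your server listens on


def is_dangerous(payload: bytes) -> bool:
    """The packet type we count. Match on prefix so trailing junk does not evade it."""
    return payload.startswith(SIGNATURE)


def flag_flooders(packets, threshold=50, window=1.0):
    """packets: iterable of (t_seconds, src_ip, payload) sorted by time.
    Returns {src_ip: peak_count} for every source that sent >= threshold
    matching packets inside any `window`-second span."""
    recent = defaultdict(deque)  # per-source timestamps of matching packets
    flagged = {}
    for t, src, payload in packets:
        if not is_dangerous(payload):
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def iptables_rules(flagged, port, min_hosts_for_subnet=3):
    """Turn flagged IPs into iptables rules. Single offenders get a host drop,
    scoped to the game port so the rest of the box keeps working; when several
    offenders share a /24, drop the whole /24 as SD suggests."""
    by_net = defaultdict(list)
    for ip in flagged:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    rules = []
    for net, ips in sorted(by_net.items(), key=lambda kv: str(kv[0])):
        if len(ips) >= min_hosts_for_subnet:
            rules.append(f"iptables -I INPUT -p udp --dport {port} -s {net} -j DROP")
        else:
            for ip in sorted(ips):
                rules.append(f"iptables -I INPUT -p udp --dport {port} -s {ip} -j DROP")
    return rules


def sample_capture():
    """Constructed traffic: one real player, one single-host flooder, and
    three hosts on a shared /24 sending the expensive request in a burst."""
    pkts = []
    # legitimate client: a few requests spread over 10 s (never reaches the threshold)
    for i in range(5):
        pkts.append((i * 2.0, "10.0.0.5", SIGNATURE + b"\x00"))
    # single flooder: 200 requests within half a second
    for i in range(200):
        pkts.append((3.0 + i * 0.0025, "203.0.113.77", SIGNATURE + b"\x01"))
    # three hosts on 198.51.100.0/24, 60 requests each, interleaved within one second
    for i in range(60):
        for h in (10, 11, 12):
            pkts.append((5.0 + i / 60.0, f"198.51.100.{h}", SIGNATURE))
    # unrelated traffic from the flooder that must not be counted
    pkts.append((5.5, "203.0.113.77", b"\x02hello"))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    for rule in iptables_rules(flag_flooders(sample_capture()), port=SERVER_PORT):
        print(rule)
```

Feeding it real data means turning the tcpdump capture into the same (time, source IP, payload) tuples, for example with tshark or a pcap library. Scoping the rule to the game port keeps HTTP or other services on the same host reachable; SD's plain `-s ... -j DROP` blocks everything from that source. Set the threshold above the rate at which legitimate server browsers query your server, or you will ban your own players.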
PyKemis, 16.06.12 08:04:39 pm:
@user DannyDeth: Well, you can't log them, because most of these attacks are not on the port CS2D is running on. You would need to run an additional program listening for spam on other ports.

Then in that case, you would need to further check if the packets coming in are spam or not.

E.g. HTTP requests, or other games running on the same virtual/dedicated machine, which would be impossible to detect for every single game.
Cirium, 20.06.12 08:04:31 pm:
I would have to disagree. I would say most of the attacks crashing the servers are port-specific. A DoS attack.

DoS - usually port-specific, to take down processes.
DDoS - usually meant to take down the entire host (port 80 usually).

On another note, SD's packet capture idea is pretty neat. I'm looking at the packet activity of my host for the last hour.
PyKemis, 20.06.12 10:59:36 pm:
You said that they can be port-specific...

Therefore, the attacker could choose to attack any open port, and that doesn't need to be CS2D's port.

That means you need to set up a logger on your httpd server as well as others if the port is open (Minecraft etc.).
SD, 20.06.12 11:07:35 pm:
From what I've seen so far, they flood the port that the CS2D server is running on in order to crash it. By the way, flooding random ports should do no harm to CS2D servers, unless it's a massive DDoS attack.
PyKemis, 20.06.12 11:34:35 pm:
So do you see something like "unexpected message" in the CS2D console?

Eventually, cs2d ignores them and they are not great enough to make a difference.
SD, 20.06.12 11:48:09 pm:
I think that not all of them are ignored; when the server ignores specific packets, the console prints something similar to this.
Code:
[17:37:11] FLOOD WARNING: 178.93.235.208 seems to flood msg type inforeq - ignoring.

Lots of my servers often crash just after a bunch of messages like this.
Code:
[13:03:57] NET: Received msg from unexpected sender (12, 89.223.135.0:1058)

So I suppose the attack goes to the port that the CS2D server is running on, and they are flooding specific packets to make the server crash. I have also noticed that one IP is never enough to crash a server; it always turns out that more than two IP addresses were attacking the server.
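SD's observation that crashes follow a burst of these console messages from more than one IP can be checked by parsing the server's console output. This is an added example written for this page, not part of the thread or of CS2D: it matches the two message formats SD quoted, counts events per source IP, and lists every one-minute window in which at least two distinct sources triggered warnings, which is the difference between a single-host flood and several hosts hitting the server at once. The log lines below are constructed in the same format as the quoted ones, using documentation IPs; the window length and the two-source threshold are assumptions.

```python
"""Correlate flood warnings in a CS2D server console log.

Parses the two console messages quoted in the thread
('FLOOD WARNING: <ip> seems to flood msg type <type> - ignoring.' and
'NET: Received msg from unexpected sender (<n>, <ip>:<port>)'), counts
events per source IP and reports the time windows in which several
distinct sources were active. Sample lines are constructed, not real output.
"""
import re
from collections import defaultdict

FLOOD_RE = re.compile(
    r"^\[(\d\d):(\d\d):(\d\d)\] FLOOD WARNING: (\d+\.\d+\.\d+\.\d+) seems to flood msg type (\w+)"
)
UNEXPECTED_RE = re.compile(
    r"^\[(\d\d):(\d\d):(\d\d)\] NET: Received msg from unexpected sender \((\d+), (\d+\.\d+\.\d+\.\d+):(\d+)\)"
)

# Constructed sample in the quoted format; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
[13:03:50] Player joined (an unrelated line that must be ignored)
[13:03:55] FLOOD WARNING: 203.0.113.10 seems to flood msg type inforeq - ignoring.
[13:03:56] FLOOD WARNING: 203.0.113.10 seems to flood msg type inforeq - ignoring.
[13:03:57] NET: Received msg from unexpected sender (12, 198.51.100.7:1058)
[13:03:57] NET: Received msg from unexpected sender (12, 198.51.100.7:1058)
[13:03:58] FLOOD WARNING: 203.0.113.10 seems to flood msg type inforeq - ignoring.
[13:03:59] NET: Received msg from unexpected sender (7, 192.0.2.44:2001)
[13:10:02] FLOOD WARNING: 203.0.113.10 seems to flood msg type inforeq - ignoring.
"""


def _secs(h, m, s):
    """Console timestamps carry no date, so work in seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_line(line):
    """Return (seconds_since_midnight, src_ip, kind) or None for other lines."""
    m = FLOOD_RE.match(line)
    if m:
        h, mi, s, ip, msg_type = m.groups()
        return _secs(h, mi, s), ip, f"flood:{msg_type}"
    m = UNEXPECTED_RE.match(line)
    if m:
        h, mi, s, _msg_no, ip, _port = m.groups()
        return _secs(h, mi, s), ip, "unexpected"
    return None


def parse_log(text):
    """All recognised events from a console dump, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def events_by_ip(events):
    """How many warnings each source produced in total."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)


def multi_source_windows(events, window=60, min_sources=2):
    """{window_start_seconds: [ips]} for windows with >= min_sources distinct
    sources. Windows are fixed buckets aligned to `window` seconds."""
    buckets = defaultdict(set)
    for t, ip, _ in events:
        buckets[t - t % window].add(ip)
    return {start: sorted(ips) for start, ips in sorted(buckets.items()) if len(ips) >= min_sources}


def fmt_time(seconds):
    """Seconds since midnight back to the console's HH:MM:SS form."""
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("events per source:", events_by_ip(evs))
    for start, ips in multi_source_windows(evs).items():
        print(f"{fmt_time(start)}: {len(ips)} distinct sources: {', '.join(ips)}")
```

Run it against a saved console log (`python3 script.py < server.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and compare the flagged windows with the crash times; if every crash sits in a multi-source window, a per-host ban will not be enough and you are back to SD's subnet rules or a port-level rate limit in front of the server.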
Cirium, 21.06.12 01:03:43 am:
user SD has written:
So I suppose the attack goes to the port that the CS2D server is running on, and they are flooding specific packets to make the server crash. I have also noticed that one IP is never enough to crash a server; it always turns out that more than two IP addresses were attacking the server.

Usually it's one or two IP addresses; fortunately for me I'm hiding behind a firewall. It takes more than two to even touch my host.
PyKemis, 21.06.12 01:52:34 am:
If it's more than one IP, then it's a DDoS. Also, once you see those messages, it means that they passed your firewall.
ohaz, 21.06.12 08:27:39 am:
user Cirium has written:
I would have to disagree. I would say most of the attacks crashing the servers are port-specific. A DoS attack.

DoS - usually port-specific, to take down processes.
DDoS - usually meant to take down the entire host (port 80 usually).

On another note, SD's packet capture idea is pretty neat. I'm looking at the packet activity of my host for the last hour.
That's wrong. The only difference between DoS and DDoS is that DDoS is distributed, which means that many, many hosts try to DoS one PC at the same time.
https://ohaz.engineer - Software Engineering
Ahmad, 21.06.12 09:50:49 am:
Btw, he crashed it again yesterday. I've had enough; I'm searching for a way to pay him back and DDoS his internet or something like that.
Cirium, 21.06.12 10:11:21 am:
So he commits a crime, and you're going to commit one to get back at him?

Just iptables his subnet. Say goodbye for life. Simple.
PyKemis, 21.06.12 10:12:56 am:
If the attacker is using a VPN/SOCKS/proxy, then banning the subnet doesn't work.
oxytamine, 21.06.12 11:50:12 am:
user PyKemis has written:
If the attacker is using a VPN/SOCKS/proxy, then banning the subnet doesn't work.

You have mental issues, maybe you should see a doctor. You're telling useless and obvious bullshit in almost every thread. It's impossible to perform a DDoS attack unless the proxy is yours (fast). You're not likely to have 9000 fast proxy servers, so it's possible to ban you. SOCKS is a proxy too (you separated them), get off it. VPN providers give you only one IP address. It's easy to ban them. My ass hurts every time I read your posts - stop it, you're like user ImSoFuckingRetarded, but instead of uploading shit, you're posting it. Think before posting - there is no post count here, it makes no sense to post bullshit like yours.
PyKemis, 21.06.12 12:28:29 pm:
Most of the time it's quantity, not quality. Since CS2D does ignore packets after a while, you need to acquire a lot of IPs instead of fast, powerful servers.

For example, if everyone on CS2D all of a sudden just went to one server, that server would probably crash due to the number of connections. In this case, it was quantity; it was not concerned with the speed of the connection of the individual clients.
oxytamine, 21.06.12 12:31:16 pm:
user PyKemis has written:
Most of the time it's quantity, not quality. Since CS2D does ignore packets after a while, you need to acquire a lot of IPs instead of fast, powerful servers.

Your answer is not related to my message in any way. However, I did not understand what you mean. You are surely right about packets being ignored after a while - but why do I need to acquire lots of IP addresses?
user PyKemis has written:
For example, if everyone on CS2D all of a sudden just went to one server, that server would probably crash due to the number of connections. In this case, it was quantity; it was not concerned with the speed of the connection of the individual clients.

It may count as DDoS actually, if viewing from server-side perspective.
PyKemis, 21.06.12 12:34:19 pm:
user oxytamine has written:
It's impossible to perform a DDoS attack unless the proxy is yours (fast). You're not likely to have 9000 fast proxy servers, so it's possible to ban you.

You stated that you need 9000 fast proxy servers. If you already have 9000 computers/servers, you don't need them to be fast. 9000 is already enough to start a fake player flood.

user oxytamine has written:
but why do I need to acquire lots of IP addresses?

Well, once it's ignored, it doesn't do much damage - almost none if that's all you have.
oxytamine, 21.06.12 12:38:11 pm:
user PyKemis has written:
You stated that you need 9000 fast proxy servers. If you already have 9000 computers/servers, you don't need them to be fast. 9000 is already enough to start a fake player flood.

Well, let's state that "over 9000" is an Internet meme. Of course you don't need 9000 proxy servers. First of all, public proxy servers are really slow. You won't crash a single server even if you have nearly 50-100 public proxy servers, just because they are very slow and die fast. Some proxy servers are private and therefore paid. In this case I don't believe that you're going to waste your money to buy 50-100 private proxy servers to perform a single DDoS attack.

user PyKemis has written:
Well, once it's ignored, it doesn't do much damage - almost none if that's all you have.

You still didn't answer my question - why do I need to acquire lots of IP addresses?
DannyDeth, 21.06.12 01:24:13 pm:
@user Cirium:
My idea, not SD's. I actually implemented it a while ago, but the server that had the source code on it is no longer in existence due to contract expiration.

@user PyKemis:
The people crashing servers usually use the packet used to get the server data, as this is one of the most expensive operations. Therefore looking for multiple repetitions of that packet will allow you to mark certain IPs as "dangerous" and "ban" their packets in a way.

It's a very simple idea, guys, why not have a hack at it?

EDIT:
user oxytamine has written:
user PyKemis has written:
If the attacker is using a VPN/SOCKS/proxy, then banning the subnet doesn't work.

You have mental issues, maybe you should see a doctor. You're telling useless and obvious bullshit in almost every thread. It's impossible to perform a DDoS attack unless the proxy is yours (fast). You're not likely to have 9000 fast proxy servers, so it's possible to ban you. SOCKS is a proxy too (you separated them), get off it. VPN providers give you only one IP address. It's easy to ban them. My ass hurts every time I read your posts - stop it, you're like user ImSoFuckingRetarded, but instead of uploading shit, you're posting it. Think before posting - there is no post count here, it makes no sense to post bullshit like yours.

This is useless and not obvious-because-it-is-bullshit nonsense. If you had 300 zombie hosts at your disposal, a crash would be easy. Hell, 6 zombie hosts and a few proxy servers could crash a CS2D server. A SINGLE HOST AND A PROXY COULD CRASH A SERVER. Speed does not matter, as the proxies will generally be fast enough to send out 30 fucking UDP packets in a matter of milliseconds.