Author Topic: Client Spam Attack 1/2/2011  (Read 6410 times)

hermxiv

  • Posts: 39
  • Turrets: +1/-1
Client Spam Attack 1/2/2011
« on: January 03, 2011, 01:07:59 am »
There have been a number of client spam attacks on Tremulous 1.1 servers tonight, 1/2/2011. It started on W server, progressed to A server, I managed to safeguard W/A/Z/X but then it moved to AA and I couldn't get on in time before it filled up, so I couldn't ban them there. It left AA, killed BB, then attacked AussieAssault. These are all I know of at time of posting. Some of the xserverx staff (myself included) have warned other server administrators.

The attacker does not appear to be changing their IP and is using the IP "118.210.226.10". The provider for this is internode.on.net (phein found it). I am preparing a report to their abuse site, and I am asking that any other administrators that are attacked please post logs here or email them to me (hermxiv@gmail.com). I currently have logs from 2 servers (W/A) and will be receiving them from AA, hopefully BB, and uBP if it gets attacked (and adeya will give me the logs, phein thinks he will).

Perhaps tremulous.net should nullroute him so he cannot access the master server.

Thanks for your assistance.

HermXIV
« Last Edit: January 03, 2011, 01:10:16 am by hermxiv »

Toma

  • Posts: 55
  • Turrets: +2/-6
    • The rs clan im in
Re: Client Spam Attack 1/2/2011
« Reply #1 on: January 03, 2011, 01:13:02 am »
I killed the N server.

Creative1

  • Posts: 47
  • Turrets: +144/-2
Re: Client Spam Attack 2/1/2010
« Reply #2 on: January 03, 2011, 01:15:44 am »
Well, after Herm came and warned uBP, he gave me the IP (118.210.226.10). Using this command uBP has, I got all this information:

Location of ISP: Adelaide, South Australia, Australia
ISP: Internode (lns20.adl5.internode)

So I'm guessing just reporting this to 'Internode' may help

If he tried to DDoS uBP, I'll get you the server logs for a report.

<3
Creative

Edit: We've had a few bans with a similar IP:
One Aliased as Splink with the IP 118.210.152.13
Then he ban evaded with the Alias Goon, and IP being 118.210.181.17/16
« Last Edit: January 03, 2011, 01:26:01 am by Creative1 »
i could possibly make a server on windows then switch back to linux and use that same server

Adeya

  • Posts: 8
  • Turrets: +1/-3
Re: Client Spam Attack 1/2/2011
« Reply #3 on: January 03, 2011, 06:55:54 am »
It wasn't a DoS nor a DDoS attack, someone just spammed servers with bots. If it was a DoS or DDoS attack they wouldn't need to connect to the server. A subnet ban should take care of it. They tried the attack on uBP but were stopped before more than 3 bots were able to come in. Doubtful any other attacks will happen on uBP but if they do I'm willing to share the logs of it.

OhaiReapd

  • Guest
Re: Client Spam Attack 1/2/2011
« Reply #4 on: January 03, 2011, 12:21:31 pm »
Protip: 1.1 sucks.

Rezyn

  • Posts: 25
  • Turrets: +6/-0
Re: Client Spam Attack 1/2/2011
« Reply #5 on: January 03, 2011, 02:17:21 pm »
If your server is using a game.qvm with g_maxGhosts, set it to a sane value, maybe around 1/4 of the max players, and the zombie connections will be nothing more than a nuisance on the scoreboard.

http://rezyn.mercenariesguild.net/patches/trem_1_1/rez_l050_lak550_verify_guid_ip_ghost.patch


hermxiv

  • Posts: 39
  • Turrets: +1/-1
Re: Client Spam Attack 1/2/2011
« Reply #6 on: January 03, 2011, 06:01:29 pm »
Thanks for that Rezyn. I am not sure if our qvm has it, but I will check when I get home.

Adeya, if I could get logs solely from that attack, that would be great. It is probably unnecessary to send a report to his ISP, but I would like to attempt to stop this from happening again. And ISPs always respond better with evidence.

Also, I saw the attack on 3 more servers (Trinity clan server, Aussie PBOT, and another I forget the name of). It appeared he was just going after every server, trying to generally make things unpleasant.


Forty-Two

  • Posts: 3
  • Turrets: +0/-0
Re: Client Spam Attack 1/2/2011
« Reply #7 on: January 04, 2011, 08:03:52 am »
There was someone with the IP 118.210.226.100 who spammed at least two Australian servers with bots yesterday, if this helps. He first turned up on AussieAssault early in the morning, and I only managed to get in through luck. I banned him, kicked his bots, and he did not turn up again. However I then saw that he was doing the same thing to Trinity, another Australian server, which I couldn't do anything about. Funnily enough his IP had turned up on the (AussieAssault) server as a normal player several times within the last few days, but besides a couple other regular players being in the 118.210.*.* range I still don't know who it was. However, on talking to the server owner of AussieAssault (which I am an admin on) he said that he had cross-checked the IP against his logs and knew who he was, and that he would talk to him about it. None of the IPs posted in this thread match exactly with anything that I have, except for that extra 0 on the end.
As for Splink and Goon - there is a player known as Goon here, and one known as Spl!nzky who are both regular players. The former has a completely different IP to those posted, while the latter is in the 118.210.*.* range, but I don't believe he would've done it.
I have been told that the spammer used my name in one of their attacks, which is why I'm posting here :)

Edit: Okay, I have been talking to the guys behind this. Apparently, there were two of them involved. One of them says he only attacked AussieAssault, and used it as a 'test' and did not think it would work. (This was the IP 118.210.226.100.) After this, he claims that the other person, I believe a friend of his, went and used this script against lots of other servers. I am still awaiting confirmation from the other person about this. Only problem is, the IPs of this other person are in the 118.201.*.* and 118.208.*.* ranges. He will neither confirm nor deny his involvement, and the first person has since gone offline so I can't ask him. So, I really don't know what to think at the moment.
I doubt it will happen again though.
« Last Edit: January 04, 2011, 10:09:01 am by Forty-Two »

F50

  • Posts: 740
  • Turrets: +16/-26
Re: Client Spam Attack 1/2/2011
« Reply #8 on: January 04, 2011, 11:50:16 pm »
Since a service (a server to play on) was maliciously denied, it was a Denial of Service attack, it's just that it requires less than 100 maintained connections to DoS a tremulous server.
"Any sufficiently advanced stupidity is indistinguishable from malice." -- Grey's Law


Undeference

  • Tremulous Developers
  • *
  • Posts: 1254
  • Turrets: +122/-45
Re: Client Spam Attack 1/2/2011
« Reply #9 on: January 05, 2011, 12:21:30 am »
> Since a service (a server to play on) was maliciously denied, it was a Denial of Service attack, it's just that it requires less than 100 maintained connections to DoS a tremulous server.
The "malicious" part is not necessary for a denial of service.
And the part about 100 "maintained connections" is pretty much completely wrong.
Need help? Ask intelligently. Please share solutions you find.

Thats what we need, helpful players, not more powerful admins.

F50

  • Posts: 740
  • Turrets: +16/-26
Re: Client Spam Attack 1/2/2011
« Reply #10 on: January 06, 2011, 01:45:10 am »
>> Since a service (a server to play on) was maliciously denied, it was a Denial of Service attack, it's just that it requires less than 100 maintained connections to DoS a tremulous server.
> The "malicious" part is not necessary for a denial of service.
> And the part about 100 "maintained connections" is pretty much completely wrong.
A "proper" use of a service would be neither called an "attack" nor a "denial" of service. So while it is conceivable that maliciousness isn't required, it's very uncommon to make an "attack" of "denial of service" without being malicious. Again, connections usually aren't "maintained" in DoSes, but they also usually require a larger number of computers to be dedicated (not completely, of course) to such an attack.

Sorry for being a bit inaccurate. I have not studied to be a hacker.
"Any sufficiently advanced stupidity is indistinguishable from malice." -- Grey's Law


Qrntz

  • Posts: 847
  • Turrets: +204/-12
Re: Client Spam Attack 1/2/2011
« Reply #11 on: January 06, 2011, 10:08:45 am »
> Sorry for being a bit inaccurate. I have not studied to be a hacker.
Now you need that to participate in the Tremulous forums!
By the way, a DoS attack is not always a DDoS attack. If one is using some open vulnerability in the target system, a single malformed packet can render the target dead.
DoS attacks happen in the wild, without any maliciousness applied. tl;dr too many people == server overloaded. That rarely applies to game servers, as they have a fixed maximum client number, though the server machine can be attacked from 'the outside', targeting not the game server as an application, but the host itself.
IMHO, the attack ITT can be called a DoS one. It could even be called a bit of a UDP flood attack, if you wish, though not specializing in purely flooding ports with packets.

You make up Qrntz, u always angry, just calmdown. :police:
I am stupid idiot who dares to open mouth and start debating

khalsa

  • Administrator
  • Posts: 597
  • Turrets: +187/-132
    • http://www.mercenariesguild.net
Re: Client Spam Attack 1/2/2011
« Reply #12 on: January 08, 2011, 01:25:05 pm »
Wow been ages since I've seen this.

Here's one solution:
Code:
iptables -I INPUT -p udp -i eth1 -m state --state NEW -m recent --set
iptables -I INPUT -p udp -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
}MG{ Mercenariesguild
ਮਨੁ ਜੀਤੇ ਜਗੁ ਜੀਤਿਆ
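
The following model of the two `recent` rules in khalsa's post is an added example, not code from the thread or from the iptables project. It evaluates the rules in the order `-I` leaves them (the `--update ... -j DROP` rule ends up above the `--set` rule) and assumes that packets not dropped are accepted and that every event is one conntrack-NEW UDP packet; the addresses and timings are constructed.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4   # --seconds 60 --hitcount 4

def filter_new_packets(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Apply both rules to (time_s, src_ip) events, one per NEW UDP packet.

    Returns [(time_s, src_ip, verdict)]; "PASS" means neither rule dropped it.
    """
    stamps = defaultdict(list)          # per-source hit timestamps
    verdicts = []
    for ts, src in sorted(events):
        # Only hits inside the window count toward --hitcount, so older ones
        # are discarded here (a simplification of the kernel's fixed-size list).
        recent = [s for s in stamps[src] if s >= ts - seconds]
        # Rule 1 (--update): matches once `hitcount` earlier hits are in the window.
        dropped = len(recent) >= hitcount
        # A timestamp is recorded either way: by --update when rule 1 matched,
        # otherwise by rule 2 (--set). Dropped packets therefore extend the block.
        stamps[src] = recent + [ts]
        verdicts.append((ts, src, "DROP" if dropped else "PASS"))
    return verdicts

def summarize(verdicts):
    """Count PASS/DROP verdicts per source address."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return {src: dict(c) for src, c in counts.items()}

# Constructed trace (documentation addresses): one host opening a new
# connection every 2 s, then retrying later, and one ordinary player.
BOT, PLAYER = "192.0.2.10", "198.51.100.7"
TRACE = ([(t, BOT) for t in range(0, 20, 2)]
         + [(50, BOT), (100, BOT), (115, BOT)]
         + [(5, PLAYER), (50, PLAYER)])

if __name__ == "__main__":
    result = filter_new_packets(TRACE)
    for ts, src, verdict in result:
        print(f"t={ts:>3}s  {src:<13} {verdict}")
    print(summarize(result))
```

In this model the first four new connections from a source inside any 60-second window pass and the fifth is dropped; a source that keeps retrying while blocked stays blocked until it has been quiet long enough for fewer than four hits to remain in the window.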