Urban Terror Forums: DRDoS - Urban Terror Forums


DRDoS

Server used as reflector for DRDoS

#191 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 04:20 AM

well I am testing out the latest code also, it seems to be doing what it says on the tin. All I see is the same IP going into the tempban stage every 2 mins.

I am using the code from the svn://svn.clanwtf.net/repos/ioquake3-UrT-server-4.1 repo, I hope this is meant to be the right one.


EDIT: just tested spamming the ingame "get new list" button for favourite servers and got my IP temp banned for 2 mins lol.

This post has been edited by NITRO: 09 March 2012 - 04:29 AM

Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3600MHz CL15 · 2TB Seagate FireCuda 530 NMVE · 16GB Radeon RX 6900XT Liquid Cooled

#192 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 09 March 2012 - 05:58 AM

NITRO, on 09 March 2012 - 02:44 AM, said:

why only 2 minutes? is this only for testing purposes? what happened to the 1 hour rule you were thinking about?

also what happens when you reach the limit of 24 IP addresses? what if an attacker spams 24 fake addresses?

when you say "newer code" what do you mean? you seem to have 3 repos now for exploit fixes?! which is the most stable/up-to-date one you recommend following, I thought svn://svn.clanwtf.net/repos/ioquake3-UrT-server-4.1 was the most recent?

I hope I am not coming across as rude, I am just really confused lol.


2 minutes because I think that's a good start. 1 hour is a bit harsh now because I don't know how many "innocent" IP addresses will get temp banned. I'm just testing.

The 24 ban limit. If more bans are needed, the oldest entry in the table of 24 is discarded. The new IP is banned.

Regarding the "newer code". Sorry for the confusion, but porky.nerius.com and svn.clanwtf.net resolve to the same host. I'm fixing my original post.

#193 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 12:54 PM

Rambetter, on 09 March 2012 - 05:58 AM, said:

2 minutes because I think that's a good start. 1 hour is a bit harsh now because I don't know how many "innocent" IP addresses will get temp banned. I'm just testing.

The 24 ban limit. If more bans are needed, the oldest entry in the table of 24 is discarded. The new IP is banned.

Regarding the "newer code". Sorry for the confusion, but porky.nerius.com and svn.clanwtf.net resolve to the same host. I'm fixing my original post.


thanks for the update ramb, I read the svn log in which I saw you increase the time from 1min to 2min and realised you were probably testing out the code first. I knew you had two servers so I always thought one was for nerius.com and the other clanwtf.net. I am using the latest code from the ioQ3 repo so if you would like any help with the testing just let me know what you need :D

I really hope UrT:HD allows for this kind of custom server patching.

This post has been edited by NITRO: 09 March 2012 - 12:59 PM


#194 User is offline   jahtariii Icon

  • Account: jahtariii
  • Joined: 07-March 12
  • Posts: 5

Posted 09 March 2012 - 02:18 PM

Hey, thx for your fix!!!

I did some rough calculations... :) (I hope they are right, hehe)

Your first fix limited the amount of traffic being sent to a victim from a single server to 3 msgs per 2 sec. That means 180 msg in 2min from one server.
The latest fix now limits the nr. of msgs sent to a victim to 3 msgs in 2min (if the flooder does not lower its sending rate).
This means that with the latest version/fix 98% less unnecessary traffic is being sent.
-> That's quite nice!!! :cool:

If we look at a victim's side and assume every server has applied the new patch, a victim is receiving x * msg * size = bytes.
e.g. -> 1000 * 3 * 500bytes = 15000000bytes = ~1,43MB every 2min or ~43MB per hour
where x = number of servers, msg = nr. of messages, and size = average response size.
(The numbers may be unrealistic as I can't check my previous wireshark logs at the moment and therefore have no idea about the number of servers + the average response size)
So there might be around 1Gig of useless inc-traffic for a victim per day if the spamming or flooding campaign lasts for 24 hours with the above values.
Note: By adjusting the time value (currently 2min) and simply doubling it, the useless traffic will decrease by half as well. So for 4min = 500MB, 8min = ~250MB per day...

I think the hard part will be to find the correct tradeoff between not banning innocent users and on the other hand not causing too much traffic.

That the reflection-attack will be rather useless with only 1,43MB per 2min should be clear. So let us hope these attacks are going to stop soon and are not intended to only cause higher traffic for us or the victims.

---> Still for future releases I think it would be nice to change the client version and disable the Get-New-List + Refresh-Button for 2sec after pressed once! :huh:

greetings
jahtari

#195 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 02:46 PM

jahtariii, on 09 March 2012 - 02:18 PM, said:

Hey, thx for your fix!!!

I did some rough calculations... :) (I hope they are right, hehe)

Your first fix limited the amount of traffic being sent to a victim from a single server to 3 msgs per 2 sec. That means 180 msg in 2min from one server.
The latest fix now limits the nr. of msgs sent to a victim to 3 msgs in 2min (if the flooder does not lower its sending rate).
This means that with the latest version/fix 98% less unnecessary traffic is being sent.
-> That's quite nice!!! :cool:

If we look at a victim's side and assume every server has applied the new patch, a victim is receiving x * msg * size = bytes.
e.g. -> 1000 * 3 * 500bytes = 15000000bytes = ~1,43MB every 2min or ~43MB per hour
where x = number of servers, msg = nr. of messages, and size = average response size.
(The numbers may be unrealistic as I can't check my previous wireshark logs at the moment and therefore have no idea about the number of servers + the average response size)
So there might be around 1Gig of useless inc-traffic for a victim per day if the spamming or flooding campaign lasts for 24 hours with the above values.
Note: By adjusting the time value (currently 2min) and simply doubling it, the useless traffic will decrease by half as well. So for 4min = 500MB, 8min = ~250MB per day...

I think the hard part will be to find the correct tradeoff between not banning innocent users and on the other hand not causing too much traffic.

That the reflection-attack will be rather useless with only 1,43MB per 2min should be clear. So let us hope these attacks are going to stop soon and are not intended to only cause higher traffic for us or the victims.

---> Still for future releases I think it would be nice to change the client version and disable the Get-New-List + Refresh-Button for 2sec after pressed once! :huh:

greetings
jahtari


I think he plans to increase the time from 2mins to 1 hour, but before he does I think he'll test it in stages like 5mins, 10mins, etc

reflecting on this, it might not be necessary to ban for 1 hour but rather only maybe 10mins, I have another theory which I am going to test to see if it prevents incoming packets completely. Don't get your hopes up, it's just an idea, but if it works I'll private message rambetter of my findings.

#196 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 03:39 PM

My theory works!! I have a solution and I cannot believe it was staring me in the face the WHOLE time!

As soon as ramb comes on his mumble I shall let him know privately how I stopped the packets completely. I can't say here because my findings also showed me that there are two separate attacks going on! and I have a strong feeling that someone in the community is part of this..

#197 User is offline   jahtariii Icon

  • Account: jahtariii
  • Joined: 07-March 12
  • Posts: 5

Posted 09 March 2012 - 04:00 PM

NITRO, on 09 March 2012 - 03:39 PM, said:

My theory works!! I have a solution and I cannot believe it was staring me in the face the WHOLE time!

As soon as ramb comes on his mumble I shall let him know privately how I stopped the packets completely. I can't say here because my findings also showed me that there are two separate attacks going on! and I have a strong feeling that someone in the community is part of this..


sounds great even if I maybe never get the idea :D (hehe but you succeeded in making me very noisy about it. :rolleyes: I assume it's some kind of iptables rule :))

Anyhow can't think of such a perfect solution but if it turns out to really work without infecting the users -> perfect!!! *thumbs up*

#198 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 04:13 PM

well let's just say I have had a test server up and running for the last hour and a half without a single fake getstatus/getinfo packet, plenty of legitimate ones getting through, no spoofed ones :)

#199 User is offline   ipwnn00bs Icon

  • Account: ipwnn00bs
  • Joined: 06-June 10
  • Posts: 23

Posted 09 March 2012 - 05:45 PM

Hey Nitro, congrats

Can you give us any insight into what you did? I am very interested.

In the meantime, I made some modifications to the code today, since you were wondering whether the ban should last 2 mins, one hour, etc.

The new patch is fantastic, but I was thinking we need a way to ban for longer if the same IPs are getting attacked again

I did this

A new type similar to receipt_t

typedef struct {
	netadr_t adr;
	int time;
	int mult;
} receipt_ban_t;



Now I save my banlist in this array


#define MAX_FLOODBANS	24
receipt_ban_t floodBans[MAX_FLOODBANS];



And instead of the 120000 ms, I do 10000 ms multiplied by the multiplier 'mult'


Finally, when specificCount reaches 3, I increase the multiplier

Probably needs more tuning, but seems to be working for me. In other words, each time an IP gets attacked again, the punish time increases by 10 seconds more, lol. Was thinking of doing it exponentially, but maybe that is overkill.

Any idea what happens if I increase the space from 24 to let's say 128? Because one of my servers is directing attacks to more than 20 subnets :S

Edit: I think my solution has a problem when the 24 spaces get filled, my punish time isn't reset to 10 secs...

This post has been edited by ipwnn00bs: 09 March 2012 - 07:38 PM
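
Added example, not code from ipwnn00bs's post or from the ioquake3-UrT repository: a self-contained sketch of the ban table discussed above, combining the 24-slot table whose oldest entry is discarded (post #192) with the 10000 ms x 'mult' escalation (post #199), and resetting 'mult' when a slot is reused, which is the problem noted in the edit. Assumptions: a uint32_t IPv4 address stands in for netadr_t, the function names FloodBan_Add and FloodBan_IsBanned are hypothetical, and the caller passes the server's millisecond clock as 'now'.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FLOODBANS 24
#define BAN_STEP_MS   10000          /* 10 s per multiplier step, as in the post */

typedef struct {
    uint32_t adr;   /* assumption: IPv4 address standing in for netadr_t */
    int time;       /* ms timestamp at which the current ban started */
    int mult;       /* escalation multiplier; 0 marks an unused slot */
} receipt_ban_t;

static receipt_ban_t floodBans[MAX_FLOODBANS];

/* Record a ban for adr at time now (ms); returns the ban length in ms. */
int FloodBan_Add(uint32_t adr, int now)
{
    int i, victim = 0;
    for (i = 0; i < MAX_FLOODBANS; i++) {
        if (floodBans[i].mult > 0 && floodBans[i].adr == adr) {
            floodBans[i].time = now;             /* repeat target: escalate */
            return ++floodBans[i].mult * BAN_STEP_MS;
        }
    }
    /* Not in the table: take a free slot, else evict the oldest entry. */
    for (i = 1; i < MAX_FLOODBANS && floodBans[victim].mult != 0; i++) {
        if (floodBans[i].mult == 0 || floodBans[i].time < floodBans[victim].time)
            victim = i;
    }
    floodBans[victim].adr = adr;
    floodBans[victim].time = now;
    floodBans[victim].mult = 1;   /* reset: a reused slot must not inherit mult */
    return BAN_STEP_MS;
}

/* 1 while adr is inside its current ban window, 0 otherwise. */
int FloodBan_IsBanned(uint32_t adr, int now)
{
    int i;
    for (i = 0; i < MAX_FLOODBANS; i++) {
        if (floodBans[i].mult > 0 && floodBans[i].adr == adr)
            return now - floodBans[i].time < floodBans[i].mult * BAN_STEP_MS;
    }
    return 0;
}

int main(void)
{
    printf("first ban:  %d ms\n", FloodBan_Add(0x0A000001u, 0));
    printf("second ban: %d ms\n", FloodBan_Add(0x0A000001u, 20000));
    return 0;
}
```

In this sketch the lookup is a linear scan, so raising MAX_FLOODBANS from 24 to 128 only lengthens the loop run per checked packet; an evicted address starts again at the 10-second step.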


#200 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |PWNY|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,134

Posted 09 March 2012 - 06:15 PM

iPwnn00bs, the solution is very simple but it does the job well. If I post the solution it can be easily overcome by the attacker if they are monitoring this thread. so I would rather privately discuss it with ramb first and see if we can sort it out without revealing what it does. sorry for keeping this a secret but it's the only way to keep urt servers from being attacked after this patch.

what I can say is the solution works independently of whatever server binary is used also.


my test server has gone 4 hours without any DRDOS now.

This post has been edited by NITRO: 09 March 2012 - 06:28 PM



Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942