Urban Terror Forums: DRDoS - Urban Terror Forums


DRDoS

Server used as reflector for DRDoS

#231 User is offline   Diggs Icon

  •   verified donator   
  • Account: diggs
  • Joined: 28-February 10
  • Posts: 89

Posted 22 March 2012 - 12:51 AM

I haven't followed this thread for the last 10 pages so pardon me if this has already been posted - this DRDoS exploit has been around for some time and has been handled in the past using iptables on *nix machines (if you have the access).

http://www.altfire.c...php?news_id=586
Keep on gaming

#232 User is offline   Fallen2 Icon

  • Account: fallen2
  • Main tag:
  • Country:
  • Joined: 30-October 10
  • Posts: 39

Posted 23 March 2012 - 12:20 PM

hmm.

can this eventually cause a loss of hits on the server?

From what I'm currently aware, our servers started running the code a while ago. It's true we changed box, but it's in the exact same place, so it's supposed to have the same quality.

After we did it, this started to happen:

I know there are a lot of factors that can cause bad hits, but from my own experience, I can tell this is happening from the server, since it is always happening, with different enemies. Our connections are fine btw.

cheers

#233 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 23 March 2012 - 09:36 PM

Fallen2, on 23 March 2012 - 12:20 PM, said:

hmm.

can this eventually cause a loss of hits on the server?

in brief, no.

this only limits status updates (which clients don't use ingame unless they issue the rcon command /rcon status)
Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#234 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 23 March 2012 - 09:52 PM

Correction NITRO.
"/rcon status" and getstatus are 2 different things.

#235 User is offline   Zamy Icon

  • Account: zamy
  • Country:
  • Joined: 01-March 10
  • Posts: 65

Posted 28 March 2012 - 03:39 PM

Great job guys.
And really thanks for your work.

By the way, any news about the legal process?


#236 User is offline   ipwnn00bs Icon

  • Account: ipwnn00bs
  • Joined: 06-June 10
  • Posts: 23

Posted 28 March 2012 - 07:28 PM

RAM, I am sending you a PM, probably a minor threat ongoing or I don't know :P

#237 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 01 April 2012 - 10:05 PM

Rambetter, on 09 March 2012 - 07:31 PM, said:

An attacker who understands the latest patch will be able to write an attack that lets the getstatus packets trickle in at a rate of 3 per 2 second period. Then they will be able to successfully project 1.5 getstatus responses per second without triggering the blocking code.

See, this is why there is no real solution to fix this problem other than to modify the Q3 protocol.



In the last week I can detect this kind of attack. My server pings are higher, and all players complain about high ping and lag.
I have a special snort rate limit rule before the servers and this bans attacker IPs so my urt servers don't need to drop attacker requests since they don't land.
The change in the last week I think is that the attacker changes the source/destination IP very fast, so it bypasses the ban.
But the attack loses the purpose of the original attack of using the urt servers as amplifiers of the attack (from 10-20 to 1000+).
So what does it mean then? Many targets or just killing the urbanterror community/servers?
Please note: my server with higher rank gets more UDP packets. Is it maybe intentional? (I would welcome a report from the owners of the top 25 servers at gametracker if they recognize this).

I thought about setting my rate limit to a VERY STRICT value, and therefore I would welcome from this community a WHITELIST with legal tracker and monitor IPs (e.g. gametracker, etc).
Of course others who have any server query, like urtknifers or me (clankrh.com), could appear on this list as well, and this could function like the powerban: whoever wants to use it can use it.

So I agree with Rambetter: currently I don't see a perfect solution. It doesn't matter whether the servers answer or the requests are dropped on the firewall: until the attackers are stopped, the UDP packets keep coming in huge amounts.
(BTW what is with Pussnboots' legal way?)

Snail

#238 User is offline   looza Icon

  • Account: looza
  • Main tag: gXS.
  • Country:
  • Joined: 21-September 10
  • Posts: 56

Posted 02 April 2012 - 06:33 AM

I got some help from a professional with iptables :D


iptables -A INPUT -p udp \
-d xx.xx.xx.xx \
-m multiport --dports 27960,27961,27962,27963,27964 \
-m string --algo bm --string "getstatus" --from 30 --to 45 \
-m hashlimit --hashlimit-name "URT_GETSTATUS" --hashlimit-mode srcip,dstip,dstport --hashlimit-above 1/s --hashlimit-htable-expire 10000 \
-j DROP

this iptables rule limits the requests per attacking ip, with that you won't have issues with "friendly" server queries and you don't need to set up a whitelist.
i use this in combination with Rambetter's code and it works very well for me :)

you only need to replace xx.xx.xx.xx with your public server ip

hm ok i know not everyone has access to iptables on their server but maybe it helps some people.
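
An added example, not part of looza's post or of any project's code: a small Python model of how the rule above treats traffic, replayed over constructed packets. It is a simplified integer token bucket, not the kernel's exact hashlimit accounting; the burst of 5 is an assumption (the xt_hashlimit default, since the rule sets none), and all names and addresses are made up for illustration.

```python
from collections import defaultdict

OOB = b"\xff\xff\xff\xff"  # prefix of a Quake 3 connectionless packet

def is_getstatus(payload: bytes) -> bool:
    # With a 20-byte IPv4 header and an 8-byte UDP header the text starts at
    # packet offset 32, inside the 30..45 range the rule searches.
    return payload.startswith(OOB + b"getstatus")

class PerSourceLimiter:
    """Token bucket per (src, dst, dport); times in ms, tokens in 1/1000ths.
    Assumed burst of 5; expire_ms mirrors --hashlimit-htable-expire 10000."""
    def __init__(self, per_second=1, burst=5, expire_ms=10000):
        self.rate, self.cap, self.expire = per_second, burst * 1000, expire_ms
        self.buckets = {}  # key -> (millitokens, last_seen_ms)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.cap, now))
        if now - last > self.expire:      # idle entry aged out of the table
            tokens, last = self.cap, now
        tokens = min(self.cap, tokens + (now - last) * self.rate)
        ok = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if ok else tokens, now)
        return ok

def replay(packets, limiter):
    """packets: (time_ms, src, dst, dport, payload) tuples sorted by time."""
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0, "unmatched": 0})
    for t, src, dst, dport, payload in packets:
        if not is_getstatus(payload):
            verdict = "unmatched"         # rule does not apply; packet reaches the server
        elif limiter.allow((src, dst, dport), t):
            verdict = "answered"
        else:
            verdict = "dropped"
        stats[src][verdict] += 1
    return dict(stats)

def sample_traffic():
    """Constructed traffic using documentation addresses, not a real capture."""
    q, dst = OOB + b"getstatus", "203.0.113.10"
    pkts = [(t, "192.0.2.5", dst, 27960, q) for t in range(0, 20000, 2000)]    # monitor: 1 query / 2 s
    pkts += [(t, "198.51.100.7", dst, 27960, q) for t in range(0, 10000, 20)]  # one source: 50 queries / s
    pkts += [(500, "198.51.100.7", dst, 27960, b"\x00\x01garbage")]            # not a getstatus query
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for src, counts in replay(sample_traffic(), PerSourceLimiter()).items():
        print(src, counts)
```

Because the bucket key includes the source address, the model bounds replies per source, not in total, and packets that are not getstatus queries pass the rule untouched.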

#239 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 02 April 2012 - 08:12 PM

looza, on 02 April 2012 - 06:33 AM, said:

and you don’t need to set up a whitelist.


Hi,

Thanks, but I am using snort and a unique rate limit rule from a professional.
This works like the Rambetter rate limit but it puts attacker IPs on a blocklist for an hour.
This helps ensure that the attacks don't land on the urt servers.
Currently I have 166 IPs in this list, which means almost 3 new IPs per minute.

But I have a more serious problem.
We did some investigation and limited the packet capture to 10k (10,000). This amount was reached IN 3 SECONDS!!!
OK, you can say no problem, my firewall saves my little *ss. But no.
Almost 1/3 of these UDP packets (about 1,000/second) are fake and therefore the firewall lets them through to the urt servers. The urt server cannot understand them and sends a "disconnect" back.

So this attack made it clear to me that the targets are partly the urbanterror servers, since the fake attacks only burn the urt server CPU and flood the internet, causing high ping overall (not just in the game), and don't attack anybody else with the magnifying effect of DRDoS.

Waiting for any response on whether only I have these fake UDP packets and the disconnect message on the urt servers.
Any help is appreciated.

Thanks:

Snail

#240 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 03 April 2012 - 07:05 PM

Someone else mentioned something about a disconnect packet a few days ago.
I guess I'll have to look into this. Eventually. Not really sure what the problem is.

Can you maybe post the packets that you captured that you feel are attack packets, and are related to the "disconnect" thingy you describe?

Also can you describe what you think is going on more clearly?

This post has been edited by Rambetter: 03 April 2012 - 07:09 PM



Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942