Urban Terror Forums: DRDoS - Urban Terror Forums


DRDoS

Server used as reflector for DRDoS

#41 ipwnn00bs

  • Account: ipwnn00bs
  • Joined: 06-June 10
  • Posts: 23

Posted 17 December 2011 - 07:17 AM

Hi

Everything is working "fine". Maybe blocking the IPs for more time would be good. It seems that the IPs are restricted only for some time, and after that the IP is unblocked and reblocked again LOL. I am not sure, because I haven't totally understood how this new patch works. Maybe the last code does this?

And, what are these messages?

NET_SendPacket: Invalid argument



Sometimes I receive a lot of them. Probably an idiot flooding with corrupted packets? I am not sure about these (a tcpdump output from when these messages were flooding my console):


23:35:40.370184 IP X.X.X.X.0 > X.X.X.X.27960: UDP, length 14
        0x0000:  4500 002a f968 0000 f211 d9a6 b4bd 9b7e  E..*.h.........~
        0x0010:  1fab 85cc 0000 6d3a 0016 651a ffff ffff  ......m:..e.....
        0x0020:  6765 7473 7461 7475 730a                 getstatus.
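
Added example (not part of the original post or of any Urban Terror code): a Python check that decodes a raw IPv4/UDP packet like the one in the tcpdump output above and flags Quake 3 connectionless getstatus/getinfo queries that arrive from source port 0. The sample packets are constructed with documentation addresses; tying source port 0 to the console message is an inference from Linux rejecting UDP sends to destination port 0 with EINVAL ("Invalid argument").

```python
import struct

Q3_OOB = b"\xff\xff\xff\xff"               # Quake 3 connectionless-packet marker
REFLECTED = (b"getstatus", b"getinfo")      # queries discussed in this thread

def build_sample(src_port, payload, dst_port=27960):
    """Constructed IPv4+UDP packet: documentation addresses, checksums left at 0."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload

def classify(packet):
    """Return UDP ports, the Q3 query name (or None) and whether a reply can be sent."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None                          # not IPv4/UDP
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if len(packet) < ihl + 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]
    query = None
    if payload.startswith(Q3_OOB):
        words = payload[4:].split()
        if words and words[0] in REFLECTED:
            query = words[0].decode()
    return {"src_port": sport, "dst_port": dport, "query": query,
            # A reply would be addressed to UDP port 0, which Linux refuses with EINVAL.
            "reply_impossible": sport == 0}

if __name__ == "__main__":
    for pkt in (build_sample(0, Q3_OOB + b"getstatus\n"),
                build_sample(27961, Q3_OOB + b"getinfo xyz")):
        print(classify(pkt))
```

Packets flagged `reply_impossible` can be dropped before the game server sees them, since no answer to them can be delivered.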



#42 Derfull

  • Account: derfull
  • Main tag: |U`u|
  • Joined: 28-February 10
  • Posts: 39

Posted 21 December 2011 - 01:43 AM

Hi,

Same problem in another part of the world :)

Actually I use the Rambetter version, freshly compiled 2 days ago.

In addition I use iptables after the crash of one server (I host two servers) and I don't want to, and have no time to, explain it ;)

For iptables I use this; I limit all packets that contain the strings getinfo/getstatus:
iptables -A INPUT -i eth0 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -j DROP
iptables -A INPUT -i eth0 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -j DROP

I filter almost all the requests (e.g. 400 answers for 36000 requests from one attacker).
Who said that the problem is marginal :)

All seems ok with regular clients (urt, qtracker, xqf, ...)

This post has been edited by Derfull: 21 December 2011 - 01:52 AM


#43 farflame

  • Account: farflame
  • Joined: 06-December 11
  • Posts: 7

Posted 22 December 2011 - 07:00 PM

Using the patched ioUrt version. Compiled with old glibs 2 days after release.
Everything seems to work fine.

#44 LammeSnail

  • Account: lammesnail
  • Main tag: =KRH=
  • Joined: 17-March 10
  • Posts: 61

Posted 23 December 2011 - 11:20 AM

nitro, on 11 December 2011 - 08:24 PM, said:


Update your server!



Thanks for your help nitro and all!
I had the same issue and requested help here, but now I hope my servers are going to be OK.

Thanks!

#45 Courgette

  • community dev
    B3 bot developer
  • Account: courgette
  • Main tag: [B3]
  • Joined: 09-June 09
  • Posts: 204

Posted 24 December 2011 - 01:41 AM

apath0, on 08 December 2011 - 10:59 AM, said:

the connectlimit.patch just exists for ioquake3-UrT-server-4.1!
so i compiled that one, but the issues are not resolved =/ i'm pretty sure sv_limitConnectPacketsPerIP worked though, because b3 behaved strangely (announcing 'player from country connected' every single round)


B3 behaves strangely because you used the ioquake3 engine. B3 was designed to work for ioUrT only and won't work properly on ioQuake3.




#46 Nitro

  • former FS member
  • Account: nitro
  • Main tag: |PWNY|
  • Joined: 15-March 10
  • Posts: 1,130

Posted 24 December 2011 - 01:55 AM

Courgette, on 24 December 2011 - 01:41 AM, said:

B3 behaves strangely because you used the ioquake3 engine. B3 was designed to work for ioUrT only and won't work properly on ioQuake3.


Both me and ram worked together to bring the ioQuake3 engine up to par with ioUrT; in terms of logging, both engines now produce the same log output format. I use ioQ3 on my CTF without any current B3 issues.
Corsair 230T Orange | Intel 6600K @ 4.8GHz | 16GB DDR4 2133MHz | 512GB Samsung 950pro NVMe SSD | 8GB AMD Radeon RX-480

#47 Rambetter

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 24 December 2011 - 05:25 AM

nitro, on 24 December 2011 - 01:55 AM, said:

Both me and ram worked together to bring the ioQuake3 engine up to par with ioUrT; in terms of logging, both engines now produce the same log output format. I use ioQ3 on my CTF without any current B3 issues.


Yeah, the issue with the logging in ioquake3 was the IP address and port. One of them (ioUrT or ioquake) writes the port in the clientuserinfo, the other does not. I forget which is which. We fixed that.

#48 H3NRY

  • Account: h3nry
  • Main tag: .um
  • Joined: 28-February 10
  • Posts: 2,785

Posted 27 December 2011 - 02:44 AM

Today I received an email from my ISP stating my computer might be infected with a botnet; guess I will have to get this and hope it works well.
ramb, got any Windows binaries with the latest changes? (you said you were changing things still last time)
{got to do the same type of workaround for my cod}


Oh, and I like the idea that was sent to me in the email from my ISP; it pertains to the COD servers but I am certain it can be used for the urbanterror side as well.
read this post to understand
http://rankgamehosti...?showtopic=1320

This post has been edited by H3NRY: 27 December 2011 - 11:38 AM

Urban Mulchers, .um, H3NRY.um
Hacker?, GTFO! we don't care who you are if you hack.

sadly no servers at the moment

#49 Nitro

  • former FS member
  • Account: nitro
  • Main tag: |PWNY|
  • Joined: 15-March 10
  • Posts: 1,130

Posted 27 December 2011 - 10:00 PM

Adding the attacker's IP to a banlist would cut down further spam, as it would prevent even replying to the first few packets on any additional attacks in the short term.

I think the IP should be banned from responses for 1 hour + 10 mins for every packet after the agreed amount has been reached; however, this would be more complicated and more coding effort than just an "add IP to blacklist" method where server admins can manually remove an address if it caused any problems. Said blacklists could then also be shared between server admins, and even used for other game servers such as cod4, or even for iptables too as a general catch-all block for all games hosted.


Also, depending on how you host your servers (I have a hardware Cisco firewall on my servers' network), that could use these blacklisted IP addresses to prevent incoming and outgoing packets ever reaching my server from set IP addresses.
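
One way to implement the ban policy proposed in the post above, as an added Python example rather than code from the ioUrT patch: 1 hour once the threshold is crossed, 10 more minutes for every further packet, manual removal by an admin, and an exportable list. The class name, threshold and window are assumptions; the post leaves the "agreed amount" open, and the address used is a constructed documentation address.

```python
BASE_BAN = 3600      # "1 hour"
PER_PACKET = 600     # "+ 10 mins for every packet" received while banned

class ResponseBanList:
    """Hypothetical helper: decides whether a status query gets a reply."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold   # assumed "agreed amount" of packets per window
        self.window = window         # seconds
        self.recent = {}             # ip -> timestamps of recent queries
        self.banned_until = {}       # ip -> time at which the ban expires

    def should_reply(self, ip, now):
        until = self.banned_until.get(ip, 0.0)
        if now < until:
            # Still banned: every extra packet lengthens the ban.
            self.banned_until[ip] = until + PER_PACKET
            return False
        times = [t for t in self.recent.get(ip, []) if now - t < self.window]
        times.append(now)
        self.recent[ip] = times
        if len(times) > self.threshold:
            # Threshold crossed: stop answering this address for an hour.
            self.banned_until[ip] = now + BASE_BAN
            return False
        return True

    def unban(self, ip):
        """Manual removal by a server admin."""
        self.banned_until.pop(ip, None)
        self.recent.pop(ip, None)

    def export(self, now):
        """Currently banned addresses, e.g. to share with other admins."""
        return sorted(ip for ip, until in self.banned_until.items() if until > now)

if __name__ == "__main__":
    bans = ResponseBanList(threshold=3)
    for t in (0.0, 0.25, 0.5, 0.75, 1.0, 1.25):
        print(t, bans.should_reply("203.0.113.7", t))
    print(bans.export(2.0), bans.banned_until)
```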

#50 Nitro

  • former FS member
  • Account: nitro
  • Main tag: |PWNY|
  • Joined: 15-March 10
  • Posts: 1,130

Posted 28 December 2011 - 10:43 PM

I modified the iptables rules above to get this:




iptables -I INPUT 1 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -m limit --limit 3/s --limit-burst 10 -j ACCEPT;
iptables -I INPUT 2 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getstatus" -j DROP; 
iptables -I INPUT 3 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -m limit --limit 3/s --limit-burst 10 -j ACCEPT;
iptables -I INPUT 4 -i eth1 -p udp -m udp --dport 27000:29000 -m string --algo bm --string "getinfo" -j DROP;




It adds the rules to the start of your INPUT chain, making sure that they are the first rules to be matched against. Also, I increased the limits to help with master server updates etc. I also have a small program that I use to test against the spam, and it seems to be fine, as the burst rate would be tripped every time, meaning all packets would get blocked unless they were from legitimate sources that were not spamming.

This also works for other q3-based games like COD2 and COD4 (tried and tested on my cod2 server). In theory it should work with Wolfenstein and other q3-based games so long as the game server's ports lie between 27000 and 29000, although you can adjust this as needed.

Also, it's limited only to the interface that will be affected by this attack; in this case I use "eth1".

For those of you with access to iptables but without the custom binary for UrT, or who have other Q3-based games, this may help you.

This post has been edited by nitro: 28 December 2011 - 10:44 PM

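
Added example, not part of the thread: a Python simulation of the token bucket behind `-m limit --limit 3/s --limit-burst 10`, run over constructed traffic (a 1000 packets/s getstatus flood plus one server-browser query per second; the addresses and rates are assumptions). The `limit` match keeps one bucket per rule, shared by every source, so the example also runs the same traffic through per-source buckets, which is what the `hashlimit` match with `--hashlimit-mode srcip` provides.

```python
from collections import defaultdict

class TokenBucket:
    """Starts full at `burst`, refills at `rate` tokens/s, one token per packet."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # rule 1 matches: ACCEPT
        return False             # falls through to rule 2: DROP

def simulate(packets, rate=3, burst=10, per_source=False):
    """Return {source: accepted packet count} for (time, source) query packets."""
    shared = TokenBucket(rate, burst)
    per_ip = defaultdict(lambda: TokenBucket(rate, burst))
    accepted = defaultdict(int)
    for t, src in sorted(packets):
        bucket = per_ip[src] if per_source else shared
        if bucket.allow(t):
            accepted[src] += 1
    return dict(accepted)

FLOOD, BROWSER = "203.0.113.7", "198.51.100.20"   # constructed addresses

def sample_traffic(seconds=10, flood_pps=1000):
    """Constructed trace: spoofed flood plus one legitimate query per second."""
    flood = [(s + i / flood_pps, FLOOD)
             for s in range(seconds) for i in range(flood_pps)]
    browser = [(s + 0.5, BROWSER) for s in range(seconds)]
    return flood + browser

if __name__ == "__main__":
    traffic = sample_traffic()
    print("shared bucket (limit):       ", simulate(traffic))
    print("per-source bucket (hashlimit):", simulate(traffic, per_source=True))
```

With the shared bucket the flood takes every token as soon as it appears, so the server browser's queries are dropped for as long as the flood lasts; with per-source buckets the browser is unaffected while the flood is still held to roughly 3 replies per second.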


Copyright © 1999-2019 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942