Urban Terror Forums: DRDoS - Urban Terror Forums

Jump to content

 Login | Register 
Advertisement
  • (27 Pages)
  • +
  • « First
  • 23
  • 24
  • 25
  • 26
  • 27
  • You cannot start a new topic
  • This topic is locked

DRDoS Rate Topic: ***** 1 Votes

Server used as reflector fro DRDoS

#241 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 04 April 2012 - 03:51 PM

View PostRambetter, on 03 April 2012 - 07:05 PM, said:

Can you maybe post the packets that you captured that you feel are attack packets, and are related to the "disconnect" thingy you describe?


Hi Rambetter,

Thank you for your response! To be honest my binary is based on the mickael binary since on some our clan servers are smoke nades disabled and therefore I needed the lua scripting (we replaced yours in December 2011). I don't know if your binary acts the same way onto fake UDP packets.
Here is a little peace from the 10,000 packets-capture, click to download.
You can view it with Wireshark.
It contains fake-flood UDP packets and some sample of the "usual-drdos".
If you have any question, just write me.
Thanks for any help!

View PostRambetter, on 03 April 2012 - 07:05 PM, said:

Also can you describe what you think is going on more clearly?


So what do you think? The fake packets do network flood + CPU burn only on my server and not on any website then what should I think? The fake packets are not a random/ocassional thing, since this attack makes high pings in the last 1-2 weeks and still lasts. Sooner our snort rate limit rule was perfectly effective against the usual drdos packets.
So I am sure that this kind of attack is against the urbanterror server directly, I am just curios if our clan is the target or more (all) urbanterror servers are concerned.

Thanks for your answer in advance:

Snail

This post has been edited by LammeSnail: 04 April 2012 - 05:17 PM


#242 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 04 April 2012 - 08:08 PM

I'm at a loss to explain what's going on.

But here are some observations.

I'm looking at your packet capture, in particular take for example frames 42 and 43. I assume you have a UrT server running on 78.131.57.154:27977. Frame 42 is from IP address 66.55.137.175, which seems to be the offending IP address. Of course this could be spoofed IP address.

I'm not sure what to make of frame 43. I see "disconnect" at the end of the packet sent from the server, but what is all that crap before it? In code/server/sv_main.c, there is this bit of code:

        // if we received a sequenced packet from an address we don't recognize,                                                       
        // send an out of band disconnect packet to it                                                                                 
        NET_OutOfBandPrint( NS_SERVER, from, "disconnect" );



... which is at the bottom of function SV_PacketEvent(). Does this bit of code correspond to the "disconnect" packet we're seeing? I'm not sure what NET_OutOfBandPrint() does, but somehow I doubt that it would write those bytes _before_ "disconnect". I think we need an expert here to help us diagnose which code in the server is sending the "disconnect" packets.

In any case, the offending IP address: http://www.gametrack....55.137.175&=GO - appears that there is a "fake" Team Fortress 2 server running on this IP address. Don't know if someone is trying to attack it or something?

If this is indeed a springboard attack, it's not very effective because each request that is sent to the server results in a response of pretty much the same size. I don't see why someone would use this as an attack.

I think we need to bring in more experts here.

#243 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 04 April 2012 - 10:20 PM

is this "disconnect" packet something that would prevent clients from loading a map and get stuck at say "awaiting gamestate" ?

I have seen that happen a few times even with such things like B3 disabled.
Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#244 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 05 April 2012 - 07:42 PM

View PostRambetter, on 04 April 2012 - 08:08 PM, said:

I'm at a loss to explain what's going on.

I think we need to bring in more experts here.


Hi there,

Well ok I made some consultation with my jedi master: =0g=babbler and here is the hopefully understandable translation of his explanation:

By his explanation not that is important what you were watching: the disconnect packets. What is important: the previous packets with the invalid length (onto which the urt server sends the disconnect answers).
So the keyword is the invalid length.
This means we have (receive) packets with invalid length. Those packets should be dropped. We are not sure if the game can see the length.

Babbler means that the operating system (we have Ubuntu 10.04 LTS) should drop it. We didn't get it how the UDP packets with invalid length could get through the firewall (pf sense) and then the Ubuntu...
But the most important is that the urbanterror servers should be prepared to these.

There is one more thing in this packets: after the getstatus there is a byte which isn't always the same. At packets with invalid length this is 0x10. At an other packet with "normal" drdos attack this is 0x0a.

I hope I could help a bit, waiting for your kind replay and have a nice day and a lots of headshots:

Snail

#245 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 05 April 2012 - 10:06 PM

I think I'm missing something here.
On which frame number (i.e. #42) do you see an invalid length? And what exactly do you mean by invalid length on that frame? I'm using Wireshark too so you can describe what you see in your app.

bullet_loaderAdvertisement

#246 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 06 April 2012 - 09:57 AM

View PostRambetter, on 05 April 2012 - 10:06 PM, said:

I think I'm missing something here.
On which frame number (i.e. #42) do you see an invalid length? And what exactly do you mean by invalid length on that frame? I'm using Wireshark too so you can describe what you see in your app.


By Babbler the packet 42 is a perfect sample. In the UDP header the length is 8. That is the minimum, since the header itself has the lenght of 8. But then there is no data count.
This is quite conspicous in Wireshark since at the UDP part of the tree is no data field (42). Packet 43 has data field.

Thanks and BB:

Snail

This post has been edited by LammeSnail: 06 April 2012 - 09:58 AM


#247 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 08 April 2012 - 07:28 PM

This attack is unacceptable for me: it makes really high ping for all players:
Posted Image
Sooner this was: 0,4,0, A (packet loss, ping, jitter, grade).

Since with the invalid UDP packets senders can't attack websites (only few "disconnect" packets from the urt server) for me it seems that my urt servers are the flood-targets.
I will take a look to other urt servers if I can detect the higher pings and lags and if don't, I will be sure that some competitors spotted the improving rank of my game servers.
:mad:

Then this is going to change the direction of my further investigation.

This post has been edited by LammeSnail: 08 April 2012 - 07:29 PM


#248 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 08 April 2012 - 08:02 PM

where is your server located?

if its from your home then you can pretty much expect those results when you run multiple game servers on a consumer broadband line.

This post has been edited by NITRO: 08 April 2012 - 08:06 PM

Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#249 User is offline   LammeSnail Icon

  • Account: lammesnail
  • Main tag: =KRH=
  • Country:
  • Joined: 17-March 10
  • Posts: 61

Posted 08 April 2012 - 10:06 PM

View PostNITRO, on 08 April 2012 - 08:02 PM, said:

where is your server located?

if its from your home then you can pretty much expect those results when you run multiple game servers on a consumer broadband line.


Hey NITRO, old body :)
You already asked me about my hosting and wondering that I am hosting my servers at home. Normaly I have low pings with more and full servers. I have optical internet (fibre channel) and not ADSL. And 80Mbit/25Mbit.
This is a new test result, looks closer to the normal value:
Posted Image
still the jitter is higher then usual.
Servers are located in Hungary.

At this ping test result I have on my firewall:
states: 435
CPU: 6%

At the previous test result (B) I had 1000 states and 20+% CPU.
(and when the rule could not filter the empty UDP packets it was 60,000+ states)

The "normal" drdos attacks can be banned by my special rate limit firewall filtering.
None of you detected any higher pings, or different kind of UDP packets on the firewall? Hm.

Thanks for your help!

This post has been edited by LammeSnail: 08 April 2012 - 11:05 PM


#250 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 08 April 2012 - 11:53 PM

If your CPU is hitting 20% at the server level then i'd hate to see what the routers cpu is at..
even with fibre your consumer router will probably have a limit to how many connections/sessions it can handle.
it will beable to handle the bandwidth but the connections/sessions are a different story.

for example, my home ADSL router has a 533MHz cpu that the manufacturer rates at 300,000 connections/session. (thats probably them being either optimistic or what the cpu takes before its reaches 100%)

even then I still impose a limit on the router at 16834 connections that way the routers cpu has plenty of overhead.

so first of all check that the router isn't being bottlenecked. if you think it is then it might be a good idea to play about with UDP timeout settings to strike a better balance at when the router drops expired UDP connections.

secondly are you hosting the servers from a client OS such as windows XP/vista or 7? or a server os such as windows server, osx server, or linux?

Is the pc dedicated to only hosting the games or are you also gaming from the same pc?

whats the specs of the PC hosting the server?


Its hard to help since I havent experienced this myself, my regular ping to my own server from my crappy 4meg adsl is 48ms in game, and even during drdos attacks it remains at 48ms.

infact the only way i know my server is even involved is when I see my servers bandwidth stats are slightly higher than usual lol.

This post has been edited by NITRO: 08 April 2012 - 11:54 PM

Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

  • (27 Pages)
  • +
  • « First
  • 23
  • 24
  • 25
  • 26
  • 27
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Sponsored link
https://www.urbanterror.info/members/donate/


Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942