Rambetter, on 29 February 2012 - 08:36 PM, said:
broadcast: print "^7server:^3 Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet"
I'm a little worried about the line above.
My patch didn't have a broadcast message going out to all players saying that a DRDoS attack was being made. You don't really need this.
In any case, the patch I made will limit the amount of outgoing traffic from your server, since it's limiting getstatus/getinfo responses. However, the patch will do nothing to prevent incoming traffic, since there is no way to do that.
Probably this is something in the new executable? I am using your ioquake trunk, so I don't know how your patches were applied. Or is it a custom mod by him?
I received some mails too. I was suspended on one of my servers, so I am already monitoring what is happening. Even with the game off, the server is answering packets, so I am looking at tcpdump.
05:02:27.902314 IP my.ip.ad.rr > vi.ctim.ip.add: ICMP my.ip.ad.rr udp port 27960 unreachable, length 50
05:03:10.804744 IP my.ip.ad.rr > vi.ctim.ip.add : ICMP my.ip.ad.rr udp port 27960 unreachable, length 50
0x0000: 45c8 0046 48cd 0000 4001 025f 4e2f db28 E..FH...@.._N/.(
0x0010: 183d ed2e 0303 2be8 0000 0000 4508 002a .=....+.....E..*
0x0020: 38b1 0000 f611 5d46 183d ed2e 4e2f db28 8.....]F.=..N/.(
0x0030: 0050 6d38 0016 2bbc ffff ffff 6765 7473 .Pm8..+.....gets
0x0040: 7461 7475 730a tatus.
So, they found a way to spoof these packets on ICMP, and the server is answering? Again, the game isn't running :|
Looking now to filter this stuff with iptables n_n
PS: Btw, I've contacted the poor guy who was sending all these complaints to our hosting companies, and told him this issue was patched... but I think we are wrong this time :S
Edit:
According to this
http://en.wikipedia....er#UDP_scanning
It seems they are running a modified bot with a kind of port scanner with the spoofed packets, so our servers are answering with ICMP. I haven't tried with the server running, but probably it answers normally with the list of players/settings. This isn't really a large-scale issue, and probably can be blocked in our firewalls or blocked via our ISP/hosters. I don't know too much about this stuff, so maybe I am wrong. Just a hypothesis.
Edit 2:
Seems that these ICMP packets are not answered on all networks, and I guess they are getting blocked automatically by the ISP routers, but not in all cases.
To block this kind of packet I did this:
iptables -I OUTPUT -p icmp --icmp-type 3 -j DROP
This will stop the answering, but nmap then falsely reports all the ports as open, because the scanner waits for the ICMP packet. Looking for another solution.
Also, if you get the server running, this ICMP stuff stops, but still the blocking isn't good enough to stop the issue.
And for the people seeing lots of traffic consumed despite the patch being applied, there is no way to stop this. A UDP flood can't be stopped to reduce your bandwidth consumption, unless you block at the router of your network.
This post has been edited by ipwnn00bs: 01 March 2012 - 07:03 AM
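Added example, not code from this thread or from ioquake3: a small decoder for a tcpdump -X dump like the one in the post, showing why the server keeps "answering" with the game off. The ICMP port-unreachable quotes the original UDP datagram, whose source address is the spoofed victim, so that is where the 70-byte error goes in reply to a 42-byte getstatus. The sample dump is constructed (RFC 5737 addresses, zero checksums), and the parser assumes the ASCII column never looks like a hex group.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample in tcpdump -X layout (not the capture from the post): an ICMP port
# unreachable sent by server 192.0.2.10 to 198.51.100.7, quoting the spoofed UDP
# getstatus request that triggered it. Checksums are zero; the parser ignores them.
SAMPLE_DUMP = """\
0x0000:  4500 0046 0001 0000 4001 0000 c000 020a  E..F....@.......
0x0010:  c633 6407 0303 0000 0000 0000 4500 002a  .3d.........E..*
0x0020:  0002 0000 f611 0000 c633 6407 c000 020a  .........3d.....
0x0030:  0050 6d38 0016 0000 ffff ffff 6765 7473  .Pm8........gets
0x0040:  7461 7475 730a                           tatus.
"""
@dataclass
class ReflectedRequest:
    server: str       # host that emitted the ICMP error (the game server)
    victim: str       # where the error went: the spoofed source of the request
    dst_port: int     # UDP port the spoofed request was aimed at
    request_len: int  # bytes the attacker put on the wire
    reply_len: int    # bytes the server reflected at the victim
    payload: bytes    # quoted UDP payload of the request
def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from tcpdump -x/-X lines; stop at the ASCII column (assumed non-hex)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:          # [0] is the "0x0010:" offset
            if len(tok) not in (2, 4) or set(tok) - set("0123456789abcdef"):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def ip(b: bytes) -> str: return str(ipaddress.IPv4Address(b))
def u16(b: bytes) -> int: return int.from_bytes(b, "big")

def parse_icmp_unreachable(pkt: bytes):
    """ReflectedRequest if pkt is ICMPv4 type 3 quoting a UDP datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4 carrying ICMP
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    inner = icmp[8:]                                      # quoted original datagram
    # type 3 = unreachable; quoted datagram is UDP whose (spoofed) source is the victim
    if len(inner) < 28 or icmp[0] != 3 or inner[9] != 17 or ip(inner[12:16]) != ip(pkt[16:20]):
        return None
    udp = inner[(inner[0] & 0x0F) * 4:]                   # quoted UDP header + data
    return ReflectedRequest(ip(pkt[12:16]), ip(pkt[16:20]), u16(udp[2:4]),
                            u16(inner[2:4]), u16(pkt[2:4]), udp[8:])
def is_q3_query(payload: bytes) -> bool:
    """Quake 3 connectionless getstatus/getinfo: 0xffffffff marker, then the command."""
    words = payload[4:].split()
    return payload.startswith(b"\xff" * 4) and bool(words) and words[0] in (b"getstatus", b"getinfo")
```

Comparing reply_len with request_len on a real capture gives the reflection ratio the victim sees from each ICMP error, which is what a router-level or ISP-level filter (not the game patch) has to stop.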