Urban Terror Forums: DRDOs - Urban Terror Forums

DRDOs

#1 User is offline   Kritya Icon

  • Account: kritya
  • Main tag: -VRz-
  • Country:
  • Joined: 26-June 10
  • Posts: 26

Posted 28 February 2012 - 07:45 PM

Hi,

Recently my server started to lag a lot, unlike normally, and gave A LOT higher ping.

Then I got an email from my VPS host that my VPS is doing DDoS activity.

I started the servers again and the problem was still there.

Then I went to the console and found this:

I could only copy a small part of it as I was using SSH. (I have pasted that at the bottom.)
The server is hosted on Linux (CentOS 6).

Can someone please help me stop this?
As this is creating huge outgoing traffic from my VPS (while usually a server would get a lot more incoming traffic than outgoing traffic).

ionless packet
broadcast: print "^7server:^3 Possible DRDoS attack to address 87.210.126.221, ignoring getinfo/getstatus connectionless packet"
broadcast: print "^7server:^3 Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet"
Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet
Possible DRDoS attack to address 63.143.36.202, ignoring getinfo/getstatus connectionless packet
Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet
Possible DRDoS attack to address 93.93.65.39, ignoring getinfo/getstatus connectionless packet



Would some kind of firewall be helpful?
And I have downloaded the latest security update and restarted the server.


Thanks

#2 User is offline   rfx Icon

  • Account: rfx
  • Country:
  • Joined: 01-March 10
  • Posts: 576

Posted 28 February 2012 - 08:16 PM

I was contacted through my ISP too today about the problem, and I'm running a patched server.

Err. I was. I decided I've finally enough of all this and shut them all down. Unfortunately. But relieving.

But, nevertheless, I'm wondering if there's a new kind of attack vector now ...

#3 User is offline   Kritya Icon

  • Account: kritya
  • Main tag: -VRz-
  • Country:
  • Joined: 26-June 10
  • Posts: 26

Posted 29 February 2012 - 07:51 AM

rfx, on 28 February 2012 - 08:16 PM, said:

I was contacted through my ISP too today about the problem, and I'm running a patched server.

Err. I was. I decided I've finally enough of all this and shut them all down. Unfortunately. But relieving.

But, nevertheless, I'm wondering if there's a new kind of attack vector now ...



Yea, I also was forced to shut down my servers.

#4 User is offline   stefan1200 Icon

Posted 29 February 2012 - 02:17 PM

rfx, on 28 February 2012 - 08:16 PM, said:

I was contacted through my ISP too today about the problem, and I'm running a patched server.


Same here. Our servers are still running, but it seems they are laggy currently. Added some firewall rules to handle it, but it's not the best solution and it's still laggy. This attack has to stop...but how?

This post has been edited by stefan1200: 29 February 2012 - 02:18 PM


#5 User is offline   Kritya Icon

  • Account: kritya
  • Main tag: -VRz-
  • Country:
  • Joined: 26-June 10
  • Posts: 26

Posted 29 February 2012 - 02:40 PM

stefan1200, on 29 February 2012 - 02:17 PM, said:

Same here. Our servers are still running, but it seems they are laggy currently. Added some firewall rules to handle it, but it's not the best solution and it's still laggy. This attack has to stop...but how?


Well, by being forced I mean that it was VERY laggy, like 300 ping in place of 100.

And it's consuming my bandwidth like shit.

1 hour consumed 15GB.

And what firewall did you place?

#6 User is offline   Nitro Icon

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 29 February 2012 - 03:18 PM

Are you guys using the official patch from FS or the one that Rambetter released? I don't know about the FS release, or how they tested it, but Rambetter's one is proven to work. Also remember the patch only helps prevent your server from responding to spoofed addresses after they have spammed X amount per second. It also does not prevent the incoming traffic; you'll need to discuss that with your server provider or, if you have a colo server like me, contact the people that provide the bandwidth and ask them nicely to look into preventing the attack on their network.

If you are finding that the few packets that ARE getting through are lagging your game servers, then that's your own problem for choosing to host multiple games (or even just one) on a VPS solution or at home!

This post has been edited by Nitro: 29 February 2012 - 05:54 PM

Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#7 User is offline   rfx Icon

  • Account: rfx
  • Country:
  • Joined: 01-March 10
  • Posts: 576

Posted 29 February 2012 - 03:28 PM

Nitro, on 29 February 2012 - 03:18 PM, said:

are you guys using the official patch from FS or the one that rambetter released

For my part, I used the Rambetter patch directly as I couldn't wait for FS because the bandwidth without it skyrocketed. The other option would have been to stop the servers temporarily; an option I didn't really want. Now I shut them down indefinitely, so in retrospect, I guess I chose the wrong option.

This post has been edited by rfx: 29 February 2012 - 03:28 PM


#8 User is offline   Rambetter Icon

  •   community dev   
  • Account: rambetter
  • Joined: 28-February 10
  • Posts: 1,140

Posted 29 February 2012 - 08:36 PM

broadcast: print "^7server:^3 Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet"


I'm a little worried about the line above.
My patch didn't have a broadcast message going out to all players saying that a DRDoS attack was being made. You don't really need this.

In any case, the patch I made will limit the amount of outgoing traffic from your server, since it's limiting getstatus/getinfo responses. However, the patch will do nothing to prevent incoming traffic, since there is no way to do that.
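The behaviour described in posts #6 and #8 (stop answering getstatus/getinfo once one claimed source address exceeds a rate) can be modelled with a per-address token bucket. This is an added example, not Rambetter's patch or Frozen Sand's code; the limits, table size and function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed limits for this sketch; not taken from any Urban Terror patch. */
#define BURST       10    /* replies allowed back-to-back per address    */
#define REFILL_MS   1000  /* one reply credit is regained per second     */
#define TABLE_BITS  10    /* 1024 slots; colliding addresses share one   */

typedef struct { int64_t last_ms; int tokens; int used; } bucket_t;
static bucket_t table[1 << TABLE_BITS];

/* Is this a connectionless getstatus/getinfo query (4 x 0xFF prefix)? */
int is_status_query(const uint8_t *p, size_t len)
{
    if (len < 4 || memcmp(p, "\xff\xff\xff\xff", 4) != 0) return 0;
    p += 4; len -= 4;
    return (len >= 9 && memcmp(p, "getstatus", 9) == 0) ||
           (len >= 7 && memcmp(p, "getinfo", 7) == 0);
}

/* Returns 1 if a reply may be sent to the claimed source addr, 0 to drop.
 * The address in a UDP query is unauthenticated, so the limit protects
 * whoever owns that address from being flooded with our replies. */
int allow_reply(uint32_t addr, int64_t now_ms)
{
    /* Multiplicative hash; the top bits select the slot. */
    bucket_t *b = &table[(addr * 2654435761u) >> (32 - TABLE_BITS)];
    int64_t gained;

    if (!b->used) { b->last_ms = now_ms; b->tokens = BURST; b->used = 1; }

    /* Refill one credit per whole elapsed period, capped at BURST. */
    gained = (now_ms - b->last_ms) / REFILL_MS;
    if (gained > 0) {
        b->tokens = (b->tokens + gained > BURST) ? BURST
                                                 : b->tokens + (int)gained;
        b->last_ms += gained * REFILL_MS;
    }
    if (b->tokens <= 0)
        return 0;   /* over the limit: stay silent, reflect nothing */
    b->tokens--;
    return 1;
}
```

As the posts say, a limiter like this only caps what the server sends out; the spoofed queries still arrive and still consume inbound bandwidth.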

#9 User is offline   ipwnn00bs Icon

  • Account: ipwnn00bs
  • Joined: 06-June 10
  • Posts: 23

Posted 01 March 2012 - 06:04 AM

Rambetter, on 29 February 2012 - 08:36 PM, said:

broadcast: print "^7server:^3 Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet"


I'm a little worried about the line above.
My patch didn't have a broadcast message going out to all players saying that a DRDoS attack was being made. You don't really need this.

In any case, the patch I made will limit the amount of outgoing traffic from your server, since it's limiting getstatus/getinfo responses. However, the patch will do nothing to prevent incoming traffic, since there is no way to do that.


Probably this is something in the new executable? I am using your ioquake trunk, so I don't know how your patches were applied. Or is it a custom mod by him?


I received some mails too. I was suspended on one of my servers, so I am already monitoring what is happening. Even with the game off, the server is answering packets, so I am looking at tcpdump.


05:02:27.902314 IP my.ip.ad.rr > vi.ctim.ip.add: ICMP my.ip.ad.rr udp port 27960 unreachable, length 50




05:03:10.804744 IP my.ip.ad.rr > vi.ctim.ip.add : ICMP my.ip.ad.rr udp port 27960 unreachable, length 50
        0x0000:  45c8 0046 48cd 0000 4001 025f 4e2f db28  E..FH...@.._N/.(
        0x0010:  183d ed2e 0303 2be8 0000 0000 4508 002a  .=....+.....E..*
        0x0020:  38b1 0000 f611 5d46 183d ed2e 4e2f db28  8.....]F.=..N/.(
        0x0030:  0050 6d38 0016 2bbc ffff ffff 6765 7473  .Pm8..+.....gets
        0x0040:  7461 7475 730a                           tatus.



So, they found a way to spoof these packets on ICMP, and the server is answering? Again, the game isn't running :|

Looking now to filter this stuff with iptables n_n

PS: Btw, I've contacted the poor guy who was sending all these complaints to our hosting companies, and told him this issue was patched... but I think we are wrong this time :S


Edit:
According to this
http://en.wikipedia....er#UDP_scanning

It seems they are running a modified bot with a kind of port scanner with the spoofed packets, so our servers are answering with ICMP. I have not tried with the server running, but probably it answers normally with the list of players/settings. This isn't really a large scale issue, and probably can be blocked in our firewalls or blocked via our ISP/hosters. I don't know too much about this stuff, so maybe I am wrong. Just a hypothesis.

Edit 2:
Seems that these ICMP packets are not answered in all the networks, and I guess they are getting blocked automatically by the ISP routers, but not in all the cases.
To block this kind of packet I did this:


iptables -I OUTPUT -p icmp --icmp-type 3 -j DROP



This will stop the answering, but nmap then falsely reports all the ports as open, because the scanner waits for the ICMP packet. Looking for another solution.

Also, if you get the server running, this ICMP stuff stops, but still the blocking isn't good enough to stop the issue.

And for the people seeing lots of traffic consumed despite the patch applied, there is no way to stop this. A UDP flood can't be stopped to reduce your bandwidth consumption, unless you block at the router of your network.

This post has been edited by ipwnn00bs: 01 March 2012 - 07:03 AM
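The second tcpdump capture in post #9 can be decoded field by field to confirm what it is: an ICMP type 3 code 3 (port unreachable) error quoting a UDP getstatus query to port 27960. This is an added example, not part of the original post; the bytes follow the posted dump with the two IPv4 addresses replaced by documentation addresses (so checksums are not valid and are not checked), and the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: 192.0.2.10 = game host, 198.51.100.20 = claimed source. */
static const uint8_t capture[] = {
    0x45,0xc8,0x00,0x46,0x48,0xcd,0x00,0x00,0x40,0x01,0x02,0x5f,0xc0,0x00,0x02,0x0a,
    0xc6,0x33,0x64,0x14,0x03,0x03,0x2b,0xe8,0x00,0x00,0x00,0x00,0x45,0x08,0x00,0x2a,
    0x38,0xb1,0x00,0x00,0xf6,0x11,0x5d,0x46,0xc6,0x33,0x64,0x14,0xc0,0x00,0x02,0x0a,
    0x00,0x50,0x6d,0x38,0x00,0x16,0x2b,0xbc,0xff,0xff,0xff,0xff,0x67,0x65,0x74,0x73,
    0x74,0x61,0x74,0x75,0x73,0x0a
};

typedef struct {
    int      icmp_type, icmp_code;
    uint32_t claimed_src;            /* source address of the quoted query */
    uint16_t claimed_sport, dport;   /* UDP ports of the quoted query      */
    int      is_getstatus;           /* payload starts with OOB getstatus  */
} quoted_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Returns 0 on success, -1 if pkt is not an IPv4 ICMP error quoting UDP. */
int decode_icmp_quote(const uint8_t *pkt, size_t len, quoted_t *out)
{
    size_t ihl, inner, iihl, udp;

    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 1) return -1; /* IPv4 + ICMP */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 + 20) return -1;
    out->icmp_type = pkt[ihl];
    out->icmp_code = pkt[ihl + 1];

    inner = ihl + 8;              /* the quoted original datagram starts here */
    if ((pkt[inner] >> 4) != 4 || pkt[inner + 9] != 17) return -1; /* UDP only */
    iihl = (size_t)(pkt[inner] & 0x0f) * 4;
    udp = inner + iihl;
    if (iihl < 20 || len < udp + 8) return -1;

    out->claimed_src   = be32(pkt + inner + 12);
    out->claimed_sport = be16(pkt + udp);      /* 80 in the posted dump */
    out->dport         = be16(pkt + udp + 2);  /* 27960, the game port  */
    out->is_getstatus  = len >= udp + 8 + 13 &&
        memcmp(pkt + udp + 8, "\xff\xff\xff\xffgetstatus", 13) == 0;
    return 0;
}
```

ICMP type 3 also carries code 4 (fragmentation needed), which path MTU discovery depends on, so a filter limited to code 3 (`--icmp-type port-unreachable` in iptables) is narrower than dropping all of type 3.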


#10 User is offline   Kritya Icon

  • Account: kritya
  • Main tag: -VRz-
  • Country:
  • Joined: 26-June 10
  • Posts: 26

Posted 01 March 2012 - 09:28 AM

Rambetter, on 29 February 2012 - 08:36 PM, said:

broadcast: print "^7server:^3 Possible DRDoS attack to address 69.162.100.43, ignoring getinfo/getstatus connectionless packet"


I'm a little worried about the line above.
My patch didn't have a broadcast message going out to all players saying that a DRDoS attack was being made. You don't really need this.

In any case, the patch I made will limit the amount of outgoing traffic from your server, since it's limiting getstatus/getinfo responses. However, the patch will do nothing to prevent incoming traffic, since there is no way to do that.


Can you please give me a link to your mod?

Thanks
