• Anti DDoS
    118 replies, posted
  • Avatar of thegrb93
  • So what needs to happen is Activision be sued for being an accomplice in malicious internet use if they fail to fix the problem. They provided the exploited software, so that makes them an accomplice. They are providing the way for uncontrollable internet spam by making these servers exploitable. That should be illegal, right? All you'd need to do to prove it is to run the same shit everyone else is doing and record the packet traffic.
  • I can use the Ping command to flood others, does that mean I can sue Microsoft for including this command? No. You can't sue a company simply because they do not fix a bug/exploit in their system. It's the users that are held at fault for abusing any exploits.
  • Avatar of Ruzza
  • [QUOTE=B!N4RY;34157956]I can use the Ping command to flood others, does that mean I can sue Microsoft for including this command? No. You can't sue a company simply because they do not fix a bug/exploit in their system. It's the users that are held at fault for abusing any exploits.[/QUOTE] Ping requests are blockable, cod4 drdos is not. Unless patched somehow with linux or an addon.
  • [QUOTE=JustSoFaded;34154398]Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc. Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..[b][i][u]limited, at best[/u][/i][/b], and you don't seem to know exactly what you are talking about.[/QUOTE] If I hit you with a statusResponse DRDoS, and you go into your firewall (for example say some variant of Linux, Windows' is shit) and you say something like [CODE]iptables -A INPUT -m string --algo bm --string 'statusResponse' -j DROP[/CODE] then yes, packets will be blocked from reaching your applications, but that 100MB internet connection you have between your server and the internet is still being used. Unless you are filtering these packets out well before they reach your line, it really doesn't make a difference. If the attack is larger than your connection, then you are essentially fucked, no matter how many filters or firewalls you have in place. If you can't block it before it reaches your line, it still saturates it. [SUB]For my next post, if needed, I will paint a pretty picture...[/SUB]
  • Avatar of technicolour
  • Man, where do you people find these admins? The circle of build/wire servers I frequent have never had problems like this.
  • [QUOTE=Ruzza;34158445]Ping requests are blockable, cod4 drdos is not. Unless patched somehow with linux or an addon.[/QUOTE] You don't have to be specific about it, that was merely an example. Nonetheless, I'm pretty sure it is blockable as Revenge282 mentioned, as these kinds of ping requests have some kind of unique identifier.
  • Since we got our new server we have banned 65 people using Sethhack in 61 days, a few of them even added me and were all like 'HURR DURR DEVNULL TIME FGT', yet we have experienced no lag or crashes, so I can only assume that either the connection can handle it or PlugPayPlay know what they are doing.
  • Avatar of Ruzza
  • [QUOTE=B!N4RY;34160096]You don't have to be specific about it, that was merely an example. Nonetheless, I'm pretty sure it is blockable as Revenge282 mentioned, as these kinds of ping requests have some kind of unique identifier.[/QUOTE] You do have to be specific about it. If you had a COD4 server with an anti-spam query system which disallows the IP from requesting info for, let's say... 5 minutes, then that would stop the outgoing traffic from the server being high, as the server downloads very little; it uploads much, much more.
  • [QUOTE=Ruzza;34164519]You do have to be specific about it. If you had a COD4 server with an anti-spam query system which disallows the IP from requesting info for, let's say... 5 minutes, then that would stop the outgoing traffic from the server being high, as the server downloads very little; it uploads much, much more.[/QUOTE] You clearly are not getting my point at all. I am not telling you how/what you can do to block them; that was not the focus of my topic. I was only using an example to state that you cannot sue a company over bugs that can be used for unintended malicious reasons by users.
  • Avatar of zzaacckk
  • [QUOTE=Banana Lord.;34133823]I think the better question is why wouldn't they add some sort of anti spam to begin with[/QUOTE] Because he probably queries one server, then the next, then the next until the list is over.
  • Avatar of Ruzza
  • [QUOTE=B!N4RY;34171459]You clearly are not getting my point at all. I am not telling you how/what you can do to block them; that was not the focus of my topic. I was only using an example to state that you cannot sue a company over bugs that can be used for unintended malicious reasons by users.[/QUOTE] Yeah, but a company that acknowledges that there is a bug there and does nothing about it, leaving it exploitable, should mean something.
  • [QUOTE=Ruzza;34173004]Yeah but a company that acknowledges that there is a bug there and does nothing about it leaving it exploitable should mean something.[/QUOTE] That was already discussed. Activision doesn't care about bugs in the COD franchise as long as it doesn't affect gameplay and they're earning money. It's nothing surprising or new.
  • Well, on most game servers, you are able to block users from using over a certain amount of connectivity/only connecting a certain amount of times. DDoS, however, is much harder to stop than just a DoS. This is because they use vast botnets not originating from a specific location.
  • Avatar of FPtje
  • To those defending the firewall idea: Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived at the machine's network card yet. The COD DDoS is a [url=http://www.surasoft.com/articles/ddosa.php#bdwconsumption]bandwidth flood[/url]. It doesn't matter if the COD4 packages are read and interpreted by the end machine. The only thing that matters is that all those packages are going over the line, eating up all bandwidth. That is what people in here mean by line saturation. It's the network cables and the end point routers closest to the server that are being flooded, not the server itself. This is why you often hear that several servers go offline in an attack. [editline]12th January 2012[/editline] [QUOTE=B!N4RY;34173323]That was already discussed. Activision doesn't care about bugs in the COD franchise as long as it doesn't affect gameplay and they're earning money. It's nothing surprising or new.[/QUOTE] I think in court you would have a decent case since - the COD servers send data to those who don't need it - they are aware of the exploit - it can be easily fixed (by using an acknowledge system. It will take one Round Trip Time longer to get server info though) - they refuse to fix it - Companies have been successfully sued in similar cases (there was some Spanish company that sued game studios for similar reasons I believe)
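The two server-side mitigations raised in this thread, Ruzza's per-IP query limit and FPtje's acknowledge step that costs one extra round trip, sketched as an added example that is not code from any game or from the posters. The query format follows the Quake 3 style that COD4 uses (`getstatus` request, `statusResponse` reply) but the traffic, sizes and the `QueryServer`/`simulate` names are constructed for illustration:

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample traffic in the Quake 3 style query format COD4 uses:
# four 0xff bytes, then a text command. Sizes are illustrative, not captured.
OOB = b"\xff\xff\xff\xff"
GETSTATUS = OOB + b"getstatus"                       # 13-byte request
STATUS_BODY = b"\\sv_hostname\\example\\mapname\\mp_crash\n" + b'0 0 "player"\n' * 32

SECRET = os.urandom(16)  # process-local key: challenge tokens need no per-source state

def challenge_for(src_ip: str, window: int) -> bytes:
    # Token bound to the claimed source address and a time window; only a host
    # that really receives traffic addressed to src_ip can learn and echo it.
    mac = hmac.new(SECRET, f"{src_ip}|{window}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16].encode()

class QueryServer:
    def __init__(self, require_ack: bool, per_ip_limit: int, window_s: int = 10):
        self.require_ack = require_ack    # the "acknowledge system" FPtje describes
        self.per_ip_limit = per_ip_limit  # Ruzza's per-IP anti-spam query limit
        self.window_s = window_s
        self.answered = defaultdict(int)  # (src_ip, window) -> full replies sent

    def handle(self, src_ip: str, datagram: bytes, now: float) -> bytes:
        """Return the datagram the server sends back to src_ip (b'' for silence)."""
        if not datagram.startswith(OOB):
            return b""
        cmd, _, token = datagram[4:].partition(b" ")
        if cmd != b"getstatus":
            return b""
        window = int(now // self.window_s)
        if self.answered[(src_ip, window)] >= self.per_ip_limit:
            return b""  # over the limit: silence, so nothing is amplified
        if self.require_ack and token != challenge_for(src_ip, window):
            # Unverified source gets a small fixed-size challenge, never the full status.
            return OOB + b"challenge " + challenge_for(src_ip, window)
        self.answered[(src_ip, window)] += 1
        return OOB + b"statusResponse\n" + STATUS_BODY

def simulate(server, src_ip, requests, receives_replies, now=0.0):
    """Feed `requests` getstatus datagrams claiming source src_ip and return
    (bytes received, bytes sent). receives_replies=False models a source that
    never sees the replies and so can never echo the token back."""
    bytes_in = bytes_out = 0
    for _ in range(requests):
        reply = server.handle(src_ip, GETSTATUS, now)
        bytes_in, bytes_out = bytes_in + len(GETSTATUS), bytes_out + len(reply)
        if receives_replies and reply.startswith(OOB + b"challenge "):
            ack = GETSTATUS + b" " + reply[len(OOB) + len(b"challenge "):]
            reply = server.handle(src_ip, ack, now)
            bytes_in, bytes_out = bytes_in + len(ack), bytes_out + len(reply)
    return bytes_in, bytes_out
```

Dividing bytes sent by bytes received gives the amplification a server offers: with neither control a single 13-byte probe draws a 473-byte reply, the challenge step caps an unverified source at a 30-byte reply per probe, and the per-IP limit caps total output per window regardless.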
  • Avatar of justosay1123
  • As far as I know, leaving smurf amplifiers open even after notification is a good case for a lawsuit, yes.
  • Avatar of Fleamonji
  • [QUOTE=zzaacckk;34172492]Because he probably queries one server, then the next, then the next until the list is over.[/QUOTE] Not when it comes in at a couple hundred thousand PPS
  • Avatar of zzaacckk
  • I've been undergoing a DDoS attack from devnull for like the past two days. I have a private firewall and IPS on my boxes and they don't experience downtime from the attack; we are only getting hit with like 200 - 250 mbits max. The only issue is it running up our bandwidth, not it giving us downtime. It's really starting to piss my DC off.
  • Apologies if I'm not understanding this right, but couldn't someone write something that checks all the CoD servers, then adds them to a blocklist? It runs, say, once a day since people add/remove servers often. That would take care of the majority of it, unless there's something I'm missing; again, I'm not 100% sure on how the whole thing operates, so apologies if this is dumb. Although this doesn't cater for what FPtje said about; [quote] Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived at the machine's network card yet. [/quote]
  • Avatar of Chewgum
  • [QUOTE=Adzter;34180054]Apologies if I'm not understanding this right, but couldn't someone write something that checks all the CoD servers, then adds them to a blocklist? It runs, say, once a day since people add/remove servers often. That would take care of the majority of it, unless there's something I'm missing; again, I'm not 100% sure on how the whole thing operates, so apologies if this is dumb. Although this doesn't cater for what FPtje said about;[/QUOTE] You can block IPs/packets (with iptables) from reaching your application, but then it'll still go into your network and use bandwidth. But your provider can stop things in the switch before it reaches your server's network card, I think :v:
  • Avatar of DylanWilson
  • [QUOTE=JustSoFaded;34154398]Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc. Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..[b][i][u]limited, at best[/u][/i][/b], and you don't seem to know exactly what you are talking about.[/QUOTE] Well, I'm glad you did your research. To further your investigation I'll inform you that you are correct: I'm not strong in C/C++, but I'm pretty beast in Python and web languages (I took 6 web design classes in high school; it was an easy A and my school's only computer class, so I kept taking them), and I'm decent in Lua. I'm also happy that I'm entirely wrong except for the only point I made. Regardless, Revenge's post stands true that it doesn't matter, because in many of these attacks your internet connection isn't made to handle that amount of data, and simply doesn't, even before it reaches the server.
  • Avatar of FPtje
  • [QUOTE=_Chewgum;34180160]You can block IPs/packets (with iptables) from reaching your application, but then it'll still go into your network and use bandwidth. But your provider can stop things in the switch before it reaches your server's network card, I think :v:[/QUOTE] The provider can, but is often reluctant to. At least they were in my experience. I was once DDoSed, and I called my provider to ask them if they could do anything. They acknowledged: "Well it LOOKS like you're getting a lot of inbound traffic!". I said "I know that, I'm being DDoSed, can you do anything about it?". They replied with "Have you tried restarting your computer/router?". It pissed me the fuck off. But yeah, in theory the ISPs can both detect and kill DDoS attacks at network level. Why? Because they own and control the routers that lead to your house/datacenter, and they are able to drop the packages as soon as they pass one of their routers, killing the attack before it even reaches your house/datacenter.
  • Avatar of Grea$eMonkey
  • As things stand now it's not much of an issue to Activision and everyone's ISPs/hosting. Now if there was a class-action lawsuit with a good platform, which from the looks of things there already is when everyone has their terminology correct, there is a serious chance that Activision would make an easy fix. Look at it this way: they either make an easy fix that takes a short amount of time to complete, or they get into legal issues with a group of people who they either need to pay off or pay for lawyers to fight. Put in that situation they're going to lose some amount of money no matter what. Compared to how much they already have it could be a negligible loss, but they can only fight it for so long before they have to fix it or win the case. Then your problem is finding and organizing people to take part in the whole thing, which is the hard part.
  • [QUOTE=JustSoFaded;34138766]That's wrong, if you block the servers in your firewall or iptables or however you do it, it can't send you the data. it's not like the server takes in all your data and then goes "Ohhh....nvm, hes blocked delete that !".[/QUOTE] Asking Seth questions so you can sound smart on facepunch I see.
  • Avatar of JustSoFaded
  • [QUOTE=ethile_2;34181273]Asking Seth questions so you can sound smart on facepunch I see.[/QUOTE] 0/10, try harder.
  • Avatar of thegrb93
  • Just found this. Seems to be relevant to the problem. [url]http://wiki.alliedmods.net/SRCDS_Hardening#Lag.2FDOS[/url]
  • Avatar of Jetsurf
  • [QUOTE=thegrb93;34189840]Just found this. Seems to be relevant to the problem. [url]http://wiki.alliedmods.net/SRCDS_Hardening#Lag.2FDOS[/url][/QUOTE] Nah, this is what you want [URL="https://forums.alliedmods.net/showthread.php?t=151551"]https://forums.alliedmods.net/showthread.php?t=151551[/URL]
  • Avatar of thegrb93
  • [QUOTE=Jetsurf;34192393]Nah, this is what you want [URL="https://forums.alliedmods.net/showthread.php?t=151551"]https://forums.alliedmods.net/showthread.php?t=151551[/URL][/QUOTE] That's pretty useful, but what about windows servers?
  • Avatar of slayer3032
  • [QUOTE=FPtje;34176023]To those defending the firewall idea: Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived at the machine's network card yet. The COD DDoS is a [url=http://www.surasoft.com/articles/ddosa.php#bdwconsumption]bandwidth flood[/url]. It doesn't matter if the COD4 packages are read and interpreted by the end machine. The only thing that matters is that all those packages are going over the line, eating up all bandwidth. That is what people in here mean by line saturation. It's the network cables and the end point routers closest to the server that are being flooded, not the server itself. This is why you often hear that several servers go offline in an attack. [editline]12th January 2012[/editline] I think in court you would have a decent case since - the COD servers send data to those who don't need it - they are aware of the exploit - it can be easily fixed (by using an acknowledge system. It will take one Round Trip Time longer to get server info though) - they refuse to fix it - Companies have been successfully sued in similar cases (there was some Spanish company that sued game studios for similar reasons I believe)[/QUOTE] Being able to reject packets from reaching the application layer is a pretty huge thing. SRCDS doesn't take kindly to unwarranted UDP traffic pointed at it, and your generic booters could take them offline fairly well. You don't need to saturate the line at all to take down a SRCDS instance. You won't have a court case; there isn't a single court in the world which would care, short of suing Stan for damages over the services he runs. No one maintains any of the games being used in these attacks; there really aren't any developers who work on these games. If you want them fixed your best bet is to start abusing the fuck out of them against anything related to the people who are responsible for the development of the game. It's a rather sad reality, but most of the time you have to get your hands a little dirtier than most people are comfortable with these days. No one gives a single fuck about a problem unless it becomes their own; developers have no pride in the programs they work on anymore. The worst part is that these meaningless gameserver DRDoS attacks aren't anything compared to what is in store if these rather worthless exploits are patched. Stan never sold his good shit until he had something better. Even if all the gameserver reflection attacks were to be fixed, that still leaves the much more powerful DNS based attacks which will [b]never[/b] be fixed thanks to how the internet works. The only thing which can stop a DoS attack is the attackers themselves. If no desired outcome of an action is provided there won't be a desire to do the action. If the attacks don't work, they don't happen. [QUOTE=thegrb93;34201941]That's pretty useful, but what about windows servers?[/QUOTE] They are a lost cause. [QUOTE=Jetsurf;34192393]Nah, this is what you want [URL="https://forums.alliedmods.net/showthread.php?t=151551"]https://forums.alliedmods.net/showthread.php?t=151551[/URL][/QUOTE] Most of this stuff isn't very specific at all; the methods he uses to distinguish traffic are pretty terrible. I'm not an expert with IPTables, but I don't see any possible advantage to using really broad rules over a more specific matching based rule. There could possibly be a performance increase or something by comparing length instead of matching hex or strings, but I never noticed one which was justifiable. It is rather stupid for him to be suggesting people use rules which they have very little knowledge of, as they will only cause more problems than they would most likely fix.
  • Avatar of FPtje
  • [QUOTE=slayer3032;34205447]Being able to reject packets from reaching the application layer is a pretty huge thing. SRCDS doesn't take kindly to unwarranted UDP traffic pointed at it, and your generic booters could take them offline fairly well. You don't need to saturate the line at all to take down a SRCDS instance. You won't have a court case; there isn't a single court in the world which would care, short of suing Stan for damages over the services he runs. No one maintains any of the games being used in these attacks; there really aren't any developers who work on these games. If you want them fixed your best bet is to start abusing the fuck out of them against anything related to the people who are responsible for the development of the game. It's a rather sad reality, but most of the time you have to get your hands a little dirtier than most people are comfortable with these days. No one gives a single fuck about a problem unless it becomes their own; developers have no pride in the programs they work on anymore. The worst part is that these meaningless gameserver DRDoS attacks aren't anything compared to what is in store if these rather worthless exploits are patched. Stan never sold his good shit until he had something better. Even if all the gameserver reflection attacks were to be fixed, that still leaves the much more powerful DNS based attacks which will [b]never[/b] be fixed thanks to how the internet works. The only thing which can stop a DoS attack is the attackers themselves. If no desired outcome of an action is provided there won't be a desire to do the action. If the attacks don't work, they don't happen. They are a lost cause. Most of this stuff isn't very specific at all; the methods he uses to distinguish traffic are pretty terrible. I'm not an expert with IPTables, but I don't see any possible advantage to using really broad rules over a more specific matching based rule. There could possibly be a performance increase or something by comparing length instead of matching hex or strings, but I never noticed one which was justifiable. It is rather stupid for him to be suggesting people use rules which they have very little knowledge of, as they will only cause more problems than they would most likely fix.[/QUOTE] Most pessimistic post I've seen so far :( on this issue. I didn't know srcds had such exploits. But if that's the case, would you even have to distribute your DoS to take down srcds if you use the exploits?