• Anti DDoS
    118 replies, posted
  • Avatar of slayer3032
  • [QUOTE=FPtje;34205537]Most pessimistic post I've seen so far :( on this issue. I didn't know srcds had such exploits. But if that's the case, would you even have to distribute your DoS to take down srcds if you use the exploits?[/QUOTE] What exactly do you mean by distribute and "exploits"? An average booter hosted by a single server on at least 100mbps used to be plenty to take down SRCDS, I personally had an intense whitelist based IPTables ruleset on my dedicated servers for the last year at least so I'm not sure what attacks still work short of line saturation.. The Garry's Mod community seems to have a huge issue with DoS attacks, someone once brought to my attention that many gameservers for other games are ran on bottom dollar servers that could even be on 10mbps lines. 1gbps being required for a single small community is something which is absolutely unique to us. However, I'd like to think that the stakes are higher and the money is more lucrative as if you play your cards right it's simple to make more than a full time job at minimum wage in certain situations off "donations". The people who develop things for Garry's Mod are also significantly more intelligent than let's say the plugin developers for Minecraft or the developers of almost every single sourcemod. This brings just as many intelligent people who see an opportunity to make fucking bank off of little kids which throw their parent's money/credit cards around like they do their in-game monies. Places like GangwarsRP who have no self respect and let people simply pay2win only add to this by inviting the further devaluation of real money in a game. [i]Micro[/i]transactions don't help either as many games these days are enabling players to dump hundreds or even thousands of dollars into games. When people get this far in with hundreds and thousands of hours played people won't look at that $100 program which lets them ruin it all for anyone who wronged them as "overpriced" at all.
I'm not all that pessimistic, it's just that things are starting to shift into something completely new that hasn't fully taken place yet. Things definitely aren't the same as they were back in 07 and I just don't think many people are bringing us in a better direction.
  • Avatar of justosay1123
  • I agree that taking down the CoD4 exploit might make stan simply move over to DNS Amplification based attacks, and eventually make the attacks DevNull can do several times stronger as a revenge. The best option we have now is to get rid of stan himself from the internet scene, and not the exploit he's using because there are still a dozen other exploits out there that he can switch over to. The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.
  • Avatar of Ruzza
  • [QUOTE=justosay1123;34208482]I agree that taking down the CoD4 exploit might make stan simply move over to DNS Amplification based attacks, and eventually make the attacks DevNull can do several times stronger as a revenge. The best option we have now is to get rid of stan himself from the internet scene, and not the exploit he's using because there are still a dozen other exploits out there that he can switch over to. The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.[/QUOTE] Fixing the exploit on cod and et servers will be good too because after stan is gone someone else will take his place and might use the same exploits
  • Avatar of slayer3032
  • [QUOTE=justosay1123;34208482]The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.[/QUOTE] Tell that to LSTN or other datacenters when their ISP null routes your IP at their level because it's been using 4gbps for 2 weeks. [QUOTE=Ruzza;34211254]Fixing the exploit on cod and et servers will be good too because after stan is gone someone else will take his place and might use the same exploits[/QUOTE] Not very many people have the intelligence to work more than 600mbps out of CoD, there's more to it than you might think at first.
  • Avatar of lorde banana
  • [QUOTE=slayer3032;34214196]Tell that to LSTN or other datacenters when their ISP null routes your IP at their level because it's been using 4gbps for 2 weeks.[/QUOTE] I dunno what you did to stay online for quite a bit while being hammered but they nullroute pretty much for anything over 400Mbit for me.
  • [QUOTE=Banana Lord.;34214591]I dunno what you did to stay online for quite a bit while being hammered but they nullroute pretty much for anything over 400Mbit for me.[/QUOTE] I've only had SniperBoys get null routed once by LSTN after we got hit by 3gbps. But aside from that, we have had a few 300mbps-600mbps, and it has been resolved without any null routing. I guess we are lucky...
  • Avatar of Jetsurf
  • I agree slayer, those rules are exactly the best, they do have a few valid rules in there... and any bit to help mitigate skiddys DoSing your servers for the hell of it helps.
  • Avatar of Hentie
  • There's a fix for CoD4 servers that prevent your server for being used in a DDoS attack, but I think it's for linux servers only. How about we multitask, if Activision isn't fixing it soon why don't we get CoD4 servers owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on. I don't know why CoD4 doesn't put a limit on how frequent you can refresh the master server.
  • [QUOTE=Hentie;34257784]There's a fix for CoD4 servers that prevent your server for being used in a DDoS attack, but I think it's for linux servers only. How about we multitask, if Activision isn't fixing it soon why don't we get CoD4 servers owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on. I don't know why CoD4 doesn't put a limit on how frequent you can refresh the master server.[/QUOTE] Surely the more valid fix here is using tcp instead of udp so people can't spoof the source address
  • Avatar of DylanWilson
  • [QUOTE=Hentie;34257784]There's a fix for CoD4 servers that prevent your server for being used in a DDoS attack, but I think it's for linux servers only. How about we multitask, if Activision isn't fixing it soon why don't we get CoD4 servers owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on. I don't know why CoD4 doesn't put a limit on how frequent you can refresh the master server.[/QUOTE] you reminded me of a website i used to get exploit fixes from in JK3 looks like he's already addressed the issue, from the looks of things this drdos is causing CoD4 servers to go down [url]http://aluigi.altervista.org/patches.htm[/url] lpatch can be run from any OS, maybe whoever has the initiative to contact all these owners can zip together a batch file that does (most of) any work that may be needed
  • Avatar of Ruzza
  • [QUOTE=Dame Flawless;34259028]Surely the more valid fix here is using tcp instead of udp so people cant spoof the source address[/QUOTE] SYN flood attack
  • [QUOTE=Ruzza;34259801]SYN flood attack[/QUOTE] That would more than halve the power of it making it useless
  • Avatar of Bawbag
  • [QUOTE=Ruzza;34259801]SYN flood attack[/QUOTE] Yeah, because SYN floods hit 15gbit/s.
  • Avatar of slayer3032
  • [QUOTE=Hentie;34257784]There's a fix for CoD4 servers that prevent your server for being used in a DDoS attack, but I think it's for linux servers only. How about we multitask, if Activision isn't fixing it soon why don't we get CoD4 servers owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on. I don't know why CoD4 doesn't put a limit on how frequent you can refresh the master server.[/QUOTE] We shouldn't care because if we do get the small exploits patched that leaves the unpatchable ones which are much stronger that aren't used yet. It would pretty much be of your best interest to not get these patched sadly. It helps if you take the time to read the posts I make. CoD4 server owners won't give a single fuck about you anyways, most of them probably aren't even contactable.
  • Avatar of Ruzza
  • [QUOTE=Dame Flawless;34259822]That would more than halve the power of it making it useless[/QUOTE] A more reliable fix would be to limit query requests from an ip. will stop ALL of the attack
  • [QUOTE=Ruzza;34259855]A more reliable fix would be to limit query requests from an ip. will stop ALL of the attack[/QUOTE] You could still flood servers with a limit on the next query you could just do attacks in short bursts so how is that stopping the attack either? if you have enough servers to do it and its not like there is a shortage of them considering how many games are vulnerable to this.
  • Avatar of Ruzza
  • [QUOTE=Dame Flawless;34259923]You could still flood servers with a limit on the next query you could just do attacks in short bursts so how is that stopping the attack either? if you have enough servers to do it and its not like there is a shortage of them considering how many games are vulnerable to this.[/QUOTE] If Devnull can hit 350MB max while spamming queries, I hardly doubt it will be able to hit anything more than 10MB after a query spam protection system is placed in.
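Added example, not part of any post in this thread: a sketch of the per-source query limit debated in the replies above, seen from the side of the game server that answers the queries. It assumes a token bucket (2 responses per second, 5 saved up) and constructed packet sizes and traffic; `QueryLimiter`, `reflected_bytes` and the addresses are illustrative names, not code from any game server.

```python
from collections import defaultdict

QUERY_RATE, BURST = 2, 5   # assumed limit: 2 responses/sec, 5 saved up
RESPONSE_BYTES = 1200      # constructed size of one status response
VICTIM, PLAYER = "203.0.113.7", "198.51.100.20"  # documentation addresses

class QueryLimiter:
    """Token bucket per claimed source address."""
    def __init__(self, rate=QUERY_RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.state = {}  # src -> (tokens, time of last query)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        # Refill for the time elapsed, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[src] = (tokens - 1 if ok else tokens, now)
        return ok

def reflected_bytes(queries, limiter=None):
    """Bytes this server sends toward each claimed source."""
    sent = defaultdict(int)
    for now, src in sorted(queries):
        if limiter is None or limiter.allow(src, now):
            sent[src] += RESPONSE_BYTES
    return dict(sent)

def steady(src, per_sec, seconds):
    """Constructed stream: evenly spaced queries."""
    return [(i / per_sec, src) for i in range(per_sec * seconds)]

def bursts(src, size, every, seconds):
    """Constructed stream: `size` queries at once, every `every` seconds."""
    return [(float(t), src) for t in range(0, seconds, every) for _ in range(size)]

def compare(queries):
    """(bytes sent with no limit, bytes sent with the limiter)."""
    return reflected_bytes(queries), reflected_bytes(queries, QueryLimiter())

if __name__ == "__main__":
    polling = bursts(PLAYER, 1, 5, 10)
    for name, stream in [("steady", steady(VICTIM, 1024, 10)),
                         ("bursty", bursts(VICTIM, 500, 5, 10))]:
        print(name, *compare(stream + polling))
```

Because the bucket is keyed on the claimed source, both the steady and the bursty stream are held to at most burst + rate × elapsed seconds of responses from this one server, while a player polling every few seconds is unaffected.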
  • Avatar of Bawbag
  • [QUOTE=Ruzza;34261091]If Devnull can hit 350MB max while spamming queries, I hardly doubt it will be able to hit anything more than 10MB after a query spam protection system is placed in.[/QUOTE] 350MB? That's only <3 gig.
  • Avatar of Ruzza
  • [QUOTE=Bawbag;34261321]350MB? That's only <3 gig.[/QUOTE] [B]Only[/B] enough to take out most home connections, servers with 100MB port, servers in Australia.
  • Avatar of Hentie
  • [QUOTE=slayer3032;34259854]We shouldn't care because if we do get the small exploits patched that leaves the unpatchable ones which are much stronger that aren't used yet. It would pretty much be of your best interest to not get these patched sadly. It helps if you take the time to read the posts I make. CoD4 server owners won't give a single fuck about you anyways, most of them probably aren't even contactable.[/QUOTE] CoD4 server owners will give a single fuck after too many master server list responses are made that will lag or even crash their servers.
  • Avatar of slayer3032
  • [QUOTE=Hentie;34265759]CoD4 server owners will give a single fuck after too many master server list responses are made that will lag or even crash their servers.[/QUOTE] No one's really noticed in the last 3 years it's been abused, what would change that now?
  • Avatar of Hentie
  • [QUOTE=slayer3032;34259854]We shouldn't care because if we do get the small exploits patched that leaves the unpatchable ones which are much stronger that aren't used yet. It would pretty much be of your best interest to not get these patched sadly. It helps if you take the time to read the posts I make.[/QUOTE] Not care about getting something patched that might reduce the strength of DevNull? Just how do you think DevNull will get stronger if we weaken it? Where is your logic?
  • Avatar of benjojo
  • [QUOTE=Ruzza;34261581][B]Only[/B] enough to take out most home connections, servers with 100MB port, [highlight]servers in Australia.[/highlight][/QUOTE] What?
  • Avatar of slayer3032
  • [QUOTE=Hentie;34274878]Not care about getting something patched that might reduce the strength of DevNull? Just how do you think DevNull will get stronger if we weaken it? Where is your logic?[/QUOTE] Maybe you should read my posts, it would only cause it to be replaced with DNS amplification which has higher output. So instead of getting the usual blockable 0.6-1.5gbps you would be getting 3-4gbps. Where is your logic? You're basically just throwing rocks at a huge bees nest instead of getting rid of it.
  • Avatar of Hentie
  • [QUOTE=slayer3032;34280342]Maybe you should read my posts, it would only cause it to be replaced with DNS amplification which has higher output. So instead of getting the usual blockable 0.6-1.5gbps you would be getting 3-4gbps. Where is your logic? You're basically just throwing rocks at a huge bees nest instead of getting rid of it.[/QUOTE] So why aren't they replacing it with DNS amplification right now?
  • Avatar of Ruzza
  • [QUOTE=benjojo;34277493]What?[/QUOTE] In america you have 1TB lines which you can put heaps of customers with 1GB ports on, in australia we have a 10GB line which limits people to 100MBit each customer/port. You can buy a 1GB line here but it will cost you a FUCK TON.
  • Avatar of slayer3032
  • [QUOTE=Hentie;34282362]So why aren't they replacing it with DNS amplification right now?[/QUOTE] [QUOTE=slayer3032;34205447]Being able to reject packets from reaching the application layer is a pretty huge thing, SRCDS doesn't take kindly to unwarranted udp traffic pointed at it and your generic booters could take them offline fairly well. You don't need to saturate the line at all to take down a SRCDS instance. You won't have a court case, there isn't a single court in the world which would care short of suing stan for damages over the services he runs. No one maintains any of the games being used in these attacks, there really aren't any developers who work on these games. If you want them fixed your best bet is to start abusing the fuck out of them against anything related to the people who are responsible for the development of the game. It's a rather sad reality but most of the time you have to get your hands a little dirtier than most people are comfortable these days. No one gives a single fuck about a problem unless it becomes their own, developers have no pride in the programs they work on anymore. [b]The worst part is that these meaningless gameserver DRDoS attacks aren't anything compared to what is in store if these rather worthless exploits are patched. Stan never sold his good shit until he had something better. Even if all the gameserver reflection attacks were to be fixed that still leaves the much more powerful DNS based attacks which will never be fixed thanks to how the internet works.[/b] The only thing which can stop a DoS attack is the attacker themself. If no desired outcome of an action is provided there won't be a desire to do the action. If the attacks don't work, they don't happen. they are a lost cause Most of this stuff isn't very specific at all, the methods he uses to distinguish traffic are pretty terrible.
I'm not an expert with IPTables but I don't see any possible advantage to using really broad rules over a more specific matching based rule. There could possibly be a performance increase or something by comparing length instead of matching hex or strings but I never noticed one which was justifiable. It is rather stupid for him to be suggesting people to use rules which they would have very little knowledge of what they do as they will only cause more problems than they would most likely fix.[/QUOTE] When the super low bandwidth exploits in srcds were fixed, DevNull moved to using gameserver reflection. I've come to the realization that it's pointless to include my opinion based on my experience of dealing with all of this since years before DevNull since no one would even bother to take my advice since I deviate from the norm of impulsive and poorly thought out retaliations. Frankly, I don't need to care anymore since it's not my problem. Good luck, you'll need it.