Server got attacked.

[Foley]

Yeah, as the topic title says, server I was administrating got attacked by some person.

And by attacked, I mean a huge connection flooding which could cause many bugs if it wasnt prevented, I'm attaching the logs so if anyone of you experience similar situation, you might be prepared.

Code: [Select]

09-03-14 16:27:03 95.24.194.128:1168 requesting game (Banned by an admin)...
09-03-14 16:27:03 95.24.194.128:1169 requesting game (Banned by an admin)...
09-03-14 16:27:04 95.24.194.128:1170 requesting game (Banned by an admin)...
09-03-14 16:27:05 95.24.194.128:1171 requesting game (Banned by an admin)...
09-03-14 16:27:05 95.24.194.128:1172 requesting game (Banned by an admin)...
09-03-14 16:27:06 95.24.194.128:1173 requesting game (Banned by an admin)...
09-03-14 16:27:06 95.24.194.128:1174 requesting game (Banned by an admin)...
09-03-14 16:27:07 95.24.194.128:1175 requesting game (Banned by an admin)...
09-03-14 16:27:08 95.24.194.128:1176 requesting game (Banned by an admin)...
09-03-14 16:27:08 95.24.194.128:1177 requesting game (Banned by an admin)...
09-03-14 16:27:09 95.24.194.128:1178 requesting game (Banned by an admin)...
09-03-14 16:27:10 95.24.194.128:1179 requesting game (Banned by an admin)...
09-03-14 16:27:10 95.24.194.128:1180 requesting game (Banned by an admin)...
09-03-14 16:27:11 95.24.194.128:1181 requesting game (Banned by an admin)...
09-03-14 16:27:12 95.24.194.128:1182 requesting game (Banned by an admin)...
09-03-14 16:27:13 95.24.194.128:1183 requesting game (Banned by an admin)...
09-03-14 16:27:14 95.24.194.128:1184 requesting game (Banned by an admin)...
09-03-14 16:27:15 95.24.194.128:1185 requesting game (Banned by an admin)...
09-03-14 16:27:15 95.24.194.128:1186 requesting game (Banned by an admin)...
09-03-14 16:27:17 95.24.194.128:1187 requesting game (Banned by an admin)...

Banned by admin because I've done this, however this is not the whole log, here's how it started:

Code: [Select]

09-03-14 16:24:57 Major joining game (78.106.231.80:52552)
09-03-14 16:24:57 restart cipher 1
09-03-14 16:24:58 Major(1) joining game (78.106.231.80:52808)
09-03-14 16:24:58 restart cipher 1
...
09-03-14 16:24:57 Major joining game (78.106.231.80:52552)
09-03-14 16:24:57 restart cipher 1
09-03-14 16:24:58 Major(1) joining game (78.106.231.80:52808)
09-03-14 16:24:58 restart cipher 1
...
09-03-14 16:25:08 78.106.231.80:1109 requesting game...
09-03-14 16:25:08 78.106.231.80:1110 requesting game...
09-03-14 16:25:08 78.106.231.80:1111 requesting game...
09-03-14 16:25:09 78.106.231.80:1112 requesting game...
09-03-14 16:25:10 78.106.231.80:1113 requesting game...
09-03-14 16:25:10 78.106.231.80:1114 requesting game...
09-03-14 16:25:11 78.106.231.80:1115 requesting game...
09-03-14 16:25:12 78.106.231.80:1116 requesting game...
09-03-14 16:25:12 78.106.231.80:1117 requesting game...
...
09-03-14 16:25:38 Major joining game (78.106.231.80:54357)
09-03-14 16:25:38 restart cipher 1
09-03-14 16:25:39 Major(1) joining game (78.106.231.80:54868)
09-03-14 16:25:39 restart cipher 1

etc.

This happened on an R/S server so only R/S(maybe R too) are his targets.
I didn't clear the IP out of here on purphose, maybe you would like to ban that person on-the-fly.

This person (as you can notice) has more than one IP range so banning one might not help.

EDIT: Known (by me) bugs of that kind of attack:
- everyone loses guns (massive drop bug)
- you can't enter the server (unknown server error)
- wrong map version errors
- map gets reset (eg. changes to first from the list)
- server shutdowns, unstability?

This kind of thing is possible to be prevented if you act fast.
(didn't post for some time did I)

[EnEsCe]

Use the search function.

[Foley]

Use the search function.

Question mark.

EDIT: I know, I know, but maybe someone didn't knew about that, hosts his/her own server and wants to be prepared.

Bad luck if your server is hosted by someone and you don't get the root access to deny the ip.

[jrgp]

Can you try getting your host to run something like:

iptables -I INPUT -s 78.106.231.80 -j DROP
iptables -I INPUT -s 95.24.194.128 -j DROP

as root for you?

Tell them that a malicious person is trying deliberately to screw you (and them) over. That should give them ample motivation.

[Furai]

I've made smiliar topic to this some time ago and it got locked and I was worned for not reading forum rules. Anyways, I've seen that attack earlier. It causes scriptcore corruption, too.

[Foley]

iptables -I INPUT -s 78.106.231.80 -j DROP
iptables -I INPUT -s 95.24.194.128 -j DROP

78.106.*.*
95.24.*.*

Ranges maybe? The server I've been admining is hosted not by me, I'll message them.

[mar77a]

there's a fix for this, use the server patch which MM released (search, as enesce said)

[Shoozza]

there's a fix for this, use the server patch which MM released (search, as enesce said)

That's not true the fix (which I created and MM released) was only against the demo hack, the cipher and mapload problem.
Because the flooding problem is much more complicated and soldat 1.5.0 will be released soon I don't think I'll force myself to debug/disassemble and binary patch the soldatserver for that -_-. It was enough pain to do the other patches.

[Leo]

iptables -I INPUT -s 78.106.231.80 -j DROP
iptables -I INPUT -s 95.24.194.128 -j DROP

78.106.*.*
95.24.*.*

Ranges maybe? The server I've been admining is hosted not by me, I'll message them.

Yeah, I have banned same IP ranges for months now...

[mar77a]

09-03-14 16:24:57 Major joining game (78.106.231.80:52552)
09-03-14 16:24:57 restart cipher 1
09-03-14 16:24:58 Major(1) joining game (78.106.231.80:52808)
09-03-14 16:24:58 restart cipher 1
...
09-03-14 16:24:57 Major joining game (78.106.231.80:52552)
09-03-14 16:24:57 restart cipher 1
09-03-14 16:24:58 Major(1) joining game (78.106.231.80:52808)
09-03-14 16:24:58 restart cipher 1

...


... Shoozza...,,, ,,SHOOOZAA!??!?

!?=!???!?!?!? TT_!?!???nfaㄹ워ㅏㅜㄴㅇㅁㄹ!_

[Shoozza]

cripher 1 means that the player doesn't encript the packets right.
Which means is no original client like you may have arleady realized by now.

[Laser Guy]

Just happened DO TW server, 12 minutes ago.
A hacker joined, we votekicked him, and the flooding started. Everyone started loosing weps and all the other stuff too... And then the unknown server error... Demo contains only flooding effects. If I can I'll get the server log too, but since it's a server rented from EnEsCe I'm pretty sure he can get it himself...

Code: [Select]

17:26:05) þ>¬KÄ~à joining game (195.174.238.76:58561)
(17:26:05) Å¿2$èÇ–Ü joining game (195.174.238.76:58565)
(17:26:05) ¯I Gß)E joining game (195.174.238.76:58565)
(17:26:05) Šõ,(D-“ joining game (195.174.238.76:58565)
(17:26:06) H'›¼¾ joining game (195.174.238.76:58565)
(17:26:06) ÊÍaœo¼} joining game (195.174.238.76:58565)
(17:26:06) WÐÐ$1 joining game (195.174.238.76:58565)
(17:26:06) «:‘@]ÕPP joining game (195.174.238.76:58565)
(17:26:06) ‚’ó®V
³ü joining game (195.174.238.76:58565)
(17:26:06) Œ¸hŠ—ઠjoining game (195.174.238.76:58570)
(17:26:06) Major joining game (195.174.238.76:58570)
(17:26:06) Õ­ìF²»© joining game (195.174.238.76:58570)
(17:26:06) Major joining game (195.174.238.76:58570)
(17:26:07) ݍ±ªO joining game (195.174.238.76:58570)
(17:26:07) æˆSpåXZ| joining game (195.174.238.76:58570)
(17:26:07) ØÁ-ë} ã joining game (195.174.238.76:58570)
(17:26:07) §°æQzKü joining game (195.174.238.76:58570)
(17:26:07) Sr9/°ý ° joining game (195.174.238.76:58573)
(17:26:07) ‰¾%;à¶o joining game (195.174.238.76:58573)
(17:26:07) Major joining game (195.174.238.76:58573)
(17:26:07) s€u¬Ð@ joining game (195.174.238.76:58573)
(17:26:07) ^”Þ›A±Žà joining game (195.174.238.76:58573)
(17:26:07) \\žÆt4²Õ joining game (195.174.238.76:58573)
(17:26:08) ¿å/ÅDK³t joining game (195.174.238.76:58573)
(17:26:08) f4Í•žì‰ joining game (195.174.238.76:58573)
(17:26:08) Major joining game (195.174.238.76:58580)
(17:26:08) k joining game (195.174.238.76:58580)
(17:26:08) &J³Tɧ joining game (195.174.238.76:58580)
(17:26:08) äAá®(' joining game (195.174.238.76:58580)
(17:26:08) ij$ joining game (195.174.238.76:58580)
(17:26:08) Û{]©4Ì joining game (195.174.238.76:58580)
(17:26:08) Major joining game (195.174.238.76:58580)
(17:26:09) õ09åRÜÂ joining game (195.174.238.76:58580)
(17:26:09) —Ì남þĶ joining game (195.174.238.76:58584)
(17:26:09) äýºÇ]Q joining game (195.174.238.76:58584)
(17:26:09) ÇBÚêäë| joining game (195.174.238.76:58584)
(17:26:09) ¯`k¾±V ‚ joining game (195.174.238.76:58584)
(17:26:09) ÷üZ‚¤ joining game (195.174.238.76:58584)
(17:26:09) ΢ò{ý<2 joining game (195.174.238.76:58584)
(17:26:09) o¯ÁœÌv* joining game (195.174.238.76:58584)
(17:26:09) Ìó6Âù~ joining game (195.174.238.76:58584)
(17:26:10) “áxíÝÛ· joining game (195.174.238.76:58593)
(17:26:10) ú6'¨Ò0Ð joining game (195.174.238.76:58593)
(17:26:10) Žwo%ËÞ˜ joining game (195.174.238.76:58593)
(17:26:10) Ë7yf€³ÇP joining game (195.174.238.76:58593)
(17:26:10) šJv8§ joining game (195.174.238.76:58593)
(17:26:10) ÚWMxé¸h joining game (195.174.238.76:58593)
(17:26:10) Î@ XáÛo? joining game (195.174.238.76:58593)
(17:26:10) ¡õÈÝm
8 joining game (195.174.238.76:58593)
(17:26:10) ‰N=h¸§- joining game (195.174.238.76:58596)
(17:26:11) ô Räwƒß« joining game (195.174.238.76:58596)
(17:26:11) i”$øw'Oœ joining game (195.174.238.76:58596)
(17:26:11) Ð{"v$T¨Ñ joining game (195.174.238.76:58596)
(17:26:11) Ú'-¾FW? joining game (195.174.238.76:58596)
(17:26:11) 審”Ä joining game (195.174.238.76:58596)
(17:26:11) 0äΣ|Ǿ0 joining game (195.174.238.76:58596)
(17:26:11) k^¥m¢ÁÏt joining game (195.174.238.76:58596)
(17:26:11) WZk’é­¼ý joining game (195.174.238.76:58602)
(17:26:11) [fFë<b joining game (195.174.238.76:58602)
(17:26:12) †ƒˆ91i÷€ joining game (195.174.238.76:58602)
(17:26:12) “^_Éé­’† joining game (195.174.238.76:58602)
(17:26:12) `æ†Þ¹L— joining game (195.174.238.76:58602)
(17:26:12) ì:ù~÷4Ò joining game (195.174.238.76:58602)
(17:26:12) nþb³ÜÑ joining game (195.174.238.76:58602)
(17:26:12) d§FÜ.]i joining game (195.174.238.76:58602)
(17:26:12) ±g|„ïR joining game (195.174.238.76:58606)
(17:26:12) òEÊÚk€H¹ joining game (195.174.238.76:58606)
(17:26:12) Ulnø\•µ{ joining game (195.174.238.76:58606)
(17:26:13) ,Rj{Zv. joining game (195.174.238.76:58606)
(17:26:13) þŒtäÑ–jL joining game (195.174.238.76:58606)
(17:26:13) Ö“G¤à@Ÿ joining game (195.174.238.76:58606)
(17:26:13) xÑÝ8ùª²D joining game (195.174.238.76:58606)
(17:26:13) ö
/¢EÍ joining game (195.174.238.76:58606)
(17:26:13) G4d|Sly has been kicked and banned for 60 minutes (Vote Kicked)



Also, something wierd is going with the eC DB server ATM...

[EnEsCe]

It's already fixed in Soldat 1.5.0, you will all have to wait till then for any permanent solutions.

On the other hand, use a firewall.