Author Topic: Flooding attack  (Read 3299 times)

0 Members and 1 Guest are viewing this topic.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Flooding attack
« on: April 01, 2014, 08:35:35 am »
Hey guys, few times a very bad guy is trying to crash our server:

14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).

After server takes 98% of processor and its impossible to join.
Do you know this IP?
Do you know a way of protecting against this? Something another than iptables?
www.facebook.com/coSoldat

Center Of Soldat

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #1 on: April 01, 2014, 08:52:16 am »
Its seems like random IP, looking at google I see that this ip show up few times as forum spam bot.
I had in my database only: 93.114.43.141 with nicks: Major, x-Aro-x, Jeben and few other majors.

Its "hole" in soldat security... For past few years I tried loots of things to block it... nothing.

Offline darDar

  • Soldat Beta Team
  • Flagrunner
  • ******
  • Posts: 810
  • 2004 - 2018
    • #Soldat Gather - Community on Discord
Re: Flooding attack
« Reply #2 on: April 01, 2014, 08:54:41 am »
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
Since it says "Admin disconnected" this guy obviously has your admin login or port.
It would say Admin failed to connect else if im right. (?)
Change your adminlog or port and see if it is getting better. He is located in Romania.

install that to your machine:
fail2ban
« Last Edit: April 01, 2014, 08:57:06 am by darDar »
Soldat Gather 'Matchmaking Community on Discord'

gather.soldat.pl

| My Maps: ctf_Pyramid, ctf_Replay, ctf_Blako, ctf_R6, ctf_Ntex, ctf_Caro, ctf_Bizar & vs_mode mappack |

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1396
  • High above
    • Zabijaka.pl

Im chill like that

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #4 on: April 01, 2014, 09:28:35 am »

Since it says "Admin disconnected" this guy obviously has your admin login or port.
It would say Admin failed to connect else if im right. (?)
Change your adminlog or port and see if it is getting better. He is located in Romania.


Not it dont have logins.
There is app called [dont even think that I give you name] that... crash soldat servers, Its pain in the A$$ that almost everyone can use it. Its so simple that you need to just write [something] to crash it...

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #5 on: April 01, 2014, 09:31:29 am »
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
Since it says "Admin disconnected" this guy obviously has your admin login or port.
It would say Admin failed to connect else if im right. (?)
Change your adminlog or port and see if it is getting better. He is located in Romania.

install that to your machine:
fail2ban
15:57:06) Admin failed to connect (x.x.x.x).
(15:57:07) Admin disconnected (x.x.x.x).
When I tried to connect with bad PW
www.facebook.com/coSoldat

Center Of Soldat

Offline skrX

  • Soldier
  • **
  • Posts: 112
  • x ye.
Re: Flooding attack
« Reply #6 on: April 01, 2014, 09:54:39 am »
bug?

Offline Xestor

  • Major(1)
  • Posts: 41
Re: Flooding attack
« Reply #7 on: April 01, 2014, 10:08:08 am »
isnt it called a DDoS?

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #8 on: April 01, 2014, 10:09:48 am »
DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #9 on: April 01, 2014, 01:13:58 pm »
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).



Someone tried to login and i checked processor : 98%. After i turned off server and turned on again. It shows:

14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).

I changed my adminlog to 'very hard' version. Very strange... I also changed pw to my VPS.
www.facebook.com/coSoldat

Center Of Soldat

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #10 on: April 01, 2014, 01:17:17 pm »
changing pass doesn't help here, this app that crash servers use just ip of you server, its dont need anything else, thats why its so damn hard to block it, especially if attacker can change ip.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #11 on: April 01, 2014, 01:21:22 pm »
Yeah but it shows like he knows my password :o btw what about change AdminPassword='' - without password nobody can join as admin?

btw. Probably this attacker read this topic, because I didn't block previous IP and he changed this anyway. He attacked before always with same IP.
www.facebook.com/coSoldat

Center Of Soldat

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #12 on: April 01, 2014, 01:28:57 pm »
its not that he trying to log as an admin, this app is for crashing server using security bug in soldat, that send more than 10 fake admin login request to server. such massive amount of logins to one port create huge lags that crash your server

I had this few time, I even have this app, trying to find solution for this and nothing. only blocking IP can help, but only for one IP... if attacker can change his address... you can only wait until he get bored...

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #13 on: April 01, 2014, 05:52:32 pm »
4th IP attacked us :D Hosting: Kaia and voxility
www.facebook.com/coSoldat

Center Of Soldat

Offline Shoozza

  • Retired Soldat Developer
  • Veteran
  • ******
  • Posts: 1631
  • Soldat's Babysitter
    • Website
Re: Flooding attack
« Reply #14 on: April 02, 2014, 01:18:17 am »
I didn't see that kind of flood attack yet though, thanks for sharing!

I hope we will find time to improve the flooding protection after 1.6.7.
Rules
Tools: ARSSE - SARS - SRB - chatMod

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #15 on: April 05, 2014, 04:12:52 pm »
I didn't see that kind of flood attack yet though, thanks for sharing!

I hope we will find time to improve the flooding protection after 1.6.7.

Yeah...
http://bugs.soldat.pl/view.php?id=487 (reported in december 2013...)

Offline dominikkk26

  • Camper
  • ***
  • Posts: 404
    • PMGsite
Re: Flooding attack
« Reply #16 on: April 05, 2014, 05:24:58 pm »
I do not know Did I I'm doing that I write this unto you but you can yes block servers using two programs known to me:
- *****
- *****

------
Delete post
« Last Edit: April 06, 2014, 06:24:21 am by dominikkk26 »

Offline dominikkk26

  • Camper
  • ***
  • Posts: 404
    • PMGsite
Re: Flooding attack
« Reply #17 on: April 05, 2014, 05:26:00 pm »
If you want to have to change yourself's security port or ip and the best name to a hacker he could not find it so quickly.

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #18 on: April 06, 2014, 10:49:38 am »
Yeah... great solution :D Maybe let secure server by turning it off ? ;)

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1396
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #19 on: April 07, 2014, 12:41:57 am »
Just direct all your troubles to your host, he should be able to sort it out in no time.

Im chill like that