Author Topic: Flooding attack  (Read 7654 times)

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Flooding attack
« on: April 01, 2014, 08:35:35 am »
Hey guys, a few times now a very bad guy has tried to crash our server:

14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).

Afterwards the server takes 98% of the processor and it's impossible to join.
Do you know this IP?
Do you know a way of protecting against this? Something other than iptables?
www.facebook.com/coSoldat

Center Of Soldat

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #1 on: April 01, 2014, 08:52:16 am »
It seems like a random IP; looking at Google I see that this IP shows up a few times as a forum spam bot.
I had in my database only: 93.114.43.141 with nicks: Major, x-Aro-x, Jeben and a few other majors.

It's a "hole" in Soldat security... For the past few years I tried lots of things to block it... nothing.

Offline darDar

  • Soldat Beta Team
  • Flagrunner
  • ******
  • Posts: 794
    • #Soldat Gather - Community on Discord
Re: Flooding attack
« Reply #2 on: April 01, 2014, 08:54:41 am »
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).

Since it says "Admin disconnected", this guy obviously has your admin login or port.
It would say "Admin failed to connect" otherwise, if I'm right. (?)
Change your adminlog or port and see if it gets better. He is located in Romania.

Install this on your machine:
fail2ban
« Last Edit: April 01, 2014, 08:57:06 am by darDar »
Soldat Gather 'Matchmaking Community on Discord'

gather.soldat.pl

| My Maps: ctf_Pyramid, ctf_Replay, ctf_Blako, ctf_R6, ctf_Ntex, ctf_Caro, ctf_Bizar & vs_mode mappack |

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl

Im chill like that

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #4 on: April 01, 2014, 09:28:35 am »

> Since it says "Admin disconnected", this guy obviously has your admin login or port.
> It would say "Admin failed to connect" otherwise, if I'm right. (?)
> Change your adminlog or port and see if it gets better. He is located in Romania.

No, it doesn't have logins.
There is an app called [don't even think that I'll give you the name] that... crashes Soldat servers. It's a pain in the A$$ that almost everyone can use it. It's so simple that you just need to write [something] to crash it...

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #5 on: April 01, 2014, 09:31:29 am »
> > 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> > 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> > 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> > 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> > 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
>
> Since it says "Admin disconnected", this guy obviously has your admin login or port.
> It would say "Admin failed to connect" otherwise, if I'm right. (?)
> Change your adminlog or port and see if it gets better. He is located in Romania.
>
> Install this on your machine:
> fail2ban

(15:57:06) Admin failed to connect (x.x.x.x).
(15:57:07) Admin disconnected (x.x.x.x).
When I tried to connect with a bad PW

Offline skrX

  • Soldier
  • **
  • Posts: 112
  • x ye.
Re: Flooding attack
« Reply #6 on: April 01, 2014, 09:54:39 am »
bug?

Offline Xestor

  • Major(1)
  • Posts: 41
Re: Flooding attack
« Reply #7 on: April 01, 2014, 10:08:08 am »
Isn't it called a DDoS?

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #8 on: April 01, 2014, 10:09:48 am »
DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #9 on: April 01, 2014, 01:13:58 pm »
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).



Someone tried to log in and I checked the processor: 98%. Afterwards I turned the server off and on again. It shows:

14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).

I changed my adminlog to a 'very hard' version. Very strange... I also changed the password to my VPS.

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #10 on: April 01, 2014, 01:17:17 pm »
Changing the password doesn't help here. This app that crashes servers uses just the IP of your server, it doesn't need anything else. That's why it's so damn hard to block it, especially if the attacker can change IP.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #11 on: April 01, 2014, 01:21:22 pm »
Yeah, but it looks like he knows my password :o BTW, what about changing to AdminPassword='' - without a password nobody can join as admin?

BTW, this attacker probably read this topic, because I didn't block the previous IP and he changed it anyway. Before, he always attacked with the same IP.

Offline Akinaro

  • Flagrunner
  • ****
  • Posts: 749
Re: Flooding attack
« Reply #12 on: April 01, 2014, 01:28:57 pm »
It's not that he is trying to log in as an admin. This app is for crashing the server using a security bug in Soldat: it sends more than 10 fake admin login requests to the server. Such a massive amount of logins to one port creates huge lags that crash your server.

I had this a few times. I even have this app, trying to find a solution for this, and nothing. Only blocking the IP can help, but only for one IP... if the attacker can change his address... you can only wait until he gets bored...

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #13 on: April 01, 2014, 05:52:32 pm »
4th IP attacked us :D Hosting: Kaia and voxility

Offline Shoozza

  • Retired Soldat Developer
  • Veteran
  • ******
  • Posts: 1632
  • Soldat's Babysitter
    • Website
Re: Flooding attack
« Reply #14 on: April 02, 2014, 01:18:17 am »
I didn't see that kind of flood attack yet though, thanks for sharing!

I hope we will find time to improve the flooding protection after 1.6.7.
Rules
Tools: ARSSE - SARS - SRB - chatMod

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #15 on: April 05, 2014, 04:12:52 pm »
> I didn't see that kind of flood attack yet though, thanks for sharing!
>
> I hope we will find time to improve the flooding protection after 1.6.7.

Yeah...
http://bugs.soldat.pl/view.php?id=487 (reported in December 2013...)

Offline dominikkk26

  • Camper
  • ***
  • Posts: 404
    • PMGsite
Re: Flooding attack
« Reply #16 on: April 05, 2014, 05:24:58 pm »
I do not know if I am doing right to write this to you, but yes, you can block servers using two programs known to me:
- *****
- *****

------
Delete post
« Last Edit: April 06, 2014, 06:24:21 am by dominikkk26 »

Offline dominikkk26

  • Camper
  • ***
  • Posts: 404
    • PMGsite
Re: Flooding attack
« Reply #17 on: April 05, 2014, 05:26:00 pm »
If you want, you have to change your own security port or IP, and best the name too, so that a hacker could not find it so quickly.

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #18 on: April 06, 2014, 10:49:38 am »
Yeah... great solution :D Maybe let's secure the server by turning it off? ;)

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #19 on: April 07, 2014, 12:41:57 am »
Just direct all your troubles to your host, he should be able to sort it out in no time.


Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #20 on: April 07, 2014, 04:34:00 am »
@Bonecrusher - but we are now talking about people who host Soldat servers by themselves. What should they do?

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #21 on: April 07, 2014, 05:03:16 am »
I suppose there is a firewall in almost every modern router; it may take a while to block all the different IPs, but it's possible.

example: http://www.dslreports.com/forum/r19798124-Creating-router-firewall-rules-to-block-IP-addresses


Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #22 on: April 07, 2014, 05:05:45 am »
OK, you can. But we are trying to find some universal (semi-)automatic solution for that problem.

BTW, can someone confirm that the admin port (by TCP) is NOT used during normal gaming? I mean - if you play, you use only UDP communication?

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #23 on: April 07, 2014, 05:15:45 am »
You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.


Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #24 on: April 07, 2014, 05:21:14 am »
OK. Thanks for info :)

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #25 on: April 07, 2014, 05:44:40 am »
Not sure if it will prevent flooding attacks, you will have to test it.


Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #26 on: April 07, 2014, 05:57:42 am »
AFAIK those attacks are via TCP. So blocking the TCP port should prevent them.

Offline jrgp

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 5037
Re: Flooding attack
« Reply #27 on: April 07, 2014, 09:39:27 pm »
> Hey guys, a few times now a very bad guy has tried to crash our server:
>
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
>
> Afterwards the server takes 98% of the processor and it's impossible to join.
> Do you know this IP?
> Do you know a way of protecting against this? Something other than iptables?

The Linux tool fail2ban can be configured to watch the Soldat logfiles in realtime and automatically block IPs that do weird things like what you pasted. It adds a new chain to iptables which it manages by itself and adds IPs to (and optionally removes them after).

> You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.

You also won't be able to download custom maps/sceneries.
There are other worlds than these
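
The log-watching idea from the post above, as an added example that is not part of the original thread and is neither fail2ban's nor Soldat's code: it parses the two admin log line formats quoted in this topic and flags any IP that produces a burst of admin events within a short window. The threshold, the window length and the 192.0.2.10 address are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both formats quoted in the thread: log file and admin console lines.
LINE = re.compile(
    r"^(?:(?P<dated>\d\d-\d\d-\d\d \d\d:\d\d:\d\d)|\((?P<clock>\d\d:\d\d:\d\d)\))"
    r" Admin (?P<event>disconnected|failed to connect)"
    r" \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\.$"
)

def parse(line):
    """Return (timestamp, event, ip) for an admin-port line, else None."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    if m["dated"]:
        ts = datetime.strptime(m["dated"], "%y-%m-%d %H:%M:%S")
    else:  # console lines carry no date; strptime defaults the year to 1900
        ts = datetime.strptime(m["clock"], "%H:%M:%S")
    return ts, m["event"], m["ip"]

# One mistyped password already logs two lines (failed + disconnected),
# so the threshold has to sit above 2. Lines must be in time order.
def flooding_ips(lines, threshold=4, window=timedelta(seconds=2)):
    """IPs with at least `threshold` admin events inside one `window`."""
    recent = defaultdict(deque)  # (ip, year) -> timestamps inside the window
    flagged = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, _event, ip = rec
        q = recent[(ip, ts.year)]  # never mix dated and date-less lines
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

# Constructed sample: the burst repeats the line from the first post; the
# 192.0.2.10 pair is an invented single failed admin login.
SAMPLE = (
    ["14-04-01 09:26:41 Admin failed to connect (192.0.2.10).",
     "14-04-01 09:26:41 Admin disconnected (192.0.2.10)."]
    + ["14-04-01 09:27:00 Admin disconnected (93.114.43.179)."] * 5
)
```

Calling `flooding_ips(SAMPLE)` returns only the bursting address; the single failed login stays below the threshold.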

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #28 on: April 08, 2014, 02:21:37 am »
1. But fail2ban has a delay with checking the log (interval checking)
2. Soldat has also an interval of logs updating (next delay)
3. There are some cases when Soldat is not producing/updating logs while being attacked
4. Due to those delays Soldat server will crash minimum once
5. Am I wrong, or are the maps maintained on another port (admin port + 123, if I remember correctly)?

Offline Bonecrusher

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1397
  • High above
    • Zabijaka.pl
Re: Flooding attack
« Reply #29 on: April 08, 2014, 02:52:38 am »
5. TCP is join port + 10.


Offline jrgp

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 5037
Re: Flooding attack
« Reply #30 on: April 08, 2014, 04:28:05 am »
> 1. But fail2ban has a delay with checking the log (interval checking)
> 2. Soldat has also an interval of logs updating (next delay)
> 3. There are some cases when Soldat is not producing/updating logs while being attacked
> 4. Due to those delays Soldat server will crash minimum once

You can use the functionality provided by CSF (a front end to iptables) that automatically blocks IPs which open too many connections during a set interval on a specific TCP port. That may help this.

Have you tried keeping a 'tcpdump dst port 23083' open that logs the malicious traffic you're getting? Have you looked in dmesg to see if you're getting packet flooding that sets off messages in the kernel log?

Offline dominikkk26

  • Camper
  • ***
  • Posts: 404
    • PMGsite
Re: Flooding attack
« Reply #31 on: April 08, 2014, 08:03:03 am »
Hmm developers should give the option to choose ports for clients (administrators) when connecting.

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #32 on: April 08, 2014, 04:39:20 pm »
Okay... Soldat killed me now totally. I know an EASY way to kill the server. I'll write only with devs about this. PRIV.

Probably without any protection all servers will just go mad.
« Last Edit: April 08, 2014, 05:07:20 pm by elMorvano »

Offline Falcon`

  • Flagrunner
  • ****
  • Posts: 792
  • A wanted lagger
Re: Flooding attack
« Reply #33 on: April 08, 2014, 05:21:58 pm »
I didn't read the whole topic, but I once had a problem like this. The solution was to add some pre-Soldat authentication system that would open the admin port for a given IP address. In my case I used port knocking.
If you're not paying for something, you're not the customer; you're the product being sold.
- Andrew Lewis

Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.

Offline Szaman

  • Soldier
  • **
  • Posts: 145
Re: Flooding attack
« Reply #34 on: April 08, 2014, 05:26:09 pm »
@FalconPL: very good idea :)

Offline elMorvano

  • Major(1)
  • Posts: 44
  • Center Of Soldat
    • Center Of Soldat
Re: Flooding attack
« Reply #35 on: April 08, 2014, 05:36:04 pm »
Temporary solution against my way (ofc. I won't tell you which way, this can even kill your machine) is: run your soldatserver by soldatserver_legacy. Thanks.

And now my scripts don't work - GG. I'm really tired of Soldat's bugs T_T
« Last Edit: April 08, 2014, 06:01:29 pm by elMorvano »