Server Attack?.. (today, just a few minutes ago)

belenus
Round Winner
Posts: 269
Joined: Wed Nov 30, 2005 6:22 pm
Location: Cologne

Post by belenus »

Hi,

I think someone just attacked several AA servers.

I was playing with several others on the FE server when suddenly everyone got disconnected and it was impossible to reconnect for a while.

Then I tried CVS (which is currently totally messed up), and "you need help", who was the only one there, said that it just crashed too.

Any other servers that crashed or behave weird?

bel

PS: got a nice message from my router...
router log wrote:
2006-03-09 14:50:30 - UDP Flood - Source:86.64.109.20,54491,WAN - Destination:84.44.139.65,4534,LAN
whois wrote:
inetnum: 86.64.64.0 - 86.64.127.255
netname: N9UF-PRO
descr: MPLS network
country: FR
admin-c: LDC50-RIPE
tech-c: LDC76-RIPE
status: ASSIGNED PA
mnt-by: LDCOM-MNT
mnt-by: LDCOM-PRO-MNT
source: RIPE # Filtered

role: NEUF PRO
address: neuf telecom
address: Immeuble Quai Ouest
address: 40-42 Quai du point du jour
address: 92659 Boulogne Billancourt
address: France
fax-no: +33 1 70 18 29 10
admin-c: HN532-RIPE
admin-c: GT705-RIPE
tech-c: LDC76-RIPE
nic-hdl: LDC50-RIPE
abuse-mailbox: abuse@gaoland.net
mnt-by: LDCOM-MNT
source: RIPE # Filtered

role: LDCOM Networks Tech Contact
address: neuf telecom
address: Immeuble Quai Ouest
address: 40-42 Quai du point du jour
address: 92659 Boulogne Billancourt
address: France
fax-no: +33 1 70 18 15 70
admin-c: LM5867-RIPE
tech-c: DG1056-RIPE
nic-hdl: LDC76-RIPE
abuse-mailbox: abuse@gaoland.net
mnt-by: LDCOM-MNT
source: RIPE # Filtered

% Information related to '86.64.0.0/12AS15557'

route: 86.64.0.0/12
descr: LDCOM-NET
origin: AS15557
mnt-by: LDCOM-MNT
source: RIPE # Filtered

If whoever did that attack reads this post, we've got your IP, do it again and your provider will get a mail.
- bel
Luke-Jr
Dr Z Level
Posts: 2246
Joined: Sun Mar 20, 2005 4:03 pm
Location: IM: luke@dashjr.org

Post by Luke-Jr »

Unless maybe he confesses, says how he did it, and helps fix the bug...
dlh
Formerly That OS X Guy
Posts: 2035
Joined: Fri Jan 02, 2004 12:05 am

Post by dlh »

Luke-Jr wrote:Unless maybe he confesses, says how he did it, and helps fix the bug...
Except it is not a bug in AA. It is a UDP DoS.

http://www.cert.org/advisories/CA-1996-01.html

Edit: The game could implement something to monitor for DoS attacks if this becomes more frequent. I don't think it will.
belenus
Round Winner
Posts: 269
Joined: Wed Nov 30, 2005 6:22 pm
Location: Cologne

Post by belenus »

Well, it depends... everything else that's running on the server was working just fine; it was just impossible to connect to AA.

Anyone know if it is possible to block UDP floods (maybe with iptables) before they reach the AA server daemon?
- bel
dlh
Formerly That OS X Guy
Posts: 2035
Joined: Fri Jan 02, 2004 12:05 am

Post by dlh »

Maybe someone found Luigi's binaries? Doesn't the fake player bug still affect every version?
Tank Program
Forum & Project Admin, PhD
Posts: 6715
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

Funky. I can't say I've heard/experienced anything how you've described it.
Z-Man
God & Project Admin
Posts: 11770
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Post by Z-Man »

The IP is a static IP; it turns up a lot in the master server logs. I've also seen it in the CVS test server logs and know the player name. I tried to talk with the guy when he was online some minutes ago, but got not a single reaction. I've banned the IP; when he tries to join again, he'll be redirected here (bans now support reasons given to the banned).
If that doesn't work, I'll see whether I can do the same with my master server. It's not running the right code right now, though.

The mess-up on CVS Test was purely CVS Test related :) The CVS code had a little problem with cycle turns, and later the setting problem that only five players were allowed on every team. The recordings show no sign of attack from the given IP; since the packets were directed at the AA port, they'd have been logged.

Luigi's exploits are as fixed as they can ever be; the programs simulate clients connecting that time out, and as long as we want to be a little nice to clients with bad network connections, there will always be some impact from such an attack. But without control over multiple public IP addresses or the ability to spoof the sender, a single attacker cannot do much. I think. I'll better triple check.

iptables has a way to drop packets if they come in too often, you can give it the option "--limit 50/second", like

# "-m limit" loads the limit match; without it iptables rejects "--limit" as an unknown option
$IPTABLES -A allow-tron-traffic -p udp -s $GLOBAL_NETWORK -d $GLOBAL_NETWORK -m limit --limit 50/second --dport 4530:4550 -j ACCEPT
Err, the $GLOBAL_NETWORK stuff probably does not make too much sense here...

Of course, the value should be tweaked, and if the problem is that the attacker has a bigger network pipe than you, that does not help.
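A firmer version of the rate-limit idea from the post above, as an added example that is not Z-Man's or the Armagetron project's code: instead of one global "-m limit" budget shared by every sender, it keys the limit on the source address with the hashlimit match so a single flooder cannot starve the other players, then logs and drops the excess. The chain name, port range 4530:4550, rate and burst values are this example's own assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: rate-limit inbound UDP to the
# Armagetron port range per source address with the hashlimit match and
# drop the excess. The chain, variable names and numbers are this example's
# own assumptions. DRY_RUN=1 prints the commands instead of running them.

IPTABLES=${IPTABLES:-iptables}
CHAIN=${CHAIN:-allow-tron-traffic}
PORTS=${PORTS:-4530:4550}
RATE=${RATE:-50/second}
BURST=${BURST:-100}

# Run one iptables invocation, or just print it under DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Per-source budget: "-m limit" counts all senders together, so one flooder
# would use up the allowance for every legitimate player; hashlimit keyed on
# srcip gives every source IP its own $RATE/$BURST bucket.
accept_rule() {
    ipt -A "$CHAIN" -p udp --dport "$PORTS" \
        -m hashlimit --hashlimit-name tron --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
}

# Whatever exceeds its bucket is logged (at most once a minute, so the log
# itself cannot be flooded) and dropped before it reaches the game daemon.
drop_rules() {
    ipt -A "$CHAIN" -p udp --dport "$PORTS" -m limit --limit 1/minute \
        -j LOG --log-prefix "tron-udp-flood: "
    ipt -A "$CHAIN" -p udp --dport "$PORTS" -j DROP
}

# Create the chain, fill it, and hook it into INPUT ahead of existing rules.
install_chain() {
    ipt -N "$CHAIN"
    accept_rule
    drop_rules
    ipt -I INPUT -p udp --dport "$PORTS" -j "$CHAIN"
}
```

As Z-Man notes, none of this helps once the attacker's pipe is bigger than the server's uplink; the rules only keep the excess away from the game daemon.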
belenus
Round Winner
Posts: 269
Joined: Wed Nov 30, 2005 6:22 pm
Location: Cologne

Post by belenus »

Found that user in my logs too... at least I now know who he is :D
- bel
spirit
Round Winner
Posts: 307
Joined: Wed Aug 10, 2005 4:11 pm
Location: Vienna

Post by spirit »

belenus wrote: at least I now know who he is :D
Well done Belenus, but let me say just one thing. If I read this from the top down I read many things I don't really understand, but that's ok for me because I'm a medical and no PC expert. BUT if I was a hacker - whatever you want to call this person - I wouldn't be pretty much scared. Much bla bla, nothing more.....
So now I want to ask a question: if you got the IP, why don't you just write an email instead of just talking about it? I personally think if someone attacks a server that person deserves a punishment, or do you think that the attack happened by accident?
belenus
Round Winner
Posts: 269
Joined: Wed Nov 30, 2005 6:22 pm
Location: Cologne

Post by belenus »

{Vertigo} wrote:Why don't you just write an email instead of just talking about it? I personally think if someone attacks a server that person deserves a punishment, or do you think that the attack happened by accident?
No, I do not think that it was an accident; how so? It was directly aimed at the port AA is running on.

I do not send an email because it just isn't worth the trouble AND in case it really was an accident. If it happens again, well... I know it wasn't.
- bel
spirit
Round Winner
Posts: 307
Joined: Wed Aug 10, 2005 4:11 pm
Location: Vienna

Post by spirit »

belenus wrote: No, I do not think that it was an accident; how so? It was directly aimed at the port AA is running on.
Of course it was... That should have been a rhetorical question....
belenus wrote: I do not send an email because it just isn't worth the trouble.....
Which trouble? If you didn't want to make any trouble, why this thread?
belenus
Round Winner
Posts: 269
Joined: Wed Nov 30, 2005 6:22 pm
Location: Cologne

Post by belenus »

This almost sounds as if you were the person who did it.

Well, if you can explain to me HOW you make a UDP flood on the only port that's vulnerable to it by accident, feel free to elaborate :D
- bel
spirit
Round Winner
Posts: 307
Joined: Wed Aug 10, 2005 4:11 pm
Location: Vienna

Post by spirit »

Hehe, sure, and I'm also Santa Claus on the 24th/25th of December. :wink:
country: FR
address: France


No, for real now: I'm curious why you won't do anything about it if you got his IP.... I remember how it was when Tigers Network was down. That wasn't so nice though.
Tank Program
Forum & Project Admin, PhD
Posts: 6715
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

Doesn't look like the IP turns up in any of my logs.
Z-Man
God & Project Admin
Posts: 11770
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Post by Z-Man »

Relax, it *may* have been just a client bug, or maybe his "p" key got stuck in the server browser (which wouldn't have that effect).

Belenus: do you know what exactly your router log means with UDP flood? It can be about anything.