Posted:

Hello.

 

My root-server has been blocked/closed by my provider. Reason was that I would perform DDOS attacks on other servers.

 

Here's the logfile:

http://vpservers.ru/abuse/2/msm_85.25.208.235.txt (vpservers.ru is the provider who was DDOSed)

 

That's what the logfile says in general:

...

24/08/2012 01:30:35 UDP recv 85.25.208.235:28960 -> 85.192.44.65:27015 (555) reject by FFFFFFD0 IDS: allow dos

24/08/2012 01:30:36 UDP recv 85.25.208.235:28961 -> 85.192.44.65:27015 (738) reject by FFFFFFD0 IDS: allow dos

24/08/2012 01:30:36 UDP recv 85.25.208.235:28960 -> 85.192.44.65:27015 (555) reject by FFFFFFD0 IDS: allow dos

...

 

 

85.25.208.235 is my server IP and 28960/28961 are the ports of my two IW4M servers ...

85.192.44.65:27015 is/was some kind of Russian Counter-Strike server I guess (I googled it)

 

now my question:

On alterIW, NTA had certain "ideas" that led him to implement DDOS code in AlterIW. Is that the case again? Are there any others like me?

 

regards
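The pattern described in this post (datagrams leaving the poster's own game ports toward one endpoint) can be checked mechanically over such a log. This is an added example, not part of the original post; it assumes the number in parentheses is the datagram size, and the last two sample lines, including the port used for 216.244.65.122, are constructed.

```python
import re
from collections import defaultdict

# Line layout as quoted in the post above.
LINE_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) UDP recv "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+) \((\d+)\) reject by (\S+) IDS: (.+)"
)

# Lines 1-3 are quoted in the post; lines 4-5 are constructed for this example.
SAMPLE_LOG = """\
24/08/2012 01:30:35 UDP recv 85.25.208.235:28960 -> 85.192.44.65:27015 (555) reject by FFFFFFD0 IDS: allow dos
24/08/2012 01:30:36 UDP recv 85.25.208.235:28961 -> 85.192.44.65:27015 (738) reject by FFFFFFD0 IDS: allow dos
24/08/2012 01:30:36 UDP recv 85.25.208.235:28960 -> 85.192.44.65:27015 (555) reject by FFFFFFD0 IDS: allow dos
24/08/2012 01:30:36 UDP recv 216.244.65.122:28960 -> 85.192.44.65:27015 (600) reject by FFFFFFD0 IDS: allow dos
garbled line that the parser must skip
"""

def summarize(log_text, my_ip, my_game_ports):
    """Per victim endpoint: datagrams and bytes sent from my_ip, how many of
    them left from a game-server listening port, and which other hosts
    were logged against the same victim."""
    report = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                  "from_game_port": 0, "other_sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # blank, truncated or unrelated line
        _ts, src, sport, dst, dport, size, _rule, _tag = m.groups()
        entry = report[(dst, int(dport))]
        if src != my_ip:
            entry["other_sources"].add(src)
            continue
        entry["packets"] += 1
        entry["bytes"] += int(size)
        entry["from_game_port"] += int(int(sport) in my_game_ports)
    return dict(report)

def looks_like_reflection(entry):
    """Heuristic: every datagram to the victim left from a port a game server
    listens on, so it was a reply to a query, not traffic this host started."""
    return entry["packets"] > 0 and entry["from_game_port"] == entry["packets"]
```

A host that initiates traffic normally uses ephemeral source ports, so a result where every datagram comes from the listening ports points at query replies being steered to the victim rather than at a compromised machine.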

Posted:

As I've posted in the German section, try this:

 

http://rankgamehosting.ru/index.php?showtopic=1320

 

It seems to be a known bug/security issue on cod4 linux/(windows?, not sure) servers and some people are providing fixes for it. Might be the same issue for IW4M servers... Maybe NTA can clarify this.

Posted:
  • Author
This isn't DDOS as DDOS requires more than 1 attacker, and for DOS it would require much more than a few UDP packets.

 

the logfile only logs my ip. but there are other servers. and they "DDOSed" 85.192.44.65:27015 at the same time:

http://vpservers.ru/abuse/2/msm_216.244.65.122.txt

 

so there is more than one attacker at the same time :/

 

and I can't give you any more info, as my server is blocked for now. but what do you want to know?

 

 

EDIT: found the full server log of that time. there are other servers.

http://vpservers.ru/abuse/2/msm.log.gz (33MB -> unpacked 454MB)

 

regards

Posted:

EDIT: found the full server log of that time. there are other servers.

http://vpservers.ru/abuse/2/msm.log.gz (33MB -> unpacked 454MB)

 

regards

 

Oh, holy crap. :roll:

Well, most of them are IW3 servers I'd guess, but that doesn't change the fact that this issue needs to be solved... BTW: Have you tried the iptables settings?

 

 

EDIT:

 

> This bug is a known bug in the Q3 server engine software. Usually,
> these are a popular FPS series 4 game-servers. A fix for this problem is
> described below:
>
> "So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to IW3 dedicated servers as fast as possible
> with spoofed addresses. They send a small UDP packet, and the
> server replies with a larger packet to the faked address. Multiply
> this by however fast you can stuff UDP packets into the server's
> incoming packet buffer per frame, times 7500+ public IW3 servers,
> and you can really bring a victim to its knees with a serious flood
> of unwanted packets.

 

source: http://rankgamehosting.ru/index.php?showtopic=1320

Posted:
  • Author
oh, holy crap. :roll:

Well, most of them are IW3 servers I'd guess, but that doesn't change the fact that this issue needs to be solved... BTW: Have you tried the iptables settings?

 

nope, cause it's still a windows server, but I'm about to "fix" that ^^

also it's still closed and out of my grasp...

 

EDIT: ty banz.

so it seems my server was chosen "random" by an unknown person to do that?!

well I guess I'll try the iptables fix when I've got rid of windows :P

 

regards

Posted:

I really wonder why only a few people seem to care about this security issue.

There are lots of people who already got in trouble (servers got shut down by provider etc.), because of their server becoming part of a botnet DDoSing companies. You (the server owners) are the ones who are responsible for their servers' security and not the provider (at least in most European countries I'd guess).

You could even get sued by the companies which are getting attacked from your servers, although it's not very likely.

Maybe NTA can look into this and code his own solution, but anyway the one which I've attached here was created by the man responsible for porting cod4 servers to linux. The version he posted was for linux servers, and some other guy ported it to windows.

 

 

information about the security issue (which highly likely also exists for iw4m servers):

Ryan: "So we're getting reports of DDoS attacks, where botnets will send 
infostring queries to COD4 dedicated servers as fast as possible with 
spoofed addresses. They send a small UDP packet, and the server replies 
with a larger packet to the faked address. Multiply this by however fast 
you can stuff UDP packets into the server's incoming packet buffer per 
frame, times 7500+ public COD4 servers, and you can really bring a 
victim to its knees with a serious flood of unwanted packets."
...
"Ryan, this isn't limited to just COD4 servers, is it?"
...
"Yes it applies to all games which support the quake 3 protocol."
Steve
...

source/more info:

http://icculus.org/pipermail/cod/2011-August/015397.html

(copy the link yourself pls, the word filter....)

 

solutions: (dll's or through iptables)

http://rankgamehosting.ru/index.php?showtopic=1320

 

download the windows fix which will most likely work with iw4m servers:

(Note this is meant for servers only)

 

Virustotal.com: https://www.virustotal.com/file/34bd920 ... 346263680/

Posted:
I really wonder why only a few people seem to care about this security issue.

There are lots of people who already got in trouble (servers got shut down by provider etc.), because of their server becoming part of a botnet DDoSing companies. You (the server owners) are the ones who are responsible for their servers' security and not the provider (at least in most European countries I'd guess).

You could even get sued by the companies which are getting attacked from your servers, although it's not very likely.

Maybe NTA can look into this and code his own solution, but anyway the one which I've attached here was created by the man responsible for porting IW3 servers. The version he posted was for linux servers, and some other guy ported it to windows.

 

 

information about the security issue (which highly likely also exists for iw4m servers):

Ryan: "So we're getting reports of DDoS attacks, where botnets will send 
infostring queries to IW3 dedicated servers as fast as possible with 
spoofed addresses. They send a small UDP packet, and the server replies 
with a larger packet to the faked address. Multiply this by however fast 
you can stuff UDP packets into the server's incoming packet buffer per 
frame, times 7500+ public IW3 servers, and you can really bring a 
victim to its knees with a serious flood of unwanted packets."
...
"Ryan, this isn't limited to just IW3 servers, is it?"
...
"Yes it applies to all games which support the quake 3 protocol."
Steve
...

source/more info:

http://icculus.org/pipermail/cod/2011-August/015397.html

(copy the link yourself pls, the word filter....)

 

solutions: (dll's or through iptables)

http://rankgamehosting.ru/index.php?showtopic=1320

 

download the windows fix which will most likely work with iw4m servers:

(Note this is meant for servers only)

 

Virustotal.com: https://www.virustotal.com/file/34bd920 ... 346263680/

I've tested it and at the 11th packet the server stops sending data, but if I re-start the program and do the test I can still receive 10 packets. (without any patch)
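A common server-side mitigation for the reflection discussed in this thread is to rate-limit replies to connectionless queries per claimed source address, backed by a global cap because spoofed sources are unlimited. This is an added example, not the DLL or iptables fix linked above; the class name, the burst of 10 and all rates and table sizes are assumptions.

```python
from collections import OrderedDict

class QueryLimiter:
    """Token buckets deciding whether a status/info query gets a reply."""

    def __init__(self, burst=10, rate=1.0, global_burst=50,
                 global_rate=10.0, max_hosts=1024):
        self.burst, self.rate = burst, rate
        self.global_burst, self.global_rate = global_burst, global_rate
        self.max_hosts = max_hosts
        self.hosts = OrderedDict()              # src_ip -> [tokens, last_seen]
        self.glob = [float(global_burst), 0.0]  # shared by all sources

    @staticmethod
    def _take(bucket, burst, rate, now):
        """Refill the bucket for the elapsed time, then try to spend a token."""
        tokens, last = bucket
        tokens = min(float(burst), tokens + max(0.0, now - last) * rate)
        allowed = tokens >= 1.0
        bucket[:] = [tokens - 1.0 if allowed else tokens, now]
        return allowed

    def allow(self, src_ip, now):
        """True if the server should answer a query claiming to be from src_ip."""
        bucket = self.hosts.pop(src_ip, None)
        if bucket is None:
            bucket = [float(self.burst), now]
        self.hosts[src_ip] = bucket             # re-insert as most recent
        # Bound the table: spoofed addresses must not be able to exhaust memory.
        while len(self.hosts) > self.max_hosts:
            self.hosts.popitem(last=False)
        if not self._take(bucket, self.burst, self.rate, now):
            return False
        # Evicted or never-seen addresses start with a full bucket, so the
        # global bucket is what caps total reply volume under a wide flood.
        return self._take(self.glob, self.global_burst, self.global_rate, now)
```

The limiter is keyed on the address in the packet, which under spoofing is the victim's, so the per-address bucket bounds what any single victim can receive from this server.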
