When playing 0ad whole network disconnects. Network otherwise stable.


Weird issue.  I can't play 0ad because of this ...

When in the 0ad lobby, or in a game, what will happen is I'll time out with a "stun endpoint error."  What will happen afterwards is that my WHOLE network will disconnect from the web.  This only happens with 0ad.

I thought maybe it's my computer.  So I formatted, did most recent windows updates, and installed 0ad.  Same thing.

 

Anyone have ideas on how to troubleshoot?  When I write the whole network disconnects I literally mean that the whole network disconnects from the internet.  Nani experienced my disconnects when he was a host of a game I joined.  This has started recently (like late this week).  Has the network code changed for this game somehow recently?

 

Here is my only guess currently:

1)  Try playing through VPN and see if this is a DDoS attack that happens.

Edited by Dizaka

I went through my router logs.  The only odd thing I've found is this:

<table style="width:100%">
  <tr>
    <th>Alert</th>
    <th>From</th>
    <th>To</th>
    <th>Protocol</th>
    <th>Time</th>
  </tr>
  <tr>
    <td>Threat Management Alert 1: A Network Trojan was Detected. Signature ET MALWARE Win32/Zonebac Traffic Redirect.</td>
    <td>X.X.X.X:57153</td>
    <td>173.239.8.164:80</td>
    <td>TCP</td>
    <td>9:21 am 09/11/2020</td>
  </tr>
  <tr>
    <td>Threat Management Alert 1: A Network Trojan was Detected. Signature ET MALWARE Win32/Zonebac Traffic Redirect.</td>
    <td>X.X.X.X:54879</td>
    <td>173.239.8.164:80</td>
    <td>TCP</td>
    <td>8:34 am 09/11/2020</td>
  </tr>
  <tr>
    <td>Threat Management Alert 1: A Network Trojan was Detected. Signature ET MALWARE Win32/Zonebac Traffic Redirect.</td>
    <td>X.X.X.X:50000</td>
    <td>213.247.47.190:80</td>
    <td>TCP</td>
    <td>2:43 pm 09/05/2020</td>
  </tr>
  <tr>
    <td>Threat Management Alert 1: A Network Trojan was Detected. Signature ET MALWARE Win32/Zonebac Traffic Redirect.</td>
    <td>X.X.X.X:57829</td>
    <td>173.239.8.164:80</td>
    <td>TCP</td>
    <td>8:14 pm 09/03/2020</td>
  </tr>
</table>

Are the "to" IPs associated with any user logins?

Those "threats" are the main reasons for formatting my machine ...  It's also weird but the above logs are from around the time from when disconnects of the WHOLE network started.

 

Additionally, maybe this will be useful, but the disconnects, to date, have only happened in a "game lobby" (before a game starts but not in main chat lobby) or in a "hosted/started game."
 

Edited by Dizaka

Looking at my traffic logs for today (don't have previous logs, unfortunately) I can see that my network gets hit with a lot of traffic in a short period of time.  This is the WAN port on my router.  I believe at around 6:00 I was in a game lobby trying to play with bbleft and bonescape(sp?)  I couldn't play as my whole internet connection went out again.

 

Note:  The traffic is over a time period of 20-25 minutes.

 

[image]

Edited by Dizaka

On 9/13/2020 around 7:10-22 p.m.  Happened again. 

 

Game hosted by Phyzik.  Ingame players were Isam_96 (1438), czar1812 (1326), _zoro_ (sleeping), anuragn (11115), and myself.

 

[image]

 

Edited by Dizaka

Players ig:  thankfor pie, sabdala, furqan, randomid, Dizaka, Ivaylo_Uzunov, TheIlusiveman, Exvtheow

Specs:  Issh, Boudica, Ricsand, felixix

[image]

 

Had a minor attack (Didn't disconnect from game lobby, just game).  After I reconnected my guess is host got hit.  Game disconnected completely.  Gametime was around 11:00 am eastern time zone (US/NYC).

 

[image]

 

 

Edited by Dizaka

Well, call your ISP I guess. They are supposed to prevent DDoS attacks. (I guess that's dependent on the ISP, to be fair, most analytics will ignore a few gig spikes). I expect all of them to give you a comprehensive report upon request though. Or just run Wireshark locally and see where it's coming from.

Sure that's not a download or something? Those graphs show a very weird DDoS attack; it instantly falls off a cliff.

Edited by smiley
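
What "see where it's coming from" can look like once a capture exists, as an added example that is not part of the thread: it groups inbound packets per minute and separates one dominant source (download-like) from many small sources (flood-like). The packet rows, the addresses (documentation ranges) and the three thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed packets: (epoch_second, src_ip, proto, length). Not real data."""
    # Minute 0: one TCP source sending full-size packets (looks like a download).
    pkts = [(t, "198.51.100.7", "TCP", 1500) for t in range(0, 60) for _ in range(20)]
    # Minute 1: 250 different UDP sources, each sending a little (looks like a flood).
    pkts += [(60 + i % 60, f"203.0.113.{i % 250 + 1}", "UDP", 1400)
             for i in range(3000)]
    # Minute 2: light background traffic.
    pkts += [(120 + t, "192.0.2.10", "UDP", 120) for t in range(0, 60, 5)]
    return pkts

def summarise(packets, window=60):
    """Per time window: total bytes, distinct sources, top talker and its share."""
    per_window = defaultdict(Counter)
    for ts, src, _proto, length in packets:
        per_window[ts // window * window][src] += length
    rows = []
    for start in sorted(per_window):
        by_src = per_window[start]
        total = sum(by_src.values())
        top_src, top_bytes = by_src.most_common(1)[0]
        rows.append({"start": start, "bytes": total, "sources": len(by_src),
                     "top_src": top_src, "top_share": top_bytes / total})
    return rows

def classify(row, busy_bytes=1_000_000, many_sources=50, dominant=0.8):
    """Heuristic labels; all three thresholds are assumptions to tune per link."""
    if row["bytes"] < busy_bytes:
        return "normal"
    if row["top_share"] >= dominant:
        return "single-source bulk (download-like)"
    if row["sources"] >= many_sources:
        return "many-source flood (DDoS-like)"
    return "busy, unclear"

if __name__ == "__main__":
    for row in summarise(build_sample()):
        print(row["start"], row["bytes"], row["sources"], row["top_src"],
              f'{row["top_share"]:.0%}', classify(row))
```
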
1 hour ago, badosu said:

@Dizaka What are you using to monitor? Gonna try setting something up and see from my end too...

Looks like his router's dashboard I think.

8 minutes ago, Loki1950 said:

He appears to be using Windows default Task Monitor. Wireshark should give you more detailed info.

I don't think so, the windows default thing sucks big time and is almost useless beyond seeing why a download is being somewhat slow.


Speccing a game.  Players were felixix, Rauls, Ivayo_Uzunov, ffm, PhyZic, thankforpie, eskro141, Edwarf

Host was randomid.

Specs were Issh, Carthage, Myself.

First disconnect was Rauls.  Rejoined game.

 

Had a conversation w/ Phyzik (approximation below):

Me:  First blood at min 18.

Him:  Happy?

Me:  No, can you smile for camera?

 

......... disconnect.  Checking logs ....

 

[image]

 

This was around 4:00 pm Eastern time, US time.

 

(Courtesy jab:  Phyzik's allies resigned.)

 

Edited by Dizaka

4:16, game hosted.  

Players: [image]

4:18 pm eastern time.:  On launch kristian disconnected.  Probably nothing.

 

(In between, Phyzik asks me to stop raging / get mental help.)

4:23 pm eastern time:  Kicked by randomid for lagging.  Logs below.

 

[image]

Edited by Dizaka

Lagged out around 4:55 Eastern Time.  Logs again show a spike in traffic.

 

Honestly, no idea who it is.  This was from a game lobby as randomid started hosting.  However, the spikes don't appear to be random/unintentional and are related to 0ad.  

Game chat provided below to list players inside the lobby.  Note, I haven't reset my public IP so I can be bombed even if the person is not in 0ad.

 

[image]

 

 

[image]

Edited by Dizaka

Actually totally offline on home network.  5:13pm.  Rejoined randomids game but immediately lagged out and internet died.  I think biggest timeframe regarding downtime.

As expected internal network works fine.  It's just an issue with WAN receiving a hug of love.

Edited by Dizaka

Actually waiting for them to call me.  I know if I call them it's not a problem really and won't take it seriously.  If they call me then they'll take it seriously and at least have a record of this in their system. 

If whoever is doing this lives in the USA they have the CFAA to worry about.

Currently still needs offline.

Back online 5:40 pm eastern time.

Edited by Dizaka

Update:

People in game (I was a spec):

[image]

 

It started around this time.  My guess the peak isn't shown b/c the person was going for an all time world record?  Guinness book of world records?

[image]

Edited by Dizaka

6:10 pm Eastern Time.  Net down.  Private no specs game with Nani.

Update: 6:24 net still down.  Maybe a new record?

Update: 6:32 net still down.

Update: 6:34 ... :)

Update: 6:46 ... :) Watching Netflix through a diff network ...

Update: 6:49 back online

Pic below is the start of the DDOS.  There's no middle b/c it was another big one.

[image]

Edited by Dizaka