Dizaka (Author), posted October 6, 2020 (edited)

On 10/5/2020 between 9:00 pm and 11:00 pm eastern time the lobby users are being hit hard by whoever is the DDOS child. I'm being ignored for some reason. Magically, a number of users who rarely, if ever, log in logged in. The first topic on these users' minds was DDOS. Peculiar but just speculation.

Below is a WAN chart of traffic since 9/11. Most peaks, if not all, except between 9/15 and 9/16, are when I disconnected from 0ad due to, what I believe, were ddos attacks.

Below is the corresponding LAN chart. Notice how traffic between 9/15 and 9/16 can be seen on LAN? That's because it goes past the router and isn't blocked/discarded like a DDOS attack. The 9/15-9/16 traffic is a 4 tb download.

Edited October 6, 2020 by Dizaka

vinme, posted October 6, 2020

THE PLOT THICKENS happened to me too btw dizaka who did you piss off so much? we need names for just in case you disappear we can know what you knew im not a computer guy but this isnt gonna turn out to be some huge hac atac on all 0ad ppl attacking eachother and spreading some hac virus and in the end the mastermind presses a button and we all lose our money and our shameful collection of extremely ugly pug pictures gets leaked online while this guy laughs maniacally in his secret lair under a volcano while eating peanut butter with his bare hands and maybe setting up plans having his minion write down the dates and time to destroy other ppl in other games hes played who pissed him off?

Dizaka (Author), posted October 6, 2020 (edited)

> 9 hours ago, vinme said:
> THE PLOT THICKENS happened to me too btw dizaka who did you piss off so much? we need names for just in case you disappear we can know what you knew im not a computer guy but this isnt gonna turn out to be some huge hac atac on all 0ad ppl attacking eachother and spreading some hac virus and in the end the mastermind presses a button and we all lose our money and our shameful collection of extremely ugly pug pictures gets leaked online while this guy laughs maniacally in his secret lair under a volcano while eating peanut butter with his bare hands and maybe setting up plans having his minion write down the dates and time to destroy other ppl in other games hes played who pissed him off?

Not sure. The person is being more covert than overt. Like as if they were afraid of repercussions for their actions. Like as if they didn't have a pair (male or female pair, either of the two or both - I don't judge). Total wussies.

Edit: Apparently there is at least one person who has the audacity to allege that I'm the DDoSer who ruins games. See below (General Lobby Chat from 10/5/2020, eastern time zone):

Edited October 6, 2020 by Dizaka

Dizaka (Author), posted October 6, 2020 (edited)

10/6/2020 around 1:23 pm Eastern Time. Clearly hit a nerve with someone through my last post. Internet/0Ad WAN port down due to DDoS.

1:36 pm. Whoever is doing this #gohardorgohome. My ISP hasn't called yet.

1:41 pm. It stopped. Chart is below.

What's interesting is whoever is doing this is optimizing the attack. I've noticed that they are starting to send more packets now but lower bandwidth utilization. For example, see below: 185,054,775 packets received. That's like 100x higher than usual. Therefore, whoever is doing this is trying, using what some people call a brain, to optimize the attack.

Edited October 6, 2020 by Dizaka

Dizaka (Author), posted October 6, 2020 (edited)

Found something weird going through logs. Could be relevant or could be not relevant.

Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53180, to: 104.31.64.171:80, protocol: TCP 3:55 pm 09/23/2020
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53084, to: 104.31.65.171:80, protocol: TCP 3:54 pm 09/23/2020
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52919, to: 172.67.180.106:80, protocol: TCP 3:53 pm 09/23/2020
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52909, to: 216.105.38.13:80, protocol: TCP
Threat Management Alert 2: Misc Attack. Signature ET CINS Active Threat Intelligence Poor Reputation IP group 21. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP 9:50 pm 09/19/2020
Threat Management Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP 9:50 pm 09/19/2020

The bad IP addresses: 104.31.64.171 172.67.180.106 216.105.38.13 45.129.33.81

Odd thing is that here:

Threat Management Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP 9:50

Specifically the 20595 port is being addressed. That's the 0Ad game port.

Look here: https://www.dshield.org/block.txt . The IP is on the Dshield.org website ... I guess abuse@ipvolume.net is getting an email.

1954 indicates that the 45.129.33.0 address group is a Canada and/or Fort Lauderdale regional ownership.

Edit: Oops. Country code is from Seychelles, East Africa. Code is 2047 for 45.129.33.*. Not sure where 1956 came from.

Edited October 6, 2020 by Dizaka
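
Added example (not part of the original post): a short Python parser for the alert lines quoted above. It tags each alert as inbound or outbound relative to the masked WAN address `A.B.C.D` and collapses alerts that fired on the same connection to the game port. `parse_alerts`, `summarize` and the `SAMPLE` text rebuilt from the post are names chosen here, and the log format is assumed to be exactly as quoted.

```python
import re
from collections import defaultdict

GAME_PORT = 20595  # 0 A.D. game port named in the post
LOCAL = "A.B.C.D"  # the poster's masked WAN address, as written in the log

ALERT_RE = re.compile(
    r"Threat Management Alert \d+: (?P<cls>[^.]+)\. Signature (?P<sig>.+?)\. "
    r"From: (?P<src>[\w.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\w.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)

def _alert(cls, sig, src, dst):
    return (f"Threat Management Alert 2: {cls}. Signature {sig}. "
            f"From: {src}, to: {dst}, protocol: TCP ")

UA = "ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))"
# The six alerts quoted in the post, rebuilt as one run of text (timestamps dropped).
SAMPLE = "".join([
    _alert("Potentially Bad Traffic", UA, "A.B.C.D:53180", "104.31.64.171:80"),
    _alert("Potentially Bad Traffic", UA, "A.B.C.D:53084", "104.31.65.171:80"),
    _alert("Potentially Bad Traffic", UA, "A.B.C.D:52919", "172.67.180.106:80"),
    _alert("Potentially Bad Traffic", UA, "A.B.C.D:52909", "216.105.38.13:80"),
    _alert("Misc Attack", "ET CINS Active Threat Intelligence Poor Reputation IP group 21",
           "45.129.33.81:41427", "A.B.C.D:20595"),
    _alert("Misc Attack", "ET DROP Dshield Block Listed Source group 1",
           "45.129.33.81:41427", "A.B.C.D:20595"),
])

def parse_alerts(text):
    """Return one dict per alert, tagged with direction relative to LOCAL."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        a["direction"] = ("inbound" if a["dst"] == LOCAL
                          else "outbound" if a["src"] == LOCAL else "unknown")
        a["remote"] = a["dst"] if a["direction"] == "outbound" else a["src"]
        alerts.append(a)
    return alerts

def summarize(alerts):
    """Remote IPs per direction, plus distinct inbound flows to the game port."""
    remotes, flows = defaultdict(set), set()
    for a in alerts:
        remotes[a["direction"]].add(a["remote"])
        if a["direction"] == "inbound" and a["dport"] == GAME_PORT:
            flows.add((a["src"], a["sport"]))
    return {d: sorted(ips) for d, ips in remotes.items()}, sorted(flows)
```

On the quoted alerts this yields four outbound remote addresses, one inbound address, and a single inbound flow to port 20595, since the CINS and Dshield signatures fired on the same source address and port.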

Dizaka (Author), posted October 6, 2020 (edited)

3:05 pm eastern time. Another DDOS on WAN for 0Ad.

3:24 or so, back online.

Edited October 6, 2020 by Dizaka

Dizaka (Author), posted October 6, 2020 (edited)

7:20 eastern time. Ddosed as a player. Will update as time progresses.

7:41 pm, still offline on that WAN port.

7:50 pm. Still offline.

7:55 pm, or so. DDoS ended.

Edited October 7, 2020 by Dizaka

Dizaka (Author), posted October 7, 2020

Before last DDoS it appears Borg and Chetnik also got DDoSed. Note, 9:00 pm and I think DDoS has subsided.

Tomba, posted October 7, 2020

Hi @Dizaka, the exact same thing is happening to me. I'm in a game and my internet is suddenly gone for 2, 5, 10 minutes or so. You are not the only one. Also almost every game I play the host gets disconnected and the game ends. I don't know what's happening but... this seems dirty play.

badosu, posted October 7, 2020 (edited)

Not the hero we deserved but the hero we needed!

btw, is it really distributed? can your monitor show unique ip or location count?

Edited October 7, 2020 by badosu

vinme, posted October 7, 2020

finally som1 is getting it @badosu. whoever it is might be paying som1 for the ddos services cuz i mean who would take the time to just annoy the shlt out of dizaka at least few bucks is reasonable or it seems so i mean what could dizaka do anyway online. did u like slaughter someones family to the 7th generation all north korea style @Dizaka cuz its obvious theres some beef going on here and ur not telling us shlt

smiley, posted October 7, 2020

> 16 hours ago, Dizaka said:
> The bad IP addresses: 104.31.64.171 172.67.180.106 216.105.38.13 45.129.33.81

All of them are from the United States from my lookup. Some behind Cloudflare. The last one from an ISP that usually hosts servers.

Seychelles has some blocks close to that last IP, but it doesn't own that specific range.

45.66.35.0/24
45.67.14.0/23
45.134.12.0/24
45.141.59.0/24
45.148.164.0/24

vinme, posted October 7, 2020

y idk what that means. but how can u reveal the guy if he was smart enough to hide? wouldn't that ruin the point of hiding then?

Dizaka (Author), posted October 7, 2020 (edited)

11:30 pm or so on 10/6/2020. While in bed tablet device wasn't connecting to internet (WiFi was working). I guess this explains why I fell asleep earlier last night. Attacks are pretty boring and old now.

In any case, DDoS'r - can you do this more often at 11:30 pm, or so? I got some good sleep and this is helping my insomnia.

Anyway, #gohardorgohome. Waiting for that ISP phone call.

Edited October 7, 2020 by Dizaka

Dizaka (Author), posted October 7, 2020

> 20 minutes ago, smiley said:
> Ok this is just getting unprofessional from devs now...
> 1. Imagine if someone with a rather pricy internet connection is on the receiving end.
> 2. This is actively ruining the multiplayer experience from what I can tell.
> 3. Thread was made on September 13 and no one with a blue nick has even bothered replying here.
> At least implement a central relaying proxy so people don't have to expose their public IPs.
> I will reply to my own post as well because I literally know the response. "This is an unpaid volunteer project"

There isn't much that can be done. This post is more about showing that there is an issue and that there are bad actors. We don't even know what the motivation is behind these bad actors. Is it to end games so that they can play 0Ad (lulz)? Is it to grief players (2x lulz)? It is unknown. Mostly b/c the actors are covert and not overt. The people doing this are afraid of any RL repercussions, otherwise they'd post their personal information.

In conclusion, I will actually defend the devs and all the volunteers. They are doing an amazing job with this game and I wouldn't be posting here if they weren't. The person doing the DDoS is just going to DDoS.

DDoS'r, please spend more $$ on your DDoS or get some skillz.

Dizaka (Author), posted October 8, 2020 (edited)

10/7/2020 @ 12:50 pm. Wasn't doing anything and didn't even realize it happened but it's there in the logs. LOL.

What's interesting is the attacks are now asking my router to send back data ...

Edited October 8, 2020 by Dizaka

Dizaka (Author), posted October 8, 2020

Apparently two DDoS attacks happened at night. At least highly unusual logs.

10/8/2020 @ 12:40 am.

10/8/2020 @ 2:00 am.

I thought DDoS attacks are intended to disrupt service and anger people? These done at night impact me so much that I realize after the fact that they happened. lulz.

Boudica, posted October 9, 2020

The main takeaway for me is that I'm your lobby buddy. Yay!

Dizaka (Author), posted October 9, 2020 (edited)

10/9/2020 @ 2:05 am US eastern time (Was sleeping, no games/replays).

WAN port:

LAN:

Looking at last 2 mos of traffic logs latency at 2:05 am, or so, is not normal [Edit: wrote wrongly]. Currently, over last few days, when playing 0Ad (2-3 games?) or during daytime no issues.

Edited October 9, 2020 by Dizaka

Dizaka (Author), posted October 10, 2020

3:55 pm eastern US time. Internet was down (per ISP device being restarted as managed by Switch). Short downtime that I didn't realize happened.