
When playing 0ad whole network disconnects. Network otherwise stable.


Dizaka

On 10/5/2020 between 9:00 pm and 11:00 pm eastern time the lobby users are being hit hard by whoever is the DDOS child.  I'm being ignored for some reason.  Magically, a number of users who rarely, if ever, log in logged in.  The first topic on these users' minds was DDOS.  Peculiar but just speculation.

 

Below is a WAN chart of traffic since 9/11.  Most peaks, if not all, except between 9/15 and 9/16, are when I disconnected from 0ad due to, what I believe, were ddos attacks.

image.thumb.png.c314f8d8627ada5d6c66159ec4666232.png

 

Below is the corresponding LAN chart.  Notice how traffic between 9/15 and 9/16 can be seen on LAN?  That's because it goes past the router and isn't blocked/discarded like a DDOS attack.  The 9/15-9/16 traffic is a 4 tb download.

image.thumb.png.48bf9836f5ee91dcb496de37182faa17.png

 


THE PLOT THICKENS 

happened to me too 

btw dizaka who did you piss off so much?

we need names for just in case you disappear we can know what you knew 

im not a computer guy but this isnt gonna turn out to be some huge hac atac on all 0ad ppl attacking eachother and spreading some hac virus and in the end the masterminds presses a button and we all lose our money and our shameful collection of extremely ugly pug pictures gets leaked online while this guy laughs maniacally in his secret lair under a volcano while eating peanut butter with his bare hands and maybe setting up plans having his minion write down the dates and time to destroy other ppl in other games hes played who pissed him off?


9 hours ago, vinme said:

THE PLOT THICKENS 

happened to me too 

btw dizaka who did you piss off so much?

we need names for just in case you disappear we can know what you knew 

im not a computer guy but this isnt gonna turn out to be some huge hac atac on all 0ad ppl attacking eachother and spreading some hac virus and in the end the masterminds presses a button and we all lose our money and our shameful collection of extremely ugly pug pictures gets leaked online while this guy laughs maniacally in his secret lair under a volcano while eating peanut butter with his bare hands and maybe setting up plans having his minion write down the dates and time to destroy other ppl in other games hes played who pissed him off?

Not sure.  The person is being more covert than overt.  Like as if they were afraid of repercussions for their actions.  Like as if they didn't have a pair (male or female pair, either of the two or both - I don't judge).   Total wussies.

 

Edit:  Apparently there is at least one person who has the audacity to allege that I'm the DDoSer who ruins games.  See below (General Lobby Chat from 10/5/2020, eastern time zone):

 

image.png.93735ac3e0596f6a19272759d3fd48eb.png

image.png.8b04d3c080824cb6f45157ceabf0b3b7.png

image.png.81f17078772eab1f9c1ec0ba3c4dab85.png


10/6/2020 around 1:23 pm Eastern Time.  Clearly hit a nerve with someone through my last post.  Internet/0Ad WAN port down due to DDoS.

 

1:36 pm.  Whoever is doing this #gohardorgohome.  My ISP hasn't called yet.

 

1:41 pm.  It stopped.  Chart is below.

image.png.2f4fa2d1ebd416a592bfe58a97d345ce.png

 

 

What's interesting is whoever is doing this is optimizing the attack.  I've noticed that they are starting to send more packets now but lower bandwidth utilization.  For example, see below:

image.png.cd11a52de0680c2f9335096fd73b0a2c.png

 

185,054,775 packets received.  That's like 100x higher than usual.  Therefore, whoever is doing this is trying, using what some people call a brain, to optimize the attack.

 

 

 


Found something weird going through logs.  Could be relevant or could be not relevant.

Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53180, to: 104.31.64.171:80, protocol: TCP    3:55 pm    09/23/2020    
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53084, to: 104.31.65.171:80, protocol: TCP    3:54 pm    09/23/2020    
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52919, to: 172.67.180.106:80, protocol: TCP    3:53 pm    09/23/2020    
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52909, to: 216.105.38.13:80, protocol: TCP

Threat Management Alert 2: Misc Attack. Signature ET CINS Active Threat Intelligence Poor Reputation IP group 21. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP    9:50 pm    09/19/2020    
Threat Management Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP    9:50 pm    09/19/2020    

The bad IP addresses:

104.31.64.171
172.67.180.106
216.105.38.13
45.129.33.81

 

Odd thing is that here:

Threat Management Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP    9:50

Specifically the 20595 port is being addressed.  That's the 0Ad game port.


Look here:  https://www.dshield.org/block.txt  .  The IP is on the Dshield.org website ...  I guess abuse@ipvolume.net is getting an email.  1954 indicates that the 45.129.33.0 address group is a Canada and/or Fort Lauderdale regional ownership.

 

Edit:  Ooops.  Country code is from Seychelles, East Africa.  Code is 2047 for 45.129.33.*.  Not sure where 1956 came from.


Hi @Dizaka, the exact same thing is happening to me.

I'm in a game and my internet is suddenly gone for 2, 5, 10 minutes or so. You are not the only one. Also almost every game I play the host gets disconnected and the game ends. 

I don't know what's happening but... this seems dirty play.


finally som1 is getting it @badosu.

whoever it is might be paying som1 for the ddos services cuz i mean who would take the time to just annoy the shlt out of dizaka atleast few bucks is reasonable or it seems so i mean what could dizaka do anyway online.did u like slaughter someones family to the 7th generation all north korea style @Dizaka cuz its obvious theres some beef going on here and ur not telling us shlt -_-


16 hours ago, Dizaka said:

The bad IP addresses:

104.31.64.171
172.67.180.106
216.105.38.13
45.129.33.81

All of them are from the United States from my lookup. Some behind Cloudflare. The last one from an ISP that usually hosts servers.

Seychelles has some blocks close to that last IP, but it doesn't own that specific range.

45.66.35.0/24

45.67.14.0/23

45.134.12.0/24

45.141.59.0/24

45.148.164.0/24

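Added example, not part of either post above: a small triage of the quoted alert lines that separates alerts by direction relative to the redacted WAN address and checks the one inbound source against the CIDR blocks listed in the reply. The alert lines are copied from the thread with trailing timestamps trimmed; the names `WAN`, `GAME_PORT`, `triage`, `game_port_hits` and `in_listed_blocks` are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

WAN = "A.B.C.D"      # poster's redacted public address, as it appears in the logs
GAME_PORT = 20595    # 0 A.D. game port, per the post
# Alert lines copied from the thread (trailing timestamps trimmed).
ALERTS = """\
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53180, to: 104.31.64.171:80, protocol: TCP
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:53084, to: 104.31.65.171:80, protocol: TCP
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52919, to: 172.67.180.106:80, protocol: TCP
Threat Management Alert 2: Potentially Bad Traffic. Signature ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)). From: A.B.C.D:52909, to: 216.105.38.13:80, protocol: TCP
Threat Management Alert 2: Misc Attack. Signature ET CINS Active Threat Intelligence Poor Reputation IP group 21. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP
Threat Management Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From: 45.129.33.81:41427, to: A.B.C.D:20595, protocol: TCP
""".splitlines()
# CIDR blocks listed in the reply.
BLOCKS = ["45.66.35.0/24", "45.67.14.0/23", "45.134.12.0/24",
          "45.141.59.0/24", "45.148.164.0/24"]

LINE = re.compile(
    r"Alert \d+: (?P<cls>.+?)\. Signature (?P<sig>.+?)\. "
    r"From: (?P<src>[\w.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\w.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)

def triage(lines):
    """Group signatures by peer: outbound = WAN is the source, inbound = WAN is the target."""
    out = {"outbound": defaultdict(set), "inbound": defaultdict(set)}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an alert line in this format
        if m["src"] == WAN:
            out["outbound"][m["dst"]].add(m["sig"])
        elif m["dst"] == WAN:
            out["inbound"][(m["src"], int(m["dport"]))].add(m["sig"])
    return out

def game_port_hits(result):
    """Remote sources whose alerted traffic was addressed to the game port."""
    return sorted({src for src, port in result["inbound"] if port == GAME_PORT})

def in_listed_blocks(ip, blocks=BLOCKS):
    """Return the listed CIDR blocks that contain ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [b for b in blocks if addr in ipaddress.ip_network(b)]

if __name__ == "__main__":
    r = triage(ALERTS)
    print("outbound:", sorted(r["outbound"]))
    print("game port hits:", game_port_hits(r), in_listed_blocks("45.129.33.81"))
```

On these lines the port-80 alerts are all connections leaving A.B.C.D, and the only alerted traffic arriving from outside is from 45.129.33.81, addressed to port 20595.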

11:30 pm or so on 10/6/2020.  While in bed tablet device wasn't connecting to internet (WiFi was working).  I guess this explains why I fell asleep earlier last night.  Attacks are pretty boring and old now.  In any case, DDoS'r - can you do this more often at 11:30 pm, or so?  I got some good sleep and this is helping my insomnia.

 

Anyway, #gohardorgohome.  Waiting for that ISP phone call.

 

image.png.825852f619ab8dd573c7717978b2cb21.png


20 minutes ago, smiley said:

Ok this is just getting unprofessional from devs now...

1. Imagine if someone with a rather pricy internet connection is on the receiving end.

2. This is actively ruining the multiplayer experience from what I can tell.

3. Thread was made on September 13 and no one with a blue nick has even bothered replying here.

At least implement a central relaying proxy so people don't have to expose their public IPs.

I will reply to my own post as well because I literally know the response.

"This is an unpaid volunteer project"

There isn't much that can be done.  This post is more about showing that there is an issue and that there are bad actors.  We don't even know what the motivation is behind these bad actors.  Is it to end games so that they can play 0Ad (lulz)?  Is it to grief players (2x lulz)?  It is unknown.  Mostly b/c the actors are covert and not overt.  The people doing this are afraid of any RL repercussions, otherwise they'd post their personal information. 

In conclusion, I will actually defend the devs and all the volunteers.   They are doing an amazing job with this game and I wouldn't be posting here if they weren't.

The person doing the DDoS is just going to DDoS.  DDoS'r, please spend more $$ on your DDoS or get some skillz. 


Apparently two DDoS attacks happened at night.  At least highly unusual logs.

 

10/8/2020 @ 12:40 am.

image.png.031421580c6c768f3527ed158a34c0dd.png

 

10/8/2020 @ 2:00 am.

image.png.5b6674c2af3b39df31439ba39bf25ef5.png

 

 

I thought DDoS attacks are intended to disrupt service and anger people?  These done at night impact me so much that I realize after the fact that they happened.  lulz.


  • Guest changed the title to 10/9/2020 - 12:30 am Central European Time - Possible DDoS (IP address may be compromised, will change later)
  • Guest changed the title to 10/9/2020 - 00:30 Central European Time - Possible DDoS (IP address may be compromised, will change later)

10/9/2020 @  2:05 am US eastern time (Was sleeping, no games/replays).

 

WAN port:

image.png.30578ad68f0d979fb0d00c8656220968.png

 

LAN:

image.png.902d4ab902fbf7751e40a24fe1f28d7e.png

 

 

Looking at last 2 mos of traffic logs latency at 2:05 am, or so, is not normal [Edit:  wrote wrongly].  Currently, over last few days, when playing 0Ad (2-3 games?) or during daytime no issues.

 
