
When playing 0ad whole network disconnects. Network otherwise stable.



6:10 pm Eastern Time.  Net down.  Private no specs game with Nani.

Update: 6:24 net still down.  Maybe a new record?

Update: 6:32 net still down.

Update: 6:34 ... :)

Update: 6:46 ... :) Watching Netflix through a diff network ...

Update: 6:49 back online

Pic below is the start of the DDOS.  There's no middle b/c it was another big one.

image.png.2ba1e53688033d508efbffbdeb545a3b.png

Edited by Dizaka

Popular Posts

Looking at my traffic logs for today (don't have previous logs, unfortunately) I can see that my network gets hit with a lot of traffic in a short period of time.  This is the WAN port on my router. 


image.png.184dd6e73d296b180a06343311b2e979.png

 

1)  Kristian solo disconnect.

image.png.b9e2e2cbda317ceba8f39eeecc57490c.png

image.png.692a6a01da71b3e464e74c5e0e27fbaa.png

image.png.b3774c8fadff61cec7d4a73eaca30373.png

 

 

Either a potato for a PC or ...  .  Previously, and in general, his potato PC doesn't have issues with his games.

 

2)  Kristian/Cesar duo disconnect.

image.png.e6dca4176a7beda43389b5d3e4fd1267.png

image.png.46447db21f2501c5f6db477f69bd9c00.png

image.png.d4f510722cc60bafc6c29febed839248.png

 

Game ended afterwards.  Not sure if Cesar/Kristian or other team was winning or whether it was close to end of game.  Was banned by Phyzik for being a silent spec.  Don't have replay on what happened.

image.png

Edited by Dizaka

image.thumb.png.be120038172e52e3f8200df5ad5effae.png

 

6:24 -- Go2die and Acero left spec.

 

6:27 -- Chetnik kicked for flimsy connection  (Possibly on same IP as previously)

image.png.31863391fe4cfbd948374fdbbaf9c5c5.png

 

6:47 -- Ricsand joined game.

image.png.e8c39a65f765781f5149d25fc3d34dbe.png

Join failed.  Looks normal though.

image.png.01f6e1e5315952a73b175b2cedee08a1.png

6:59 -- FrankStallone left game

7:01 -- game ended.  

 

Honestly, this was a normal 0ad game.  No multiple critical-player disconnects, etc.  It's possible that Chetnik did a whole net disco from DDOS as his IP was previously compromised.  Either way, uneventful game and done.  Ricsand probably had issues reconnecting midgame to a max 200 4v4 game with movement on all units.

 

Edited by Dizaka

8:48 -- Borg disconnected. 

 

Players IG:

image.png.001a20bd92237917330da563fc49673e.png

 

8:52 -- Was lagging.  Host kicked me.

 

8:59 -- Lapacientos lagged and was kicked.

9:00 -- Lapacientos rejoined.  Game continues.

9:03 -- Borg kicked due to timeout.

9:09 -- Borg rejoins lobby.  Must have been a somewhat strong ddos.

image.png.3676a0ebc4bb91dc6943904656916c16.png

9:24 -- Something new.  Game at a standstill.  No one showing as lagging.  Eventually borg disconnects/times out.

9:24 -- Phyzik leaves the game.

 

Conclusion:  Way too many disconnects and reconnects this game.  Typical game has maybe a person disconnect and then come back fairly fast.  This game was all over the place for whatever reason.

Edited by Dizaka

Your ISP will never call, because they have no clue this is even happening. Their threshold will be set a lot higher.

The game logs don't really help.

You can either run wireshark and find out what traffic is, where it's coming from, and null route it on your router or you can request a new public IP and never host a game on the lobby. The former will fix it regardless of whether it's a DoS attack or not. And I think your router is an EdgeRouter. Maybe enable logging, but given that it's already dying, that might not be the best idea.

I mean it could be a SYN flood, an ICMP flood, a UDP flood (this might be the case because of how much traffic is going through), illegal TCP flood, etc. Or even unroutable IPs. Impossible to determine with the information available.

Regardless, nothing much anyone else can do here.

2 hours ago, smiley said:

Your ISP will never call, because they have no clue this is even happening. Their threshold will be set a lot higher.

Accordingly, it's safe to assume that me calling them for this small fish is pointless as there likely won't be a good enough response.

Dear small fish, you reading this?  Go big or go home.

 

2 hours ago, smiley said:

The game logs don't really help.

Conclusory statement.  All of yesterday no attacks on me.  Those one or two attacks could or couldn't have been something.  Looking at my logs I couldn't figure it out as I was testing something else out that rendered the charts unusable.  However, overall yesterday my 0ad experience was fairly stable, minus the one or two weird disconnects I had. 

 

2 hours ago, smiley said:

You can either run wireshark and find out what traffic is, where it's coming from, and null route it on your router or you can request a new public IP and never host a game on the lobby. The former will fix it regardless of whether it's a DoS attack or not. And I think your router is an EdgeRouter. Maybe enable logging, but given that it's already dying, that might not be the best idea.

I mean it could be a SYN flood, an ICMP flood, a UDP flood (this might be the case because of how much traffic is going through), illegal TCP flood, etc. Or even unroutable IPs. Impossible to determine with the information available.

For a distributed denial of service attack running wireshark is likely to be a pointless exercise.  If it's distributed it's coming from multiple devices under the attacker's purview that likely excludes the attacker's device(s).  However, that is an assumption worth checking out.

 

2 hours ago, smiley said:

Regardless, nothing much anyone else can do here.

Another conclusory statement that isn't necessarily true.

Edited by Dizaka

I didn't suggest wireshark to find the attacker, but to find the methodology so you can have appropriate defences in your router.

Feel free to do what you think is right. I don't stand to gain anything here.


Hmmm.. I was thinking of adding a software level package monitor like wireshark, so would that be ineffective? Should I at least be able to track I'm being flooded?

Edited by badosu
16 minutes ago, badosu said:

Hmmm.. I was thinking of adding a software level package monitor like wireshark, so would that be ineffective? Should I at least be able to track I'm being flooded?

You would be able to verify what exactly it is.  With my graphs it's simply conjecture.


Guys, who really experienced DDOS while playing 0ad? I did, and I can tell you all disconnected (nothing worked, no website able to visit, no phone on wifi could get data even connected to wifi).. and it took like 10-15 minutes when it disappeared. 

On the other hand I had many "left" from hosted game without any issues of my connectivity (everything else worked well) and usually I can rejoin game after. This is probably not related to attack. What I noted if there is big attack all players got disconnected (or most of them) so it looks like they are not under attack but "host" of the game is.

 

How to monitor it? How to detect it on a regular laptop? Other than the symptoms I described?

Edited by go2die
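An added example, not part of any post in this thread: one way to answer "what kind of traffic is it?" from a packet capture, sorting packets into the flood families smiley lists (SYN, ICMP, UDP) per second and counting distinct sources. It assumes the capture was exported as tab-separated fields (epoch time, source IP, IP protocol number, TCP flags in hex, frame length), e.g. with `tshark -T fields -e frame.time_epoch -e ip.src -e ip.proto -e tcp.flags -e frame.len`; the sample rows, the addresses (documentation ranges) and the threshold are constructed.

```python
from collections import defaultdict

def classify(proto, flags_hex):
    """Map one packet to the traffic families named in the thread."""
    if proto == 1:
        return "icmp"
    if proto == 17:
        return "udp"
    if proto == 6:
        flags = int(flags_hex, 16) if flags_hex else 0
        # SYN (0x02) set without ACK (0x10): a new connection attempt, not a reply.
        return "syn" if flags & 0x02 and not flags & 0x10 else "tcp-other"
    return "other"

def summarize(lines, pps_threshold):
    """Return (second, kind, packets, bytes, distinct_sources) for every
    (second, kind) bucket whose packet count reaches pps_threshold."""
    buckets = defaultdict(lambda: [0, 0, set()])  # packets, bytes, source IPs
    for line in lines:
        epoch, src, proto, flags, length = line.rstrip("\n").split("\t")
        bucket = buckets[(int(float(epoch)), classify(int(proto), flags))]
        bucket[0] += 1
        bucket[1] += int(length)
        bucket[2].add(src)
    return [(sec, kind, pkts, nbytes, len(srcs))
            for (sec, kind), (pkts, nbytes, srcs) in sorted(buckets.items())
            if pkts >= pps_threshold]

def constructed_sample():
    """Constructed capture: a little ordinary traffic, then one second of UDP burst."""
    rows = ["1000.10\t198.51.100.7\t17\t\t120",
            "1000.60\t198.51.100.7\t6\t0x0010\t60",
            "1001.20\t198.51.100.7\t6\t0x0002\t60"]
    # 300 large UDP packets inside second 1002, spread over 30 source addresses.
    rows += [f"1002.{i:03d}\t203.0.113.{i % 30 + 1}\t17\t\t1400" for i in range(300)]
    return rows

if __name__ == "__main__":
    for sec, kind, pkts, nbytes, srcs in summarize(constructed_sample(), 100):
        print(f"t={sec} {kind}: {pkts} pkt/s, {nbytes * 8 / 1e6:.2f} Mbit/s, {srcs} sources")
```

A high distinct-source count in the busy seconds means blocking individual addresses will not help, while a single dominant kind (for example UDP to one port) is something a router rule can drop.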

9:50 pm Eastern time (NY).  DDOS again.  Can't set up the monitoring yet ...

image.png.1e6a997389ae33a7bf666005b3c6e6a3.png

 

Honestly, anytime a player disconnects from a game I'd probably blame DDOS.  It seems like few network connections these days are unstable ...

 

Note:  I've offered to pay for counseling and therapy services for whoever is doing this.  Please PM me.  

Edited by Dizaka
  • Thanks 1

I have same issue. Same machine and internet can host game servers 24/7 (of not 0ad, other game) yet if I'm in 0ad lobby or 0ad game (mostly game, but lobby too  it happened) my wifi will stop working for a while, after a while (after random, short time)

 

Could be ddos but it's hard to believe someone does this stuff regularly to different 0ad players each day

Edited by thankforpieOfficial
  • 2 weeks later...
Posted (edited)

image.png.cbca1e9a0d77755cf1e90d11874ad61c.png

 

6:27 pm eastern time.

Game lagged horribly.  Sufficiently enough that it wasn't playable and host decided to end game.  It's as if the ddos is being scaled down to prevent games but not disconnect them.

Edited by Dizaka
Posted (edited)

Specing game.  Phyzik mentioned something about screenshots and Issh luled about them (ph4r em!).  Wasn't involved in game (was spec).

This happened around 6:46 pm Eastern US time.

First ddos during this game around 6:46.  This one disconnected me from game and sent me to lobby.

image.png.811c2abdfc0f78d0097a220e821bed8e.png

 

image.png.a5e7a4dcf758134e8d79115d2bac1b03.png

 

Received a 2nd ddos around 6:55 or so:

image.png.37668c1f627b9de888a162d68effd76a.png

image.png.0751d7f982820dc5b4b88af8a94d6077.png

 

Banned from game for connectivity issues.  Host is Bonesnscars. (He did the right thing)

 

Phyzik explicitly asked for ban.  He directly stated his ph3ar of screenshots beforehand (before game started).

 

image.png.1ffda89c61987f2f6cbe256da7158e24.png

 

Double checked who else asked for my ban, out of curiosity:

 

image.thumb.png.eb1b29e8d860ef28a35008a282ace489.png

 

Edited by Dizaka
  • Thanks 1
  • go2die changed the title to 10/9/2020 - 00:30 Central European Time - Possible DDoS (IP address may be compromised, will change later)
