Jump to content

Attacks on 0ad (suspected DoS/DDoS)


BoredRusher
 Share

Recommended Posts

Hi,

Ok, we all have pretty much seen what is happening the last times to some team games : unexplained crashes.

It occurs principaly in the games of "known players". So it's legitim to think they don't happen randomly but are through someone or some people who is/are targetting 0ad for a reason which is not clear yet.

The community was not silencious about those attacks and many tried for some to find who is doing that and others to find how to face them.  Event if many are developers, it is not always evident.

I - The facts:

All the clients lose almost simultaneously the connexion to the server. This process seems irreversible as there are not actually connexion issues and way to fix it.

II - The responses:

A - Finding the author(s)

Here is a screenshot of online people a day when many attacks happened.

 

ddos.thumb.png.aa0800ba69eb5f4b57a9a67663f8232b.png

Image by reza-math.

This screenshot is interesting because attacks here happened where there was not a lot of people online.

B - Make a protection against the attacks

The first idea to protecting against that attacks is to close the ports used by the author(s). The issue is that this solution is not very effective when the author(s) can only change attack port.

Another fact is that they need to go through 0ad to do their attacks.

And about that we know the port used by 0ad lobby : 5222. Confer to the discussion below dated of November 2013.1166154199_Capturedcran2020-11-26154433.thumb.png.7f05fd2a441d6fc4bcbf566dc8e30948.png
 

Refering to this, we easily see that all the threads are going through there. So for an attack, many connnexions can be simulated. So, we are probably facing DoS/DDoS attacks.

We easily see that by running `netstat`

180568383_Capturedcran2020-11-26163352.png.1777fd9b7857db126c92f1a6e778ab7a.png

Even if the will of the author(s) is not known yet, we suppose they only want to destroy the game or some players.

However, what we must do is to face that attacks as it should be.

C - What I am experimenting

Knowing that, it is clear that closing all connexions using a firewall on the port 5222 won't solve the issue.

But in another hand, the attacks are coming from tiers through pyrogenesis.

And this is our luck !

In fact, Operating Systems allow using firewalls on applications to only allow secure (or encrypted) connexions (even not tiers?) trusted by those applications(or only coming from them?).

After doing that stuff, I performed many tests on the game and the result was pretty surprising.

On 7 games (by a day with many attacks), 6 ended well and the 7th was according to me due to a connexion issue from me.

What I have noticed and what is making me confidant on this is that we have often felt the attack coming (the connexions were dropping slowly). And my hypothesis is that the author(s) of the attacks was/were trying to perform his/their attack when my firewalls were at the same time stopping their entering connexions.

That is pretty much all.

I'm waiting for your remarks and suggestions.

I will publish soon a detailed guide on how to perform the solution proposed here on Windows and Debian cores (if it's agreed by the community).

Kind regards,

Edited by BoredRusher
  • Like 2
Link to comment
Share on other sites

  • BoredRusher changed the title to Attacks on 0ad (suspected DoS/DDoS)

The attack is directed at the router creating a saturation on that point and not on the computer or pyrogenesis as the whole house loses connection when happens.

I managed to avoid it by using my smarthphone data connection with wifi tethering as it looks more difficult to ddos the game that way and seems to be working (don't expose your real IP)

  • Like 1
Link to comment
Share on other sites

1 hour ago, go2die said:

Also DDOS was proven by Dakara that it recieved abnormal packet trafic over short period of time.

 

Firewall  solution is most likely only additional overkill to your router. it is chain reaction.. coz your router need additional cpu to resolve and inspect every packet. with very strong routers it is doable.. but not for every player who host game.

if DDOS comes from multiple sources you have 0 success with encrypting or firewalling for sure.. You can search topics on google or amazon cloud tries to be DDOSed.. very interestign reads

That it not false. I will take a more deep look at that.

Link to comment
Share on other sites

13 hours ago, badosu said:

You meant @Dizakaperhaps?

Or maybe dakeyras, dakora, darkcity.. :rofl:

@mysticjim even called @Dakara as @Dizaka liberally and interchangeably in one of his videos!

@BoredRusher generally, if everyone disconnects, the host is on the receiving end of the DDoS.  There are different levels of attacks that the attacker does. 

  • Small attacks to make you lag so that host boots/kicks you.   Maybe you're annoying enough to them.
  • Larger attacks to make your connection seem unstable.  You can drop from game.  You could be pushing the right buttons.
  • Even large attacks if you anger particular players.  You likely will drop from game and/or unable to access internet for 2-5 mins.  At this point DDoSr is emotionally invested.
  • Largest attack has been about a 25-35 min disconnection from the internet on commercial-grade equipment using a 200mbit connection.  Probably because the DDoS'er has no emotional self control.
  • Attacks on host to disconnect everyone.  Maybe because they wanted to get in on a game but don't want to wait for one to end?
  • Random night attacks.  My guess whoever does this has a script running through IPs at night to agitate other players with blind shots.  This could be just to deflect attention from them and onto players for "having bad internet connections."  Interestingly, there's a limited number of players in lobby mocking others for "crappy internet."

The only way to stop attacks, from my perspective, is through 'bot hosts' hosted on Amazon, Azure, or some other cloud service with DDoS protection who rejoin the 'lobby' upon disconnections so players can rejoin.  This protects players from joining hosts of compromised players who do those attacks (therefore, they can't get new IPs).  Additionally, this prevents someone from lobby getting the host IP addresses (player IP addresses) and, instead, getting a cloud IP address that has the counter measures necessary to alleviate the DDoS.

In general, 0ad has GOOD network code and a majority of players have GOOD connections.  The issue is some dumbass from the community ruining it for others pretending he has a NASA host.  In the end your realize it's a child with a lot of growing who is afraid to reveal who they are.

Finally, whoever does this has interesting control over the attack.  I've noticed two ways attacks are done:

  • Large packets being sent to you.
  • Tons of small packets being sent.

I haven't setup Wireshark but there are players who have (who, actually, professionally do telecom) agree that it is a DDoS.

 

 

 

@BoredRusherAlso, not saying it's berhudar (could be someone else if Wolo has static/same ip) but worth cross-checking IP his addresses with those of other players and also checking if he plays behind a proxy.  An admin maybe could do that.

Edited by Dizaka
  • Thanks 1
  • Haha 1
Link to comment
Share on other sites

5 hours ago, Angen said:

some routers offer ddos protection, it is just not enabled by default. 

also using VPN could help

I doubt home routers will have that capability. I would assume who ever does this would know how to to actually knock out a router. DoS detection is a complex problem. Usually, DoS attacks starve out the end host, not the hardware in between. Home routers with limited memory aren't hard to starve unfortunately.

Find where it comes from, find what it sends, null route all trafic that match the both criteria. You aren't running a server, you can safely block out entire regions.

  • Like 1
Link to comment
Share on other sites

On 28/11/2020 at 12:48 AM, Dizaka said:

@mysticjim even called @Dakara as @Dizaka liberally and interchangeably in one of his videos!

@BoredRusher generally, if everyone disconnects, the host is on the receiving end of the DDoS.  There are different levels of attacks that the attacker does. 

  • Small attacks to make you lag so that host boots/kicks you.   Maybe you're annoying enough to them.
  • Larger attacks to make your connection seem unstable.  You can drop from game.  You could be pushing the right buttons.
  • Even large attacks if you anger particular players.  You likely will drop from game and/or unable to access internet for 2-5 mins.  At this point DDoSr is emotionally invested.
  • Largest attack has been about a 25-35 min disconnection from the internet on commercial-grade equipment using a 200mbit connection.  Probably because the DDoS'er has no emotional self control.
  • Attacks on host to disconnect everyone.  Maybe because they wanted to get in on a game but don't want to wait for one to end?
  • Random night attacks.  My guess whoever does this has a script running through IPs at night to agitate other players with blind shots.  This could be just to deflect attention from them and onto players for "having bad internet connections."  Interestingly, there's a limited number of players in lobby mocking others for "crappy internet."

The only way to stop attacks, from my perspective, is through 'bot hosts' hosted on Amazon, Azure, or some other cloud service with DDoS protection who rejoin the 'lobby' upon disconnections so players can rejoin.  This protects players from joining hosts of compromised players who do those attacks (therefore, they can't get new IPs).  Additionally, this prevents someone from lobby getting the host IP addresses (player IP addresses) and, instead, getting a cloud IP address that has the counter measures necessary to alleviate the DDoS.

In general, 0ad has GOOD network code and a majority of players have GOOD connections.  The issue is some dumbass from the community ruining it for others pretending he has a NASA host.  In the end your realize it's a child with a lot of growing who is afraid to reveal who they are.

Finally, whoever does this has interesting control over the attack.  I've noticed two ways attacks are done:

  • Large packets being sent to you.
  • Tons of small packets being sent.

I haven't setup Wireshark but there are players who have (who, actually, professionally do telecom) agree that it is a DDoS.

 

 

 

@BoredRusherAlso, not saying it's berhudar (could be someone else if Wolo has static/same ip) but worth cross-checking IP his addresses with those of other players and also checking if he plays behind a proxy.  An admin maybe could do that.

Hi,

Your categorization of the types of attacks is very interesting to study because it is representative, at least in appearance, of what we can find or feel in the game.

Nice job !

Link to comment
Share on other sites

7 hours ago, BoredRusher said:

Hi,

Your categorization of the types of attacks is very interesting to study because it is representative, at least in appearance, of what we can find or feel in the game.

Nice job !

Had a lot of experience with this around late August and early September.  Only time I get DDOS/latency/connection issues is after/during launching 0ad.  It had happened when chatting aggressively with other players.  Either DDOS person was reading/policing chat or on receiving end of aggression and didn't like it.

 

(Edit:  Aggression was a response to being ddosed multiple times previously and trying to figure out if it is a player element or a 0ad element.  It's definitely a player/griefer and not the game.)

 

Edited by Dizaka
  • Like 1
Link to comment
Share on other sites

Related topics

"DDOS"?
By @Emperior, May 26, 2019 in Help & Feedback

Strange disconnection issue. [PLEASE UPLOAD REPLAYS]
By @user1, June 11, 2020 in Help & Feedback

When playing 0ad whole network disconnects. Network otherwise stable.
By @Dizaka, September 2, 2020 in Gameplay Discussion

Nedris (currently 1422) will DDOS without you pissing him off directly
By @JohnDoe2, October 13, 2020 in General Discussion

Attacks on 0ad (suspected DoS/DDoS)
By @BoredRusher, November 26, 2020 in Bug reports

Are you aware of the scale of DoS attacks?
By @badosu, December 6, 2020 in Game Development & Technical Discussion

Link to comment
Share on other sites

On 05/12/2020 at 3:51 PM, aixo said:

This is how tcpdump stdout with filter for incoming UDP packets, iptables dropping any UDP packet over 10 packets per 1 second per one source and being behind my ISP NAT (so targetting only one port) looks like under the attack :)

Wtf, so they're flooding via NTP? Maybe blocking via NTPv2 pattern does it, awesome @aixo!

  • Like 1
Link to comment
Share on other sites

  • 2 months later...

i get why he ddos ing other ppl but why me tho i never anger anybody im the nicest 0ad player around! got ddosed 3 times in a row maybe 4 vs boredrusher and bofer that a bunch too.anyway i guess i should get a vpn? and a new ip?if i get ddosed while having a vpn can i reconnect with another ip?  

hackermen pls help us (these r ppl i think r hackermen) : @nani @PhyZik  @badosu @JC (naval supremacist) ... @go2die arent you like 14? how do you even understand any of this? i forget other hackermen if any1 knows pls add. 

  • Confused 1
Link to comment
Share on other sites

  • 2 weeks later...

Hi,

I wanna ask just something to have correct expectations. I am hosting a24 games behind Carrier NAT which means that I do not have a public IP on my home router. The game host IP is public IP of my provider shared with many others. That means that the IP:PORT of each game I host is different - the port always changes since It's the NAT. I set the password (new feature in a24) for joining the game lobby.

I got ddosed. Does it mean that someone had to enter the password and joined my game to get the IP:PORT information? Am I right to expect that IP:PORT of games are exposed only after providing the password and joining the game in a24?

Link to comment
Share on other sites

14 minutes ago, aixo said:

Does it mean that someone had to enter the password and joined my game to get the IP:PORT information? Am I right to expect that IP:PORT of games are exposed only after providing the password and joining the game in a24?

That's correct, IP should only be revealed if the correct password was entered.

Note that I think for the DDOS described earlier, only the IP needed to be known, so if you IP didn't change it's still possible you'd get DDoS-ed in principle /

Link to comment
Share on other sites

2 minutes ago, wraitii said:

That's correct, IP should only be revealed if the correct password was entered.

Is it technically possible to enter the password and get the IP:PORT info without actually appearing in game lobby as a joined user? If so, does lobby have any logging possibilities which could show what users entered the password to a specific game?

2 minutes ago, wraitii said:

Note that I think for the DDOS described earlier, only the IP needed to be known, so if you IP didn't change it's still possible you'd get DDoS-ed in principle /

IMO It depends on the type of connection. I had public IP on my home router in the past, and I did get simple UDP flood DDOS attacks which targeted my public IP on various ports and caused internet link saturation and/or overloading my router.

As I said I am currently behind Carrier NAT so I am exposed to the Internet only through my provider public IP which is hosted on some enterprise device with DDOS protection and that IP is shared by many users so you can get to "me" only through specific exposed port by NAT. It worked for a while and protected me from attacks but the attackers adjusted and started to attack the specific exposed port used by game with  NTP/Memcache Amplification DDoS attacks which keeps my internet link okay, the game is registered to the lobby but since the game port is under heavy traffic the players drop from the game, all other Internet traffic is okay.

My belief is that in my case you need to know IP:PORT to attack me successful (which means to make players to drop from the game), I do believe that the PORT is always different for each game I host and my game which had a password set got attacked. So my assumption is that the attacker had to enter the password and I do believe we could narrow it down. I know who appeared as joined in the game lobby (or I can sniff incoming traffic on socket opened by 0ad in future and collect IPs). But probably that would require some coordination behind the scene.

And yes, something I am sure about for long time. The attacks are not made by an automatic script which would target random people but by someone who actively watches the lobby and does manual actions and I believe is an active member of community which is a shame.... someone grabbed the game password to get IP:PORT info because I do believe that in my case IP is not enough.

Link to comment
Share on other sites

33 minutes ago, aixo said:

Is it technically possible to enter the password and get the IP:PORT info without actually appearing in game lobby as a joined user? If so, does lobby have any logging possibilities which could show what users entered the password to a specific game?

hello,
0ad is using xmpp client as proxy for requests to connect and answers from host of the match.
everytime you host the match in lobby, there are logged all usernames who asked you for ip and port regardless if they got it or not (there was no password, there was wrong or correct, all cases are logged).
you can see them in mainlog https://trac.wildfiregames.com/wiki/GameDataPaths.
look for "XmppClient: Recieved request for connection data from"

please also note,
once you join host, host can see your ip

  • Like 2
Link to comment
Share on other sites

1 hour ago, Angen said:

hello,
0ad is using xmpp client as proxy for requests to connect and answers from host of the match.
everytime you host the match in lobby, there are logged all usernames who asked you for ip and port regardless if they got it or not (there was no password, there was wrong or correct, all cases are logged).
you can see them in mainlog https://trac.wildfiregames.com/wiki/GameDataPaths.
look for "XmppClient: Recieved request for connection data from"

That's very useful, thank you. 

Link to comment
Share on other sites

@Angen, please verify if I understand the mainlog data correctly:

A successfully connected player will have the following logs (In some order, not sure right one atm as don't have logs open):

  • XmppClient: Received lobby auth: 3B7C919BE56E8332 from USER
  • XmppClient: Recieved request for connection data from USER
  • Net server: Received connection from A.B.C.D:XYZ

While an unsuccessfully connected player will only have the following logs:

  • XmppClient: Recieved request for connection data from USER

 

Note:  Just noticed the XmppClient: Recieved request misspells Received.

 

Thank you for the "lock" feature to counter the DDOS!

Link to comment
Share on other sites

48 minutes ago, sil-vous-plait said:

unplayable tonight, around 6-8 games ruined by DDOS in a row over the course of an hour or so, we all finally just left for good

edit: several of these were in locked games

It's possible he had you ips from before... Nothing in the logs?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...