
Attacks on 0ad (suspected DoS/DDoS)


Hi,

Ok, we have all pretty much seen what has been happening lately to some team games: unexplained crashes.

It occurs principally in the games of "known players". So it's legitimate to think they don't happen randomly but are caused by someone or some people who is/are targeting 0ad for a reason which is not clear yet.

The community was not silent about those attacks, and many tried, some to find who is doing that and others to find how to face them. Even if many are developers, it is not always evident.

I - The facts:

All the clients lose the connection to the server almost simultaneously. This process seems irreversible, as there are not actually connection issues and there is no way to fix it.

II - The responses:

A - Finding the author(s)

Here is a screenshot of online people on a day when many attacks happened.

[Screenshot: ddos.png]

Image by reza-math.

This screenshot is interesting because the attacks here happened when there were not a lot of people online.

B - Building a protection against the attacks

The first idea for protecting against those attacks is to close the ports used by the author(s). The issue is that this solution is not very effective when the author(s) can simply change the attack port.

Another fact is that they need to go through 0ad to do their attacks.

And about that, we know the port used by the 0ad lobby: 5222. See the discussion below, dated November 2013.

[Screenshot: 2020-11-26 15:44:33]

Referring to this, we easily see that all the threads are going through there. So for an attack, many connections can be simulated. So we are probably facing DoS/DDoS attacks.

We can easily see that by running `netstat`:

[Screenshot of `netstat` output: 2020-11-26 16:33:52]

Even if the intent of the author(s) is not known yet, we suppose they only want to destroy the game or some players.

However, what we must do is face those attacks as they should be faced.

C - What I am experimenting

Knowing that, it is clear that closing all connections using a firewall on port 5222 won't solve the issue.

But on the other hand, the attacks are coming from third parties through pyrogenesis.

And this is our luck!

In fact, operating systems allow using firewalls on applications to only allow secure (or encrypted) connections (even not from third parties?) trusted by those applications (or only coming from them?).

After doing that, I performed many tests on the game and the result was pretty surprising.

Out of 7 games (on a day with many attacks), 6 ended well and the 7th was, according to me, due to a connection issue on my side.

What I have noticed, and what is making me confident in this, is that we have often felt the attack coming (the connections were dropping slowly). And my hypothesis is that the author(s) of the attacks was/were trying to perform his/their attack while my firewalls were at the same time stopping their incoming connections.

That is pretty much all.

I'm waiting for your remarks and suggestions.

I will soon publish a detailed guide on how to implement the solution proposed here on Windows and Debian-based systems (if it's agreed by the community).

Kind regards,

Edited by BoredRusher
  • BoredRusher changed the title to Attacks on 0ad (suspected DoS/DDoS)

The attack is directed at the router, creating saturation at that point and not on the computer or pyrogenesis, as the whole house loses connection when it happens.

I managed to avoid it by using my smartphone data connection with wifi tethering, as it looks more difficult to DDoS the game that way, and it seems to be working (don't expose your real IP).


Also, DDoS was proven by Dakara, who received abnormal packet traffic over a short period of time.

A firewall solution is most likely only additional overkill for your router. It is a chain reaction, because your router needs additional CPU to resolve and inspect every packet. With very strong routers it is doable, but not for every player who hosts a game.

If the DDoS comes from multiple sources you have zero success with encrypting or firewalling, for sure. You can search for topics on Google or Amazon cloud being DDoSed; very interesting reads.

1 hour ago, go2die said:


That is not false. I will take a deeper look at that.

13 hours ago, badosu said:

You meant @Dizaka perhaps?

Or maybe dakeyras, dakora, darkcity.. :rofl:

@mysticjim even called @Dakara as @Dizaka liberally and interchangeably in one of his videos!

@BoredRusher generally, if everyone disconnects, the host is on the receiving end of the DDoS.  There are different levels of attacks that the attacker does. 

  • Small attacks to make you lag so that host boots/kicks you.   Maybe you're annoying enough to them.
  • Larger attacks to make your connection seem unstable.  You can drop from game.  You could be pushing the right buttons.
  • Even large attacks if you anger particular players.  You likely will drop from game and/or unable to access internet for 2-5 mins.  At this point DDoSr is emotionally invested.
  • Largest attack has been about a 25-35 min disconnection from the internet on commercial-grade equipment using a 200mbit connection.  Probably because the DDoS'er has no emotional self control.
  • Attacks on host to disconnect everyone.  Maybe because they wanted to get in on a game but don't want to wait for one to end?
  • Random night attacks.  My guess whoever does this has a script running through IPs at night to agitate other players with blind shots.  This could be just to deflect attention from them and onto players for "having bad internet connections."  Interestingly, there's a limited number of players in lobby mocking others for "crappy internet."

The only way to stop attacks, from my perspective, is through 'bot hosts' hosted on Amazon, Azure, or some other cloud service with DDoS protection who rejoin the 'lobby' upon disconnections so players can rejoin.  This protects players from joining hosts of compromised players who do those attacks (therefore, they can't get new IPs).  Additionally, this prevents someone from lobby getting the host IP addresses (player IP addresses) and, instead, getting a cloud IP address that has the counter measures necessary to alleviate the DDoS.

In general, 0ad has GOOD network code and a majority of players have GOOD connections.  The issue is some dumbass from the community ruining it for others pretending he has a NASA host.  In the end you realize it's a child with a lot of growing to do who is afraid to reveal who they are.

Finally, whoever does this has interesting control over the attack.  I've noticed two ways attacks are done:

  • Large packets being sent to you.
  • Tons of small packets being sent.

I haven't set up Wireshark, but there are players who have (who actually do telecom professionally) and they agree that it is a DDoS.

@BoredRusher Also, not saying it's berhudar (could be someone else if Wolo has a static/same IP) but it's worth cross-checking his IP addresses with those of other players and also checking if he plays behind a proxy.  An admin maybe could do that.

Edited by Dizaka
5 hours ago, Angen said:

Some routers offer DDoS protection, it is just not enabled by default.

Also, using a VPN could help.

I doubt home routers will have that capability. I would assume whoever does this would know how to actually knock out a router. DoS detection is a complex problem. Usually, DoS attacks starve out the end host, not the hardware in between. Home routers with limited memory aren't hard to starve, unfortunately.

Find where it comes from, find what it sends, and null-route all traffic that matches both criteria. You aren't running a server, so you can safely block out entire regions.

On 28/11/2020 at 12:48 AM, Dizaka said:


Hi,

Your categorization of the types of attacks is very interesting to study because it is representative, at least in appearance, of what we can find or feel in the game.

Nice job!

7 hours ago, BoredRusher said:


Had a lot of experience with this around late August and early September.  The only time I get DDoS/latency/connection issues is after/during launching 0ad.  It has happened when chatting aggressively with other players.  Either the DDoS person was reading/policing chat or was on the receiving end of the aggression and didn't like it.

(Edit: The aggression was a response to being DDoSed multiple times previously and trying to figure out whether it is a player element or a 0ad element.  It's definitely a player/griefer and not the game.)

Edited by Dizaka

Attacks on 0ad (suspected DoS/DDoS)
By @BoredRusher, November 26, 2020 in Bug reports
On 05/12/2020 at 3:51 PM, aixo said:

This is how tcpdump stdout, with a filter for incoming UDP packets, iptables dropping any UDP packets over 10 packets per second per source, and being behind my ISP's NAT (so targeting only one port), looks like under the attack :)

Wtf, so they're flooding via NTP? Maybe blocking via the NTPv2 pattern does it. Awesome, @aixo!

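As an added example (not code from anyone in this thread), here is the detection half of aixo's approach in Python: it parses `tcpdump -n udp` style lines, flags any source that exceeds 10 packets per second towards the host, records whether the traffic carries the NTP signature, and emits a per-source UDP drop rule for the host firewall. The addresses, timestamps and the destination port 20595 (0 A.D.'s default game port) are constructed sample values, not a real capture.

```python
import re
from collections import defaultdict

# Matches one line of `tcpdump -n udp` output, e.g.
# 12:00:01.000100 IP 203.0.113.5.123 > 192.0.2.10.20595: NTPv2, Reserved, length 440
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*) length (\d+)$"
)

def make_sample():
    """Constructed tcpdump lines (not a real capture): a burst of 25 NTP-looking
    packets in one second, a burst of 12 large plain-UDP packets in the next
    second, and three normal game packets from a legitimate peer."""
    lines = [f"12:00:01.{i:06d} IP 203.0.113.5.123 > 192.0.2.10.20595: NTPv2, Reserved, length 440"
             for i in range(25)]
    lines += [f"12:00:02.{i:06d} IP 203.0.113.9.4444 > 192.0.2.10.20595: UDP, length 1400"
              for i in range(12)]
    lines += [f"12:00:0{s}.500000 IP 198.51.100.7.20595 > 192.0.2.10.20595: UDP, length 60"
              for s in (1, 2, 3)]
    return lines

def detect_floods(lines, threshold=10):
    """Flag every source that sent more than `threshold` packets within one second
    (the 10 pps per source cut-off aixo used in iptables).
    Returns {src: {"peak_pps": n, "ntp": bool, "bytes": total_length}}."""
    per_src_sec = defaultdict(int)
    per_src = defaultdict(lambda: {"ntp": False, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a parsed UDP packet line
        sec, src, sport, _dst, _dport, proto, length = m.groups()
        per_src_sec[(src, sec)] += 1
        per_src[src]["bytes"] += int(length)
        # source port 123 or an NTP decode is the reflection/amplification signature
        if sport == "123" or proto.startswith("NTP"):
            per_src[src]["ntp"] = True
    flagged = {}
    for (src, _sec), n in per_src_sec.items():
        if n > threshold:
            entry = flagged.setdefault(src, {"peak_pps": 0, **per_src[src]})
            entry["peak_pps"] = max(entry["peak_pps"], n)
    return flagged

def drop_rules(flagged):
    """Turn flagged sources into host-firewall drop rules keyed on source and
    protocol (the "both criteria" null-route approach suggested in the thread)."""
    return [f"iptables -I INPUT -s {src} -p udp -j DROP" for src in sorted(flagged)]
```

Run `detect_floods(make_sample())` to see the two flooding sources reported with their peak packet rate, while the legitimate peer at one packet per second is left alone.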
