
Are you aware of the scale of DoS attacks?



Even though we would like to do something, we really cannot do much. Since your IP in the lobby is made public, everyone can figure that out. Yes, it has been made harder to figure out in svn, but in theory one always can figure it out. When someone is DDoS'ing your network, that is 100% out of our control.

I can only give some advice:

- Try setting another port when hosting your game (a stupid DDoS dude would only try the default, so it might help a bit)

- Use direct hosting/joining (you will need to share your IP via some other platform)

- Contact your ISP, maybe they can blacklist some IPs


2 hours ago, bb_ said:

- Try setting another port when hosting your game (a stupid DDoS dude would only try the default, so it might help a bit)

To an extent this won't work if your ISP provides a public IP. DDoS is performed on all/random ports. The goal is to choke the pipe to prevent any bandwidth from getting out. It's a sufficient choke of the bandwidth to bring down a 200 Mbit connection. @aixo

Edited by Dizaka

From your graphs, it looks like the router is being overloaded with packets, not necessarily bandwidth. A million tiny packets on a home router would still starve it.

7 hours ago, badosu said:

Is there a way to make some functionality to deregister from lobby after game starts? That could help.

All this needs is an interface to do it. Alternatively, proxy the requests done through the lobby. That way, the DDoSer would need to connect to the host before he can get a public IP. Basically, don't advertise public IPs, just relay them to the actual host when they want to connect.


4 hours ago, badosu said:

I'd be up to making a mod to help with this, but I'm not sure I understand your tips.

There are two functions exposed to JS in the lobby. You can use these functions. See https://github.com/0ad/0ad/blob/d15248f72db6116fec09fe11b50f55a39aba5917/source/lobby/scripting/JSInterface_Lobby.h#L44

void SendRegisterGame(ScriptInterface::CmptPrivate* pCmptPrivate, JS::HandleValue data);
void SendUnregisterGame(ScriptInterface::CmptPrivate* pCmptPrivate);


> Is there a way to make some functionality to deregister from lobby after game starts? That could help.

This is possible; in fact, it is even possible to hack some naive way into the A23 lobby. Note to someone coding it: make sure dropped players can return. Late observers are maybe less important. @badosu to do this one needs to adapt the lobby bots: only send the games which satisfy certain conditions to the clients. To actually implement it in the lobby, we should update the lobby bots we run. I am not able to do this but I guess user1 can (and otherwise I can ping other ppl). I think the easiest way to propose the change is making a phab revision with the changes (a mod won't work for this issue, since we need to change the server side).

Also a proactive DDoS'er can still store the IPs of games being hosted and kill them when they disappear (obviously it will make it harder for the DDoS'er).


Are you aware of the scale of DoS attacks?
By @badosu, December 6, 2020 in Game Development & Technical Discussion


We get attacked constantly, this is crazy! It doesn't make sense to start a game, because it will be over in a few minutes because of a (D)DoS attack. All the players get disconnected. The host crashes. It's over. All the time. We can't use the multiplayer mode because of this vulnerability. It's not fun anymore... We have to focus on this issue and solve it together. The whole 0 A.D. community should know how serious this issue is. I hate (D)DoS attacks, I hate getting disconnected from games. Some hosts claim they are protected, then their game crashes too. Multiplayer 0 A.D. is dying. Developers, please help us! How can we help you? Players, please think together! How to prevent these attacks, or how to get immune to them? This is more than frustrating!


Rigorously speaking, one could fix this *only for the hosts dropping* by changing the codebase to allow for dedicated hosts: that includes bot commands to set map, civs, teams, etc., gamesetup and headless mode. *Then* servers would have to be purchased and set up for that.

This still would not prevent players being attacked; perhaps it would increase the surface area for the attacker enough to get it mitigated though. To prevent players from being attacked, the whole lobby infrastructure would have to be rewritten to be centralized so only the dedicated server knows player IPs.

This would be huge, at least months if not years indeed.

A tentative mitigation strategy with mods to make the attack as difficult as possible, or an investigation of the perpetrator's modus operandi with a tutorial on how to prevent being attacked, currently seems the only feasible approach in the short term.


1. That's a good question. It seems the attacker sends packets that look like NTPv2 packets, so pattern matching on that could help, but they can change approach. No extensive (public) investigation of the attack has been performed yet AFAIK tho.

2. It can; as I said, in the short term a tutorial on how to defend yourself is one attempt. Unfeasible though for non-tech-savvy players.

Edited by badosu
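One way to turn the two observations made in this thread (the router chokes on packet count rather than bandwidth, and the flood packets look like NTPv2) into a host-side check. This is an added example, not code from the thread or from 0 A.D.; it decodes the NTP version field from the first header byte and reports per-source packet and bit rates over constructed sample records (the addresses, payloads and counts are made up, 20595 is 0 A.D.'s default game port).

```python
from collections import defaultdict

NTP_PORT = 123  # well-known NTP port; reflected replies arrive from it

def ntp_fields(payload: bytes):
    """Decode leap indicator (LI), version (VN) and mode from the first NTP header byte."""
    if not payload:
        return None
    b = payload[0]
    return {"li": b >> 6, "vn": (b >> 3) & 0x7, "mode": b & 0x7}

def looks_like_ntpv2(src_port: int, payload: bytes) -> bool:
    """Heuristic taken from the thread: a UDP datagram from port 123 whose header
    claims NTP version 2. A game host never queries NTP on its game port, so such
    datagrams arriving there are unsolicited."""
    f = ntp_fields(payload)
    return src_port == NTP_PORT and f is not None and f["vn"] == 2

def summarize(records, window_s: float):
    """Per-source packets/s, Mbit/s and NTPv2 matches over one capture window.
    records: (src_ip, src_port, udp_payload) tuples; window_s: capture length in seconds."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "ntpv2": 0})
    for src_ip, src_port, payload in records:
        s = stats[src_ip]
        s["pkts"] += 1
        s["bytes"] += len(payload) + 42  # Ethernet (14) + IPv4 (20) + UDP (8) overhead
        s["ntpv2"] += looks_like_ntpv2(src_port, payload)
    return {ip: {"pps": s["pkts"] / window_s,
                 "mbps": s["bytes"] * 8 / window_s / 1e6,
                 "ntpv2": s["ntpv2"]} for ip, s in stats.items()}

# Constructed sample, 1 s window: one genuine game peer on the default port 20595
# plus two hypothetical reflectors. 0x14 decodes to LI 0, VN 2, mode 4 (server
# reply); the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = [("203.0.113.5", 20595, b"\x00" * 60)] * 40
SAMPLE += [("198.51.100.9", NTP_PORT, b"\x14" + b"\x00" * 75)] * 30000
SAMPLE += [("198.51.100.10", NTP_PORT, b"\x14" + b"\x00" * 75)] * 30000

if __name__ == "__main__":
    # 30k pps per reflector at ~28 Mbit/s each: far below a 200 Mbit link, but a
    # packet rate a home router's forwarding path cannot keep up with.
    for ip, s in summarize(SAMPLE, 1.0).items():
        print(f"{ip:15} {s['pps']:8.0f} pps {s['mbps']:6.2f} Mbit/s  ntpv2={s['ntpv2']}")
```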

On 06/12/2020 at 7:57 PM, go2die said:

just make another lobby for players who paid for that... monthly fee $10 won't hurt much

If it isn't much for you, why do you think it's not the same for the one doing those attacks?

A proxy service backed by a DDoS mitigation service like Azure or Cloudflare would solve the issue. It would also reduce the need for people to fiddle with their own firewalls. As 0ad is free and open source, it shouldn't be all that difficult to get a sponsorship deal if a couple hundred dollars yearly are hard to bear.


We should know everything about the attacks.

  1. What symptoms make us think that we are under attack?
  2. Which symptoms are unrelated to the attacks?
  3. Which symptoms are the real signs of the attacks?
  4. How can we analyze the attacks?
    1. How can we educate ourselves on hacking, what topics should we focus on?
    2. What sources, methods or tools can we use to collect all the information about the previous and future attacks?
  5. How can we categorize the attacks, based on targets, sources, timing, intensity, effects, methods etc.?
    1. Who are the targets?
    2. Where are the attacks coming from?
    3. When are we attacked?
    4. How long do attacks last?
    5. What do we know about the intensity (in Mb/s, number of packets, etc.)?
    6. Do all the attacks have the exact same effect?
    7. Do all the attacks use the exact same method?
  6. How could we copy the attacks, to test our systems?
  7. How can we predict, detect, analyze all the attack faster and more precisely?

In my opinion, we have to know every little detail about the attacks, in order to come up with the best solution.
Can these questions be improved? What else should we clarify? Do you have an answer? Please comment.


1. Multiple hosts and players with hardware or software monitoring were able to see extremely high loads unrelated to the game itself; it happens only when playing 0ad. Most notably, one can see it in the aforementioned Dizaka thread.
2. Regular connection issues
3. Extremely high load when playing 0ad, sometimes shutting off all of the user's networking.
4. Good question, I'd like to see that. The best way is to have hardware monitoring capabilities, though some seem to have been able to track via tcpdump
5. Same as above, still not fully described, but Dizaka's insights are relevant here.
6. ..
7. ..

26 minutes ago, badosu said:

Highly likely the attacks are manual, with the person idling in chat on one of the accounts. I believe game time vs idle time in the multiplayer lobby should be monitored. Players who have extensive idle time in relation to games should be kicked and/or banned from the lobby. I mean like 12-24 hrs online without starting and/or playing a game. Maybe this could be "nullified" if players are vetted somehow, such as through the application to be a dev/contributor.

Around/after 10:00 pm U.S. Eastern Time a lot of this subsides and you can play games. This sort of supports the theory that the attacks are manual. Additionally, the attacks are dynamic. When the attacks are not working, different types of attacks are utilized. There are the standard ICMP/UDP packet attacks and they have sometimes been switched to NTP attacks.

Edited by Dizaka
