Grapjas (posted December 10, 2020): Being DDoS'd into oblivion as we speak. Was playing in @nani's game. The usual thing: can't do anything for a few minutes outside of 0ad either. Cannot even connect to the lobby for a good while even though the internet works again. Network showing spikes too. (Attachments: commands.txt, metadata.json)
nani (posted December 10, 2020): 29 minutes ago, Grapjas said: "Being DDoS'd into oblivion as we speak. Was playing in @nani's game. The usual thing: can't do anything for a few minutes outside of 0ad either. Cannot even connect to the lobby for a good while even though the internet works again. Network showing spikes too." Can confirm he couldn't rejoin. I was using mobile data and STUN, which makes DDoSing the host (me) harder/less effective, so he probably went for @Grapjas. I recommend people use mobile tethering with data enabled when playing a 0ad game, as it seems to deter the attacker.
mralex (posted December 10, 2020): In addition to the answers to 4.2 ("What sources, methods or tools can we use to collect all the information about the previous and future attacks?"): I don't know if Wireshark could be used in this case. I used it several years ago, but maybe we could see all the details of the malicious traffic. I will experiment with it, but please let me know if it is a dead end, or if you have tips on how to use it effectively in this case.

Are replays useful, @user1? Can we help you analyze more? Can we help you collect more? Should the developers implement automatic gathering of relevant data? Should the users be asked more prominently to provide attack reports? At the top of the Multiplayer Lobby's right column? In chat messages? Something like this: "IF YOU GET DISCONNECTED, PLEASE READ THIS [LINK](link-to-replay-uploading)"? Should we attach additional information to the replays? Do replays contain network data, error messages and all the relevant info? Can we be sure that the attacker is unable to create misleading replays? Can the attacker pretend to be someone else on the forum?
king reza the great (posted December 11, 2020): You can use this way: 1) Make a group in Discord (or another messenger) and use it as the lobby. Players need to be online there if they want to play. 2) Let's suppose there are 8 online players in the group and they want to play. Then the host first must change his IP with a VPN (there are many free VPNs like Hotspot or Psiphon); after that the host should host outside of the lobby. Other players can join him by IP.
Silier (posted December 11, 2020): Replays contain only commands for the game. Any network traffic is logged in the mainlog file.
mralex (posted December 11, 2020): Thank you for the advice @king reza the great. Does the Discord+VPN method help, even if the attacker already knows my real IP? I guess he knows the IP of all of us.
mralex (posted December 11, 2020): Thanks @Angen, but %USERPROFILE%\AppData\Local\0ad\logs\mainlog.html doesn't contain any info about the network traffic in my case. Just lines starting with "Loading config" and similar stuff. I don't know why.
Silier (posted December 11, 2020): There will only be logs from 0ad net traffic itself, what is relevant for it, like messages and such; nothing outside of the 0ad application, and certainly not everything from 0ad. Sorry if I was misleading, but if anything, it would be there and not in replays.
mralex (posted December 11, 2020): You were helpful. Now that we know there's no unusual log entry of 0ad network traffic in the mainlog, we can focus on other information sources instead. Currently, I'm learning Wireshark.
Silier (posted December 11, 2020): But keep in mind logs override themselves with every application start.
mralex (posted December 11, 2020): Oh, good to know, thanks! I'll keep my eyes on the mainlog then, and let you know if there's something relevant.
king reza the great (posted December 11, 2020): 6 hours ago, mralex said: "Thank you for the advice @king reza the great. Does the Discord+VPN method help, even if the attacker already knows my real IP? I guess he knows the IP of all of us." When you use a VPN it changes your IP! That's why I asked to change IP by VPN before hosting.
mralex (posted December 11, 2020, edited): Imagine you have a phone number. You call someone, who notes your number. Then he becomes annoying, calling you 42 times an hour. You regret using your phone number, so next time you want to talk with him, you call me instead and ask me to dial the annoying guy on my other phone so that you can talk with him without calling him directly. This time he'll see my phone number instead of yours. But here's the problem: he can call you anytime on your own phone number, because he noted it during your first call. So hiding is pointless. But I'm not an expert, so I might be wrong.

EDIT: I will read this link too, to understand VPNs better: https://www.quora.com/When-I-connect-to-a-virtual-private-network-will-my-IP-address-change (Edited December 11, 2020 by mralex: added link)
Dizaka (posted December 11, 2020): 36 minutes ago, king reza the great said: "When you use a VPN it changes your IP! That's why I asked to change IP by VPN before hosting." Problem is the VPN uses the original IP. If the DDoSer has the original IP and you did not change the original IP, then DDoSing the original IP will knock out your VPN connection. Though I believe you know that, I'm just putting it out there. VPN doesn't solve everything. VPN is good for being a client. But as a client your IP isn't compromised unless you host.
smiley (posted December 11, 2020): On 10/12/2020 at 11:03 PM, mralex said: "What method would a central server use to withstand the attacks? Why can't the same approach be applied to player hosts and clients?" Basic enterprise-grade hardware can withstand a DoS. A DDoS, on the other hand, while expensive to launch, is also expensive to mitigate, which is why you rent virtual servers on the cloud. The previous thread regarding this topic has somehow been locked down now; I am not sure if it's global or just for me, but I can't reply to that at my own discretion now. I would want to be once again the bearer of bad news, but I no longer care and it's getting old at this point.
smiley (posted December 11, 2020): 1 minute ago, Dizaka said: "Though I believe you know that, I'm just putting it out there. VPN doesn't solve everything. VPN is good for being a client. But as a client your IP isn't compromised unless you host." Seems like you don't need to host to incur the wrath of the DoS gods. On 11/12/2020 at 1:02 AM, Grapjas said: "Being DDoS'd into oblivion as we speak. Was playing in @nani's game."
Dizaka (posted December 11, 2020, edited): @smiley Just get a new IP address assigned from your ISP. You're good until you host a game. When you host a game you expose your IP to the lobby. That's how the DDoSer primarily targets games. If you don't change IP addresses after hosting, that is how you get targeted as a client. Also, by changing IP addresses you narrow down who can be DDoSing you, because you know who was the previous host.

The general rules are: 1) The lobby knows host IP addresses. 2) The host knows client IP addresses, but not the lobby. Clients are always safe until they host (or somehow end up in the DDoSer's game and get compromised this way). If clients host, they expose their IP to all in the lobby. (Edited December 11, 2020 by Dizaka)
smiley (posted December 11, 2020): 18 minutes ago, Dizaka said: "If you don't change IP addresses after hosting, that is how you get targeted as a client." Who does that?
Dizaka (posted December 11, 2020): 1 hour ago, smiley said: "Who does that?" The DDoSer targets, of course.
smiley (posted December 12, 2020): 12 hours ago, Dizaka said: "The DDoSer targets, of course." I get the theory behind it, of course. Merely remarking on the absurdity of the solution.
GunChleoc (posted December 12, 2020): Well, you can't expect the 0AD team to call up your internet provider and do this for you... that would be even more absurd. Of course, players shouldn't have to do that either, but it is what it is.
pulli23 (posted December 17, 2020): On 10/12/2020 at 7:03 PM, mralex said: "What method would a central server use to withstand the attacks? Why can't the same approach be applied to player hosts and clients?"

You would use a CDN (such as Cloudflare) to make the site available from several points on the internet, thus using the underlying T1 internet infrastructure to mitigate this problem. This would mean that only nation-wide DDoS attacks would be successful, as anything less just means an increase in ping (of the lobby). A CDN also often includes processes to notice attacks and then mitigate them by temporarily banning IPs higher upstream. As a private person, getting a CDN is non-trivial: it's both not cheap and hard to get. A CDN often needs a verification of ownership of the IP address, so you would need to find someone who trusts you enough even though the owner is an ISP and the ISP might change it at will.

What would happen is that you have a central server everyone knows, but that is protected and whose identity is guaranteed by something like Cloudflare. All communication in the lobby happens through the main server, so no one can see each other. Writing such a lobby shouldn't be too much of a task: a simple built-in browser and some JavaScript. I have made similar applications and that would take me like 2-3 months full-time. Then upon agreeing to a game, your lobby process would either disconnect (or not, not really relevant). The people who agree to start a game are given the host's IP address, while the host is given (because the players connect to him) the players' addresses. And they have a "private" game that is hidden from the lobby. This part, I have no idea how long it would take to implement; I've not looked into the 0ad code, nor am I versed enough with C++ to say anything. (Been 10+ years since I touched C++.)

That way, for an attacker to actually do a DDoS on a game, he'd have to join the game (either as spectator or player). This makes it much harder to automate, as well as giving a layer where we can "find" the DDoS. If you would still get DDoSed, one of the players must be the attacker, or be infected by a worm from the attacker or something. This could then be reported back to the lobby host, who can analyze the data and find the actual attackers. Similarly, other defense mechanisms could be added, like adding the newest reCAPTCHA to the lobby site to enable the power of Google to find automated bots. Making a dedicated lobby is the *only* step towards a solution that can be taken. (Further steps are playing the whole game on the server and not having p2p gaming at all, like modern games do.)
woodpecker (posted December 19, 2020, edited): Ideally set up a Linux machine between your router and WAN to log all connections with Wireshark or something with the same functionality. I can't do it as I share WAN with my neighbours. The log will reveal IPs, connection type and a whole lot of other good info. Wireshark is pretty easy to set up and use. But you must intercept all traffic to your network outside any firewall. The router in my house stops the incoming connections, but they still choke the line when it happens. The router does not have tools to gain the info you get with Wireshark. Use no firewall on the Wireshark/logging computer, as you want to log it all. Linux is good, stable and pretty secure. But don't use a machine with any personal info or things you care about. Kali Linux is probably the best OS for the task. Best regards, Woody (Edited December 19, 2020 by woodpecker)
smiley (posted December 19, 2020): 2 hours ago, woodpecker said: "Ideally set up a Linux machine between your router and WAN to log all connections with Wireshark or something with the same functionality. I can't do it as I share WAN with my neighbours. The log will reveal IPs, connection type and a whole lot of other good info." So does your router. A compromised machine forging L3 packets would do more harm than a DoS ever could. Your router would be blindly routing all of them.
pulli23 (posted December 19, 2020): Logging gives very little information that is useful: the IP ranges won't be from the attacker; instead, for DDoS at least, it's just a list of infected people. The attacker never really connects to you; they'll be sitting high and dry and let infected hosts attack you.
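As an added example (not code from the thread or from the 0 A.D. project) of what woodpecker's capture and pulli23's point about flood sources look like in practice: the script below takes per-packet records of the kind Wireshark or tshark can export (here a constructed sample), flags one-second windows where traffic to the game port spikes, and counts how many distinct sources took part, which separates a single-source flood from a distributed one sent by many compromised hosts. The game port, the thresholds and all addresses are assumptions made for this example.

```python
# Added example (not from the thread or 0 A.D.): flag a volumetric flood against a
# hosted game from per-packet records and report how many distinct sources took part.
from collections import defaultdict

GAME_PORT = 20595      # UDP port the hosted game listens on (assumed for this example)
PPS_THRESHOLD = 200    # packets/second to the game port that count as a flood (assumed)
DISTRIBUTED_MIN = 20   # distinct flood sources needed to call it distributed (assumed)


def make_sample():
    """Constructed records (epoch second, source IP, dst port, bytes): two seconds of
    normal play with two peers, then two seconds of a flood from 254 sources."""
    normal = [(s, ip, GAME_PORT, 120) for s in (0, 1)
              for ip in ("198.51.100.7",) * 30 + ("203.0.113.9",) * 25]
    flood = [(s, f"192.0.2.{i}", GAME_PORT, 1400) for s in (2, 3)
             for i in range(1, 255) for _ in range(3)]
    return normal + flood


def flood_windows(records, port=GAME_PORT, threshold=PPS_THRESHOLD):
    """Map each one-second window to (packets, distinct sources, bytes) for traffic to
    `port`, keeping only windows whose packet count exceeds `threshold`."""
    per_sec = defaultdict(lambda: [0, set(), 0])
    for sec, src, dport, size in records:
        if dport != port:
            continue
        bucket = per_sec[sec]
        bucket[0] += 1
        bucket[1].add(src)
        bucket[2] += size
    return {s: (n, len(srcs), nbytes)
            for s, (n, srcs, nbytes) in per_sec.items() if n > threshold}


def classify(records, port=GAME_PORT, threshold=PPS_THRESHOLD,
             distributed_min=DISTRIBUTED_MIN):
    """Return (verdict, distinct flood sources); verdict is 'normal', 'dos' or 'ddos'.
    The source set is the hosts that sent the flood (spoofed or infected machines),
    not necessarily the person behind the attack."""
    windows = flood_windows(records, port, threshold)
    if not windows:
        return "normal", 0
    sources = {src for sec, src, dport, _ in records if sec in windows and dport == port}
    return ("ddos" if len(sources) >= distributed_min else "dos"), len(sources)


if __name__ == "__main__":
    recs = make_sample()
    for sec, (n, nsrc, nbytes) in sorted(flood_windows(recs).items()):
        print(f"t={sec}s: {n} packets from {nsrc} sources, {nbytes} bytes")
    print(classify(recs))  # ('ddos', 254)
```

On a real capture you would fill the record list from a tshark or pcap export instead of make_sample(); the source list it produces is evidence of which hosts flooded you, not proof of who operated them.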