Are you aware of the scale of DoS attacks?

26 minutes ago, badosu said:


 

Highly likely the attacks are manual, with the person idling in chat on one of the accounts. I believe game time vs idle time in the multiplayer lobby should be monitored. Players who have extensive idle time in relation to games should be kicked and/or banned from the lobby. I mean like 12-24 hrs online without starting and/or playing a game. Maybe this could be "nullified" if players are vetted somehow, such as through the application to be a dev/contributor.

Around/after 10:00 pm U.S. Eastern Time a lot of this subsides and you can play games. This sort of supports the theory that the attacks are manual. Additionally, the attacks are dynamic. When the attacks are not working, different types of attacks are utilized. There are the standard ICMP/UDP packet attacks, and they have sometimes been switched to NTP attacks.

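As an added illustration of the idle-time heuristic proposed in the post above (example code written for this page, not lobby code from the 0 A.D. project): it replays a constructed lobby event log, totals online time versus in-game time per account, and flags accounts that were online for more than 12 hours while playing almost nothing. The event format, the 12-hour and 5 % thresholds, and the nicknames are assumptions.

```python
"""Flag lobby accounts that sit online for long stretches without playing.

Added example for the idle-vs-game-time heuristic; not 0 A.D. code. The
event format ("<ISO timestamp> <nick> <event>"), thresholds and nicknames
are assumptions made for the illustration.
"""
from datetime import datetime, timedelta

# Constructed sample of lobby events (not real data). "lurker" logs in and
# idles for more than a day without ever starting a game.
SAMPLE_EVENTS = """\
2020-12-10T08:00:00 alice join
2020-12-10T08:05:00 alice game_start
2020-12-10T09:10:00 alice game_end
2020-12-10T09:15:00 alice leave
2020-12-10T06:00:00 lurker join
2020-12-11T08:30:00 lurker leave
2020-12-10T18:00:00 bob join
2020-12-10T18:01:00 bob game_start
2020-12-10T19:00:00 bob game_end
2020-12-10T19:30:00 bob game_start
2020-12-10T20:30:00 bob game_end
2020-12-10T21:00:00 bob leave
"""


def parse_events(text):
    """Parse event lines into (timestamp, nick, kind), oldest first."""
    events = []
    for line in text.splitlines():
        ts, nick, kind = line.split()
        events.append((datetime.fromisoformat(ts), nick, kind))
    events.sort()  # per-nick state below relies on chronological order
    return events


def session_stats(events, now=None):
    """Return {nick: (online_seconds, in_game_seconds, games_started)}.

    If `now` is given, accounts still logged in are credited up to `now`,
    so a long-running idler is caught before it ever logs out.
    """
    online_since, game_since, stats = {}, {}, {}
    for ts, nick, kind in events:
        on, game, n = stats.get(nick, (0.0, 0.0, 0))
        if kind == "join":
            online_since[nick] = ts
        elif kind == "leave" and nick in online_since:
            on += (ts - online_since.pop(nick)).total_seconds()
        elif kind == "game_start":
            game_since[nick] = ts
            n += 1
        elif kind == "game_end" and nick in game_since:
            game += (ts - game_since.pop(nick)).total_seconds()
        stats[nick] = (on, game, n)
    if now is not None:
        for nick, since in online_since.items():
            on, game, n = stats[nick]
            stats[nick] = (on + (now - since).total_seconds(), game, n)
    return stats


def suspicious_idlers(stats, min_online=timedelta(hours=12), max_game_ratio=0.05):
    """Nicks online at least `min_online` with (almost) no time in games."""
    flagged = []
    for nick, (on, game, n) in stats.items():
        if on >= min_online.total_seconds() and (n == 0 or game / on < max_game_ratio):
            flagged.append(nick)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_idlers(session_stats(parse_events(SAMPLE_EVENTS))))
```

A vetted-contributor allowlist, as the post suggests, would simply be a set of nicks skipped before calling `suspicious_idlers`; the ratio threshold exists so that someone who hosts one short game during a day of idling is still caught.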

29 minutes ago, Grapjas said:

Being Ddos'd into oblivion as we speak. Was playing in @nani 's game. The usual thing, can't do anything for a few mins outside of 0ad too. Cannot even connect to the lobby for a good while even though internet works again. Network showing spikes too.

Attachments: commands.txt (594 kB), metadata.json (136 kB)

Can confirm he couldn't rejoin. I was using mobile data and STUN, which makes DDoSing the host (me) harder/less effective, so he probably went for @Grapjas. I recommend people use mobile tethering with data enabled when playing a 0ad game, as it seems to deter the attacker.


In addition to the answers of 4.2. ("What sources, methods or tools can we use to collect all the information about the previous and future attacks?"):

  • I don't know if Wireshark could be used in this case. I used it several years ago, but maybe we could see all the details of the malicious traffic. I will experiment with it, but please let me know if it is a dead end, or if you have tips on how to use it effectively in this case.
  • Are replays useful, @user1?
    • Can we help you analyze more?
    • Can we help you collect more?
      • Should the developers implement automatic gathering of relevant data?
      • Should the users be asked more prominently to provide attack reports?
        • In the Multiplayer Lobby's right column's top?
        • In chat messages?
        • Something like this? "IF YOU GET DISCONNECTED, PLEASE READ THIS [LINK](link-to-replay-uploading)"
    • Should we attach additional information to the replays?
    • Do replays contain network data, error messages and all the relevant info?
    • Can we be sure that the attacker is unable to create misleading replays?
    • Can the attacker pretend to be someone else on the forum?

You can use this approach:

1) Make a group in Discord (or another messenger) and use it as the lobby. Players need to be online there if they want to play.
2) Let's suppose there are 8 online players in the group and they want to play. Then the host must first change his IP with a VPN (there are many free VPNs like Hotspot or Psiphon); after that the host should host outside the lobby. Other players can join him by IP.


There will only be logs of 0ad's own network traffic, the parts relevant to it, like messages and such; nothing outside the 0ad application and certainly not everything from 0ad. Sorry if I was misleading, but if anything it would be there and not in the replays.


Imagine you have a phone number. You call someone, who notes your number. Then he becomes annoying, calling you 42 times an hour. You regret using your phone number, so next time you want to talk with him, you call me instead and ask me to dial the annoying guy on my other phone so that you can talk with him without calling him directly. This time he'll see my phone number instead of yours. But here's the problem: he can call you anytime on your own phone number, because he noted it during your first call. So hiding is pointless. But I'm not an expert, so I might be wrong.

EDIT
I will read this link too, to understand VPNs better:
https://www.quora.com/When-I-connect-to-a-virtual-private-network-will-my-IP-address-change

36 minutes ago, king reza the great said:

When you use a VPN it changes your IP! That's why I asked to change IP via VPN before hosting.

The problem is the VPN uses the original IP. If the DDoSer has the original IP and you did not change the original IP, then DDoSing the original IP will knock out your VPN connection.

Though I believe you know that, just putting it out there. A VPN doesn't solve everything. A VPN is good for being a client. But as a client your IP isn't compromised unless you host.

On 10/12/2020 at 11:03 PM, mralex said:

What method would a central server use to withstand the attacks?
Why can't the same approach be applied to player hosts and clients?

Basic enterprise-grade hardware can withstand a DoS. A DDoS, on the other hand, while expensive to launch, is also expensive to mitigate, which is why you rent virtual servers in the cloud.

The previous thread regarding this topic has somehow been locked now; I am not sure if it's global or just for me, but I can't reply to it at my own discretion now.

I would want to once again be the bearer of bad news, but I no longer care, and it's getting old at this point.

1 minute ago, Dizaka said:

Though I believe you know that, just putting it out there. A VPN doesn't solve everything. A VPN is good for being a client. But as a client your IP isn't compromised unless you host.

Seems like you don't need to host to incur the wrath of the DoS gods.

On 11/12/2020 at 1:02 AM, Grapjas said:

Being Ddos'd into oblivion as we speak. Was playing in @nani 's game.

 


@smiley Just get a new IP address assigned from your ISP. You're good until you host a game. When you host a game you expose your IP to the lobby. That's how the DDoSer primarily targets games. If you don't change IP addresses after hosting, that is how you get targeted as a client.

Also, by changing IP addresses you narrow down who could be DDoSing you, because you know who the previous host was.

The general rules are:

1)  Lobby knows host IP addresses.

2)  Host knows client IP addresses, but not the lobby.

Clients are always safe until they host (or somehow end up in the DDoSer's game and get compromised that way). If clients host, they expose their IP to everyone in the lobby.

On 10/12/2020 at 7:03 PM, mralex said:

What method would a central server use to withstand the attacks?
Why can't the same approach be applied to player hosts and clients?

You would use a CDN (such as Cloudflare) to make the site available from several points on the internet, thus using the underlying T1 internet infrastructure to mitigate this problem. This would mean that only nation-wide DDoS attacks would be successful, as anything less just means an increase in ping (of the lobby). A CDN also often includes processes to notice attacks and then mitigate them by temporarily banning IPs higher upstream.

As a private person, getting a CDN is... non-trivial; it's both not cheap and hard to get. A CDN often needs verification of ownership of the IP address, so you would need to find someone who trusts you enough even though the owner is an ISP and the ISP might change it at will.

What would happen is that you have a central server everyone knows, but that is protected and whose identity is guaranteed by something like Cloudflare. All communication in the lobby happens through the main server, so no one can see each other. Writing such a lobby shouldn't be too much of a task: a simple built-in browser and some JavaScript. I have made similar applications, and that would take me like 2-3 months full-time.

Then, upon agreeing to a game, your lobby process would either disconnect (or not; not really relevant). The people who agree to start a game are given the host's IP address, while the host is given (because the players connect to him) the players' addresses. And they have a "private" game that is hidden from the lobby. This part, I have no idea how long it would take to implement; I've not looked into the 0ad code, nor am I versed enough with C++ to say anything. (It's been 10+ years since I touched C++.)

That way, for an attacker to actually DDoS a game, he'd have to join the game (either as spectator or player). This makes it much harder to automate, as well as giving a layer where we can "find" the DDoS. If you would still get DDoSed, one of the players must be the attacker, or be infected by a worm from the attacker or something. This could then be reported back to the lobby host, who can analyze the data and find the actual attackers.

Similarly, other defense mechanisms could be added, like adding the newest reCAPTCHA to the lobby site to enable the power of Google to find automated bots.

Making a dedicated lobby is the *only* step towards a solution that can be taken. (Further steps are playing the whole game on the server and not having P2P gaming at all, like modern games do.)

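The design above hands out addresses only when a game starts, so if the host is attacked afterwards, the attacker must be among the people who received the address (the same bounding argument made earlier in the thread: after rotating your IP, only the people you have hosted for since then can know it). The added example below, written for this page rather than taken from the 0 A.D. code base, sketches a lobby that keeps a disclosure ledger for exactly this purpose: `start()` is the only place an address leaves the lobby, and `suspects()` answers "who has learned this player's address since time X". Class names, event shapes, nicknames and the TEST-NET addresses are assumptions.

```python
"""Who learned my IP? A disclosure ledger for a central game lobby.

Added example, not 0 A.D. code. Chat and game listings go through the lobby;
addresses are exchanged only at game start, and every hand-over is logged so
that an attack on a player can be traced back to the people who could know
the address. Nicknames and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Disclosure:
    game_id: str
    owner: str        # whose address was disclosed
    recipient: str    # who received it
    at: datetime


class Lobby:
    def __init__(self):
        self.addresses = {}   # nick -> IP, known only to the lobby
        self.games = {}       # game_id -> {"host": nick, "players": set(nick)}
        self.ledger = []      # every address handed out, and to whom

    def login(self, nick, ip):
        self.addresses[nick] = ip

    def host(self, nick, game_id):
        # Hosting only announces the game; the host's IP stays with the lobby.
        self.games[game_id] = {"host": nick, "players": set()}

    def join(self, nick, game_id):
        # A join is a lobby-side agreement; still no address changes hands.
        self.games[game_id]["players"].add(nick)

    def start(self, game_id, now):
        """Exchange addresses between host and players, recording each one.

        Returns {nick: {peer: ip}} as it would be pushed to each participant:
        the host learns every player's address, each player learns only the
        host's. Players never learn each other's addresses.
        """
        game = self.games[game_id]
        host, players = game["host"], game["players"]
        out = {host: {}}
        for p in sorted(players):
            out[host][p] = self.addresses[p]
            out[p] = {host: self.addresses[host]}
            self.ledger.append(Disclosure(game_id, host, p, now))
            self.ledger.append(Disclosure(game_id, p, host, now))
        return out

    def suspects(self, victim, since=None):
        """Everyone handed `victim`'s address at or after `since` (all time if None).

        If the victim got a fresh IP from their ISP at `since`, anyone who only
        saw the old address drops out of the list.
        """
        return sorted({d.recipient for d in self.ledger
                       if d.owner == victim and (since is None or d.at >= since)})


# Constructed scenario: two games on one evening, plus an account that only idles.
T0 = datetime(2020, 12, 10, 20, 0)
T_ROTATE = T0 + timedelta(minutes=30)   # assume "grapjas" changed IP at this point


def demo():
    lobby = Lobby()
    for nick, ip in [("nani", "203.0.113.10"), ("grapjas", "198.51.100.7"),
                     ("alice", "192.0.2.50"), ("bob", "192.0.2.51"),
                     ("lurker", "192.0.2.99")]:
        lobby.login(nick, ip)
    lobby.host("nani", "g1")
    lobby.join("grapjas", "g1")
    lobby.join("alice", "g1")
    lobby.start("g1", T0)
    lobby.host("bob", "g2")
    lobby.join("grapjas", "g2")
    lobby.start("g2", T_ROTATE)
    # "lurker" sat in chat all evening; the lobby never gave it anyone's address.
    return lobby


if __name__ == "__main__":
    lobby = demo()
    print("who could attack nani:", lobby.suspects("nani"))
    print("who could attack grapjas after the IP change:", lobby.suspects("grapjas", T_ROTATE))
```

The ledger is what turns "one of the players must be the attacker" from a guess into a query: the lobby operator can intersect the suspect lists of several victims. It does not help against an attacker who obtained the address some other way (a leaked replay, an earlier game hosted in the open lobby), which is why the post pairs this with the rest of the design.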

Ideally, set up a Linux machine between your router and the WAN to log all connections with Wireshark or something with the same functionality. I can't do it as I share the WAN with my neighbours.

The log will reveal IPs, connection type and a whole lot of other good info. Wireshark is pretty easy to set up and use. But you must intercept all traffic to your network outside any firewall. The router in my house stops the incoming connections, but they still choke the line when it happens. The router does not have tools to gain the info you get with Wireshark. Use no firewall on the Wireshark/logging computer, as you want to log it all. Linux is good, stable and pretty secure. But don't use a machine with any personal info or things you care about. Kali Linux is probably the best OS for the task.

Best regards Woody

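The post above proposes capturing everything that reaches the line, and an earlier post in the thread names the traffic seen: ICMP/UDP floods switched at times to NTP-based attacks. The following added example (written for this page, not code from the 0 A.D. project or from any poster) does the triage step on such a capture with only the Python standard library: it reads a libpcap file, counts inbound packets per source address, and separates ICMP, ordinary UDP and NTP-amplification replies (UDP source port 123 carrying far more than the 48-byte payload of a normal time reply). The capture it runs on is constructed inside the block; the TEST-NET addresses, ports and the 200-byte threshold are assumptions. To use it on a real capture, read the bytes of a file written with `tcpdump -w` and pass them to `triage()`.

```python
"""Triage a packet capture for ICMP floods, UDP floods and NTP amplification.

Added example, not 0 A.D. code. Reads the classic little-endian libpcap
format (Ethernet link type) with the standard library only. The sample
capture is built in memory below from constructed packets.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


# --- constructed packets (checksums left zero; enough for parsing) ---------
def _ipv4(src, dst, proto, payload):
    """Ethernet (dummy MACs, type 0x0800) + 20-byte IPv4 header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


def _udp(src, dst, sport, dport, data):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def _icmp_echo(src, dst):
    return _ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 56)


def build_pcap(frames):
    """Wrap raw Ethernet frames in a pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1607600000, i, len(frame), len(frame)) + frame
    return out


# --- parsing and classification -------------------------------------------
def iter_packets(pcap):
    """Yield the raw bytes of each record in a pcap file image."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def triage(pcap, my_ip, ntp_min_bytes=200):
    """Count inbound packets to `my_ip` per source, classed by attack type."""
    counts = defaultdict(lambda: defaultdict(int))
    for frame in iter_packets(pcap):
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if dst != my_ip:
            continue                      # outbound or unrelated
        l4 = frame[14 + ihl:]
        if proto == 1:
            counts[src]["icmp"] += 1
        elif proto == 17:
            sport, _dport, length = struct.unpack_from("!HHH", l4, 0)
            # Amplified NTP replies come from port 123 and are far larger than
            # a genuine 56-byte (8 header + 48 payload) time reply.
            if sport == 123 and length >= ntp_min_bytes:
                counts[src]["ntp_amp"] += 1
            else:
                counts[src]["udp"] += 1
        else:
            counts[src]["other"] += 1
    return {s: dict(c) for s, c in counts.items()}


def top_sources(summary, min_packets=3):
    """Sources with at least `min_packets` inbound packets, busiest first."""
    totals = {s: sum(c.values()) for s, c in summary.items()}
    return [s for s, n in sorted(totals.items(), key=lambda kv: -kv[1]) if n >= min_packets]


# Constructed capture: an ICMP flood, an NTP-amplification burst, one ordinary
# inbound UDP packet and one outbound packet that triage must ignore.
ME = "203.0.113.10"
SAMPLE_PCAP = build_pcap(
    [_icmp_echo("198.51.100.7", ME) for _ in range(5)]
    + [_udp("192.0.2.50", ME, 123, 40000, b"\x00" * 440) for _ in range(4)]
    + [_udp("198.51.100.99", ME, 20595, 20595, b"game")]
    + [_udp(ME, "198.51.100.99", 20595, 20595, b"game")]
)

if __name__ == "__main__":
    summary = triage(SAMPLE_PCAP, ME)
    for src in top_sources(summary):
        print(src, summary[src])
```

The same split can be done interactively in Wireshark with display filters such as `icmp`, `udp.srcport == 123 && udp.length > 200` and `udp && !(udp.srcport == 123)`; the script is for the case the post describes, a headless logging box that has to summarise hours of capture. Note that in an amplification attack the source addresses you see are the abused NTP servers, not the attacker, so what the counts give you is evidence of the attack type and timing to report, not the attacker's address.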
2 hours ago, woodpecker said:

Ideally, set up a Linux machine between your router and the WAN to log all connections with Wireshark or something with the same functionality. I can't do it as I share the WAN with my neighbours.

The log will reveal IPs, connection type and a whole lot of other good info.

So does your router. A compromised machine forging L3 packets would do more harm than a DoS ever could. Your router would be blindly routing all of them.
