DDOS is back


chrstgtr

Given the lobby changes to hide your IP from the lobby, we might be able to trisect which lobby user is malicious (and then act upon that). For the host who experiences a DDOS, please attach your mainlog.html to this thread (see https://trac.wildfiregames.com/wiki/GameDataPaths for where to find it). Make sure you save the mainlog before you start 0ad again, since it will be overwritten. In that file all connection attempts are present; see the lines of the form

XmppClient: Recieved request for connection data from {username}

If one can change their IP address before the game, we have even more information (since the malicious user might store the IP to use later).


57 minutes ago, Ceres said:

Please accept my apologies for my ignorance about these IT-related specifities, but I wonder if 0 A.D. could get an IP blocker implemented, just like a router has. Or is it too late or impossible at this layer to block or ignore traffic from a "banned IP"?

The problem is not really the origin IP. Sure, if you could find the DDOSer's IP address you could try to block him, but he might change his IP and start again. As long as he has your new IP, which he can now only get if he joins a match with you, he can DDOS you.


5 hours ago, Ceres said:

proposed a while ago using a whitelist for the lobby. While I'm not playing online matches, I found the idea interesting. Whether it could help versus these nasty DDOS attacks, I don't know, though.

A whitelist can prevent the hacker from finding out new victims to attack. However, it is believed that the hacker already has a hitlist: the IPs of players who like hosting. Direct connect and password-protected matches might help if you are not on their hit list.

Some observations:

1. I have never been ddosed while using a smurf account. Even in the heights of DDOS back in A24, I hosted games with a smurf account and no-one ddosed me. It could be a coincidence but could also mean the hacker is picking targets, or the IP protection is working. 

2. Those who liked to host in A23 got hit the worst. woodpecker was one of the most targeted victims and he hosted a lot back in A23. This is because A23 had no ip protection but A25 does. 


There's code relevant to this. See:

https://trac.wildfiregames.com/changeset/24728

https://trac.wildfiregames.com/ticket/3556

https://trac.wildfiregames.com/changeset/23374

https://trac.wildfiregames.com/ticket/1088

https://trac.wildfiregames.com/ticket/6136

The lobby used to publish the IP address of any user hosting a match. Since 24728 the power to decide who gets the IP address has been given to the host, which allows it to keep the IP address as private as it likes. The lobby doesn't publish any IP address. It ought to be that using a fresh IP address and keeping it private completely or virtually eliminates the possibility of any sort of cyber attack in general.


See also:


@Dizaka

@wraitii


@chrstgtr@BreakfastBurrito_007@Player of 0AD@Gurken Khan@sarcoma@Ceres@bb_@Yekaterina


Guys, 0ad already has a DDOS countermeasure and it works well.  Use password-protected games. 

DO NOT HOST GAMES WITHOUT A PASSWORD.  I REPEAT, DO NOT HOST GAMES WITHOUT A PASSWORD.

Having a password prevents your IP from being shared with the lobby. Put the game password in the game name. It makes it more difficult for whoever does the DDOS stupidity. (And, if you know how, it can help narrow down the person, as @bb_ pointed out.)

ALSO, CHANGE YOUR IP ADDRESSES weekly if you cannot do it daily.


https://trac.wildfiregames.com/ticket/6136

Also, it's likely multiple randoms doing this. I do not believe it is one individual. This is not something that can be moderated and/or stopped easily. However, it's getting to the point where features in 0ad alpha are being implemented that make DDOS more difficult to perform and the culprits can be narrowed down (narrowed down by name and not by what IPs are DDOSing you).

11 hours ago, bb_ said:

Given the lobby changes to hide your IP from the lobby, we might be able to trisect which lobby user is malicious (and then act upon that). For the host who experiences a DDOS, please attach your mainlog.html to this thread (see https://trac.wildfiregames.com/wiki/GameDataPaths for where to find it). Make sure you save the mainlog before you start 0ad again, since it will be overwritten. In that file all connection attempts are present; see the lines of the form

XmppClient: Recieved request for connection data from {username}

If one can change their IP address before the game, we have even more information (since the malicious user might store the IP to use later).

I have one instance of this, going back 2-3 months, where I changed my IP and hosted 2 games. The 2nd game was DDOSed. I do not believe I have the replays but have the mainlog and extracted names from the mainlog (made a simple python script to do it). Also, I have 1-2 instances of it happening after 3-6 games, but I kept the mainlog for all games and have all names that joined.

Basically, before each day I changed my IP address. I would only host games. I would not join any games. For each game I hosted that day I saved the mainlog file (and/or wouldn't restart the client, to continue adding to the mainlog file). When a DDOS would happen, only on my host, I'd stop and save the mainlog file. Then I'd change my IP address. Repeat and only host. If the DDOS happened to a player joining my game, I'd rehost (usually without that player, since their IP is compromised and they likely don't know how to change their IP address) if the player couldn't rejoin, while saving the mainlog, and wait till I get hit.

Below are the files, with the date of the game and my host IP address for those games. The "DDOSER here" zip file is the one with 2 games (see HERE [Note: files uploading]). The person I was collaborating with is @aixo and he narrowed it down to people, but to me it seemed like it's randoms and multiple people doing it. This is because before A25 I had a notepad where I'd write names of people who joined games. However, you could get the IP from the lobby, so it was pointless.

@bb_ @Angen @wraitii Could it be possible, for administrative purposes, for the clients to send this data (stripped down and/or narrowed down) automatically to the 0ad server?  This information, before being sent, could have private information hashed/removed by client. Based on "interactions" and "changed IP addresses" rank each player on probability of being a DDOSer.  It could be used to map and narrow down the people who do this.  Players then could "limit observers to clean players" or something along those lines.

Edited by Dizaka
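The two posts above (bb_'s pointer to the "Recieved request for connection data" lines, and Dizaka's fresh-IP-per-day hosting routine with a script that pulls names out of mainlog.html) can be turned into one small tool. The following is an added example written for this thread, not Dizaka's script and not code from the 0 A.D. project. It assumes that mainlog.html wraps each message in simple HTML tags (stripped before matching), that the log spells the message "Recieved" as quoted in the thread (both spellings are accepted), and that each mainlog corresponds to one hosting session on a fresh IP, so the attacker of an attacked session must be among that session's joiners. The sample logs are constructed.

```python
import re
from collections import Counter
from html import unescape

# The lobby log line quoted by bb_. The real message spells "Recieved";
# accept either spelling so a future typo fix does not break the parser.
JOIN_RE = re.compile(
    r"XmppClient: Rec(?:ie|ei)ved request for connection data from (\S+)"
)
TAG_RE = re.compile(r"<[^>]+>")  # assumption: mainlog.html markup is simple tags


def joiners_from_mainlog(text):
    """Distinct usernames that requested connection data, in first-seen order."""
    seen = []
    for raw in text.splitlines():
        line = unescape(TAG_RE.sub("", raw))
        m = JOIN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def rank_suspects(sessions):
    """sessions: list of (mainlog_text, was_ddosed), one entry per fresh IP.

    Score each user by how many attacked sessions they joined (higher is more
    suspicious) and break ties by how many clean sessions they joined (a user
    who had the IP and did not attack is less suspicious). Returns a list of
    (user, attacked_sessions, clean_sessions), most suspicious first.
    """
    attacked, clean = Counter(), Counter()
    for log, ddosed in sessions:
        for user in joiners_from_mainlog(log):
            (attacked if ddosed else clean)[user] += 1
    users = set(attacked) | set(clean)
    return sorted(
        ((u, attacked[u], clean[u]) for u in users),
        key=lambda t: (-t[1], t[2], t[0]),
    )


def common_to_all_attacked(sessions):
    """Users present in every attacked session: if a single person is
    behind the attacks, they must be in this set (fresh IP per session)."""
    sets = [set(joiners_from_mainlog(log)) for log, ddosed in sessions if ddosed]
    return set.intersection(*sets) if sets else set()


# Constructed sample logs: three hosting sessions, each on a fresh IP.
MAINLOG_IP1 = """<p>XmppClient: Recieved request for connection data from alice</p>
<p>XmppClient: Recieved request for connection data from bob</p>
<p>XmppClient: Recieved request for connection data from mallory</p>
<p>XmppClient: Recieved request for connection data from alice</p>
<p>XmppClient: Recieved request for connection data from carol</p>
<p>NetServer: some unrelated log line</p>
"""
MAINLOG_IP2 = """<p>XmppClient: Recieved request for connection data from alice</p>
<p>XmppClient: Recieved request for connection data from bob</p>
<p>XmppClient: Recieved request for connection data from dave</p>
"""
MAINLOG_IP3 = """<p>XmppClient: Received request for connection data from mallory</p>
<p>XmppClient: Recieved request for connection data from dave</p>
<p>XmppClient: Recieved request for connection data from erin</p>
"""
# (log text, was this session DDoSed?)
SESSIONS = [(MAINLOG_IP1, True), (MAINLOG_IP2, False), (MAINLOG_IP3, True)]

if __name__ == "__main__":
    for user, hit, clean in rank_suspects(SESSIONS):
        print(f"{user:10s} attacked={hit} clean={clean}")
    print("in every attacked session:", common_to_all_attacked(SESSIONS))
```

Run it with the real files by replacing the constructed strings with `open(path, encoding="utf-8").read()` for each saved mainlog.html. The ranking is only evidence, not proof: if several people attack independently (as Dizaka suspects), `common_to_all_attacked` may be empty while the per-user counts still point at the repeat offenders, and a user who simply plays a lot will show up in many sessions of both kinds, which is why the clean-session count is used as the tiebreak.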

Has anyone ever cared where the IPs come from? I don't mean to have countries or other details mentioned here in the public forum, but think about something else: Do these IPs maybe belong to a certain segment that can be completely blocked? I understand that innocent people might thus get banned, too, but then there's maybe a solution for this, too. Could it be that the IPs of the attackers belong to people that have a special interest to harm a free open source software game like 0 A.D., as they see it as a competitive game to some commercial ones (about which they have interests)? I don't understand why else someone could be so ill behaving, having fun to mess with other peoples' joy, but maybe I'm just too naive. These ugly things (besides having kids, whom I certainly don't want to expose to all this) are the main reason why I never play online (WAN). BTW, is using a VPN-secured line between host and whitelisted chaps maybe a way to filter out the dirt? Anyway, I wish you success with this. Don't let yourself get down by stupid people.


@Ceres

The data packets are of different kinds depending on what the DDOS person wants/orders. The person who does it has specific, but not granular, control of the kind of data being sent. They have done DDOS using ICMP messages and other types of data/messages (e.g., NTP). I do not believe that they are a programmer but rather someone sitting in the lobby using a service. The DDOS attacks seem to happen during time slots rather than at will, suggesting that 'orders' are made, but that is speculation.

When, as a host, you use a service that provides 1 port over an IP address shared by multiple users, the attacker would modify the attack to specifically target the individual port (e.g., hosting using a 3G/4G provider or through a service provided by many ISPs in Europe, not the US). So whoever is doing this is actually investing time in doing it. It's not automatic. When they get bored, they get bored, as seen by the recent lull. It's also unlikely that 1 person is doing it, but rather different people over time and overlapping time.

Edited by Dizaka

5 hours ago, Ceres said:

Has anyone ever cared where the IPs come from?

I believe one of the Ds stands for 'Distributed', meaning an attacker would use several machines aka 'bots'. Makes the attack stronger, maybe not trackable to their own machine. I think they might also choose which IP range/area those bots operate from; or maybe spoof it.

An IP or IP range could be blocked because they spam requests. At some ~anonymous place I was hit several times with an area ban because someone supposedly from my area misbehaved; I had to request a code snippet via IRC.


Why would somebody with a botnet care to DDOS 0 A.D.? Instead, they could send spoof mails to collect personal data that can be turned into money.

Is there a possibility that 0 A.D. gets abused via some "stack overflow" (I don't know the exact and correct term), so malicious code gets executed on host and guests?


It's very likely that I misunderstood or not understood previous explanations, so please forgive me that I ask a similar question once more: Why couldn't whitelists help here? When people who like to play online have an account in this forum, they can PM their IPs, and 0 A.D. could use them and block all others. No?


54 minutes ago, Ceres said:

It's very likely that I misunderstood or not understood previous explanations, so please forgive me that I ask a similar question once more: Why couldn't whitelists help here? When people who like to play online have an account in this forum, they can PM their IPs, and 0 A.D. could use them and block all others. No?

That would make it very secure indeed. However, there are still 2 problems with a whitelist:

1. The hacker already knows woodpecker's IP address, so he will get attacked directly, even when he is not playing 0ad. The hacker can just attack his home network at any time they want. 

2. Whitelisting makes genuine new players too difficult to join, which might discourage some from multiplayer.


Ad 1) Only changing the IP might help, plus other measures on the private network.

Ad 2) I agree. The hurdle for new players should not be too high to join. On the other hand, they would maybe feel even more attracted to 0 A.D. when they learnt that some extra layer helps to protect themselves and other players.

Edited by Ceres

58 minutes ago, Yekaterina said:

2. Whitelisting makes genuine new players too difficult to join, which might discourage some from multiplayer.

There lies the problem. You want the community to grow and not put barriers in front of that growth.

Putting up barriers discourages growth. Hence, a good number of ideas, including mine, are bad but could/would work.

Basically, as a moderator, user1 is between a rock and a hard place.  Currently, no tools.  However, even if there were tools (e.g., private chat) they may make the lobby dead and discourage others from joining 0ad.
