
DDOS is back


chrstgtr

Given the lobby changes to hide your IP from the lobby, we might be able to trisect which lobby user is malicious (and then act upon that). For the host who experiences a DDOS, please attach your mainlog.html to this thread (see https://trac.wildfiregames.com/wiki/GameDataPaths for where to find it). Make sure to save the mainlog before you start 0ad again, since it will be overwritten. In that file all connection attempts are present, see the lines of the form

XmppClient: Recieved request for connection data from {username}

If one can change their IP address before the game, we have even more information (since the malicious user might store the IP to use later).


57 minutes ago, Ceres said:

Please accept my apologies for my ignorance about these IT-related specificities, but I wonder if 0 A.D. could get an IP blocker implemented, just like a router has. Or is it too late or impossible at this layer to block or ignore traffic from a "banned IP"?

The problem is not really the origin IP. Sure, if you could find the DDOSer's IP address you could try to block him, but he might change his IP and start again. As long as he has your new IP, which he can now only get if he joins a match with you, he can DDOS you.


5 hours ago, Ceres said:

proposed a while ago using a whitelist for the lobby. While I'm not playing online matches, I found the idea interesting. Whether it could help versus these nasty DDOS attacks, I don't know, though.

A whitelist can prevent the hacker from finding new victims to attack. However, it is believed that the hacker already has a hit list: the IPs of players who like hosting. Direct connect and password-protected matches might help if you are not on their hit list.

Some observations:

1. I have never been DDOSed while using a smurf account. Even at the height of DDOS back in A24, I hosted games with a smurf account and no one DDOSed me. It could be a coincidence but could also mean the hacker is picking targets, or the IP protection is working.

2. Those who liked to host in A23 got hit the worst. woodpecker was one of the most targeted victims and he hosted a lot back in A23. This is because A23 had no IP protection but A25 does.

There's code relevant to this. See:

https://trac.wildfiregames.com/changeset/24728

https://trac.wildfiregames.com/ticket/3556

https://trac.wildfiregames.com/changeset/23374

https://trac.wildfiregames.com/ticket/1088

https://trac.wildfiregames.com/ticket/6136

The lobby used to publish the IP address of any user hosting a match. Since 24728 the power to decide who gets the IP address has been given to the host, which allows it to keep the IP address as private as it likes. The lobby doesn't publish any IP address. Using a fresh IP address and keeping it private ought to completely or virtually eliminate the possibility of any sort of cyber attack in general.

See also:

@Dizaka

@wraitii

@chrstgtr @BreakfastBurrito_007 @Player of 0AD @Gurken Khan @sarcoma @Ceres @bb_ @Yekaterina
Guys, 0ad already has a DDOS countermeasure and it works well.  Use password-protected games. 

DO NOT HOST GAMES WITHOUT A PASSWORD.  I REPEAT, DO NOT HOST GAMES WITHOUT A PASSWORD.

Having a password prevents your IP from being shared with the lobby. Put the game password in the game name. It makes it more difficult for whoever does the DDOS stupidity (and, if you know how, it can help narrow down the person, as @bb_ pointed out).

ALSO, CHANGE YOUR IP ADDRESSES weekly if you cannot do it daily.

https://trac.wildfiregames.com/ticket/6136

Also, it's likely multiple randoms doing this. I do not believe it is one individual. This is not something that can be moderated and/or stopped easily. However, it's getting to the point where features in 0ad alpha are being implemented that make DDOS more difficult to perform and let the culprits be narrowed down (narrowed down by name and not by what IPs are DDOSing you).

11 hours ago, bb_ said:

Given the lobby changes to hide your IP from the lobby, we might be able to trisect which lobby user is malicious (and then act upon that). For the host who experiences a DDOS, please attach your mainlog.html to this thread (see https://trac.wildfiregames.com/wiki/GameDataPaths for where to find it). Make sure to save the mainlog before you start 0ad again, since it will be overwritten. In that file all connection attempts are present, see the lines of the form

XmppClient: Recieved request for connection data from {username}

If one can change their IP address before the game, we have even more information (since the malicious user might store the IP to use later).

I have one instance of this, going back 2-3 months, where I changed my IP and hosted 2 games. The 2nd game was DDOSed. I do not believe I have the replays, but I have the mainlog and extracted names from the mainlog (made a simple python script to do it). Also, I have 1-2 instances of it happening after 3-6 games, but I kept the mainlog for all games and have all names that joined.

Basically, before each day I changed my IP address. I would only host games. I would not join any games. For each game I hosted that day I saved the mainlog file (and/or wouldn't restart the client, to continue adding to the mainlog file). When a DDOS would happen, only on my host, I'd stop and save the mainlog file. Then I'd change my IP address. Repeat and only host. If a DDOS happened to a player joining my game and the player couldn't rejoin, I'd rehost (usually w/o that player since their IP is compromised and they likely don't know how to change their IP address), while saving the mainlog, and wait till I got hit.

Below are the files, with date of game + my host IP address for those games. The DDOSER here zip file is the one with 2 games (see HERE [Note: files uploading]). The person I was collaborating with is @aixo and he narrowed it down to people, but to me it seemed like it's randoms and multiple people doing it. This is because before A25 I had a notepad where I'd write names of people who joined games. However, you could get IPs from the lobby so it was pointless.

@bb_ @Angen @wraitii Could it be possible, for administrative purposes, for the clients to send this data (stripped down and/or narrowed down) automatically to the 0ad server? This information, before being sent, could have private information hashed/removed by the client. Based on "interactions" and "changed IP addresses", rank each player on probability of being a DDOSer. It could be used to map and narrow down the people who do this. Players then could "limit observers to clean players" or something along those lines.

Edited by Dizaka
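The extraction bb_ asks for and the "simple python script" Dizaka mentions, as an added example that is not code from this thread, from either poster, or from the 0 A.D. project: it pulls the usernames out of the connection-request lines of several saved mainlog.html files, reports which users appeared in every attacked session (the trisection idea, which only works if the host's IP was changed before each session), and ranks users by how many attacked versus clean sessions they showed up in. The log line pattern is taken from the thread as quoted (including its spelling); the assumption that mainlog.html wraps entries in HTML tags, the sample logs, and the usernames in them are constructed for this example.

```python
import re
import sys
from collections import Counter
from typing import Iterable, List, Sequence, Set, Tuple
from html import unescape

# Pattern of the lobby connection-request line quoted in this thread. The
# spelling "Recieved" is copied from the log format as posted, not corrected.
CONNECTION_RE = re.compile(
    r"XmppClient:\s+Recieved request for connection data from\s+(?P<user>\S+)"
)
# mainlog.html is an HTML file, so entries are assumed (assumption) to sit
# inside markup; tags are stripped and entities decoded before matching.
TAG_RE = re.compile(r"<[^>]+>")


def connection_requesters(mainlog_html: str) -> List[str]:
    """Usernames that asked this host for connection data, in order of first
    appearance, one entry per user even if they reconnected several times."""
    seen: List[str] = []
    for raw in mainlog_html.splitlines():
        line = unescape(TAG_RE.sub("", raw))
        match = CONNECTION_RE.search(line)
        if match:
            user = match.group("user").rstrip(".,;")
            if user not in seen:
                seen.append(user)
    return seen


def common_to_all(attacked_logs: Sequence[str]) -> Set[str]:
    """Users present in every attacked session. With the host IP changed before
    each session, only these users could have learned every attacked IP."""
    sets = [set(connection_requesters(log)) for log in attacked_logs]
    return set.intersection(*sets) if sets else set()


def rank_suspects(attacked_logs: Sequence[str],
                  clean_logs: Iterable[str] = ()) -> List[Tuple[str, int, int]]:
    """Rows of (user, attacked_sessions, clean_sessions), most suspicious first.
    Many attacked sessions and few clean ones move a user up; a user seen in
    clean sessions about as often as attacked ones is probably just active."""
    attacked: Counter = Counter()
    clean: Counter = Counter()
    for log in attacked_logs:
        attacked.update(connection_requesters(log))  # one count per session
    for log in clean_logs:
        clean.update(connection_requesters(log))
    users = set(attacked) | set(clean)
    return sorted(((u, attacked[u], clean[u]) for u in users),
                  key=lambda row: (-row[1], row[2], row[0]))


# Constructed sample logs (usernames invented for this example). Each string
# stands for one saved mainlog.html: three sessions that were attacked, one not.
ATTACKED_LOGS = [
    "<p>XmppClient: Recieved request for connection data from alice</p>\n"
    "<p>XmppClient: Recieved request for connection data from bob</p>\n"
    "<p>Net: some unrelated log line</p>\n"
    "<p>XmppClient: Recieved request for connection data from eve</p>\n"
    "<p>XmppClient: Recieved request for connection data from alice</p>\n",
    "<p>XmppClient: Recieved request for connection data from eve</p>\n"
    "<p>XmppClient: Recieved request for connection data from carol</p>\n",
    "<p>XmppClient: Recieved request for connection data from dave</p>\n"
    "<p>XmppClient: Recieved request for connection data from alice</p>\n"
    "<p>XmppClient: Recieved request for connection data from eve</p>\n",
]
CLEAN_LOGS = [
    "<p>XmppClient: Recieved request for connection data from alice</p>\n"
    "<p>XmppClient: Recieved request for connection data from bob</p>\n",
]

if __name__ == "__main__":
    # Usage: python rank_suspects.py attacked1.html attacked2.html ...
    # (every path is treated as an attacked session); with no arguments the
    # constructed sample logs above are used.
    paths = sys.argv[1:]
    logs = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or ATTACKED_LOGS
    clean = [] if paths else CLEAN_LOGS
    print("present in every attacked session:", sorted(common_to_all(logs)))
    for user, hit, ok in rank_suspects(logs, clean):
        print(f"{user:20} attacked={hit} clean={ok}")
```

The intersection shrinks with every additional attacked session that had its own fresh IP, so the more sessions saved, the shorter the list; a single session proves nothing on its own. Counting clean sessions too matters because a player who joins every game, attacked or not, will top a list built from attacked sessions alone, which is the ambiguity Dizaka runs into when the evidence points at "randoms".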

Has anyone ever cared where the IPs come from? I don't mean to have countries or other details mentioned here in the public forum, but think about something else: do these IPs maybe belong to a certain segment that can be completely blocked? I understand that innocent people might thus get banned, too, but then there's maybe a solution for this, too. Could it be that the IPs of the attackers belong to people that have a special interest to harm a free open source software game like 0 A.D., as they see it as a competitive game to some commercial ones (about which they have interests)? I don't understand why else someone could be so ill-behaved, having fun messing with other people's joy, but maybe I'm just too naive. These ugly things (besides having kids, whom I certainly don't want to expose to all this) are the main reason why I never play online (WAN). BTW, is using a VPN-secured line between host and whitelisted chaps maybe a way to filter out the dirt? Anyway, I wish you success with this. Don't let yourself get down by stupid people.

