
DDOS is back


chrstgtr

15 minutes ago, Ceres said:

For clarification:

Do these DDOS attacks happen to the affected people in general or only when playing/ hosting 0 A.D.? Sorry that I ask this only now.

@Dizaka
@Yekaterina
What are your thoughts about my "Ad 2)" before?

It conveniently happens when you're enjoying yourself. 9/10 times it's likely intentional.

For @2 I don't think people, in general, appreciate things that make stuff easier or protect them, as you do not notice those things. Therefore, you tend to underappreciate them. Conversely, people definitely don't appreciate things that create agony and make it known. Therefore, a lot of effort that has been put into DDoS prevention goes unappreciated (e.g., password games, user1 taking time to read my PMs and those of others, etc.). Mainly because DDoS isn't an issue until it is an issue.

@Angen, who implemented password-protected games, has a great idea on a whitelist that ties in with the buddies list and makes passwords unnecessary. I really look forward to the alpha that has that feature, as more people will be likely to use it, since passwords don't 'flow.'


I agree with everything Dizaka wrote, very well summarized. As Dizaka described, we spent significant time and effort tracking the username which was harvesting IPs at that time. Dizaka described the process of how we did it, and unlike him I believe we were able to narrow the username down. The question now is: how does that help?

First of all, nobody would believe that we did it honestly and correctly, and, with no offence, most people do not even have the technical knowledge to understand it and make a correct judgement. Anyone could just say that we picked someone we didn't like.

And second of all, the username was using VPNs to connect to the lobby, their IP kept changing, and I bet they use multiple accounts. Block one username or IP address and the DDoSer will just create a new account from a different IP provided by a VPN.

We can make it more challenging for the DDoSer, as Dizaka described, but there is IMO no ultimate solution with the way game hosting works, the size of the community and the lack of will among players to do anything to prevent the DDoS. And obviously anyone who's been doing that for more than a year has enough motivation to get through some barriers.


Note: @aixo is 100x more competent in computer networks, as he does it professionally.

I'm just someone who studied it in college and can understand the concepts and basics of what is happening. I definitely don't have the knowledge that @aixo has. Whatever @aixo says is probably more correct than what I say on computer networks.


18 hours ago, aixo said:

I agree with everything Dizaka wrote, very well summarized. As Dizaka described, we spent significant time and effort tracking the username which was harvesting IPs at that time. Dizaka described the process of how we did it, and unlike him I believe we were able to narrow the username down. The question now is: how does that help?

First of all, nobody would believe that we did it honestly and correctly, and, with no offence, most people do not even have the technical knowledge to understand it and make a correct judgement. Anyone could just say that we picked someone we didn't like.

And second of all, the username was using VPNs to connect to the lobby, their IP kept changing, and I bet they use multiple accounts. Block one username or IP address and the DDoSer will just create a new account from a different IP provided by a VPN.

We can make it more challenging for the DDoSer, as Dizaka described, but there is IMO no ultimate solution with the way game hosting works, the size of the community and the lack of will among players to do anything to prevent the DDoS. And obviously anyone who's been doing that for more than a year has enough motivation to get through some barriers.

If you narrowed it down and there is a known player on the list that you don't want to accuse in public, I would be interested in your PM.


8 minutes ago, BreakfastBurrito_007 said:

@bad player why is it funny?

I already said why, but I could elaborate since you're asking me to.

Considering this mighty and humongous piece of software that has been in development for over a decade is losing a fight against someone who most likely is a teenager (adults wouldn't waste time on DDoSing some game for lulz), yes, I find that funny.

By losing I don't mean that it's the end of 0ad; it's not losing the whole battle, but it is losing these mini fights, and the community has been getting annoyed by these DDoSes for a long time now. I am sure that some people have even quit 0ad (maybe even permanently) due to these DDoSes.

DDoSing in simple terms means griefing, and oh boy, players do quit games because of that, and they always talk poorly about the game afterwards.

Edited by bad player

I have experienced suspected ddos attacks twice in the past 3 days. I'll describe what happened.

While hosting a team game of 0 A.D., all of a sudden, I saw an "Exit" button at the center of the screen and a message that I had lost connection to the server. I consider this odd because I was the host, but maybe the message was referring to the wildfiregames lobby.

After a few minutes I clicked Exit, and the lobby was completely empty of players and games.

I closed 0ad and tried to visit websites, but could not load any websites. I couldn't even ping the router or access the router's administration interface. The Internet activity light was blinking a lot.

I powered off the router for several minutes, then powered it back on. It worked and I could surf the net again.

Today the same thing happened.

In both cases the problem occurred at a key event. In the first game, enemy players were on the ropes (losing with odds of 40/60 at best), and the suspected ddos occurred as soon as I had battering rams moving toward an enemy base. In the second game, I had been rushing an enemy player frequently in the early game, so he was likely angry at me. When they reached city phase, the two closest enemies attacked me and had just destroyed my base, but were being counter attacked by one of my teammates. Then the second suspected ddos occurred. These were basically the tipping points of the games.

Ideas on how to prevent this in the future?


9 minutes ago, BreakfastBurrito_007 said:

@bad player

I don't get your sense of humor. And to be honest, I had been thinking you could be a perpetrator seeking a ransom, since your profile name is "bad player" and you found the situation funny.

Joined 8 hrs ago.  Knows about this game developed for decades.


16 hours ago, BreakfastBurrito_007 said:

I don't get your sense of humor. And to be honest, I had been thinking you could be a perpetrator seeking a ransom, since your profile name is "bad player" and you found the situation funny.

There is no need to accuse people without serious suspicions. If it wasn't an accusation, I would say that there is no need to post something that could be seen as an accusation.

 

15 hours ago, Dizaka said:

Joined 8 hrs ago.  Knows about this game developed for decades.

Yeah, how does someone new to the forum know this big secret?


  

8 hours ago, LetswaveaBook said:

There is no need to accuse people without serious suspicions. If it wasn't an accusation, I would say that there is no need to post something that could be seen as an accusation.

Big difference between an accusation and a thought.  Jumping to the accusation based on what was written by @BreakfastBurrito_007 is concerning.  There was only a thought without supporting evidence that may imply something.

 

8 hours ago, LetswaveaBook said:

Yeah, how does someone new to the forum know this big secret?

Yea, how does one know of something that isn't a secret?


It seems like I owe some clarification. The first post I read was very suspect to me, which I hope you guys understand in retrospect. A few alarm bells went off in my head before he replied. Obviously I understand that there is no way a ransom would be paid, but it is not out of the question that someone could try to set this up.


2 hours ago, BreakfastBurrito_007 said:

It was very frustrating to watch.  I do not remember this type of ddos behavior from the previous waves of attacks.

Same thing as previously.  Except person has been quiet and gathered everyone's IP addresses.  Makes it look like bad connections.  However, it is not.  I haven't reset my IP in like 4 mos.

Edited by Dizaka

  • 3 weeks later...

I was hit by another suspected ddos attack on Sunday, October 10th at about 23:20 UTC. The symptoms were very similar to the ddos attacks that I experienced on September 19th and 21st, except that the game hitched for a while, indicating that all players were losing connection, then the players disconnected and the game continued. I paused the game in order to wait for them to reconnect. Unfortunately, the ddos lasted for about 5 minutes, and my game was no longer listed in the lobby when I regained connection.

Here are the circumstances at the time: in the 4v4 team game, there were back-and-forth attacks, but at the 35 minute mark, which is when the ddos attack hit, my side was likely losing the battle. One teammate had his economy shut down, rams were hitting the extremities of another teammate base, and I was busy defending a barracks and tower. Also, opponents had control of the metal deposits at the center of the map.

My guess as to the motive of the attacker: he wanted the game to end sooner so he could get players in a different game. I advise that we not reward him for this behavior. Instead, players can refuse to join another game for 10 minutes when a player uses a ddos for this apparent purpose.

Also, we're still waiting for information from one of the players who was present in a different game and had a potential motive for hitting me with the ddos that I experienced on September 21. When I asked for his observations about the situation, he said in the game lobby on September 22 at 14:46 UTC, "i noticed only strong games get ddosed". I asked him to post observations like that on the forum. Note that I have seen games that included only players of average skill level get ddosed.

We're also still waiting for information from another player about a supposed ddos attack that he experienced recently. He mentioned it in the game lobby on October 10th at 02:24 UTC. Let's assign a pseudonym of "harry" to the accuser, and a pseudonym of "carl" to the accused. I'm not publicly naming names because I support the principle of "innocent until proven guilty". The statements were:

[02:24] <harry> im waiting for ur second ddos carl
[02:24] <harry> for this night
...
[03:59] <harry> i got ddosed by carl today

I would like to ask "harry" to please share how you know for sure that it was a ddos attack, and how you know with certainty the name of the person who did it. At 04:00 on that same day, "harry" agreed to post in this forum thread about it. Still waiting...

Most ddos attacks aren't directly traceable to a definite individual without detective work since the source IP address is not the IP address of the person initiating the attack. So IF "harry" was actually hit by a ddos attack, and actually knows the name of the person who did it, then he must have done some detective work, so please share the detailed proof with trusted investigator admins. Otherwise, I am calling out the claim as not based on fact.

Speaking of which, I have additional evidence which I can share with trusted investigator admins in order to demonstrate how I know that I was likely hit by a ddos each of the times that I have described.

Edited by Norse_Harold

11 hours ago, Norse_Harold said:

I was hit by another suspected ddos attack on Sunday, October 10th at about 23:20 UTC. The symptoms were very similar to the ddos attacks that I experienced on September 19th and 21st, except that the game hitched for a while, indicating that all players were losing connection, then the players disconnected and the game continued. I paused the game in order to wait for them to reconnect. Unfortunately, the ddos lasted for about 5 minutes, and my game was no longer listed in the lobby when I regained connection.

Here are the circumstances at the time: in the 4v4 team game, there were back-and-forth attacks, but at the 35 minute mark, which is when the ddos attack hit, my side was likely losing the battle. One teammate had his economy shut down, rams were hitting the extremities of another teammate base, and I was busy defending a barracks and tower. Also, opponents had control of the metal deposits at the center of the map.

My guess as to the motive of the attacker: he wanted the game to end sooner so he could get players in a different game. I advise that we not reward him for this behavior. Instead, players can refuse to join another game for 10 minutes when a player uses a ddos for this apparent purpose.

Also, we're still waiting for information from one of the players who was present in a different game and had a potential motive for hitting me with the ddos that I experienced on September 21. When I asked for his observations about the situation, he said in the game lobby on September 22 at 14:46 UTC, "i noticed only strong games get ddosed". I asked him to post observations like that on the forum. Note that I have seen games that included only players of average skill level get ddosed.

We're also still waiting for information from another player about a supposed ddos attack that he experienced recently. He mentioned it in the game lobby on October 10th at 02:24 UTC. Let's assign a pseudonym of "harry" to the accuser, and a pseudonym of "carl" to the accused. I'm not publicly naming names because I support the principle of "innocent until proven guilty". The statements were:

[02:24] <harry> im waiting for ur second ddos carl
[02:24] <harry> for this night
...
[03:59] <harry> i got ddosed by carl today

I would like to ask "harry" to please share how you know for sure that it was a ddos attack, and how you know with certainty the name of the person who did it. At 04:00 on that same day, "harry" agreed to post in this forum thread about it. Still waiting...

Most ddos attacks aren't directly traceable to a definite individual without detective work since the source IP address is not the IP address of the person initiating the attack. So IF "harry" was actually hit by a ddos attack, and actually knows the name of the person who did it, then he must have done some detective work, so please share the detailed proof with trusted investigator admins. Otherwise, I am calling out the claim as not based on fact.

Speaking of which, I have additional evidence which I can share with trusted investigator admins in order to demonstrate how I know that I was likely hit by a ddos each of the times that I have described.

I was present there on October 10th and I asked "Harry" if he had proof, because I know "Carl" and I couldn't believe he does that.

Today this "Harry" entered a game I hosted at about 6 pm (GMT-3), but with a different nickname. I asked this "NEWharry" if he was a smurf of "Harry", and if that was the case, I was waiting for the proof against my friend Carl. He only replied "ok" and left.

Then we started the game and 5 minutes later all players had high ping, then they left, but I was still connected to the game and could chat in the lobby. Pinging Google worked, but some websites didn't. People could rejoin the game, but someone was missing, so we decided to restart. The same thing happened. You were there @Norse_Harold, maybe you remember.

Quite a coincidence with this "Harry"/"NEWharry".....

Again, at about 11 (GMT-3) I hosted two games normally, but the third game was clearly a DDoS because my router just stopped responding and after a while I lost all internet connection. I'm posting from my cellphone and I don't have screenshots here. Tomorrow I will post them, but I don't think they will show anything important, because the software was not the appropriate one, and I was not aware of the mainlog.html file that @bb_ mentioned before and restarted the game, so it was probably modified.

 

Finally, I want to say that although I'm a new player and new here on the forum, I started hosting quite often under the name Mainland TG, and there is a considerable group of people of average, good and OP level that has been playing my games. Besides some smurfs or weird-name players with no rank that have been banned for rejoining the lobby or spec-lag rejoining, I have only had trouble with one person who uses a few accounts, including these two "Harrys" we are talking about.

Next time, I'll be prepared.

 

PS: English is not my native language. Hope the message is clear enough.

 

Edited by guerringuerrin

@alre I'll be monitoring network traffic. Of course we could never find the origin IP, since the DDoS should be made through a VPN and from many devices, but at least I could confirm with facts that what happened to me was a DDoS and not some ISP connection issue. Of course, there are other elements all host DDoS victims have in common, like hosting games very often with some "very known people" of the community, or being involved in trouble with the same people (or I should say the same person with different nicknames). But I think it's important to at least confirm that this is in fact a DDoS and not some other issue, as I said before.

Yesterday I was doing some tests about the game's network consumption. After three games in a row, I concluded that in a regular 20-minute game about 4.5 MB are received and about 0.08 MB sent. I attached two screenshots of the program I used to see that. (IPs have been erased by me manually to avoid sharing information.)
First screen: you can see the amount of data transferred in bytes right before starting the game, with all people in the lobby readied up to play.
Second screen: you can see the amount of data transferred in bytes right after the game finished.

I have to say I'm surprised, because it's really a small amount of data received, and even less sent, by my pyrogenesis.exe process. I was expecting more sent data since I was hosting, but I'm no developer nor IT manager, so I'm aware I'm missing too many details. Also, I was expecting to see more IP communications, because I thought that connections between players and the host were direct and not through the 0 A.D. server, or at least both. But as I already said, I'm no dev.

I also suppose that all network monitoring has to be done from the router, or maybe before the data reaches it, through some device, and not after the router sends the data to my PC on the local network. But for now all I can do is start monitoring network traffic on my PC until I learn how to monitor the router itself.

Finally, @Dizaka said something about making a Python script to make the data in the mainlog.html file more human-friendly. I have some skills with Python and C syntax, so maybe you can help me with that, to make that script and clean up this log file.

Any advice is welcome.
I couldn't check the amount of network activity at the DDoS moment, because the game froze and TCPView updated faster than my Print Screen key got hit, so that info is missing.

I know this is no new information for those who have been suffering this DDoS @#$%, but I want to let the devs and all people taking care of this know that I want to help in any way I can.

[Screen 01: 01 - copia.JPG]

[Screen 02: 02 - copia.JPG]

Edited by guerringuerrin
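One way to do the router-side measurement the post is working towards (traffic rates at the Internet connection, by bytes and by packets, sampled at fixed intervals), as an added example that is not part of this thread or of 0 A.D.: many consumer routers run Linux and expose per-interface counters in /proc/net/dev over telnet or SSH, which is an assumption about the reader's router. The snapshots below are constructed to mimic that file; the WAN interface name "eth0", the 10-second sampling, the 32-bit counter width, and the quiet-game baseline of roughly 3.75 KB/s inbound (4.5 MB per 20-minute game, as measured above) are all assumptions. The first interval deliberately crosses a counter wrap, because that is the classic way a naive rate script produces a bogus negative spike.

```python
"""Inbound-rate monitor from /proc/net/dev counter snapshots.

Added example, not 0 A.D. code. Assumes a Linux-based router whose WAN
interface is "eth0" and whose counters are 32-bit (both assumptions).
"""
import statistics
from typing import Dict, List, Tuple

COUNTER_BITS = 32      # assumption: many router SoCs expose 32-bit counters
WAN = "eth0"           # assumption: WAN interface name on the router

IfStats = Tuple[int, int, int, int]   # rx_bytes, rx_packets, tx_bytes, tx_packets


def parse_proc_net_dev(text: str) -> Dict[str, IfStats]:
    """Parse the /proc/net/dev table: 8 receive fields then 8 transmit fields."""
    stats: Dict[str, IfStats] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines
        iface, rest = line.split(":", 1)  # some kernels print no space after ':'
        f = rest.split()
        if len(f) < 16:
            continue
        stats[iface.strip()] = (int(f[0]), int(f[1]), int(f[8]), int(f[9]))
    return stats


def delta(new: int, old: int, bits: int = COUNTER_BITS) -> int:
    """Counter difference that survives a single wrap of a fixed-width counter."""
    d = new - old
    return d if d >= 0 else d + (1 << bits)


def rates(snapshots: List[Tuple[int, str]], iface: str = WAN) -> List[dict]:
    """Per-interval rates; snapshots are (unix_time, /proc/net/dev text), in order."""
    out: List[dict] = []
    prev_t, prev = None, None
    for t, text in snapshots:
        cur = parse_proc_net_dev(text)[iface]
        if prev is not None:
            dt = t - prev_t
            out.append({
                "t": t,
                "rx_bps": delta(cur[0], prev[0]) / dt,
                "rx_pps": delta(cur[1], prev[1]) / dt,
                "tx_bps": delta(cur[2], prev[2]) / dt,
                "tx_pps": delta(cur[3], prev[3]) / dt,
            })
        prev_t, prev = t, cur
    return out


def flag_spikes(intervals: List[dict], baseline_n: int = 3, factor: float = 10.0):
    """Baseline = median of the first baseline_n intervals (sampled while the
    game runs normally); flag later intervals exceeding factor x baseline on
    either inbound bytes/s or packets/s. Returns (baseline_bps, flagged_times)."""
    base_bps = max(statistics.median(i["rx_bps"] for i in intervals[:baseline_n]), 1.0)
    base_pps = max(statistics.median(i["rx_pps"] for i in intervals[:baseline_n]), 1.0)
    flagged = [i["t"] for i in intervals[baseline_n:]
               if i["rx_bps"] > factor * base_bps or i["rx_pps"] > factor * base_pps]
    return base_bps, flagged


def make_snapshot(rx_b: int, rx_p: int, tx_b: int, tx_p: int) -> str:
    """Constructed /proc/net/dev text (lo plus the WAN interface)."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
        "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
        f"  eth0: {rx_b} {rx_p} 0 0 0 0 0 0 {tx_b} {tx_p} 0 0 0 0 0 0\n"
    )


# Constructed 10-second samples. Quiet intervals carry ~3.75 KB/s inbound
# (4.5 MB per 20-minute game); the rx byte counter starts just below 2**32
# so the first interval crosses a wrap; the fourth interval adds a
# 50 MB / 400k-packet burst.
_START = 2**32 - 20_000
SAMPLE = [
    (0,  make_snapshot(_START,                    1_000_000, 5_000_000, 500_000)),
    (10, make_snapshot((_START + 37_500) % 2**32, 1_000_400, 5_000_700, 500_100)),
    (20, make_snapshot(55_000,                    1_000_800, 5_001_400, 500_200)),
    (30, make_snapshot(92_500,                    1_001_200, 5_002_100, 500_300)),
    (40, make_snapshot(50_092_500,                1_401_200, 5_002_800, 500_400)),
    (50, make_snapshot(50_130_000,                1_401_600, 5_003_500, 500_500)),
]

if __name__ == "__main__":
    ivals = rates(SAMPLE)
    base, flagged = flag_spikes(ivals)
    for i in ivals:
        print(f"t={i['t']:>3}s rx {i['rx_bps']:>12,.0f} B/s {i['rx_pps']:>8,.0f} pkt/s")
    print(f"baseline {base:,.0f} B/s; flagged intervals ending at t={flagged}")
```

In real use, replace SAMPLE with snapshots read from the router (for example `cat /proc/net/dev` over SSH every 10 seconds, stored with a timestamp) and keep sampling across the whole session, so the record contains the quiet baseline, the episode and the recovery. A flagged interval with inbound rates orders of magnitude above the game's few KB/s is what distinguishes a flood from an ISP outage, which shows up as rates dropping to zero instead.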

11 hours ago, guerringuerrin said:

Then we started Game and 5 minutes later i got all player with high ping, then They leave, but i was still connected to the Game and could chat on lobby. Ping Google worked, but some websites don't. Ppl could rejoin Game but someone missing so we decided to re. Same thing happen. U were there @Norse_Harold maybe u remember.

Yes, I saw this. It had some characteristics that differed and some characteristics that were similar to the ddoses that I have observed. What differed in this case is that the duration was much shorter, maybe 1 minute. Also, at least with the episodes that I saw, you were not disconnected from the lobby, and you were able to talk in the lobby after about 1 minute. However, you have stated that in at least one of the episodes you were unable to access websites. This is a trait in common with ddoses that I have observed in the past.

Currently, there are at least three likely explanations for what was happening.

  1. It could have been caused by an unstable Internet connection or modem (it would be a good idea to check whether your modem has the Intel Puma chipset).
  2. It could have been caused by an attacker sending spoofed enet disconnection packets to you and/or the clients.
  3. It could have been caused by an actual ddos attack, much shorter than the 5 minute attacks I have experienced.

In fact, each episode may have had a different cause. And, there can be other explanations that I haven't thought of.

I also appreciate the thoughts that you have about a potential suspect, and a potential motive that he might have had for the attacks.

It seems like you know what needs to be done in order to narrow down the possible causes: use the modem's admin interface to check traffic rates at the Internet connection, by packets and by bytes, before, during and after a suspected ddos attack. Capturing traffic at your computer would detect explanation #2, but it usually would not detect a ddos attack. Also, applying aixo's and Dizaka's technique of changing your IP before hosting each game, as well as using software to assist in narrowing down suspects of ddosing, are great ideas.

Edited by Norse_Harold
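The procedure above (capture before, during and after an episode, then compare against the quiet baseline), together with the earlier point in this thread that the source addresses of flood traffic are not the attacker's, as an added example that is not code from this thread or from 0 A.D.: it takes a list of inbound UDP packet records, of the kind one might export from a capture on the host or at the router, buckets them per second, compares each second with the quiet baseline, and labels a spike as a reflected flood when most of its packets carry well-known amplifier source ports. The packet records are constructed; the game port 20595 (0 A.D.'s default), the addresses, and the choice of NTP as the reflector are assumptions. A second in which the clients drop but the verdict stays "normal" points to explanation #1 or #2 rather than #3.

```python
"""Per-second classification of inbound UDP packet records.

Added example, not 0 A.D. code. Records are (ts, src_ip, src_port, dst_port,
length) as exported from a capture on the host or at the router. GAME_PORT,
the addresses and the NTP reflector are assumptions; the capture is constructed.
"""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

GAME_PORT = 20595            # assumption: 0 A.D.'s default UDP game port
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}   # common amplifiers

Packet = Tuple[float, str, int, int, int]   # ts, src_ip, src_port, dst_port, length


@dataclass
class SecondSummary:
    second: int
    bytes: int
    packets: int
    sources: int            # distinct source IPs
    game_share: float       # fraction of bytes addressed to GAME_PORT
    src_ports: Counter      # packets per UDP source port


def summarize(packets: List[Packet]) -> Dict[int, SecondSummary]:
    """Bucket packets into one-second bins and summarize each bin."""
    bins: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        bins[int(p[0])].append(p)
    out = {}
    for sec in sorted(bins):
        pk = bins[sec]
        total = sum(p[4] for p in pk)
        game = sum(p[4] for p in pk if p[3] == GAME_PORT)
        out[sec] = SecondSummary(sec, total, len(pk), len({p[1] for p in pk}),
                                 game / total if total else 0.0,
                                 Counter(p[2] for p in pk))
    return out


def classify(summary: Dict[int, SecondSummary], baseline_secs: List[int],
             factor: float = 10.0) -> Dict[int, str]:
    """Label each second against the median of the quiet baseline seconds.
    A spike whose packets mostly carry amplifier source ports is a reflected
    flood: those source IPs are the reflectors, not the person behind it."""
    base = max(statistics.median(summary[s].bytes for s in baseline_secs), 1.0)
    verdicts = {}
    for sec, s in summary.items():
        if s.bytes <= factor * base:
            verdicts[sec] = "normal"
            continue
        reflected = sum(n for port, n in s.src_ports.items() if port in REFLECTOR_PORTS)
        if reflected >= 0.5 * s.packets:
            names = sorted({REFLECTOR_PORTS[p] for p in s.src_ports if p in REFLECTOR_PORTS})
            verdicts[sec] = (f"volumetric flood, reflected via {'/'.join(names)} "
                             f"from {s.sources} source IPs (reflectors, not the attacker)")
        elif s.sources == 1:
            verdicts[sec] = "volumetric flood from a single source (address may be spoofed)"
        else:
            verdicts[sec] = f"volumetric flood from {s.sources} source IPs"
    return verdicts


def constructed_capture() -> List[Packet]:
    """Five seconds of constructed traffic: three clients at 12 x 100-byte
    packets/s each (about the measured game rate), plus in second 3 an NTP
    reflection burst of 2000 x 512-byte packets from 200 reflector addresses."""
    pk: List[Packet] = []
    clients = ["203.0.113.10", "203.0.113.20", "198.51.100.7"]
    for sec in range(5):
        for i, ip in enumerate(clients):
            for k in range(12):
                pk.append((sec + k / 12, ip, 51000 + i, GAME_PORT, 100))
        if sec == 3:
            for k in range(2000):
                pk.append((sec + k / 2000, f"192.0.2.{k % 200}", 123,
                           40000 + k % 100, 512))
    return pk


if __name__ == "__main__":
    s = summarize(constructed_capture())
    for sec, v in classify(s, baseline_secs=[0, 1, 2]).items():
        print(f"sec {sec}: {s[sec].bytes:>9,} B {s[sec].packets:>5} pkts "
              f"{s[sec].sources:>4} src game_share={s[sec].game_share:.2f} -> {v}")
```

The game_share column is the useful tell for the thread's question: legitimate 0 A.D. traffic is a few KB/s addressed entirely to the game port from a handful of client addresses, so a second with a thousandfold more bytes, hundreds of source addresses and almost none of it aimed at the game port is not a bad connection. Blocking the listed source addresses does nothing, because they belong to public NTP or DNS servers answering spoofed queries; the evidence worth keeping for whoever investigates is the timestamps, the rates and the port mix.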
