1. Post #41
    Ruzza's Avatar
    December 2011
    1,137 Posts
    You clearly are not getting my point at all. I am not telling you how/what you can do to block them, that was not my focus of topic. I was only using an example to state that you cannot sue a company over bugs that can be used in unintended ways for malicious reasons by users.
    Yeah but a company that acknowledges that there is a bug there and does nothing about it leaving it exploitable should mean something.

  2. Post #42
    Wait... so if I write anything here, it's going to show up under my name?
    B!N4RY's Avatar
    December 2009
    7,483 Posts
    Yeah but a company that acknowledges that there is a bug there and does nothing about it leaving it exploitable should mean something.
    That was already discussed. Activision doesn't care about bugs in the COD franchise as long as it doesn't affect gameplay and they're earning money. It's nothing surprising or new.

  3. Post #43
    Gold Member
    katbug's Avatar
    January 2010
    6,579 Posts
    Well, on most game servers, you are able to block users from using over a certain amount of connectivity/only connecting a certain number of times. DDoS, however, is much harder to stop than just a DoS. This is because they use vast botnets not originating from a specific location.

  4. Post #44
    Get your own DarkRP Server!
    FPtje's Avatar
    January 2006
    5,720 Posts
    To those defending the firewall idea:

    Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived to the machine's network card yet.

    The COD DDoS is a bandwidth flood. It doesn't matter if the COD4 packages are read and interpreted by the end machine. The only thing that matters is that all those packages are going over the line, eating up all bandwidth.

    That is what people in here mean by line saturation. It's the network cables and the end point routers closest to the server that are being flooded, not the server itself. This is why you often hear that several servers go offline in an attack.

    Edited:

    That was already discussed. Activision doesn't care about bugs in the COD franchise as long as it doesn't affect gameplay and they're earning money. It's nothing surprising or new.
    I think in court you would have a decent case since
    - the COD servers send data to those who don't need it
    - they are aware of the exploit
    - it can be easily fixed (by using an acknowledge system. It will take one Round Trip Time longer to get server info though)
    - they refuse to fix it
    - Companies have been successfully sued in similar cases (there was some Spanish company that sued game studios for similar reasons I believe)

  5. Post #45
    justosay1123's Avatar
    January 2012
    36 Posts
    As far as I know, leaving smurf amplifiers open even after notification is a good case for a lawsuit, yes.

  6. Post #46
    Gold Member
    Fleamonji's Avatar
    April 2010
    627 Posts
    Because he probably queries one server, then the next, then the next until the list is over.
    Not when it comes in at a couple hundred thousand PPS

  7. Post #47
    zzaacckk's Avatar
    June 2009
    2,152 Posts
    I've been undergoing a DDoS attack from devnull for like the past two days. I have a private firewall and IPS on my boxes and they don't experience downtime from the attack; we are only getting hit with like 200 - 250 mbits max. The only issue is it running up our bandwidth, not it giving us downtime.

    It's really starting to piss my DC off.

  8. Post #48
    Gold Member
    Adzter's Avatar
    September 2009
    2,033 Posts
    Apologies if I'm not understanding this right, but couldn't someone write something that checks all the CoD servers, then adds them to a blocklist, it runs say, once a day since people add/remove servers often? That would take care of the majority of it, unless there's something I'm missing, again I'm not 100% sure on how the whole thing operates so apologies if this is dumb. Although this doesn't cater for what FPtje said about;
    Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived to the machine's network card yet.

  9. Post #49
    metromod.net
    _Chewgum's Avatar
    April 2010
    2,216 Posts
    Apologies if I'm not understanding this right, but couldn't someone write something that checks all the CoD servers, then adds them to a blocklist, it runs say, once a day since people add/remove servers often? That would take care of the majority of it, unless there's something I'm missing, again I'm not 100% sure on how the whole thing operates so apologies if this is dumb. Although this doesn't cater for what FPtje said about;
    you can block IPs/packets (with iptables) from reaching your application, but then it'll still go into your network and use bandwidth. but your provider can stop things in the switch before it reaches your server's network card

    i think

  10. Post #50
    Gold Member
    Adzter's Avatar
    September 2009
    2,033 Posts
    It's quite scary how there's not really a solution to it.

  11. Post #51
    DylanWilson's Avatar
    January 2010
    273 Posts
    Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc

    Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..limited, at best, and you don't seem to know exactly what you are talking about.
    Well, I'm glad you did your research. To further your investigation I'll inform you that you are correct, I'm not strong in C/C++ but I'm pretty beast in Python, web languages (I took 6 web design classes in high school, was an easy A and my school's only computer class so I kept taking them) and I'm decent in Lua.

    I'm also happy that I'm entirely wrong except for the only point I made.

    Regardless, Revenge's post stands true that it doesn't matter, because in many of these attacks your internet connection isn't made to handle that amount of data, and simply doesn't, even before it reaches the server.

  12. Post #52
    Get your own DarkRP Server!
    FPtje's Avatar
    January 2006
    5,720 Posts
    you can block IPs/packets (with iptables) from reaching your application, but then it'll still go into your network and use bandwidth. but your provider can stop things in the switch before it reaches your server's network card

    i think
    The provider can, but is often reluctant to. At least they were in my experience.
    I was once DDoSed, I called my provider to ask them if they could do anything. They acknowledged: "Well it LOOKS like you're getting a lot of inbound traffic!". I said "I know that, I'm being DDoSed, can you do anything about it?".

    They replied with "Have you tried restarting your computer/router?". It pissed me the fuck off.

    But yeah, in theory the ISPs can both detect and kill DDoS attacks at network level. Why? Because they own and control the routers that lead to your house/datacenter, and they are able to drop the packages as soon as they pass one of their routers, killing the attack before it even reaches your house/datacenter.

  13. Post #53
    Chill Moderator
    Grea$eMonkey's Avatar
    May 2007
    6,302 Posts
    As things stand now it's not much of an issue to Activision and everyone's ISPs/hosting. Now if there was a class-action lawsuit with a good platform, which from the looks of things there already is when everyone has their terminology correct, there is a serious chance that Activision would make an easy fix.

    Look at it this way, they either make an easy fix that takes a short amount of time to complete, or they get into legal issues with a group of people who they either need to pay off or pay for lawyers to fight. Put in that situation they're going to lose some amount of money no matter what. Compared to how much they already have it could be a negligible loss, but they can only fight it for so long before they have to fix it or win the case.

    Then your problem is finding and organizing people to take part in the whole thing, which is the hard part.

  14. Post #54

    January 2012
    9 Posts
    That's wrong, if you block the servers in your firewall or iptables or however you do it, it can't send you the data. It's not like the server takes in all your data and then goes "Ohhh....nvm, he's blocked, delete that!".
    Asking Seth questions so you can sound smart on facepunch I see.

  15. Post #55
    JustSoFaded's Avatar
    December 2011
    432 Posts
    Asking Seth questions so you can sound smart on facepunch I see.
    0/10, try harder.

  16. Post #56
    Gold Member
    thegrb93's Avatar
    June 2006
    1,414 Posts
    Just found this. Seems to be relevant to the problem. http://wiki.alliedmods.net/SRCDS_Hardening#Lag.2FDOS

  17. Post #57
    Gold Member
    Jetsurf's Avatar
    June 2011
    177 Posts
    Just found this. Seems to be relevant to the problem. http://wiki.alliedmods.net/SRCDS_Hardening#Lag.2FDOS
    Nah, this is what you want

    https://forums.alliedmods.net/showthread.php?t=151551

  18. Post #58
    Gold Member
    thegrb93's Avatar
    June 2006
    1,414 Posts
    That's pretty useful, but what about windows servers?

  19. Post #59
    Gold Member
    slayer3032's Avatar
    November 2007
    3,496 Posts
    To those defending the firewall idea:

    Why would an end point firewall help if hundreds of COD servers are sending packages? Yes, the packages will be rejected, but they have to arrive first in order to be rejected. A firewall can't stop messages that haven't arrived to the machine's network card yet.

    The COD DDoS is a bandwidth flood. It doesn't matter if the COD4 packages are read and interpreted by the end machine. The only thing that matters is that all those packages are going over the line, eating up all bandwidth.

    That is what people in here mean by line saturation. It's the network cables and the end point routers closest to the server that are being flooded, not the server itself. This is why you often hear that several servers go offline in an attack.

    Edited:


    I think in court you would have a decent case since
    - the COD servers send data to those who don't need it
    - they are aware of the exploit
    - it can be easily fixed (by using an acknowledge system. It will take one Round Trip Time longer to get server info though)
    - they refuse to fix it
    - Companies have been successfully sued in similar cases (there was some Spanish company that sued game studios for similar reasons I believe)
    Being able to reject packets from reaching the application layer is a pretty huge thing, SRCDS doesn't take kindly to unwarranted udp traffic pointed at it and your generic booters could take them offline fairly well. You don't need to saturate the line at all to take down a SRCDS instance.

    You won't have a court case, there isn't a single court in the world which would care short of suing stan for damages over the services he runs.

    No one maintains any of the games being used in these attacks, there really aren't any developers who work on these games. If you want them fixed your best bet is to start abusing the fuck out of them against anything related to the people who are responsible for the development of the game. It's a rather sad reality but most of the time you have to get your hands a little dirtier than most people are comfortable these days. No one gives a single fuck about a problem unless it becomes their own, developers have no pride in the programs they work on anymore.

    The worst part is that these meaningless gameserver DRDoS attacks aren't anything compared to what is in store if these rather worthless exploits are patched. Stan never sold his good shit until he had something better. Even if all the gameserver reflection attacks were to be fixed that still leaves the much more powerful DNS based attacks which will never be fixed thanks to how the internet works.

    The only thing which can stop a DoS attack is the attacker themself. If no desired outcome of an action is provided there won't be a desire to do the action. If the attacks don't work, they don't happen.

    That's pretty useful, but what about windows servers?
    they are a lost cause

    Most of this stuff isn't very specific at all, the methods he uses to distinguish traffic are pretty terrible. I'm not an expert with IPTables but I don't see any possible advantage to using really broad rules over a more specific matching based rule.

    There could possibly be a performance increase or something by comparing length instead of matching hex or strings, but I never noticed one which was justifiable. It is rather stupid for him to be suggesting people use rules which they would have very little knowledge of what they do, as they will only cause more problems than they would most likely fix.

  20. Post #60
    Get your own DarkRP Server!
    FPtje's Avatar
    January 2006
    5,720 Posts
    Being able to reject packets from reaching the application layer is a pretty huge thing, SRCDS doesn't take kindly to unwarranted udp traffic pointed at it and your generic booters could take them offline fairly well. You don't need to saturate the line at all to take down a SRCDS instance.

    You won't have a court case, there isn't a single court in the world which would care short of suing stan for damages over the services he runs.

    No one maintains any of the games being used in these attacks, there really aren't any developers who work on these games. If you want them fixed your best bet is to start abusing the fuck out of them against anything related to the people who are responsible for the development of the game. It's a rather sad reality but most of the time you have to get your hands a little dirtier than most people are comfortable these days. No one gives a single fuck about a problem unless it becomes their own, developers have no pride in the programs they work on anymore.

    The worst part is that these meaningless gameserver DRDoS attacks aren't anything compared to what is in store if these rather worthless exploits are patched. Stan never sold his good shit until he had something better. Even if all the gameserver reflection attacks were to be fixed that still leaves the much more powerful DNS based attacks which will never be fixed thanks to how the internet works.

    The only thing which can stop a DoS attack is the attacker themself. If no desired outcome of an action is provided there won't be a desire to do the action. If the attacks don't work, they don't happen.

    they are a lost cause

    Most of this stuff isn't very specific at all, the methods he uses to distinguish traffic are pretty terrible. I'm not an expert with IPTables but I don't see any possible advantage to using really broad rules over a more specific matching based rule.

    There could possibly be a performance increase or something by comparing length instead of matching hex or strings, but I never noticed one which was justifiable. It is rather stupid for him to be suggesting people use rules which they would have very little knowledge of what they do, as they will only cause more problems than they would most likely fix.
    Most pessimistic post I've seen so far :( on this issue.

    I didn't know srcds had such exploits. But if that's the case, would you even have to distribute your DoS to take down srcds if you use the exploits?

  21. Post #61
    Gold Member
    slayer3032's Avatar
    November 2007
    3,496 Posts
    Most pessimistic post I've seen so far :( on this issue.

    I didn't know srcds had such exploits. But if that's the case, would you even have to distribute your DoS to take down srcds if you use the exploits?
    What exactly do you mean by distribute and "exploits"?

    An average booter hosted by a single server on at least 100mbps used to be plenty to take down SRCDS. I personally had an intense whitelist based IPTables ruleset on my dedicated servers for the last year at least, so I'm not sure what attacks still work short of line saturation.

    The Garry's Mod community seems to have a huge issue with DoS attacks; someone once brought to my attention that many gameservers for other games are run on bottom dollar servers that could even be on 10mbps lines. 1gbps being required for a single small community is something which is absolutely unique to us.

    However, I'd like to think that the stakes are higher and the money is more lucrative, as if you play your cards right it's simple to make more than a full time job at minimum wage in certain situations off "donations". The people who develop things for Garry's Mod are also significantly more intelligent than, let's say, the plugin developers for Minecraft or the developers of almost every single sourcemod.

    This brings just as many intelligent people who see an opportunity to make fucking bank off of little kids which throw their parents' money/credit cards around like they do their in-game monies. Places like GangwarsRP who have no self respect and let people simply pay2win only add to this by inviting the further devaluation of real money in a game.

    Microtransactions don't help either as many games these days are enabling players to dump hundreds or even thousands of dollars into games. When people get this far in with hundreds and thousands of hours played people won't look at that $100 program which lets them ruin it all for anyone who wronged them as "overpriced" at all.

    I'm not all that pessimistic, it's just that things are starting to shift into something completely new that hasn't fully taken place yet. Things definitely aren't the same as they were back in 07 and I just don't think many people are bringing us in a better direction.

  22. Post #62
    justosay1123's Avatar
    January 2012
    36 Posts
    I agree that taking down the CoD4 exploit might make stan simply move over to DNS Amplification based attacks, and eventually make the attacks DevNull can do several times stronger as a revenge. The best option we have now is to get rid of stan himself from the internet scene, and not the exploit he's using because there are still a dozen other exploits out there that he can switch over to.


    The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.

  23. Post #63
    Ruzza's Avatar
    December 2011
    1,137 Posts
    I agree that taking down the CoD4 exploit might make stan simply move over to DNS Amplification based attacks, and eventually make the attacks DevNull can do several times stronger as a revenge. The best option we have now is to get rid of stan himself from the internet scene, and not the exploit he's using because there are still a dozen other exploits out there that he can switch over to.


    The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.
    Fixing the exploit on CoD and ET servers will be good too, because after stan is gone someone else will take his place and might use the same exploits

  24. Post #64
    Gold Member
    slayer3032's Avatar
    November 2007
    3,496 Posts
    The only positive thing about DNS Amplification attacks is that they are relatively easier to block at ISP level because all attacks will always come from port 53 and you can just block all incoming traffic coming from port 53 except your own set of name servers.
    Tell that to LSTN or other datacenters when their ISP null routes your IP at their level because it's been using 4gbps for 2 weeks.

    Fixing the exploit on CoD and ET servers will be good too, because after stan is gone someone else will take his place and might use the same exploits
    Not very many people have the intelligence to work more than 600mbps out of CoD, there's more to it than you might think at first.

  25. Post #65
    Gold Banana
    Banana Lord.'s Avatar
    May 2010
    6,852 Posts
    Tell that to LSTN or other datacenters when their ISP null routes your IP at their level because it's been using 4gbps for 2 weeks.
    I dunno what you did to stay online for quite a bit while being hammered but they nullroute pretty much for anything over 400Mbit for me.

  26. Post #66
    Gold Member
    Revenge282's Avatar
    July 2007
    330 Posts
    I dunno what you did to stay online for quite a bit while being hammered but they nullroute pretty much for anything over 400Mbit for me.
    I've only had SniperBoys get null routed once by LSTN after we got hit by 3gbps. But aside from that, we have had a few 300mbps-600mbps, and it has been resolved without any null routing. I guess we are lucky...

  27. Post #67
    Gold Member
    Jetsurf's Avatar
    June 2011
    177 Posts
    I agree slayer, those rules are exactly the best, they do have a few valid rules in there... and any bit to help mitigate skiddys DoSing your servers for the hell of it helps.

  28. Post #68
    Gold Member
    Hentie's Avatar
    May 2010
    2,129 Posts
    There's a fix for CoD4 servers that prevents your server from being used in a DDoS attack, but I think it's for Linux servers only. How about we multitask: if Activision isn't fixing it soon, why don't we get CoD4 server owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on.

    I don't know why CoD4 doesn't put a limit on how frequently you can refresh the master server.

  29. Post #69

    December 2011
    350 Posts
    There's a fix for CoD4 servers that prevents your server from being used in a DDoS attack, but I think it's for Linux servers only. How about we multitask: if Activision isn't fixing it soon, why don't we get CoD4 server owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on.

    I don't know why CoD4 doesn't put a limit on how frequently you can refresh the master server.
    Surely the more valid fix here is using TCP instead of UDP so people can't spoof the source address

  30. Post #70
    DylanWilson's Avatar
    January 2010
    273 Posts
    There's a fix for CoD4 servers that prevents your server from being used in a DDoS attack, but I think it's for Linux servers only. How about we multitask: if Activision isn't fixing it soon, why don't we get CoD4 server owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on.

    I don't know why CoD4 doesn't put a limit on how frequently you can refresh the master server.
    you reminded me of a website i used to get exploit fixes from in JK3
    looks like he's already addressed the issue, from the looks of things this drdos is causing CoD4 servers to go down

    http://aluigi.altervista.org/patches.htm

    lpatch can be run from any OS, maybe whoever has the initiative to contact all these owners can zip together a batch file that does (most of) any work that may be needed

  31. Post #71
    Ruzza's Avatar
    December 2011
    1,137 Posts
    Surely the more valid fix here is using TCP instead of UDP so people can't spoof the source address
    SYN flood attack

  32. Post #72

    December 2011
    350 Posts
    SYN flood attack
    That would more than halve the power of it, making it useless

  33. Post #73
    Bawbag's Avatar
    December 2011
    530 Posts
    SYN flood attack
    Yeah, because SYN floods hit 15gbit/s.

  34. Post #74
    Gold Member
    slayer3032's Avatar
    November 2007
    3,496 Posts
    There's a fix for CoD4 servers that prevents your server from being used in a DDoS attack, but I think it's for Linux servers only. How about we multitask: if Activision isn't fixing it soon, why don't we get CoD4 server owners to fix it? After that we can go for the other master servers that DevNull is using, like Enemy Territory and so on.

    I don't know why CoD4 doesn't put a limit on how frequently you can refresh the master server.
    We shouldn't care, because if we do get the small exploits patched that leaves the unpatchable ones which are much stronger that aren't used yet. It would pretty much be in your best interest to not get these patched, sadly. It helps if you take the time to read the posts I make.

    CoD4 server owners won't give a single fuck about you anyways, most of them probably aren't even contactable.

  35. Post #75
    Ruzza's Avatar
    December 2011
    1,137 Posts
    That would more than halve the power of it, making it useless
    A more reliable fix would be to limit query requests from an IP. It will stop ALL of the attack
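The acknowledge step FPtje describes earlier in the thread (a query is answered only after the client proves it can receive at the claimed source, at the cost of one extra round trip) and the per-IP query limit Ruzza proposes here, as an added example that is not code from the thread or from any game server. The query and reply bytes, the HMAC cookie scheme, the token-bucket parameters and the addresses are constructed assumptions.

```python
"""Added example (not from the thread or any game server): why a spoofed-source
UDP 'getstatus'-style query amplifies, and how a one-RTT challenge plus a
per-source query limit remove the amplification."""
import hashlib
import hmac
import os

# Constructed values: a 13-byte request and a ~1.4 KB server-info reply.
# Sizes are illustrative, not measured from any real game.
QUERY = b"\xff\xff\xff\xffgetstatus"
INFO_REPLY = b"\xff\xff\xff\xffstatusResponse\n" + b"x" * 1400
SECRET = os.urandom(16)  # server-side key for stateless challenge cookies


def challenge_for(ip, port, now, secret=SECRET):
    """Stateless cookie bound to the claimed source (assumption: HMAC over
    ip:port:minute). A spoofer never receives it, so it cannot echo it."""
    msg = f"{ip}:{port}:{int(now) // 60}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class NaiveServer:
    """Answers every query with the full info: a ready-made reflector."""

    def handle(self, src, payload, now=0.0):
        return INFO_REPLY if payload == QUERY else None


class HardenedServer:
    """1) an unverified source gets only a 30-byte challenge instead of the
       1.4 KB reply, so little is amplified;
    2) the info reply goes out only when the client echoes that challenge,
       which costs one extra round trip, as FPtje notes;
    3) a per-source token bucket caps how often even a verified source may
       query (the per-IP limit Ruzza suggests)."""

    def __init__(self, rate_per_sec=2.0, burst=4, secret=SECRET):
        self.rate, self.burst, self.secret = rate_per_sec, burst, secret
        self.buckets = {}  # ip -> (tokens, last_seen)

    def _allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def handle(self, src, payload, now=0.0):
        ip, port = src
        if not self._allow(ip, now):
            return None  # dropped: over the per-source rate
        expected = challenge_for(ip, port, now, self.secret).encode()
        if payload == QUERY:
            return b"\xff\xff\xff\xffchallenge " + expected
        if payload.startswith(QUERY + b" "):
            if hmac.compare_digest(payload[len(QUERY) + 1:], expected):
                return INFO_REPLY
        return None


def amplification(server, victim=("192.0.2.10", 27960), n=100):
    """Bytes the victim receives per byte the spoofer sends when n queries
    carry the victim's (constructed) address as source."""
    sent = received = 0
    for _ in range(n):
        reply = server.handle(victim, QUERY, now=0.0)
        sent += len(QUERY)
        received += len(reply) if reply else 0
    return received / sent


def legitimate_query(server, client=("198.51.100.5", 5000), now=0.0):
    """A real client completes the exchange; returns (reply, round_trips)."""
    first = server.handle(client, QUERY, now)
    if first == INFO_REPLY:
        return first, 1  # naive server answers at once
    cookie = first.split(b" ", 1)[1]
    return server.handle(client, QUERY + b" " + cookie, now), 2


if __name__ == "__main__":
    print("naive amplification      : %.1fx" % amplification(NaiveServer()))
    print("challenge only           : %.2fx" % amplification(HardenedServer(burst=10**9)))
    print("challenge + per-IP limit : %.2fx" % amplification(HardenedServer()))
    print("hardened legit round trips:", legitimate_query(HardenedServer())[1])
```

The challenge alone cuts the ratio from roughly 109x to about 2.3x; the per-source bucket is what pushes it below 1x, and a burst attack as described in the next reply is bounded by the bucket depth rather than the reply size.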

  36. Post #76

    December 2011
    350 Posts
    A more reliable fix would be to limit query requests from an IP. It will stop ALL of the attack
    You could still flood servers with a limit on the next query, you could just do attacks in short bursts, so how is that stopping the attack either? If you have enough servers to do it, and it's not like there is a shortage of them considering how many games are vulnerable to this.

  37. Post #77
    Ruzza's Avatar
    December 2011
    1,137 Posts
    You could still flood servers with a limit on the next query, you could just do attacks in short bursts, so how is that stopping the attack either? If you have enough servers to do it, and it's not like there is a shortage of them considering how many games are vulnerable to this.
    If DevNull can hit 350MB max while spamming queries, I hardly doubt it will be able to hit anything more than 10MB after a query spam protection system is placed in.

  38. Post #78
    Bawbag's Avatar
    December 2011
    530 Posts
    If DevNull can hit 350MB max while spamming queries, I hardly doubt it will be able to hit anything more than 10MB after a query spam protection system is placed in.
    350MB? That's only <3 gig.

  39. Post #79
    Ruzza's Avatar
    December 2011
    1,137 Posts
    350MB? That's only <3 gig.
    Only enough to take out most home connections, servers with 100MB port, servers in Australia.

  40. Post #80
    Gold Member
    Hentie's Avatar
    May 2010
    2,129 Posts
    We shouldn't care, because if we do get the small exploits patched that leaves the unpatchable ones which are much stronger that aren't used yet. It would pretty much be in your best interest to not get these patched, sadly. It helps if you take the time to read the posts I make.

    CoD4 server owners won't give a single fuck about you anyways, most of them probably aren't even contactable.
    CoD4 server owners will give a single fuck after too many master server list responses are made that will lag or even crash their servers.