1. Post #1
    Gold Member
    thegrb93's Avatar
    June 2006
    1,371 Posts
    In the past week of playing garrysmod, there have been at least five people who got banned or kicked for griefing and their response is DDoSing the server, making it unplayable even after they have disconnected. I would make this myself if I had any knowledge of source, but I don't, so I would be really grateful if this was made and given to garry to add to the game, or even better, given to valve to stop the problem for all source games. I've already sent valve a request for their stance on DDoS and I'll post it when I get a response.

    I don't really know the technical details behind DDoS so I understand if it may not be possible to defend against, but to anyone who does have an idea and makes it, everyone will be very grateful.

    Perhaps this will help with finding solutions.
    http://wiki.alliedmods.net/SRCDS_Hardening#Lag.2FDOS

  2. Post #2
    www.garryspin.com
    LuaMilkshake's Avatar
    December 2007
    361 Posts
    Most DDoS attacks can't be dealt with at the application level, they need to be mitigated at the network level.

  3. Post #3
    We Are No Idiots
    Aide's Avatar
    March 2010
    4,653 Posts
    The source engine is flawed.
    The GSP's are helpless software doesn't always help.
    Using iptables doesn't always help.
    Anyone can obtain access to dos ability now.

  4. Post #4

    January 2012
    22 Posts
    Protip: Blacklist CoD4 master server.

    cod4master.activision.com

  5. Post #5
    Bawbag's Avatar
    December 2011
    530 Posts
    Protip: Blacklist CoD4 master server.

    cod4master.activision.com
    that just stops your server being used in a drdos

  6. Post #6
    JustSoFaded's Avatar
    December 2011
    432 Posts
    that just stops your server being used in a drdos
    It stops DevNull's reflected dos system from working properly. Since Stan relies on cod4 servers.

  7. Post #7
    Gold Member
    thegrb93's Avatar
    June 2006
    1,371 Posts
    This little shit that got his admin demoted keeps ddosing my favorite server. FUCK. I hope valve gets back with my request soon.

  8. Post #8
    zzaacckk's Avatar
    June 2009
    2,140 Posts
    What I do when my box is attacked is first start wireshark if I can access the box, then call my datacenter to mitigate the attack. If I have his IP I will email his ISP regarding it and with enough complaints they will do something about it.

    You also should make sure people aren't spamming A2S_INFO packets, which will crash your server, you can find a mod on AlliedModders that will protect it.

    There isn't much you can do about a DDoS except mitigate it or wait it out.

    Also, valve won't be able to help me.

  9. Post #9
    Gold Member
    maurits150's Avatar
    February 2007
    1,809 Posts
    Protip: Blacklist CoD4 master server.

    cod4master.activision.com
    That doesn't work. That just prevents you from looking up CoD4 servers. Stan can still lookup the masterlist and get a list of servers to use against you.

  10. Post #10
    zzaacckk's Avatar
    June 2009
    2,140 Posts
    That doesn't work. That just prevents you from looking up CoD4 servers. Stan can still lookup the masterlist and get a list of servers to use against you.
    AFAIK what he does is send a packet to the CoD4 master server with your IP spoofed and it sends you the full server list consistently.

    [editline]

    I guess I am wrong.

  11. Post #11
    metromod.net
    _Chewgum's Avatar
    April 2010
    2,216 Posts
    A server I'm helping with has been getting hit by cod4, 'statusResponse', attacks at 580mbit/s. Then there's the generic 22mbit source engine query attack which removes the server from the master list.

  12. Post #12
    DylanWilson's Avatar
    January 2010
    272 Posts
    AFAIK what he does is send a packet to the CoD4 master server with your IP spoofed and it sends you the full server list consistently.
    no, he gets the master serverlist for himself, and then uses this list to get every single COD4 server to send their status info to your server constantly, which allows him to multiply his amount of data sent to you

    Example: his server sends a relatively short phrase that looks like this €€€€200 in a packet that says it's from the target server, and then the server replies to you with its entire playerlist, pings, frags, map, gamemode, etc. which is quite a big jump in how much data is being sent to you
    now calculate in the... 900 COD4 servers online right now according to gametracker.com

    --edit--
    oh nvm, it decided to filter out nonUS servers, 6350 servers

  13. Post #13
    Ruzza's Avatar
    December 2011
    1,137 Posts
    Having some sort of automatic system where you get all cod4 and quake3 servers and block all the ips would be pretty sweet

  14. Post #14
    DylanWilson's Avatar
    January 2010
    272 Posts
    Having some sort of automatic system where you get all cod4 and quake3 servers and block all the ips would be pretty sweet
    the problem isn't ignoring the requests as much as it is that the sheer amount of data makes it impossible to process everything to ignore it in the first place

  15. Post #15
    Gold Member
    I am God.'s Avatar
    November 2011
    134 Posts
    Why doesn't Activision filter out this problem, then?

  16. Post #16

    December 2011
    350 Posts
    Why doesn't Activision filter out this problem, then?
    Because if they fixed it they wouldn't make any more money than if they left it

  17. Post #17
    Gold Banana
    Banana Lord.'s Avatar
    May 2010
    6,581 Posts
    I think the better question is why wouldn't they add some sort of anti spam to begin with

  18. Post #18
    pennerlord's Avatar
    February 2011
    503 Posts
    I think the better question is why wouldn't they add some sort of anti spam to begin with
    As long as they make money they won't care about that problem.
    Or they are too busy with releasing the next 20 CoD games.

  19. Post #19
    JustSoFaded's Avatar
    December 2011
    432 Posts
    the problem isn't ignoring the requests as much as it is that the sheer amount of data makes it impossible to process everything to ignore it in the first place
    That's wrong, if you block the servers in your firewall or iptables or however you do it, it can't send you the data. It's not like the server takes in all your data and then goes "Ohhh....nvm, he's blocked delete that !".

  20. Post #20
    Gold Member
    Revenge282's Avatar
    July 2007
    268 Posts
    That's wrong, if you block the servers in your firewall or iptables or however you do it, it can't send you the data. It's not like the server takes in all your data and then goes "Ohhh....nvm, he's blocked delete that !".
    No matter if you have a firewall, iptables, etc., the only thing it can do is prevent traffic from reaching the applications. The packets are still present, and they are still saturating your line. In some cases, those CoD status packets are enough to knock a normal server offline just by purely over-saturating the line.

  21. Post #21
    DylanWilson's Avatar
    January 2010
    272 Posts
    No matter if you have a firewall, iptables, etc., the only thing it can do is prevent traffic from reaching the applications. The packets are still present, and they are still saturating your line. In some cases, those CoD status packets are enough to knock a normal server offline just by purely over-saturating the line.
    This is what I meant, I was just simplifying it because he probably doesn't know what saturating the line means

    and JustSoFaded, if you don't think your computer takes these packets in when it tries to filter them, how do you think iptables works? at some point in time it has to process the header information of the packet to decide whether to allow, drop, or deny it.

  22. Post #22
    JamieH is a retarded bitch <3
    Pantho's Avatar
    July 2008
    2,191 Posts
    Ugh, how I hate cod :(

    With a 1GB line (and a decent host, one who will actually give you 1gb) then you could probably eat a cod4 drdos. I'd still expect some decent lag though.

    I'm playing with linux atm to swap my UK host over to it, but alas gmod with linux :(

  23. Post #23
    Map in a box's Avatar
    July 2009
    7,199 Posts
    If isps were smart enough to help block (d)doses, their solution is to just shut the client off the network

  24. Post #24
    Gold Member
    Revenge282's Avatar
    July 2007
    268 Posts
    If isps were smart enough to help block (d)doses, their solution is to just shut the client off the network
    Same rule applies for them as it does for Activision that was stated earlier:
    Because if they fixed it they wouldn't make any more money than if they left it

  25. Post #25
    DaemonServers UK
    Shepsie's Avatar
    April 2009
    432 Posts
    If ISP blocked spoofed UDP packets at the network level it would stop this method altogether.

    Or take stan to court but unsure how would you turn chinese whispers into something that would hold in court.

  26. Post #26
    Gold Member
    Jetsurf's Avatar
    June 2011
    177 Posts
    Welcome to the club! Sethhack skiddies hit our server almost daily for 2 weeks over the holidays. Our solution? Get LSN to put up a filter :P. They even said some of them got up to 200+ MBPS. Even WITHOUT LSN's filters, they failed to fully take down a single one of our servers :V


  27. Post #27
    Gold Banana
    Banana Lord.'s Avatar
    May 2010
    6,581 Posts
    Welcome to the club! Sethhack skiddies hit our server almost daily for 2 weeks over the holidays. Our solution? Get LSN to put up a filter :P. They even said some of them got up to 200+ MBPS. Even WITHOUT LSN's filters, they failed to fully take down a single one of our servers :V

    They get mad when you get 8Gbit though

  28. Post #28
    Gold Member
    Revenge282's Avatar
    July 2007
    268 Posts
    They get mad when you get 8Gbit though
    This... Very much this...

  29. Post #29
    JustSoFaded's Avatar
    December 2011
    432 Posts
    This is what I meant, I was just simplifying it because he probably doesn't know what saturating the line means

    and JustSoFaded, if you don't think your computer takes these packets in when it tries to filter them, how do you think iptables works? at some point in time it has to process the header information of the packet to decide whether to allow, drop, or deny it.
    Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc

    Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..limited, at best, and you don't seem to know exactly what you are talking about.

  30. Post #30
    Gold Member
    Jetsurf's Avatar
    June 2011
    177 Posts
    Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc

    Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..limited, at best, and you don't seem to know exactly what you are talking about.
    Network Security != Programming Knowledge

  31. Post #31
    Gold Member
    thegrb93's Avatar
    June 2006
    1,371 Posts
    So what needs to happen is Activision be sued for being an accomplice in malicious internet use if they fail to fix the problem. They provided the exploited software so that makes them an accomplice. They are providing the way for uncontrollable internet spam by making these servers exploitable. That should be illegal right? All you'd need to do to prove it is to run the same shit everyone else is doing and record the packet traffic.

  32. Post #32
    Wait... so if I write anything here, it's going to show up under my name?
    B!N4RY's Avatar
    December 2009
    7,217 Posts
    I can use the Ping command to flood others, does that mean I can sue Microsoft for including this command? No. You can't sue a company simply because they do not fix a bug/exploit in their system. It's the users that are held at fault for abusing any exploits.

  33. Post #33
    Ruzza's Avatar
    December 2011
    1,137 Posts
    I can use the Ping command to flood others, does that mean I can sue Microsoft for including this command? No. You can't sue a company simply because they do not fix a bug/exploit in their system. It's the users that are held at fault for abusing any exploits.
    Ping requests are blockable, cod4 drdos is not. Unless patched somehow with linux or an addon.

  34. Post #34
    Gold Member
    Revenge282's Avatar
    July 2007
    268 Posts
    Listen bud, if you have a good firewall, raw socket bull shit isn't going to affect you (except for the first couple of seconds for the exact reason you just stated). Obviously it has to look into the packet header, but smart firewalls will look at packet consistencies etc

    Also, quit being a punk. Looking at your past threads it seems your programming knowledge is pretty..limited, at best, and you don't seem to know exactly what you are talking about.
    If I hit you with a statusResponse DRDoS, and you go into your firewall (for example say some variant of Linux, Windows' is shit) and you say something like
    Code:
    iptables -A INPUT -m string --algo bm --string 'statusResponse' -j DROP
    then yes, packets will be blocked from reaching your applications but that 100MB internet connection you have between your server and the internet is still being used. Unless you are filtering these packets out well before they reach your line, it really doesn't make a difference.

    If the attack is larger than your connection, then you are essentially fucked, no matter how many filters or firewalls you have in place. If you can't block it before it reaches your line, it still saturates it.

    For my next post, if needed, I will paint a pretty picture...
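The distinction made in post #34, between what a host firewall keeps away from the application and what still occupies the line, worked through as an added example that is not part of the original thread. The capture is constructed, and the 10 Mbit/s link, the addresses and all function names are assumptions; the two byte prefixes follow the publicly documented Source and Quake 3 query formats.

```python
from collections import Counter

OOB = b"\xff\xff\xff\xff"                     # connectionless-packet prefix
A2S_INFO = OOB + b"TSource Engine Query\x00"  # Source engine info query
STATUS_RESPONSE = OOB + b"statusResponse"     # string the iptables rule matches
IP_UDP_OVERHEAD = 28                          # IPv4 (20) + UDP (8) header bytes


def classify(payload: bytes) -> str:
    """Label one UDP payload seen on the game server's port."""
    if payload.startswith(STATUS_RESPONSE):
        return "statusResponse"               # a reply nobody here asked for
    if payload.startswith(A2S_INFO):
        return "A2S_INFO"
    return "other"


def triage(datagrams, window_s, link_bps, dropped=("statusResponse",)):
    """Summarise (src_ip, payload) pairs captured over window_s seconds."""
    wire_bytes, sources = Counter(), {}
    for src_ip, payload in datagrams:
        kind = classify(payload)
        wire_bytes[kind] += len(payload) + IP_UDP_OVERHEAD
        sources.setdefault(kind, set()).add(src_ip)
    on_link_bps = sum(wire_bytes.values()) * 8 / window_s
    # A host firewall changes what the application sees, not what the link carries.
    passed = sum(n for k, n in wire_bytes.items() if k not in dropped)
    return {
        "bps_by_kind": {k: n * 8 / window_s for k, n in wire_bytes.items()},
        "sources_by_kind": {k: len(s) for k, s in sources.items()},
        "on_link_bps": on_link_bps,
        "to_app_bps": passed * 8 / window_s,
        "link_utilisation": on_link_bps / link_bps,
    }


def constructed_capture():
    """One made-up second: 50 reflectors, 30 player packets, 5 info queries."""
    reply = (STATUS_RESPONSE + b"\n" + b"x" * 1300)[:1300]
    capture = [(f"198.51.100.{h}", reply) for h in range(1, 51) for _ in range(20)]
    capture += [(f"203.0.113.{1 + i % 10}", b"\x00" * 100) for i in range(30)]
    capture += [("203.0.113.50", A2S_INFO) for _ in range(5)]
    return capture


if __name__ == "__main__":
    report = triage(constructed_capture(), window_s=1.0, link_bps=10_000_000)
    for key, value in report.items():
        print(key, value)
```

With the drop rule in place the application sees about 33 kbit/s, while the link is still offered more than it can carry, so the filtering has to happen upstream of the line.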

  35. Post #35
    technicolour's Avatar
    January 2008
    108 Posts
    Man, where do you people find these admins? The circle of build/wire servers I frequent have never had problems like this.

  36. Post #36
    Wait... so if I write anything here, it's going to show up under my name?
    B!N4RY's Avatar
    December 2009
    7,217 Posts
    Ping requests are blockable, cod4 drdos is not. Unless patched somehow with linux or an addon.
    You don't have to be specific about it, that was merely an example. Nonetheless, I'm pretty sure it is blockable as Revenge282 mentioned as these kind of ping requests have some kind of unique identifier.

  37. Post #37
    Gold Member
    Cushie's Avatar
    February 2005
    2,277 Posts
    Since we got our new server we have banned 65 people using Sethhack in 61 days, a few of them even added me and were all like 'HURR DURR DEVNULL TIME FGT', yet we have experienced no lag or crashes, so I can only assume that either the connection can handle it or PlugPayPlay know what they are doing.

  38. Post #38
    Ruzza's Avatar
    December 2011
    1,137 Posts
    You don't have to be specific about it, that was merely an example. Nonetheless, I'm pretty sure it is blockable as Revenge282 mentioned as these kind of ping requests have some kind of unique identifier.
    You do have to be specific about it, if you had a COD4 server with an anti-spam query system which disallows the ip from requesting info for let's say... 5 minutes, then that would stop the outcoming traffic from the server being high, as the server downloads very little, it uploads much much more.
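The per-IP query cooldown suggested in post #38, sketched as an added example (not code from the thread or from any game server). The 1300-byte reply size, the addresses, the query rates and every name below are constructed assumptions; the table is size-bounded so that queries from many claimed sources cannot grow it without limit.

```python
from collections import OrderedDict

VICTIM = "203.0.113.10"            # constructed address the forged queries claim
RESPONSE_LEN = 1300                # constructed size of one status reply, bytes


class QueryCooldown:
    """Answer at most one status query per source IP per cooldown window."""

    def __init__(self, cooldown_s=300, max_sources=100_000):
        self.cooldown_s = cooldown_s
        self.max_sources = max_sources
        self._last_reply = OrderedDict()      # src_ip -> time of last reply

    def allow(self, src_ip, now):
        last = self._last_reply.get(src_ip)
        if last is not None and now - last < self.cooldown_s:
            return False                      # cooling down: send nothing
        self._last_reply[src_ip] = now
        self._last_reply.move_to_end(src_ip)
        while len(self._last_reply) > self.max_sources:
            self._last_reply.popitem(last=False)   # bound memory: drop oldest
        return True

    def tracked(self):
        return len(self._last_reply)


def reflected_bytes(queries, limiter=None, response_len=RESPONSE_LEN):
    """Bytes the server sends toward each claimed source address."""
    sent = {}
    for now, src_ip in queries:
        if limiter is None or limiter.allow(src_ip, now):
            sent[src_ip] = sent.get(src_ip, 0) + response_len
    return sent


# Constructed load: 100 queries per second for 10 minutes, all claiming to come
# from VICTIM, plus one real server browser refreshing every 30 seconds.
FLOOD = [(i // 100, VICTIM) for i in range(60_000)]
BROWSER = [(t, "198.51.100.7") for t in range(0, 600, 30)]
QUERIES = sorted(FLOOD + BROWSER)

if __name__ == "__main__":
    print("no limiter  :", reflected_bytes(QUERIES))
    print("5 min window:", reflected_bytes(QUERIES, QueryCooldown(300)))
```

The same window also throttles the legitimate browser to two replies in ten minutes, which is the cost of choosing a cooldown this long.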

  39. Post #39
    Wait... so if I write anything here, it's going to show up under my name?
    B!N4RY's Avatar
    December 2009
    7,217 Posts
    You do have to be specific about it, if you had a COD4 server with an anti-spam query system which disallows the ip from requesting info for let's say... 5 minutes, then that would stop the outcoming traffic from the server being high, as the server downloads very little, it uploads much much more.
    You clearly are not getting my point at all. I am not telling you how/what you can do to block them, that was not my focus of topic. I was only using an example to state that you cannot sue a company over bugs that can be unintentionally used for malicious reasons by users.

  40. Post #40
    zzaacckk's Avatar
    June 2009
    2,140 Posts
    I think the better question is why wouldn't they add some sort of anti spam to begin with
    Because he probably queries one server, then the next, then the next until the list is over.