New attack types
#1

I want to talk about several types of attacks that have recently exposed to our server.

1. Fast reconnections. I see the following in server log:

Код:
[11/06/2012 19:49:51] [join] Janson_Tikk has joined the server (8:46.0.38.51)
[11/06/2012 19:49:51] [part] Janson_Tikk has left the server (8:0)
[11/06/2012 19:49:51] [join] Janson_Tikk has joined the server (8:46.0.38.51)
[11/06/2012 19:49:51] [part] Janson_Tikk has left the server (8:0)
[11/06/2012 19:49:51] [join] Janson_Tikk has joined the server (8:46.0.38.51)
[11/06/2012 19:49:51] [part] Janson_Tikk has left the server (8:0)
[11/06/2012 19:49:51] [join] Janson_Tikk has joined the server (8:46.0.38.51)
[11/06/2012 19:49:51] [part] Janson_Tikk has left the server (8:0)
[11/06/2012 19:49:51] [join] Janson_Tikk has joined the server (8:46.0.38.51)
[11/06/2012 19:49:51] [part] Janson_Tikk has left the server (8:0)

... //~1000-2000 messages in second.
Код:
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
[11/06/2012 19:50:07] Invalid client connecting from 46.0.38.51
//also ~1000-2000 messages in second.
2. The second type of attack: https://sampforum.blast.hk/showthread.php?tid=349955

After these attacks online on the server is 0. (regular online 400-500 players)
Server version: 0.3e-1000p
Reply
#2

Looks like some connection exploit.

Did you already try firewall settings, like auto ban IPs on too many connections/second?
Several hundred udp connections should be quite explicit to detect, so the ip could be banned in like 0,5-1 second.
Reply
#3

Use https://sampforum.blast.hk/showthread.php?tid=320649 for first one
Reply
#4

Quote:
Originally Posted by dugi
Посмотреть сообщение
Thank you. But I would like to see protection on the server side (not at the level of scripting).
Reply
#5

I had the same problem(№1) today.
I know as do it: Player connect => mass connect on same playerid

And i have block double IP in top of my public OnPlayerConnect

Wow samp.ban:
Код:
 
46.16.150.251 [27/06/12 | 16:59:00] NONE - IP BAN
46.16.150.251 [27/06/12 | 16:59:00] NONE - IP BAN
46.16.150.251 [27/06/12 | 16:59:00] NONE - IP BAN
Need protection on the server side because this attack becomes better known
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)