20.03.2012, 15:49
(Last edited by Abbott; 20.03.2012 at 18:24.)
Currently I have a client that is experiencing a sort of connection attack. I have blocked over 150 IP addresses via the firewall, yet a couple of hours later completely different IP addresses come in and do the same. This is not a large DDoS, it isn't consuming much bandwidth at all, or network usage, merely just something attacking a SA-MP server.
Why not just block the ranges 190.*.*.*, 201.*.*.*, 181.*.*.* and 186.*.*.*?
The majority of the players who are playing on this server share the same range, banning those ranges will cause the whole player count to plummet.
I have also told them to put a small snippet of code on their OnPlayerConnect to log the IP address in order to make an exception inside the firewall, no such luck.
Limiting the maximum amount of UDP packets to 2000/second worked, but this only allowed around 80 players to connect, max.
With this type of attack the hostname of the server shows, as with the ping. But the players/mode/map retrieves as 0/0. Logging the queries to the server also didn't help.
I have even blocked all of the IPs that have had over 10 attempted connections and no joins with no luck.
Will this be fixed in the 0.3e security release?
Also, it doesn't only not query on the SAMP client, it also doesn't allow queries via PHP.
Quote:
[08:43:29] Incoming connection: 186.144.116.52:4502
[08:51:54] Incoming connection: 186.180.98.232:64023
[08:51:54] Incoming connection: 186.146.85.122:2827
[08:51:54] [CMD] **********
[08:51:54] Incoming connection: 190.19.236.211:64880
[08:51:54] Incoming connection: 201.244.14.26:55502
[08:51:54] [part] **********
[08:51:54] Incoming connection: 190.208.161.80:3931
[08:51:54] [CMD] **********
[08:51:55] Incoming connection: 181.145.223.112:1856
[08:51:55] Incoming connection: 186.85.172.116:61098
[08:51:55] [CMD] **********
[08:51:55] Incoming connection: 190.253.148.70:13310
[08:51:55] Incoming connection: 186.85.217.255:4175
[08:51:55] Incoming connection: 190.125.15.2:4454
[08:51:55] [chat] **********
[08:51:55] Incoming connection: 190.250.240.114:10934
[08:51:55] Incoming connection: 186.113.47.54:24124
[08:51:56] Incoming connection: 190.60.238.6:44438
[08:51:56] Incoming connection: 190.13.16.240:55805
[08:51:56] Incoming connection: 166.238.25.79:54493
[08:51:56] **********
[08:51:56] **********
[08:51:56] Incoming connection: 190.25.153.66:59548
[08:51:56] Incoming connection: 186.108.158.73:15304
[08:51:56] Incoming connection: 186.30.117.77:13689
[08:51:56] Incoming connection: 190.67.152.109:55169
[08:51:56] Incoming connection: 181.144.174.86:60838
[08:51:57] Incoming connection: 190.85.43.2:3022
[08:51:57] Incoming connection: 190.27.193.221:17989
[08:51:57] Incoming connection: 190.90.6.22:10031
[08:51:57] Incoming connection: 190.254.9.121:65290
[08:51:57] Incoming connection: 190.158.183.21:58254
[08:51:57] **********
[08:51:57] Incoming connection: 201.236.125.252:4589
[08:51:57] Incoming connection: 190.96.206.105:1788
[08:51:57] Incoming connection: 190.146.237.111:4035
[08:51:57] Incoming connection: 186.147.54.105:53565
[08:51:57] **********
[08:51:57] Incoming connection: 186.81.217.76:55380
[08:51:57] Incoming connection: 190.27.234.196:21093
[08:51:58] Incoming connection: 190.60.193.77:59523
[08:51:58] Incoming connection: 186.28.159.250:11098
[08:51:58] Incoming connection: 186.144.116.52:4585
[08:51:58] [CMD] **********
[08:51:58] Incoming connection: 186.180.98.232:64024
[08:51:58] Incoming connection: 186.146.85.122:2829
[08:51:58] [CMD] **********
[08:51:58] [CMD] **********
[08:51:58] Incoming connection: 186.180.224.103:1608
[08:51:58] Incoming connection: 181.145.223.112:1857
[08:51:58] Incoming connection: 190.208.161.80:3932
[08:51:58] Incoming connection: 201.244.14.26:55503
[08:51:58] Incoming connection: 190.19.236.211:64881
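The rule described in the post (more than 10 attempted connections and no join), together with a per-range count showing how a first-octet ban overlaps with real players, as an added example that is not part of the original post. The sample log is constructed with documentation addresses, the "[join]" line layout is an assumption about the server log, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted log; addresses are documentation
# ranges, and the "[join]" line layout is an assumption (joins are masked in the post).
SAMPLE_LOG = """\
[08:51:54] Incoming connection: 192.0.2.10:4502
[08:51:54] Incoming connection: 192.0.2.77:64023
[08:51:54] [join] Alice has joined the server (0:192.0.2.77)
[08:51:55] Incoming connection: 192.0.2.10:4503
[08:51:55] Incoming connection: 198.51.100.5:2827
[08:51:56] Incoming connection: 192.0.2.10:4504
[08:51:56] Incoming connection: 198.51.100.5:2829
[08:51:57] Incoming connection: 198.51.100.5:2830
[08:51:57] [chat] **********
"""

CONN_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Incoming connection: (\d+\.\d+\.\d+\.\d+):\d+$")
JOIN_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[join\] .* has joined the server \(\d+:(\d+\.\d+\.\d+\.\d+)\)$")

def summarize(log_text):
    """Return (attempts per IP, set of IPs that completed a join)."""
    attempts, joined = Counter(), set()
    for line in log_text.splitlines():
        line = line.strip()
        conn = CONN_RE.match(line)
        if conn:
            attempts[conn.group(1)] += 1
            continue
        join = JOIN_RE.match(line)
        if join:
            joined.add(join.group(1))
    return attempts, joined

def block_candidates(log_text, threshold=10):
    """IPs with more than `threshold` attempts and no join."""
    attempts, joined = summarize(log_text)
    return sorted(ip for ip, n in attempts.items() if n > threshold and ip not in joined)

def prefix_overlap(log_text, threshold=10):
    """Per first octet: (block candidates, joined players) inside that range."""
    _, joined = summarize(log_text)
    candidates = set(block_candidates(log_text, threshold))
    overlap = {}
    for ip in candidates | joined:
        octet = ip.split(".")[0]
        cand, play = overlap.get(octet, (0, 0))
        overlap[octet] = (cand + (ip in candidates), play + (ip in joined))
    return overlap
```

A range whose second number is non-zero contains players who joined, so blocking it at the firewall would drop them along with the flagged addresses.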