Connection flood

Quote:
Originally Posted by adrianlouise
The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?
But some servers are not at all affected.
I hope it's a dirty trick playing to get his/her server to get more popular
Reply

Quote:
Originally Posted by adrianlouise
The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?
he is using NASA servers and get all the hosted server ip. Easy isn't it? lol
Reply

Quote:
Originally Posted by adrianlouise
The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?
He/she/they is/are fucking retard(s) with no fucking life. Cancerous autistic fucking 12 year old.
Reply

Quote:
Originally Posted by Shaheen
But some servers are not at all affected.
I hope it's a dirty trick playing to get his/her server to get more popular
lol yeah..
Gamerx's the only survivor server :3
Reply

Quote:
Originally Posted by Shaheen
But some servers are not at all affected.
I hope it's a dirty trick playing to get his/her server to get more popular
It is not that they are not affected; they are affected but have security at the server level.
Reply

Anyone got a solution?
Reply

Quote:
Originally Posted by Morpheus1992
Just block the IPs, you need PuTTY access to your root server and then just copy and paste this here:

iptables -I INPUT -s 188.0.0.0/8 -j DROP
iptables -I INPUT -s 180.0.0.0/8 -j DROP
iptables -I INPUT -s 181.0.0.0/8 -j DROP
iptables -I INPUT -s 186.0.0.0/8 -j DROP
iptables -I INPUT -s 190.0.0.0/8 -j DROP
iptables -I INPUT -s 200.0.0.0/8 -j DROP
iptables -I INPUT -s 201.0.0.0/8 -j DROP

It will stop the Attacks and everything is fine.
Banning class A ranges is really not a good idea. For example, these countries all have IP addresses starting with 180:
  • Afghanistan
  • Australia
  • Bangladesh
  • Canada
  • China
  • Germany
  • Guam
  • Hong Kong
  • Indonesia
  • India
  • Japan
  • Cambodia
  • Korea, Republic of
  • Lao People's Democratic Republic
  • Myanmar
  • Mongolia
  • Macau
  • Malaysia
  • New Caledonia
  • New Zealand
  • Papua New Guinea
  • Philippines
  • Pakistan
  • Singapore
  • Thailand
  • Timor-Leste
  • Taiwan
  • United States
  • Vietnam
  • Vanuatu
The attacks are probably coming from only a few countries on this list. I'm still seeing if I can cross reference the lists for all of these ranges but I feel like I'm doing something wrong at the moment. Will update later.

Edit: total number of hosts blocked with this block would be approximately 120 million. Top 10 countries most likely to be affected:

code  name       range start      range end        number of hosts
BR    Brazil     200.239.64.0     201.95.255.255   7,389,183
JP    Japan      180.0.0.0        180.63.255.255   4,194,303
BR    Brazil     200.128.0.0      200.187.255.255  3,932,159
BR    Brazil     186.194.176.0    186.250.143.255  3,661,823
BR    Brazil     186.250.155.252  187.49.143.255   3,601,411
AR    Argentina  181.78.0.0       181.111.255.255  2,228,223
CN    China      180.95.128.0     180.127.255.255  2,129,919
CO    Colombia   181.128.0.0      181.159.255.255  2,097,151
MX    Mexico     201.96.0.0       201.126.112.255  1,995,007
BR    Brazil     200.200.200.201  200.224.255.255  1,586,998
Edit 2: in case someone wants the entire list: http://www.vince0789.com/samp/ranges_20170825.csv
Reply

Again new IPs added by bot network.
That is terrible.

There are hours when you are going to block them all the way.

[25.08.2017 | 14:01:51] [connection] 173.70.64.129:50862 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[...]
Reply
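
An added example (not part of any post in this thread): it parses the "requests connection cookie" log lines from the post above, counts requests per source per second, and checks each source against the seven /8 blocks proposed earlier. The regular expression and the function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# The seven /8 blocks from the iptables rules quoted earlier in the thread.
BLOCKED = [ipaddress.ip_network(f"{o}.0.0.0/8")
           for o in (188, 180, 181, 186, 190, 200, 201)]

# Log lines copied from the post above (including its "[...]" truncation marker).
SAMPLE_LOG = """\
[25.08.2017 | 14:01:51] [connection] 173.70.64.129:50862 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[...]
"""

# Assumed line layout, inferred from the sample lines only.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[connection\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ requests connection cookie\.$")

def parse(log):
    """Yield (timestamp, address) per cookie-request line; skip everything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield m["ts"], ipaddress.ip_address(m["ip"])
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue

def summarize(log):
    events = list(parse(log))
    per_source_second = Counter((ts, str(ip)) for ts, ip in events)
    sources = {ip for _, ip in events}
    covered = sorted(str(ip) for ip in sources if any(ip in n for n in BLOCKED))
    return {
        "requests": len(events),
        "sources": len(sources),
        "covered_by_blocklist": covered,
        "max_per_source_per_second": max(per_source_second.values(), default=0),
        "addresses_blocked": sum(n.num_addresses for n in BLOCKED),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On these six lines none of the three source addresses falls inside the seven /8 blocks, while the blocks together cover 117,440,512 addresses.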

Quote:
Originally Posted by Shaheen
But some servers are not at all affected.
Looks like only servers from hosted tab are being targeted.
Reply

The attack doesn't affect the server at all, just the querying mechanism. If you disable connection cookies (conncookies) your server gets filled up with fake players. Disabling cookie logging does not fix the problem, it's not the server that's overloading but merely querying of server information doesn't work properly anymore..

By now the attack is coming from pretty much every IP range, so there's no point in blocking them, looks like spoofed IPs too..
Reply

I haven't experienced any loss during gameplay in the servers I played on. It's probably just stopping the IP to give info to the users.
Reply

I just hope that the attack is not eternal.
Reply

Quote:
Originally Posted by niCe
Looks like only servers from hosted tab are being targeted.
samp 3.7 master list returns same servers for internet and host tabs.

http://lists.sa-mp.com/0.3.7/servers
http://lists.sa-mp.com/0.3.7/hosted
Reply

Quote:
Originally Posted by jlalt
samp 3.7 master list returns same servers for internet and host tabs.

http://lists.sa-mp.com/0.3.7/servers
http://lists.sa-mp.com/0.3.7/hosted
Ya it seems developers of samp don't really want competition for their hosted tab.
This is pretty sad to be honest.

I mean, what would they expect?
The server numbers are dwindling even on hosted tab. Samp's being killed, all for a quick buck.

There were just so many ways to monetise SAMP which were not simply making people pay to have players.
Reply

Well, I guess this is why the "Official" tab (well, if I remember correctly, they said that this was exactly this reason) was removed years ago: imagine these attacks centered only on ~10 servers, not on 400 servers.

Yeah, it looks like it affects only the querying mechanism, but because the samp.exe client probably has a timeout of probably 500 milliseconds or so, so it won't wait 5 seconds for a probably closed server, servers won't appear in Hosted tab, that's why someone said that the hosted tab loads only 175 servers or so. The problem is that players (most of them) won't join from hosted tab. To me it looks like right now on my server are only players that had my server stored in their favorites tab.

Vince is right, banning all these ranges:
Quote:

188.0.0.0/8
180.0.0.0/8
181.0.0.0/8
186.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8

is insanely huge. I actually have a few players from those countries.

Quote:
Originally Posted by dugi
An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.
I guess SA-MP could improve filtering of the requests.
Reply

This attack is just a combination of two OLD(!) attacks.
1. Connection flood (old incoming flood)
2. Query flood

As stated before, the first one was fixed in previous versions. You should add "cookielogging 0" to your config file. But there is still "query flood" problem. You can join the server, even if it's unavailable in browser.

Possible solutions for "query flood":
1. Country block - easy to bypass, but should fix the problem by now.
2. Query cache mechanism (introduced in OVH Game - don't know if it's working or not) - there are methods to introduce it with additional filtering software and some redirections.
3. Increase maximum queries per second in samp server or let owners change it (kalcor needed here, or simple reverse engineering) - there are risks of self-ddos/huge network output.
4. If you have BGP access or good relations with your provider, you can check where the attack comes from and announce a selective blackhole. This means an effect on legit customers but 100% filtering.
5. Remove your server from hosted tab - stupid but it works.

You should also inspect packets and see if there's something which can help you filter it (in some packets it is small difference and I'm not going to explain.. you know why). That's all..
Reply

There must be more than 10 servers attacked. Because I have a server that has 10-20 players. He is there too.

A strong attack is not synonymous if you look at it.
https://dsz-img.de/uploads/2017/08/i9428b6rfle.png

I think it's going to stop and give up.
Reply

I haven't experienced this myself, yet being on hosted tab for 4 years now. I am however hosting my servers on a dedicated server by OVH, which probably explains why I barely get an attack.

However, has anyone attempted to set up a network debugger and capture all the packets being sent by these ddosers? If enough research into the attack was done, it is quite possible that we could write a plugin to manually defend ourselves against the exploit they seem to have found.

Because I haven't been attacked, I can't really do this myself, since I can't possibly know what packets are being sent, and the next best thing for me would be to reverse engineer SA-MP which would take a long time, and by then there would be a patch (hopefully)

If anyone is able to capture the full amount of packets sent, you could send it to me, and I will try to write a plugin to protect SA-MP against it. Memory hacking will most likely have to be done, and I'm not an expert at understanding SA-MP inner workings or GTA SA Engine. (I'm sure there are people on this forum who have this knowledge, so it would be useful to talk to get more knowledge and will help in a fix)
Reply

There are no differences between attack packets and legit traffic. I'm from a hosting company and we found that some of our servers are attacked with packets slightly different from legit but most of the traffic is exactly the same. You cannot filter it just by introducing some pattern filter.
Reply

Quote:
Originally Posted by Ubi
There are no differences between attack packets and legit traffic. I'm from a hosting company and we found that some of our servers are attacked with packets slightly different from legit but most of the traffic is exactly the same. You cannot filter it just by introducing some pattern filter.
You are correct in a way, but if the ddosers are attacking the SA-MP executable, then they must be manipulating/exploiting a bug that causes the server to stop sending alive packets.

So if we could find what they are exploiting then we could write a plugin to limit/prevent someone flooding it. We might not be able to fully stop it, but we could at least lessen the damage caused by it.
Reply

