Has anyone resolved the bot attack issue (with diff ips)?
#1

I'm talking about these bots ... with different IPs! Flood Control will not help (just a fyi)

Code:
[19:39:19] [warning] dropping a split packet from client
[19:39:19] [join] 64LPqNvCVArqR2Kr has joined the server (36:46.255.216.151)
[19:39:19] [part] 1nSZ1Wkr8XkR2Zga has left the server (30:2)
[19:39:19] [join] TqHe24xNSYNXhEj9 has joined the server (43:168.205.24.3)
[19:39:20] [connection] incoming connection: 123.249.60.102:56792 id: 29
[19:39:20] [connection] incoming connection: 123.249.2.246:56779 id: 35
[19:39:20] [connection] incoming connection: 198.199.123.35:61421 id: 50
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [connection] incoming connection: 200.199.114.236:52796 id: 51
[19:39:20] [connection] incoming connection: 114.6.27.199:64450 id: 52
[19:39:20] [connection] incoming connection: 123.249.60.203:56882 id: 53
[19:39:20] [connection] incoming connection: 123.249.60.186:56902 id: 54
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [part] edGOTENDlFODE4Mx has left the server (33:2)
[19:39:20] [connection] incoming connection: 82.196.10.131:47674 id: 55
[19:39:20] [connection] incoming connection: 91.142.208.125:35523 id: 56
[19:39:21] [warning] dropping a split packet from client
[19:39:21] [join] QU0nUQTQzXeiTrdF has joined the server (50:198.199.123.35)
[19:39:21] [part] QU0nUQTQzXeiTrdF has left the server (50:2)
[19:39:21] [connection] incoming connection: 94.23.214.220:59707 id: 45
[19:39:21] [join] GkqmNM17BIJY82zo has joined the server (55:82.196.10.131)
[19:39:21] [join] ketH4syXyHKXm7ke has joined the server (56:91.142.208.125)
[19:39:21] [connection] incoming connection: 167.99.89.72:41651 id: 52
[19:39:21] [join] 1YCJC4LsU59WctWO has joined the server (44:42.51.194.28)
[19:39:21] [join] QjcYp1cwmQQxA312 has joined the server (46:121.12.92.62)
[19:39:21] [join] 8DKMpKtBSZoyH3gD has joined the server (45:94.23.214.220)
[19:39:21] [connection] incoming connection: 114.55.63.81:46162 id: 57
[19:39:21] [join] mhJmhjwYFMrvZdmF has joined the server (47:121.12.92.59)
[19:39:21] [join] TBXnGifnj52QRlri has joined the server (51:200.199.114.236)
[19:39:22] [join] 4FzfIthOs2xErqW6 has joined the server (52:167.99.89.72)
[19:39:22] [part] 4FzfIthOs2xErqW6 has left the server (52:2)
[19:39:22] [connection] incoming connection: 185.40.31.136:37234 id: 58
[19:39:22] [part] TqHe24xNSYNXhEj9 has left the server (43:2)
[19:39:22] [connection] incoming connection: 42.51.216.10:55266 id: 40
[19:39:22] [connection] incoming connection: 123.249.60.185:56830 id: 59
[19:39:22] [part] Yqcr6byjgIXOlybQ has left the server (41:2)
[19:39:22] [part] 3qeuQdrIR7BKBF7u has left the server (38:2)
[19:39:22] [connection] incoming connection: 123.249.60.76:56953 id: 60
[19:39:22] [connection] incoming connection: 88.99.76.114:58749 id: 61
[19:39:22] [connection] incoming connection: 123.249.60.246:57516 id: 62
[19:39:22] [connection] incoming connection: 42.51.216.11:58107 id: 63
[19:39:22] [join] TN8QD2EXWhnujuYN has joined the server (58:185.40.31.136)
[19:39:22] [part] TN8QD2EXWhnujuYN has left the server (58:2)
[19:39:22] [connection] incoming connection: 123.249.61.135:57989 id: 61
[19:39:23] [connection] incoming connection: 123.249.61.6:58006 id: 64
[19:39:23] [warning] dropping a split packet from client
[19:39:23] [connection] incoming connection: 121.12.92.93:34177 id: 65
[19:39:23] [part] T127iZFoycoop85a has left the server (28:2)
[19:39:23] [warning] dropping a split packet from client
[19:39:23] [part] gtxhXwXCUBEMm9MB has left the server (42:2)
[19:39:23] [connection] incoming connection: 42.51.216.3:50625 id: 57
[19:39:23] [part] 64LPqNvCVArqR2Kr has left the server (36:2)
All my NPCs get kicked when they attack my server - and they artificially add to my player count (none of my intentions).

My server automatically kicks them after like 9 seconds.

I don't know where to get access to this thing to really get an idea of how I can stop the attacks - but if somebody has feedback it will be greatly appreciated.

Tried to search, could not find anything. If I missed a detail, please link me in the thread so that users have a future reference when encountering this attack.

It's annoying as hell!
Reply
#2

Maybe there's a GPCI ID pattern for them, some of those used to have a blank one.
Reply
#3

There are multiple methods how to detect them:

- They use same name length, you can kick all players with the same name length, that are not registered/logged
- There are often too many consonants in the row in their names, unlike regular player's name, you can apply some heuristics to detect the bot from its name
- They attempt to connect multiple times with the same IP, calling OnIncomingConnection quickly - regular players don't call this more than twice within 30 seconds.

Besides that, they all use VPN/Proxy. So far I have blocked these ranges, it helped to reduce the attacks a bit:

Code:
95.156.102.* 
192.169.217.* 
31.13.224.* 
95.78.157.* 
138.118.224.* 
103.250.166.* 
177.131.12.*
114.6.27.* 
192.169.188.* 
157.119.207.* 
203.145.179.* 
83.143.31.* 
42.51.216.* 
114.55.63.* 
185.67.93.* 
37.113.191.* 
85.192.154.* 
185.124.86.* 
128.199.*.* 
46.101.*.* 
201.184.*.* 
136.243.*.* 
188.235.*.* 
195.9.*.* 
94.153.*.* 
162.144.*.* 
192.169.140.* 
185.40.31.* 
173.249.29.* 
128.199.36.* 
192.163.207.* 
163.53.209.* 
154.72.75.* 
103.21.163.* 
46.101.240.* 
123.249.*.* 
46.214.146.* 
37.59.8.* 
42.51.*.* 
103.240.161.* 
121.12.92.* 
5.135.20.* 
103.216.82.*
Reply
#4

Quote:
Originally Posted by niCe
View Post
There are multiple methods how to detect them:

- They use same name length, you can kick all players with the same name length, that are not registered/logged
- There are often too many consonants in the row in their names, unlike regular player's name, you can apply some heuristics to detect the bot from its name
- They attempt to connect multiple times with the same IP, calling OnIncomingConnection quickly - regular players don't call this more than twice within 30 seconds.

Besides that, they all use VPN/Proxy. So far I have blocked these ranges, it helped to reduce the attacks a bit:

Code:
95.156.102.* 
192.169.217.* 
31.13.224.* 
95.78.157.* 
138.118.224.* 
103.250.166.* 
177.131.12.*
114.6.27.* 
192.169.188.* 
157.119.207.* 
203.145.179.* 
83.143.31.* 
42.51.216.* 
114.55.63.* 
185.67.93.* 
37.113.191.* 
85.192.154.* 
185.124.86.* 
128.199.*.* 
46.101.*.* 
201.184.*.* 
136.243.*.* 
188.235.*.* 
195.9.*.* 
94.153.*.* 
162.144.*.* 
192.169.140.* 
185.40.31.* 
173.249.29.* 
128.199.36.* 
192.163.207.* 
163.53.209.* 
154.72.75.* 
103.21.163.* 
46.101.240.* 
123.249.*.* 
46.214.146.* 
37.59.8.* 
42.51.*.* 
103.240.161.* 
121.12.92.* 
5.135.20.* 
103.216.82.*
You champ! Thanks for that!

The only thing that would have been great is if OnIncomingConnection was able to pull the player's name so that we can do the name checking in that function (since GetPlayerName does not work).

Right now I check the rate in which these bots connect and if there is an anomaly then it will block their IP for 60 seconds. It seems to work a bit, I mean they do connect but they don't stay very long. I'd say maybe 75% reduced in connections alone just by checking the rate of connecting.

Got another check to see if the ID is within range otherwise it will block them (so that my NPCs dont get kicked). Will see how this holds up... Still hasn't went over the limit, yet.

Just gonna leave this info here if by chance Kalcor sees the thread and decides one day to give the issue another tackle.

GPCI is useless by the looks as someone suggested up. Different between every bot.

IncomingConnection:
Code:
[13:53:31] Name:(45)
Version:
IP: / 123.249.60.171:54741
Network Stats:{Network Active: 1
Network State: 6
Messages in Send buffer: 0
Messages sent: 0
Bytes sent: 0
Acks sent: 0
Acks in send buffer: 0
Messages waiting for ack: 0
Messages resent: 0
Bytes resent: 0
Packetloss: -nan%
Messages received: 0
Bytes received: 0
Acks received: 0
Duplicate acks received: 0
Inst. KBits per second: 28.8
KBits per second sent: 0.0
KBits per second received: 0.0
}
Ping:-1
NPC:0
GPCI:
OnPlayerConnect:
Code:
[13:53:30] [join] kKFdGEyGrk9TlTAI has joined the server (68:70.83.106.82)
[13:53:30] Name:kKFdGEyGrk9TlTAI(68)
Version:0.3.7
IP:70.83.106.82
Network Stats:{Network Active: 1
Network State: 8
Messages in Send buffer: 7
Messages sent: 52
Bytes sent: 2596
Acks sent: 6
Acks in send buffer: 3
Messages waiting for ack: 0
Messages resent: 0
Bytes resent: 0
Packetloss: 0.0%
Messages received: 8
Bytes received: 186
Acks received: 0
Duplicate acks received: 0
Inst. KBits per second: 28.8
KBits per second sent: 71.1
KBits per second received: 5.0
}
Ping:65535
NPC:0
GPCI:544E5049485245344C5238504F51584850494734
Reply
#5

Quote:
Originally Posted by Lorenc_
View Post
GPCI is useless by the looks as someone suggested up. Different between every bot.

IncomingConnection:
Code:
[13:53:31] Name:(45)
..
GPCI:
OnPlayerConnect:
Code:
....
GPCI:544E5049485245344C5238504F51584850494734
They do have a pattern tho, i see over 30 numbers in the GPCI ID, do they all have that pattern? the hashed outcome of that string is usually less than 30 numbers since its 40 characters as a whole.
Reply
#6

Quote:
Originally Posted by RogueDrifter
View Post
They do have a pattern tho, i see over 30 numbers in the GPCI ID, do they all have that pattern? the hashed outcome of that string is usually less than 30 numbers since its 40 characters as a whole.
stop it
ill get bigeti
Reply
#7

But GPCI is a number with 40 hexadecimal digits...
There is indeed a low probability (not very low though) of having only decimal digits inside a hexadecimally represented number, but there is a very high probabibility for players that are falsely tagged as bots according to your logic. Your logic extends to that you should count base 5 digits out of a octal represented number. That makes absolutely no sense. I want that you should plot a distribution of GPCIs by using your hilarious counting method, so we can do an end at your logic for good.
Reply
#8

I'd try simply to password the server anytime it gets attacked.
Or is it useless?
Reply
#9

Pfft i never said it’s a permanent solution nor did i say it was a 100% accurate, it can still be used to push away the attacker then you can take it off afterwards.

If it was so inaccurate i wouldn’t have used it or recommended it but I’ve used it for a long period of time and it rarely kicked the innocent people, the ones that were detected were usually players with edited clients that set their GPCI ID to be spoofed every time they connect to ban evade which lead it to be a gay 40 characters string with more numbers than letters.

Just set it to kick the players with >=30 numbers or if it wasn’t equal to 40 characters until the attacker goes away then remove it.

Code:
bool:IsPlayerBot(playerid)
{  
    if(IsPlayerNPC(playerid)) return false;
    new TempId[40+1], TempNumb;  
    gpci(playerid, TempId, sizeof(TempId)); 
    for(new i; i < strlen(TempId); i++)  
    {  
        if(TempId[i] >= '0' && TempId[i] <= '9')  TempNumb++;  
    }  
    return (TempNumb >= 30 || strlen(TempId) != 40);
}
Reply
#10

Aah I've already said my piece on this, i realize normal players could have those specs, that's why i said it rarely kicked normal ones, but clients which spoof your GPCI info always come up with a string that has those specs as well except for one spoofer i saw that does it the same and i don't think the attacks happening above include that.

If you're not going to take the risk of kicking that normal small percentage of players to stop the spoof of hundreds it's totally up to you, i just provided a resolution that may not be very accurate but could stop it til it goes away, then you can remove that piece of code or set a command to disable it afterwards. Again it's up to you.
Reply
#11

GPCI code is useless. When you get attacked, even kicking them OnPlayerConnect doesn't do much. It all has to be done through OnIncomingConnection - the majority of the preventing.
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)