[MD5]

It would be nice to earn some type of award for putting all of your time into your community, but then you get people who're jealous, and crash your server.

~Annoyed.

[FaceTutorialz]

SA-MP needs a custom-built protection system of some kind (and I'm not a code expert so I dunno what to call it) to prevent this, just like GTA Online and CoD: Advanced Warfare. I remember seeing that GTA Online has a very sophisticated prevention method that hackers would shit themselves to get through.

[Faskis]

Quote:

Originally Posted by FaceTutorialz SA-MP needs a custom-built protection system of some kind (and I'm not a code expert so I dunno what to call it) to prevent this, just like GTA Online and CoD: Advanced Warfare. I remember seeing that GTA Online has a very sophisticated prevention method that hackers would shit themselves to get through.

In both of those examples, the companies that own the games operate the servers for them, which has protection as-is and the operation is entirely different than SA-MP. A custom-built protection system at the program level would likely do more harm than good, in a lot of ways. There's only so much that can be done in a mostly self-hosted application.

[Redirect Left]

Quote:

Originally Posted by MohanedZzZ My 4 servers are fucked up, Thanks for the beta-testers and developers. + Servers on the hosted tab.

I've got a message from them, they say "np bbz"

[dudaefj]

Quote:

Originally Posted by dugi How about you provide more information such as your server log instead of posting such rude messages? We do know about this issue, several servers owned by beta team members were affected by it, believe me it's not being ignored.

Hello

If you want more information you can check on this logs:
https://mega.co.nz/#!FsYkUT6Z!WgkXk9...QxSgBhTM4SL_Pg
try to use this on filter field: "ip.src eq 177.134.74.170"
like you can see: http://prntscr.com/5e0ea8


We found a beta solution for this, but we have only 98% precision, we are still studying while the attacker change it's method, but we can have a nice result

there are some servers on our network with this solution:

HostName: Cidade Vida Real RPG ® | Server: 1 | #CarbonHost
Address: 192.95.52.36:7777
Players: 275 / 400
Ping: 213
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online

HostName: Cidade Vida Real RPG ® | Server: 2 | #CarbonHost
Address: 192.99.183.164:7772
Players: 169 / 400
Ping: 194
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online

HostName: Cidade Vida Real RPG ® | Server: 3 | #CarbonHost
Address: 192.99.183.164:7773
Players: 138 / 400
Ping: 238
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online

HostName: Brasil PlayGames [RPG] @CarbonHost
Address: 192.99.203.29:7777
Players: 155 / 500
Ping: 202
Mode: BPG RPG: Brasil/PT
Map: Brasil RPG BR/PT

HostName: GTA Torcidas @ CarbonHost.com.br
Address: 192.99.99.170:7777
Players: 319 / 500
Ping: 209
Mode: [GT]Mod 9.2c
Map: Torcidas Organizadas

HostName: Brasil PlayForever [RPG v3.6a] #CarbonHost
Address: 192.99.203.30:7777
Players: 172 / 400
Ping: 208
Mode: BPF RPG: Brasil/PT
Map: Brasil RPG BR/PT

HostName: Brasil New Life
Address: 192.99.41.194:7777
Players: 101 / 248
Ping: 176
Mode: BNL:RPG
Map: San Andreas


We want to help other servers, if someone want a test only tell me or tell us on our chat.
Our website is in portuguese - brazilian, but we can talk in english.
We can make a free test to be sure your server will be fine on our protection.

[MohanedZzZ]

Quote:

Originally Posted by dudaefj Hello If you want more information you can check on this logs: https://mega.co.nz/#!FsYkUT6Z!WgkXk9...QxSgBhTM4SL_Pg try to use this on filter field: "ip.src eq 177.134.74.170" like you can see: http://prntscr.com/5e0ea8 We found a beta solution for this, but we have only 98% precision, we are still studying while the attacker change it's method, but we can have a nice result there are some servers on our network with this solution: HostName: Cidade Vida Real RPG ® | Server: 1 | #CarbonHost Address: 192.95.52.36:7777 Players: 275 / 400 Ping: 213 Mode: Brasil - CVR RPG v3.5.2 Map: Brasil - [L.K] Jogos Online HostName: Cidade Vida Real RPG ® | Server: 2 | #CarbonHost Address: 192.99.183.164:7772 Players: 169 / 400 Ping: 194 Mode: Brasil - CVR RPG v3.5.2 Map: Brasil - [L.K] Jogos Online HostName: Cidade Vida Real RPG ® | Server: 3 | #CarbonHost Address: 192.99.183.164:7773 Players: 138 / 400 Ping: 238 Mode: Brasil - CVR RPG v3.5.2 Map: Brasil - [L.K] Jogos Online HostName: Brasil PlayGames [RPG] @CarbonHost Address: 192.99.203.29:7777 Players: 155 / 500 Ping: 202 Mode: BPG RPG: Brasil/PT Map: Brasil RPG BR/PT HostName: GTA Torcidas @ CarbonHost.com.br Address: 192.99.99.170:7777 Players: 319 / 500 Ping: 209 Mode: [GT]Mod 9.2c Map: Torcidas Organizadas HostName: Brasil PlayForever [RPG v3.6a] #CarbonHost Address: 192.99.203.30:7777 Players: 172 / 400 Ping: 208 Mode: BPF RPG: Brasil/PT Map: Brasil RPG BR/PT HostName: Brasil New Life Address: 192.99.41.194:7777 Players: 101 / 248 Ping: 176 Mode: BNL:RPG Map: San Andreas We want to help other servers, if someone want a test only tell me or tell us on our chat. Our website is in portuguese - brazilian, but we can talk in english. We can make a free test to be sure your server will be fine on our protection.

Great job but the problem is,
They can get a new false ips.
Today i bought 252 static ip with 30$ from my Internet company.
Thats the problem.

[Khanz]

Quote:

Originally Posted by MohanedZzZ Great job but the problem is, They can get a new false ips. Today i bought 252 static ip with 30$ from my Internet company. Thats the problem.

How the fuck and why would someone sell you 252 IP's for $30.

[dudaefj]

Quote:

Originally Posted by MohanedZzZ Great job but the problem is, They can get a new false ips. Today i bought 252 static ip with 30$ from my Internet company. Thats the problem.

it doesn't matter

what we did is for any IP, they are using spoofed IPs, so they have more tham 1 billion different IPs to use.

I said to use the filter to 177.134.74.170 but it is only one small exemple, you can get logs and see that there are more tham 300.000 different IPs trying to connect and all are being blocked

[ErickOwnZ]

Quote:

Originally Posted by MohanedZzZ Great job but the problem is, They can get a new false ips. Today i bought 252 static ip with 30$ from my Internet company. Thats the problem.

Yes, we know. The attack is spoofed, you will not be able to block it directly by SA-MP itself.

We had to develop a filtering scheme and C to compile with the kernel of our firewall to confirm the connections before moving to the sa-mp / server client.

One example is synproxy used by several companies as: Arbor, Cisco, Brocade, Juniper and others... It's used to mitigate TCP L7 SYN attacks.

SYNPROXY Example:



So, we have developed the same system to UDP protocol. Especially for the query / SA-MP packets.

Example of the attack:

16:20:04.046961 IP (tos 0x24, ttl 109, id 57678, offset 0, flags [none], proto UDP (17), length 32)
30.176.241.167.28966 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046968 IP (tos 0x24, ttl 109, id 43415, offset 0, flags [none], proto UDP (17), length 32)
105.160.211.82.30292 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046969 IP (tos 0x24, ttl 109, id 36130, offset 0, flags [none], proto UDP (17), length 32)
214.190.88.169.29204 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046970 IP (tos 0x24, ttl 109, id 20510, offset 0, flags [none], proto UDP (17), length 32)
72.235.89.217.30287 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046973 IP (tos 0x24, ttl 109, id 62565, offset 0, flags [none], proto UDP (17), length 32)
161.201.8.98.30494 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046975 IP (tos 0x24, ttl 109, id 65440, offset 0, flags [none], proto UDP (17), length 32)
119.50.189.26.29202 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046981 IP (tos 0x24, ttl 109, id 55045, offset 0, flags [none], proto UDP (17), length 32)
150.29.236.112.30579 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046985 IP (tos 0x0, ttl 128, id 7806, offset 0, flags [none], proto UDP (17), length 39)
192.95.52.47.cbt > 189.74.61.200.59551: [udp sum ok] UDP, length 11
16:20:04.046996 IP (tos 0x24, ttl 109, id 8652, offset 0, flags [none], proto UDP (17), length 32)
112.91.138.244.30459 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.046997 IP (tos 0x24, ttl 109, id 48391, offset 0, flags [none], proto UDP (17), length 32)
3.151.36.155.29213 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047003 IP (tos 0x24, ttl 109, id 39803, offset 0, flags [none], proto UDP (17), length 32)
202.158.192.227.30517 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047004 IP (tos 0x24, ttl 109, id 52031, offset 0, flags [none], proto UDP (17), length 32)
190.176.9.176.30518 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047008 IP (tos 0x24, ttl 109, id 11801, offset 0, flags [none], proto UDP (17), length 32)
84.125.96.211.30589 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047024 IP (tos 0x24, ttl 109, id 28993, offset 0, flags [none], proto UDP (17), length 32)
209.70.169.49.30507 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047027 IP (tos 0x24, ttl 109, id 62759, offset 0, flags [none], proto UDP (17), length 32)
70.227.245.234.30586 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047044 IP (tos 0x24, ttl 109, id 39924, offset 0, flags [none], proto UDP (17), length 32)
49.96.89.155.30526 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047046 IP (tos 0x24, ttl 109, id 45617, offset 0, flags [none], proto UDP (17), length 32)
108.230.209.166.30570 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047050 IP (tos 0x24, ttl 109, id 2171, offset 0, flags [none], proto UDP (17), length 32)
80.169.246.14.30476 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047056 IP (tos 0x24, ttl 109, id 40458, offset 0, flags [none], proto UDP (17), length 32)
193.72.190.64.30583 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4
16:20:04.047067 IP (tos 0x24, ttl 109, id 5411, offset 0, flags [none], proto UDP (17), length 32)
46.155.105.80.30601 > 192.95.52.35.cbt: [udp sum ok] UDP, length 4

[Lumabd]

Gamerzhosting anda carbono hostigamiento had the solution.... Anymore to say

[Faskis]

Quote:

Originally Posted by Sew_Sumi The worst thing about all of this thread, is that NO-ONE bar a few, are actually stating what they're trying, and what results they've had... But I suppose that is normal in this forum....... It is good that you are sharing your knowledge, and illustrating it too. I'm eager to see what "easy" options you can provide people to obtain your fix when it becomes efficient and confirmed as being a decent fix.

The trouble with this whole situation (and part of the reason why I haven't posted any specific solutions) is because none of what has been tried completely blocks it, or has caused further issues beyond what has existed. The other issue is that if a solution is posted, you know that whoever is behind all of this (regardless of if it's one person or a group), they're going to see it and attempt to work around it. I can tell you, with certainty, that one of the solutions we're working with can be easily bypassed.

If you're really looking for a solution to this issue outside of what has already been posted, your best bet would be to do so through private means. IRC would be a good place to start.

[jackswingfield]

^ Amen.

This is starting to get out of hand. Still no solutions but only speculations.

[yass0016]

I hope in the next client version of SA-MP they would use a new protocol with a different authentication and better encryption. I don't think there will be any solution for this issue on the current and previous clients.

[Lumabd]

Yes, it`s a solution.

[SERGIO9800]

Actualmente Lanzaron una Version 0.3z RC5, que veo que el problema en esa version se soluciono, pero abria que esperar un poco mas!

[XLeoX]

Quote:

Originally Posted by SERGIO9800 Actualmente Lanzaron una Version 0.3z RC5, que veo que el problema en esa version se soluciono, pero abria que esperar un poco mas!

їDуnde viste eso? їTienes algъn link?

[MD5]

Hello,

I've recently made an script that can seriously help prevent this issue. It basically checks an IP from a player that disconnects and reconnects within 10 seconds, and then "rcon bans" the player, for the best protection. It'll mostly help you avoid bots/players who try to flood the server using the "reconnect" method.

I also made an API that has (12,000+) banned VPNs/Proxies that're most abused, I recently also implemented kaisersouse's list into it.

This seems to be fixing the issue for me.

[MohanedZzZ]

Quote:

Originally Posted by SERGIO9800 Actualmente Lanzaron una Version 0.3z RC5, que veo que el problema en esa version se soluciono, pero abria que esperar un poco mas!

Quote:

Originally Posted by XLeoX їDуnde viste eso? їTienes algъn link?

There is a spanish language section.

Quote:

Originally Posted by MD5 Hello, I've recently made an script that can seriously help prevent this issue. It basically checks an IP from a player that disconnects and reconnects within 10 seconds, and then "rcon bans" the player, for the best protection. It'll mostly help you avoid bots/players who try to flood the server using the "reconnect" method. I also made an API that has (12,000+) banned VPNs/Proxies that're most abused, I recently also implemented kaisersouse's list into it. This seems to be fixing the issue for me.

Can you post it please ?

[MD5]

Quote:

Originally Posted by MohanedZzZ There is a spanish language section. Can you post it please ?

For my server(s) security sake, I won't give you the script I've put together.

But this may help you: https://sampforum.blast.hk/showthread.php?tid=321533