[dudaefj]

Hello

First, I'm sorry for my bad english.
I'm not here to adv, I wanna more people help to test a beta solution we've developed.

We work with ddos protection in Brazil from many years and this attack got us by surprise.
We are the biggest samp host provider in Brazil and at start we were thinking this attack was targeting only us.
From days we spent thousands of dollars do research and develop a solution since we also work with ddos protection, so we got this case as personal issue.

Now I see this attack is large and it is hitting the whole world samp community and I want to check if it other places everyone are having the same attack type (not talking about the final client behavior, like server full, but talking about the IPv4 header, udp header, and stuff from spoofed source)


I won't post website cuz I don't want to violate this forum's rules, I only want to know some server owners to test it for free, please answer me here and/or PM, I can provide a free test VPS to check if the attack in the whole world is the same and if we can really block it all.



One more time, I'm not here to adv, I only want some server owners that are being target of this attack to help with some tests on this beta firewall system. You will have full root access, we will make the protection by packet routing.

This protection is still in beta but we are having a great result as well.
You can see some of our customers here, all of them are being target of this attack constantly, in total, more tham 800 million packets blocked only this week:


--------------- Servers on Protection Beta v3 --------------

HostName: Brasil PlayGames [RPG] @CarbonHost
Address: 192.99.203.29:7777
Players: 131 / 500
Ping: 200
Mode: BPG RPG: Brasil/PT
Map: Brasil RPG BR/PT

HostName: Cidade Vida Real RPG ® | Server: 1 | #CarbonHost
Address: 192.95.52.36:7777
Players: 236 / 400
Ping: 208
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online




--------------- Servers on Protection Beta v2 --------------

HostName: Cidade Vida Real RPG ® | Server: 2 | #CarbonHost
Address: 192.99.183.164:7772
Players: 141 / 400
Ping: 170
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online

HostName: Cidade Vida Real RPG ® | Server: 3 | #CarbonHost
Address: 192.99.183.164:7773
Players: 105 / 400
Ping: 226
Mode: Brasil - CVR RPG v3.5.2
Map: Brasil - [L.K] Jogos Online

HostName: GTA Torcidas @ CarbonHost.com.br
Address: 192.99.99.170:7777
Players: 267 / 500
Ping: 204
Mode: [GT]Mod 9.2c
Map: Torcidas Organizadas

HostName: Brasil New Life
Address: 192.99.41.194:7777
Players: 110 / 248
Ping: 200
Mode: BNL:RPG
Map: San Andreas

HostName: Brasil PlayForever [RPG v3.6a] #CarbonHost
Address: 192.99.203.30:7777
Players: 172 / 400
Ping: 204
Mode: BPF RPG: Brasil/PT
Map: Brasil RPG BR/PT



--------------- Servers on Protection Beta v1 --------------

HostName: [PT/BR] Brasil Start Life [v2.5.257]
Address: server.bslrpg.com:7777
Players: 45 / 170
Ping: 167
Mode: [PT/BR] Brasil Start Life 2.5.
Map: [PT/BR] Brasil Start Life [v2.



My main wish is to help the major number of players and server owners, but We still don't have much room for tests, so I ask you, only contact me if you are really under this type of attack and if you really need help.

Again, I'm sorry for bad english, and I hope I really can help the right people.

[BrasilPlayGames]

the protection that the Carbon Host made to the server is really great, I was around 15 days with unstable server and I lost some players, but is now back to normal and the attacks are being mitigated in a way that players do not even realize really a great job, as the first customer of SA: MP carbon host, I say and I repeat, do not intend to leave the company and admire the work you do. Thank you so much.

Regards,
Rodrigo Vilhena

Brasil Play Games - Owner / Scripter

[Raphael_Santos]

Hello, I'm Raphael Santos, owner of Brasil PlayForever server, I am currently using a protection Carbon Host Inc to my server, and is excellent as the services provided by them since 2012, always with speed and confidence on these attacks the SA-MP servers are getting, it's really very sad that, but at last the Carbon get this solution until the SA-MP can solve it.
I have my server almost 6 years and I am proud to have spent almost half of that time staying in Carbon.
Strength and wisdom to all owners of servers para que possamos resolver isso.

Regards, Raphael M. Santos.

[Unyx]

This is not a solution, it's a slow death for those servers.

The servers do not respond well to ping, sometimes not even come to respond to the ping, querys not respond, players see the offline servers, and last but not least, servers with this protection does not come out or the Internet list or the Hosted list nor on any list of servers samp, because do not respond to ping, or the query or anything.

In short, carbon has destroyed their own servers, this is the ruin of those servers.
A slow death.

[Raphael_Santos]

Quote:

Originally Posted by Unyx This is not a solution, it's a slow death for those servers. The servers do not respond well to ping, sometimes not even come to respond to the ping, querys not respond, players see the offline servers, and last but not least, servers with this protection does not come out or the Internet list or the Hosted list nor on any list of servers samp, because do not respond to ping, or the query or anything. In short, carbon has destroyed their own servers, this is the ruin of those servers. A slow death.

still does not respond, that's what would ruin the servers.
what carbon is suggesting is something temporary, until the SA-MP arrange this EXPLOIT

[dudaefj]

Quote:

Originally Posted by Unyx This is not a solution, it's a slow death for those servers. The servers do not respond well to ping, sometimes not even come to respond to the ping, querys not respond, players see the offline servers, and last but not least, servers with this protection does not come out or the Internet list or the Hosted list nor on any list of servers samp, because do not respond to ping, or the query or anything. In short, carbon has destroyed their own servers, this is the ruin of those servers. A slow death.

which one do you see offline?
It's 1h AM here and there are many servers with more tham 100 players, what is a lot for brazilian servers.

You can see query is slot and you have to refresh more tham once, this is why samp is UDP and UDP sucks...
We are forcing a "handshake" where should be virtually impossible to do, that is why you see it slow.
After you have the "authorization" from the firewall, you are able to have a perfect query.

If you check servers on Beta v3 this problem is mainly gone. And it is still in beta.


Of course would be the best if SAMP team solved this by updating game client with a real query udp handshake, but while we wait them, you can have a poorly query and a nice gameplay, or stay fully offline, you pick

[Unyx]

Quote:

Originally Posted by Raphael_Santos still does not respond, that's what would ruin the servers. what carbon is suggesting is something temporary, until the SA-MP arrange this EXPLOIT

This is not an exploit...

And this "protection" is very simple, just playing with packets of ping, query and incoming connection (and therefore does not respond or the ping, or the query or anything, and offline servers appear to the naked eye = slow death of this servers), and is very easy to fool, you know it...

[GWMPT]

Quote:

Originally Posted by dudaefj is UDP and UDP sucks...

Could you explain why "UDP" sucks?

[dudaefj]

Quote:

Originally Posted by Kikito Could you explain why "UDP" sucks?

cuz you don't have handshake, so you don't have a way to know if the IP source is real or isn't.

And that is where the exploit is.

The attacker is on IP, for exemple, 123.123.123.123 and he send a packet pretending to be 144.144.144.144, and include on this packet the connection packet data (4 bytes, usually some kind of hash from server port).

So the server only see the source 144.144.144.144 asking for connection, and give it to him. He doesn't know the 144.144.144.144 is not really asking for connection, it is a fake.


and the IP 123.123.123.123 try it again with an other ip, for exemple, 84.84.84.84
and again with other IP


A single server with 100mbps bandwidth can send up to 133,333 packets per second, each one with a different IP address (it doesn't have to have this address, he only fake it)

and that is why UDP sucks, it has this exploit by default

the solution is use a handshake, how it works with TCP?

first packet to be accepted has to be a, for exemple "hello, what is my password?".
and the server return "hello, you password is xAEW54x, repet it to me",
and, finally the IP source has to say "my password is xAEW54x, can I connect now?"

this is the only way to check if the IP Source is real, and TCP has it by default, UDP doesn't. And what I did was to try to force an other type of handshake by a "maze" with packets, and that is why the query is a bit slow...


I'm getting it simplified, the attacker already know and is doing it harder to force this handshake, and we are also doing it better...

[dudaefj]

Quote:

Originally Posted by Unyx This is not an exploit... And this "protection" is very simple, just playing with packets of ping, query and incoming connection (and therefore does not respond or the ping, or the query or anything, and offline servers appear to the naked eye = slow death of this servers), and is very easy to fool, you know it...

The idea started this way, on v1, but the attacker is smart...
look here: https://mega.co.nz/#!FsYkUT6Z!WgkXk9...QxSgBhTM4SL_Pg
or on this image:




The attacker is now sending all queries types, and them he send connect packet info, so the protection beta v1 is not so usefull anymore...
I can't tell the fully solution cuz I'm pretty sure the attacker will check this topic since he is intended to take the whole samp down, but it is a combination of many many factors, including ip header and udp header fields, but you got part of the idea.

and I have to say, it is working very very well...