[donB]

Quote:

Originally Posted by Pizzy My server is running fine with no speed or lag, it's perfect once you connect - but the whole querying of the server on the client looks as if the server is lagging or not responding - but connecting is perfectly fine.

True. I'm not able to query the server using 3rd party Android apps as well.

[Whale]

Quote:

Originally Posted by .03 Seeing the same thing on a server I manage. Attack involves around 1700 IPs. I've just temporarily blocked the following: Code: 180.0.0.0/8 181.0.0.0/8 186.0.0.0/8 190.0.0.0/8 200.0.0.0/8 201.0.0.0/8 And then I've added a few exceptions here and there for legit players trying to join. It's not ideal but it's better than the whole server being down. Hopefully they'll get bored soon.

I have been receiving attack since yesterday from same ips. I have blocked These ranges it seems to work.

[soul225]

how can i block this IPs in Kerio Winroute Firewall?

[WarZ]

the attack start again today .-.

[WarZ]

the attack start again today .-.

[adri[4]Life]

So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating
And so much time advertising and searching for who can provide us hosted tab
Finally due to lack of updates, My community is fucked up.
Thanks kalcor

[denNorske]

Those IP's were the same for me, the block did the job, however as WarZ stated above, there's a bunch of new IP's today.

Blocking 100 million IP's each time is not going to solve this in a clean way. We might end up blocking out way too many players/users at some point if this continues.

Any firewall mthods available to limit the UDP/TCP packets from repeating IP's ?

Also, in order to save some hard-drive space i suggest you guys disable cookie logging in the server log by doing:

PHP Code:

//server.cfg
cookielogging 0
conncookies 1 


The logs were about 800 mb in 30 minutes when the attacks started..

[SWAT4]

Quote:

Originally Posted by adrianlouise So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating And so much time advertising and searching for who can provide us hosted tab Finally due to lack of updates, My community is fucked up. Thanks kalcor

you, missed the point, its not a 'lack' of update, its the miss-optimisation you've got there...
if you think you'd do something to solve that in the new update, then i tell you , you're totally mistaken, i bet that you're not even using 10% of the current version's benefits, and if you can't handle to moderate at least a temporary solution for an attack on your "community", then i'd tell you , you aren't ready for this... so stop lying to yourself, and start working with what you have.
put in mind that many servers stood upon the attack, and yeah, they are using the same version as you, its just the skill, and they never requested another update...

[adri[4]Life]

Quote:

Originally Posted by SWAT4 you, missed the point, its not a 'lack' of update, its the miss-optimisation you've got there... if you think you'd do something to solve that in the new update, then i tell you , you're totally mistaken, i bet that you're not even using 10% of the current version's benefits, and if you can't handle to moderate at least a temporary solution for an attack on your "community", then i'd tell you , you aren't ready for this... so stop lying to yourself, and start working with what you have. put in mind that many servers stood upon the attack, and yeah, they are using the same version as you, its just the skill, and they never requested another update...

Lying? We stopped this once but we can't block million ranges daily, SA-MP features won't helpme stopping this attack
I Am not asking for any new feature But for a solution, Cookielogging doesn't even effect just few lines in log that's all
Firewall is just temp for few hours then you have to block more Ranges so a fix is necessary but if they don't
then it's SA-MP's death. People like you who are not playing/managing a SA-MP server better stop talking about this.
We all know that we have much to do with SA-MP we can script so many stuffs but no we can't script anything in a mod attacked by infinity bots

[dugi]

Quote:

Originally Posted by adrianlouise So i've wasted all this time for a dying mod, so much time on coding Bo3 so much time administrating And so much time advertising and searching for who can provide us hosted tab Finally due to lack of updates, My community is fucked up. Thanks kalcor

An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.

[adri[4]Life]

Quote:

Originally Posted by dugi An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.

Is there any solution? Firewall became useless

[oMa37]

Quote:

Originally Posted by adrianlouise Is there any solution? Firewall became useless

cookielogging 0 in server.cfg got it working for me.

[denNorske]

Quote:

Originally Posted by [HLF]Southclaw The masterlist 2.0 server is showing about 50% of the servers refusing queries so I've lowered the request time to a 3 minute period just to ease the load a bit (at first I was worried the service scaled to more nodes and was inadvertently DDoSing the entire community!) For more mitigation methods, take a look at rate limiting UDP packets - it's not so common as TCP as it's usually used in the microservices/API scenarios but iptables and hardware firewalls should support it.

What could a useable limit be in this case?

The rates are around 100 per second, which is not that much, but still problematic.

[adri[4]Life]

Quote:

Originally Posted by oMa37 cookielogging 0 in server.cfg got it working for me.

All it does is stop spamming the requests in server log, My server still appears offline

[blackgangs]

Looks like they changed the ip we can't block it anymore

[Mark™]

You need DDoS mitigating hardware at the server end which analyzes and filters network traffic, otherwise there's hardly anything you can do about it.

[Morpheus1992]

Quote:

Originally Posted by dugi An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.

Ofc a Update would fix this, a new Callback or a a new Config Var to limit the querys per player at query info and then with exec plugin ban with iptables would fix this for everyone

[Dance94]

I don't understand why they continue with the same stupidity of block ip's in the firewall if everyone is aware that those ip's are false and the attacker can replace them with other false, this problem is not kalcor it's yours.

Kalcor cannot manage the security of your virtual server where you have stayed your server sa-mp.

Sorry if i don't understand, my native language is spanish

[adri[4]Life]

Quote:

Originally Posted by Dance94 I don't understand why they continue with the same stupidity of block ip's in the firewall if everyone is aware that those ip's are false and the attacker can replace them with other false, this problem is not kalcor it's yours. Kalcor cannot manage the security of your virtual server where you have stayed your server sa-mp. Sorry if i don't understand, my native language is spanish

The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?

[RDM]

It is kalcor's obligation to launch a new update the vulnerability is layer 7 and it has been reported for more than 1 year!

I am afraid that it is necessary to change the way of altenticaзгo of the samp is very simple to falsify packages!


It is impossible to block such attacks via firewall, since the packets are identical to those of the clients! Impossible in the right way respecting good practices, and not blocking any legitimate customer!


I spent 5 hours analyzing the traffic of this attack!

The attack is totally spoofed, the ips never repeat !!!!

Do not try to block the ips that flood, adding them to a blacklist, the amount of ips is giant, if you make your memory / cpu will run out quickly,