[Shaheen]

Quote:

Originally Posted by adrianlouise The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?

but some servers are not at all affected.
i hope its a dirty trick playing to get his/her server to get more popular

[HydraHumza]

Quote:

Originally Posted by adrianlouise The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?

he is using NASA servers and get all the hosted server ip. Easy isn't it? lol

[cuber]

Quote:

Originally Posted by adrianlouise The question is: How could the attacker get the whole SA-MP servers IP? how could he attack all servers?

He/she/they is/are fucking retard(s) with no fucking life. Cancerous autistic fucking 12 year old.

[WarZ]

Quote:

Originally Posted by Shaheen but some servers are not at all affected. i hope its a dirty trick playing to get his/her server to get more popular

lol yeah..
Gamerx's the only surviver server :3

[Dance94]

Quote:

Originally Posted by Shaheen but some servers are not at all affected. i hope its a dirty trick playing to get his/her server to get more popular

It is not that they are not affected, if they are affected but have security at the server level.

[bugmenotlol]

anyone got a solution ??

[Vince]

Quote:

Originally Posted by Morpheus1992 Just block the IP's, you need putty access to your Root Server and then just copy and past this here: iptables -I INPUT -s 188.0.0.0/8 -j DROP iptables -I INPUT -s 180.0.0.0/8 -j DROP iptables -I INPUT -s 181.0.0.0/8 -j DROP iptables -I INPUT -s 186.0.0.0/8 -j DROP iptables -I INPUT -s 190.0.0.0/8 -j DROP iptables -I INPUT -s 200.0.0.0/8 -j DROP iptables -I INPUT -s 201.0.0.0/8 -j DROP It will stop the Attacks and everything is fine.

Banning class A ranges is really not a good idea. For example, these countries all have IP addresses starting with 180:

• Afghanistan
• Australia
• Bangladesh
• Canada
• China
• Germany
• Guam
• Hong Kong
• Indonesia
• India
• Japan
• Cambodia
• Korea, Republic of
• Lao People's Democratic Republic
• Myanmar
• Mongolia
• Macau
• Malaysia
• New Caledonia
• New Zealand
• "Papua New Guinea"
• Philippines
• Pakistan
• Singapore
• Thailand
• Timor-Leste
• Taiwan
• United States
• Vietnam
• Vanuatu

The attacks are probably coming from only a few countries on this list. I'm still seeing if I can cross reference the lists for all of these ranges but I feel like I'm doing something wrong at the moment. Will update later.

Edit: total number of hosts blocked with this block would be approximately 120 million. Top 10 countries most likely to be affected:

code	name	range start	range end	number of hosts
BR	Brazil	200.239.64.0	201.95.255.255	7,389,183
JP	Japan	180.0.0.0	180.63.255.255	4,194,303
BR	Brazil	200.128.0.0	200.187.255.255	3,932,159
BR	Brazil	186.194.176.0	186.250.143.255	3,661,823
BR	Brazil	186.250.155.252	187.49.143.255	3,601,411
AR	Argentina	181.78.0.0	181.111.255.255	2,228,223
CN	China	180.95.128.0	180.127.255.255	2,129,919
CO	Colombia	181.128.0.0	181.159.255.255	2,097,151
MX	Mexico	201.96.0.0	201.126.112.255	1,995,007
BR	Brazil	200.200.200.201	200.224.255.255	1,586,998

Edit 2: in case someone wants the entire list: http://www.vince0789.com/samp/ranges_20170825.csv

[Noir]

Again new Ips added by bot network.
That is terrible.

There are hours when you are going to block them all the way.

[25.08.2017 | 14:01:51] [connection] 173.70.64.129:50862 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 59.18.203.156:19058 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[25.08.2017 | 14:01:51] [connection] 126.71.110.13:22282 requests connection cookie.
[...]

[niCe]

Quote:

Originally Posted by Shaheen but some servers are not at all affected.

Looks like only servers from hosted tab are being targeted.

[woot]

The attack doesn't affect the server at all, just the querying mechanism. If you disable connection cookies (conncookies) your server gets filled up with fake players. Disabling cookie logging does not fix the problem, it's not the server that's overloading but merely querying of server information doesn't work properly anymore..

By now the attack is coming from pretty much every IP range, so there's no point in blocking them, looks like spoofed IPs too..

[Terrorfist]

I haven't experienced any loss during gameplay in the servers I played on. It's probably just stopping the IP to give info to the users.

[Noir]

I just hope that the Angrift is not eternal.

[jlalt]

Quote:

Originally Posted by niCe Looks like only servers from hosted tab are being targeted.

samp 3.7 master list returns same servers for internet and host tabs.

http://lists.sa-mp.com/0.3.7/servers
http://lists.sa-mp.com/0.3.7/hosted

[Fish]

Quote:

Originally Posted by jlalt samp 3.7 master list returns same servers for internet and host tabs. http://lists.sa-mp.com/0.3.7/servers http://lists.sa-mp.com/0.3.7/hosted

Ya it seems developers of samp don't really want competition for their hosted tab.
This is pretty sad to be honest.

I mean, what would they expect?
The server numbers are dwindling even on hosted tab. Samp's being killed, all for a quick buck.

There was just so many ways to monetise SAMP which was not simply making people pay to have players.

[IstuntmanI]

Well, I guess this is why the "Official" tab (well, if I remember correctly, they said that this was exactly this reason) was removed years ago: imagine these attacks centered only on ~10 servers, not on 400 servers.

Yeah, it looks like it affects only the querying mechanism, but because the samp.exe client probably has a timeout of probably 500 milliseconds or so, so it won't wait 5 seconds for a probably closed server, servers won't appear in Hosted tab, that's why someone said that the hosted tab loads only 175 servers or so. The problem is that players (most of them) won't join from hosted tab. To me it looks like right now on my server are only players that had my server stored in their favorites tab.

Vince is right, banning all these ranges:

Quote:

188.0.0.0/8 180.0.0.0/8 181.0.0.0/8 186.0.0.0/8 190.0.0.0/8 200.0.0.0/8 201.0.0.0/8

is insanely huge. I actually have a few players from those countries.

Quote:

Originally Posted by dugi An update won't fix ddos attacks, this sort of spoofed IP flood attacks have been happening for years.

I guess SA-MP could improve filtering of the requests.

[Ubi]

This attack is just combination of two OLD(!) attacks.
1. Connection flood (old incoming flood)
2. Query flood

As stated before, the first one was fixed in previous versions. You should add "cookielogging 0" to your config file. But there is still "query flood" problem. You can join the server, even if it's unavailable in browser.

Possible solutions for "query flood":
1. Country block - easy to bypass, but should fix the problem by now.
2. Query cache mechanism (introduced in OVH Game - don't know if it's working or not) - there are methods to introduce it with additional filtering software and some redirections.
3. Increase maximum queries per second in samp server or let owners change it (kalcor needed here, or simple reverse engineering) - there are risks of self-ddos/huge network output.
4. If you have BGP access or good relations with your provider, you can check where the attack comes from and announce selective blackhole. This means affect on legit customers but 100% filtering.
5. Remove your server from hosted tab - stupid but it works.

You should also inspect packets and see if there's something which can help you filter it (in some packets it is small difference and I'm not going to explain.. you know why). That's all..

[Noir]

There must be more than 10 servers attacked. Because I have a server that has 10-20 players. He is there too.

A strong attack is not synonymous if you look at it.
https://dsz-img.de/uploads/2017/08/i9428b6rfle.png

I think it's going to stop and give up.

[azzerking]

I haven't experienced this myself, yet being on hosted tab for 4 years now. I am however hosting my servers on a dedicated server by OVH, which probably explains why I barley get an attack.

However has anyone attempted to setup a network debugger, and capture all the packets being sent by these ddosers? If enough research into the attack was done it is quite possible that we could write a plugin to manually defend ourselves against the exploit they seem to have found.

Because I haven't been attacked, I can't really do this myself, since I can't possibly know what packets are being sent, and the next best thing for me would be to reverse engineer SA-MP which would take a long time, and by then there would be a patch (hopefully)

If anyone is able to capture the full amount of packets sent, you could send it me, and I will try to write a plugin to protect SA-MP against it, memory hacking will most likely have to be done, and I'm not a expert at understanding SA-MP inner workings or GTA SA Engine. ( I'm sure there people on this forums who have this knowledge, so would be useful to talk to get more knowledge and will help in a fix )

[Ubi]

There are no differences between attack packets and legit traffic. I'm from hosting company and we found that some of our servers are attacked with packets slightly different from legit but most of the traffic is exactly the same. You cannot filter it just by introducing some pattern filter.

[azzerking]

Quote:

Originally Posted by Ubi There are no differences between attack packets and legit traffic. I'm from hosting company and we found that some of our servers are attacked with packets slightly different from legit but most of the traffic is exactly the same. You cannot filter it just by introducing some pattern filter.

You are correct in a way, but if the ddosers are attacking the SA-MP executable, then they must be manipulating/exploiting a bug that causes the server to stop sending alive packets.

So if we could find what they are exploiting then we could write a plugin to limit/prevent someone flooding it. We might not be able to fully stop it, but we could at least lessen the damage caused by it.