Connection flood

Whoever is experiencing this issue and wants to create a solution, PM me! All I need is access to a blank public server being flooded 24/7, I have an idea in mind that just may work.

Just need one person. You'll receive the solution with no charge!
Reply

Quote:
Originally Posted by azzerking
Посмотреть сообщение
You are correct in a way, but if the ddosers are attacking the SA-MP executable, then they must be manipulating/exploiting a bug that causes the server to stop sending alive packets.

So if we could find what they are exploiting then we could write a plugin to limit/prevent someone flooding it. We might not be able to fully stop it, but we could at least lessen the damage caused by it.
Well.. It's not exploited. There is some "requests per second limit" hardcoded in sa-mp executable and that's all. The attackers are reaching the limit and that's why it's not responding.
Reply

Quote:
Originally Posted by Ubi
Посмотреть сообщение
Well.. It's not exploited. There is some "requests per second limit" hardcoded in sa-mp executable and that's all. The attackers are reaching the limit and that's why it's not responding.
I'm actually certain there is no limit, There seems to be a limit in place for connections from the same IP, but not for loads of random IP's. So thats where the limit will be based on your network devices / OS network interfaces.

It's possible that RakNet has a connection limit in place, that may refuse a connections made within a set period of time, I believe most are if you have more then 30 connections within 1ms - 15ms then it would refuse the connection. I know a lot of third party multi-player add-ons follow the same pattern.

Which is why it then becomes easier for these people to attack, since they can make delays between connections and just have the server send useless packets. UDP is a bitch to work against, there no real way to identify or even analyses the host, which makes it so much harder to protect against DDos attacks.
Reply

Quote:
Originally Posted by Shaheen
Посмотреть сообщение
but some servers are not at all affected.
i hope its a dirty trick playing to get his/her server to get more popular
It's FZ-fenixzone, some years ago they attacked all latin american servers on hosted tab with similar shit that is happening now and they were blacklisted in samp, their servers removed from hosted and internet tab. When this shit starts yesterday, on hosted tab was only a few servers, big servers from Rusia and of course all FZ servers, only they were not affected in start.
Reply

Quote:
Originally Posted by Paulice
Посмотреть сообщение
Whoever is experiencing this issue and wants to create a solution, PM me! All I need is access to a blank public server being flooded 24/7, I have an idea in mind that just may work.

Just need one person. You'll receive the solution with no charge!
Whatever you would like to do locally on a samp server will 99% likely not work, sorry for disappointing you.

What's happening, and what is been explained above, is network related UDP traffic. These are things that has to be sorted out before reaching the server. Unless you can somehow change the way the servers report status to the Internet and/or hosted tab client wise.
Reply

A good way of fighting this attacks is to go outside and have fun alongside with that saying bye to SAMP
Thank me later for the solution!

This is where we see that Kalcor needs to update SAMP and make everything more secure, even if it's just a security update with some add-ons, it'd be enough for everyone.
But we see that's not near to happening, Kalcor gave up on SAMP and left it here. Like this. The playerbase will start dropping until there's a total of 10 servers and 100 players globally, until it dies, sad but true if there is no update in the near future.

OT: Keeping the calm and giving solutions alongside everyone will only make it better for everyone, attackers will get bored at one point and stop this shit, until then, we only have to wait and co-operate.
Reply

Quote:
Originally Posted by Th3_P4dr1n0
Посмотреть сообщение
It's FZ-fenixzone, some years ago they attacked all latin american servers on hosted tab with similar shit that is happening now and they were blacklisted in samp, their servers removed from hosted and internet tab. When this shit starts yesterday, on hosted tab was only a few servers, big servers from Rusia and of course all FZ servers, only they were not affected in start.
This attack is different from the attack performed by the FZ-fenixzone server!

This attack is totally spoofed!

The attack performed by the FZ-fenixzone server was of simple mitigation my firewall kept several servers protected!

I'm about to get an effective solution against this current attack ..

Tip: the attacker sends the 4 querys followed and after sending the connection packet,
A normal client sends the 4 querys packages and more than 1 second then sends the connection packet !!

It is possible to drop the connection packet, which causes more damage to the server!
Reply

Код:
/*==============================================================================


[14:52:11]     Southclaw's Scavenge and Survive
[14:52:11]         Copyright © 2016 Barnaby "Southclaw" Keene
[14:52:11]         This program comes with ABSOLUTELY NO WARRANTY; This is free software,
[14:52:11]         and you are welcome to redistribute it under certain conditions.
[14:52:11]         Please see <http://www.gnu.org/copyleft/gpl.html> for details.
[14:52:11] 

==============================================================================*/


[14:52:11] Number of vehicle models: 25
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.61.67.228:44887 requests connection cookie.
[14:52:11] [connection] 180.61.67.228:44887 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 180.46.92.92:1972 requests connection cookie.
[14:52:11] [connection] 180.46.92.92:1972 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.63.193.170:42110 requests connection cookie.
[14:52:11] [connection] 186.63.193.170:42110 requests connection cookie.
[14:52:11] [connection] 180.251.27.193:60113 requests connection cookie.
my beloved server its now since 2 days under this attack, and so many dudes are waiting for play...
Reply

Quote:
Originally Posted by PrettyDiamond
Посмотреть сообщение
Код:
/*==============================================================================


[14:52:11]     Southclaw's Scavenge and Survive
[14:52:11]         Copyright © 2016 Barnaby "Southclaw" Keene
[14:52:11]         This program comes with ABSOLUTELY NO WARRANTY; This is free software,
[14:52:11]         and you are welcome to redistribute it under certain conditions.
[14:52:11]         Please see <http://www.gnu.org/copyleft/gpl.html> for details.
[14:52:11] 

==============================================================================*/


[14:52:11] Number of vehicle models: 25
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 190.66.153.175:27235 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 181.242.57.250:22535 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 200.30.138.232:35033 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 190.168.153.148:38613 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 181.64.222.217:6151 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.51.141.252:3175 requests connection cookie.
[14:52:11] [connection] 180.61.67.228:44887 requests connection cookie.
[14:52:11] [connection] 180.61.67.228:44887 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 180.66.235.35:8449 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 186.163.84.157:17574 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 181.14.68.214:23391 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 180.26.159.64:56138 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 181.207.44.244:61339 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 200.17.9.205:40966 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.70.19.176:1198 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 181.247.93.253:18388 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 180.33.169.219:22543 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 190.237.112.18:21120 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 181.176.107.54:35706 requests connection cookie.
[14:52:11] [connection] 180.46.92.92:1972 requests connection cookie.
[14:52:11] [connection] 180.46.92.92:1972 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.15.25.14:30496 requests connection cookie.
[14:52:11] [connection] 186.63.193.170:42110 requests connection cookie.
[14:52:11] [connection] 186.63.193.170:42110 requests connection cookie.
[14:52:11] [connection] 180.251.27.193:60113 requests connection cookie.
my beloved server its now since 2 days under this attack, and so many dudes are waiting for play...
I'm doing my best to test the firewall I developed this afternoon!

If I get success I will make it available in github!
Reply

Can confirm this is happening on our server also, same ips etc, taken multiple steps to defending against it but nothing possible via server script/firewall. this issue is a samp issue and needs to be addressed.
Reply

Quote:
Originally Posted by Christofski
Посмотреть сообщение
Can confirm this is happening on our server also, same ips etc, taken multiple steps to defending against it but nothing possible via server script/firewall. this issue is a samp issue and needs to be addressed.
Really is, this has happened for more than 1 year, but now they have found hosting that allow spoofed and it is almost impossible to block ...
Reply

Quote:
Originally Posted by denNorske
Посмотреть сообщение
Whatever you would like to do locally on a samp server will 99% likely not work, sorry for disappointing you.

What's happening, and what is been explained above, is network related UDP traffic. These are things that has to be sorted out before reaching the server. Unless you can somehow change the way the servers report status to the Internet and/or hosted tab client wise.
I stand in that 1%. Offer still stands!
Reply

No one can disagree on this not being annoying. but once again it just seems to bring up the now old aged question of "Where is Kalcor?"

Most other Multiplayer communities you would atleast have a response from someone high up about the problem atleast acknowledging it or suggestion idea's on how to help the community.
But sadly here its seemed to of become the norm for server owners just to bite their lip and get on with it.

Sad really, From seeing this community in 2007 to now. Alots changed, In in attitudes more than anything.

Anyway, Hope there's a help in hand soon or idea's on how to prevent from fellow members. Cos i sure need something because i'm all out of idea's.
Reply

Why would the attacker(s) give up, when "the attacker(s)" is(are) enjoying that all of you are discussing about "the attacker(s)" and how to protect your server. The "the attacker(s)" now already knows how to do it.
Reply

Quote:
Originally Posted by Paulice
Посмотреть сообщение
I stand in that 1%. Offer still stands!
Just post what you think might work rather than have it as an offer.
Reply

Is it weird that I want someone to attack a server of mine to be able to create a solution? No-one is cooperating on the previous offer. Someone able to, please PM me!
Reply

Hello with great effort after 7 hours analyzing the traffic of this attack managed to significantly minima it!

Protection from attack! https://sampforum.blast.hk/showthread.php?tid=639962
Reply

Can you create this also for a Windows server?
Reply

if samp was querying the servers instead of clients (so clients are just viewers) would that "fix" the problem?
Reply

Quote:
Originally Posted by wallee
Посмотреть сообщение
if samp was querying the servers instead of clients (so clients are just viewers) would that "fix" the problem?
It's more likely to work yes. Or if the servers reported their status to a masterlist directly, avoiding the problems regarding UDP packets drowning in requests

But there again, this is kalcor stuff to sort out. I am not sure what else to do, it's difficult to distinguish the fake packets :/
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)