Connect flood DOS?


(Chairman Kaga) #1

I had someone attempt a DOS attack against my public ET server tonight. It came in the form of a connect flood:

Client 410 connecting with 300 challenge ping
Client 413 connecting with 200 challenge ping
Client 413 connecting with 200 challenge ping
Client 413 connecting with 200 challenge ping
Client 413 connecting with 200 challenge ping
Client 410 connecting with 300 challenge ping
Client 413 connecting with 200 challenge ping

Multiply that by about 100,000 lines. This went on for a good hour, with about 25 attempts a second on average, occasionally spiking up to 50 or more.

Now, the good news is that the server blithely ignored this attack as it was going on, with gameplay completely unaffected even with a full (20-person) server. So kudos to Splash Damage for making the netcode bright enough to not succumb to this lame sort of behavior.

However, it would be nice if the server did one of two things (preferably both):

  1. Automatically ignore an IP after a series of bogus connection attempts. That way the message doesn’t flood the console logs (which could be a problem if you’re running under a disk quota).

  2. Show the IP in the connection message, so I can blackhole them at my firewall, or perhaps even pursue an investigation.
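As an added example (not from this thread and not Splash Damage's server code), a small rate check over the console line format quoted above. It assumes each console line was prefixed with a Unix timestamp, which ET's own console log does not do, and flags any second with 25 or more challenge-ping connects, the average rate reported in the post.

```python
import re
from collections import Counter

# Console line format quoted in the post. The leading Unix timestamp is an assumption:
# the ET console log has none, so this presumes each line was prefixed with one
# (e.g. by piping the server's stdout through a timestamping tool).
CONNECT_RE = re.compile(
    r"^(?P<ts>\d+) Client (?P<slot>\d+) connecting with (?P<ping>\d+) challenge ping$"
)


def parse_connects(lines):
    """Yield (timestamp, slot) for each 'connecting with ... challenge ping' line."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            yield int(m["ts"]), int(m["slot"])


def detect_flood(lines, per_second_threshold=25):
    """Count challenge-ping connects per second and flag seconds at or over the threshold.

    Returns (flagged, peak): flagged maps each offending second to its count, and
    peak is the highest one-second count seen, so a burst can be told from a flood.
    """
    counts = Counter(ts for ts, _ in parse_connects(lines))
    flagged = {ts: n for ts, n in sorted(counts.items()) if n >= per_second_threshold}
    peak = max(counts.values(), default=0)
    return flagged, peak


# Constructed sample log: two normal seconds, then one second with 30 bogus attempts
# from the same client slot, plus a Userinfo line that must be ignored by the check.
SAMPLE_LOG = (
    ["1100000000 Client 5 connecting with 80 challenge ping",
     "1100000001 Client 6 connecting with 120 challenge ping"]
    + ["1100000002 Client 413 connecting with 200 challenge ping"] * 30
    + ["1100000002 Userinfo: \\name\\someone\\ip\\198.51.100.7:27960"]  # constructed, not a connect line
)

if __name__ == "__main__":
    flagged, peak = detect_flood(SAMPLE_LOG)
    for ts, n in flagged.items():
        print(f"second {ts}: {n} challenge-ping connects (threshold exceeded)")
    print(f"peak rate: {peak}/s")
```

Because the console line carries no source address, this can only raise an alert for the admin to check the firewall or a packet capture; it cannot by itself identify whom to block.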


(spoon) #2

Dig through your console logs. You should see a line that looks like:

Userinfo: \g_password
one\cl_guid\buncha letters and numbers…lots of other stuff…
ame^0[^2KP^0]^2sp^7oo^2n…more stuff…\ip\64.39.1.12:27960

Boom. There’s the IP, the username, and the guid (although I get the impression guid bans aren’t worth much since you can create a new one fairly easily). Might also be something in the punkbuster log files, but I freed up some space tonight after applying the server patch and making sure pb was up to date. :)


(bani) #3

Was it a DOS, or was someone trying a password cracker? I’ve seen q3 password crackers that behave like that, to try to crack the private server passwords.


(Chairman Kaga) #4

Dig through your console logs. You should see a line that looks like:

Userinfo: \g_password
one\cl_guid\buncha letters and numbers…lots of other stuff…
ame^0[^2KP^0]^2sp^7oo^2n…more stuff…\ip\64.39.1.12:27960

Yes, I know about those lines, but they only appear once a client actually starts negotiating with the server. There’s nothing here that correlates with all those bogus connect attempts. All I see in the UserInfo lines are people that were legitimately on the server at the time.

Whatever it was apparently sent the challenge ping packet and nothing else.


(Spookstah) #5

We encountered a DDoS yesterday as well, and because most games use UDP, which is a “connectionless” connection, you won’t find their IPs in the logs (firewall/game server etc.) because they don’t actually connect with the server; you will only see their IP in the server log when they connect with an ET client, and they probably don’t do that.

Here’s a nice graph of our DDoS: