DDoS attack from Wolfenstein ET Servers. Developers, please fix the exploit.


(bottiger) #1

My website was just attacked by a 1000+ Mbit DDoS attack, nearly all of it from Wolfenstein ET servers.

This is probably a reflected DDoS attack where the attacker sends a small query to all the Wolfenstein servers and spoofs my IP, so all your servers spam data back to my server.

If you are an ET server owner, you should be worried about this because it uses up your bandwidth and causes lag on your servers too. Not to mention it could be used against you.

If you are a developer, you can fix this by limiting the number of replies per second to something sane like 20 replies per second.


(BigBear) #2

Yeah, I discreetly provided a new utility to the W:ET community yesterday… and surprise… ??

My dedicated server 213.246.52.36 is now under attack from these IPs:

188.138.88.197
213.108.29.23
78.46.108.196
78.80.32.60
80.243.98.181

Yeah, thanks !!!

I do not think this attack is a coincidence…
If someone has the skill to trace who is doing that, I would thank him a lot! :slight_smile:


(NovaPrime) #3

this is why I never post my IP or server name anymore on sites where modders and programmers frequent

you UK fellows have too much time on your hands and hacking seems to be a raw talent :smiley:


(schnoog) #4

Big Bear, the first IP you list is the tracker server of splatterladder (and mine).
I don't drive any attacks (I think you'll believe my words).
The second in the list is AFAIK (but I'm not sure about it) trackbase.net.

For sure neither paul nor I are interested in spoiling any gameserver.

Can you provide some information which kind of attack was performed against your server?

Maybe a tcpdump or similar (currently 6 servers are listed with your IP, so a maximum of 12 getstatus requests from SL should arrive per minute).

Kind regards
Schnoog

p.s.: THX for the PM, just noticed it. Am I allowed to share it over wolffiles filebase?


(BigBear) #5

Thank you for your answer :wink:

1) I will not teach you that IPs can be faked, and I am surprised you think it was necessary to say it, because we all know IPs can be faked :o

But generally attackers cannot always completely hide their origin from skilled persons.
In that case, because your IP is faked, I think you have an interest in checking who can perhaps do that?
I am sure you have skilled friends in your circle…

2) And how can I know it is your server?

I have just tried that website to check the IP origin:

I can just say that today this was reported by that script:

http://et-zone.de/downloads/?action=download&id=14

188.138.88.197
213.108.29.23
63.239.170.8
80.243.98.181
89.176.131.236

I am sorry, but I think that script works well; as for the IPs, they can be faked, you know it?
That is not a reason to become angry over some IPs (I am sure you are not attacking my server :slight_smile:

I have provided ClearCache to some persons (most of them are MOD coders); you are the only one that has answered (here), and only angrily…

Most of the time I am only attacked here by some people… and when I post here, the next day my servers are always under attack: this is not a dream but a fact.

Yes, you can provide ClearCache to all :slight_smile:
Why? Because the attackers do not want me to distribute it to make the servers of other MasterFloors perhaps more stable…

But in the future I am not sure I will be interested in providing more.

Because I am not here to make persons angry, and in fact the W:ET players that come here are very rare… there is no advertising interest for attracting players :wink:

I say it to other MasterFloors: most of the time, when you post here, you risk just getting problems in return; most of the time!

But be sure I do not forget on the other side the persons that have helped me in the past :slight_smile:

Have Fun !


(schnoog) #6

BigBear, maybe I wrote the wrong words.
I was never angry, believe me mate :slight_smile:
I'm very sorry if it sounded to you like I'm angry.

For me, you're a friendly guy. If I ever meet you in real life, for sure we'll have a lot of fun :slight_smile:


(Patriotqube) #7

I'm sure lots of W:ET people still use this site mate :slight_smile: I'm not advertising that much here atm, but that's just because I don't think it will help getting new people into our group :slight_smile:

New tools that can help us secure our servers are always welcome

and as schnoog said

Thx to both of you for keeping interest up :wink:


(OldMan2011) #8

Yes this is a known problem.
One option for Server Admin, read this:

http://www.wolffiles.de/index.php?forum-showposts-44-p7#597


(bottiger) #9

[QUOTE=Old Man;391781]Yes this is a known problem.
One option for Server Admin, read this:

http://www.wolffiles.de/index.php?forum-showposts-44-p7#597[/QUOTE]

That is good, but the developers need to patch it so people aren’t required to stumble upon this forum to fix it.

It should only take the programmers 15 minutes to make a feature to record the time the last 20 replies were sent, and if it is within the same second, just ignore extra requests.
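The engine-side fix bottiger sketches in posts #1 and #9 (cap the getstatus replies per second and ignore the rest), written out as an added C example. This is not code from the thread, from the W:ET source, or from any released engine patch. It generalizes the proposal to a per-source leaky bucket, because a single global counter would let a spoofed flood starve every legitimate server browser as well; the function names, table size and constants are assumptions, and the two traffic scenarios in main() are constructed.

```c
/* Added example (not from the thread or the W:ET engine): per-source
 * rate limiting of UDP "getstatus" replies. All names and constants here
 * are assumptions chosen for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS         1024   /* size of the per-source table (assumed) */
#define REPLIES_PER_SEC 20     /* sustained replies per source per second (post #1) */
#define BURST           20     /* replies a fresh source may get back-to-back */

typedef struct {
    uint32_t addr;     /* IPv4 source address; 0 marks an unused slot */
    int64_t  last_ms;  /* time up to which refill has already been credited */
    int      tokens;   /* replies still allowed right now */
} bucket_t;

static bucket_t table[BUCKETS];

/* Forget all tracked sources (used by the demo and the tests). */
void getstatus_reset(void)
{
    memset(table, 0, sizeof table);
}

/* Returns 1 if a getstatus query from addr arriving at now_ms should be
 * answered, 0 if it should be silently dropped. Leaky bucket per source:
 * BURST tokens to start, REPLIES_PER_SEC tokens earned per elapsed second,
 * never more than BURST stored. A hash collision simply evicts the older
 * source, which is acceptable for a best-effort limiter. */
int getstatus_allowed(uint32_t addr, int64_t now_ms)
{
    bucket_t *b = &table[(addr * 2654435761u) % BUCKETS];

    if (b->addr != addr) {             /* new source, or slot reused by another one */
        b->addr    = addr;
        b->last_ms = now_ms;
        b->tokens  = BURST;
    } else {
        int64_t earned = (now_ms - b->last_ms) * REPLIES_PER_SEC / 1000;
        if (earned > 0) {
            int64_t total = b->tokens + earned;
            b->tokens   = (total > BURST) ? BURST : (int)total;
            /* advance only by the whole tokens paid out, keeping the remainder */
            b->last_ms += earned * 1000 / REPLIES_PER_SEC;
        }
    }
    if (b->tokens <= 0)
        return 0;
    b->tokens--;
    return 1;
}

/* Feed n queries from addr, interval_ms apart, starting at start_ms,
 * and return how many of them would be answered. */
int answered_count(uint32_t addr, int64_t start_ms, int64_t interval_ms, int n)
{
    int answered = 0;
    for (int i = 0; i < n; i++)
        answered += getstatus_allowed(addr, start_ms + (int64_t)i * interval_ms);
    return answered;
}

int main(void)
{
    getstatus_reset();
    /* Constructed scenario: 1000 queries carrying one spoofed victim address
     * within a single second. Only 39 replies leave the server (20 burst +
     * 19 earned at 50 ms intervals); the other 961 are dropped. */
    printf("flood:  %d of 1000 answered\n", answered_count(0x0A000001u, 0, 1, 1000));
    /* Constructed scenario: a server browser polling every 500 ms from a
     * different address is unaffected and gets all 10 replies. */
    printf("normal: %d of 10 answered\n", answered_count(0x0A000002u, 0, 500, 10));
    return 0;
}
```

The point of keying on the source address is that the reflected traffic the thread describes all carries the victim's address, so the limiter throttles exactly the replies that would hit the victim while other browsers and trackers keep their normal polling rate. The cost is a bounded table that an attacker cannot grow, which is what makes a fix like this safe to drop into a UDP hot path.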


(OldMan2011) #10

Affects several Q3-engine games, not only ET


(Patriotqube) #11

I'm sorry to say that I can recognize one of the IPs as ours.

What I have done is to add the script made by schnoog and oldman, v1.5, and put a cronjob on it that runs every 3 minutes. Unfortunately, after seeing our IP there, I discovered that even though the script is running every 3 minutes it doesn't update the banlist, kinda weird to me. I had some struggle to get it running because of path issues; maybe I still have.

I have this line at the top of the script:

#!/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/games/getstatus

I have also added these rules to our iptables:

iptables -N CHAIN_GETSTATUS # new chain for getstatus packets
iptables -I INPUT -p udp -m multiport --dports 27960,27961,27962,27963,27964,27965,27966,27967,27968,27969 -m string --string "getstatus" --algo bm --from 30 --to 45 -j CHAIN_GETSTATUS # send UDP getstatus queries on the game ports to that chain
iptables -A CHAIN_GETSTATUS -m hashlimit --hashlimit-above 30/sec --hashlimit-burst 1 --hashlimit-htable-expire 10000 --hashlimit-mode srcip --hashlimit-htable-gcinterval 2300 --hashlimit-name getstatus -j DROP # drop a source's getstatus queries once it exceeds 30/sec; plain --hashlimit (alias of --hashlimit-upto) matches traffic within the limit, so with DROP it would block the first 30/sec and let the flood through

found something about this on the NQ forum

I thought it worked tbh, but if anyone has an idea about why the script doesn't ban when run by cronjob, but does when run manually, I would really appreciate a hand

again sorry for our IP being there


(diaboliksmart) #12

Under crontab, the ".profile" of the user owning the crontab is not executed, so you may need to execute it at the top of the actual script.
When you run it manually, your ".profile" has already been executed at login.
Probably your problem, Patriot.
V55


(Patriotqube) #13

I use webmin to set up the cronjob.

It is run as root and the file is owned by root.

I just updated the script to 1.6 from oldman, which btw looks nice.

Am testing my stuff right now.


(donmichelangelo) #14

[QUOTE=bottiger;391789]That is good, but the developers need to patch it so people aren’t required to stumble upon this forum to fix it.

It should only take the programmers 15 minutes to make a feature to record the time the last 20 replies were sent, and if it is within the same second, just ignore extra requests.[/QUOTE]

It wouldn't be too difficult to release binaries based upon the source code of wolfet in which this exploit is fixed, but such a binary won't be compatible with etpro, since it runs a checksum scan of the wolfet 2.60 binary to check that it's valid and not a modified one.

This solution may work for other mods like jaymod, but that was about it, and as long as not every mod developer - also etpro - starts supporting the open source solution, any new wolfet.exe won't be helpful or useful. It will simply cause a big tohuwabohu among the remaining player base, and at most for new players, if everyone starts with his custom wolfet.exe with super-duper bugfixes and features, if you know what I mean…

From this point of view the iptables solution might then be the better solution :slight_smile:


(acQu) #15

[QUOTE=donmichelangelo;391875]It wouldn't be too difficult to release binaries based upon the source code of wolfet in which this exploit is fixed, but such a binary won't be compatible with etpro, since it runs a checksum scan of the wolfet 2.60 binary to check that it's valid and not a modified one.

This solution may work for other mods like jaymod, but that was about it, and as long as not every mod developer - also etpro - starts supporting the open source solution, any new wolfet.exe won't be helpful or useful. It will simply cause a big tohuwabohu among the remaining player base, and at most for new players, if everyone starts with his custom wolfet.exe with super-duper bugfixes and features, if you know what I mean…

From this point of view the iptables solution might then be the better solution :)[/QUOTE]

I am still waiting for an open source project like this. I had also considered the etplus project, where it would maybe be good to keep backwards compatibility. But I guess this is not going to happen.

Maybe an exe by some experienced team, replacing the etkey problem and fixing a few major bugs in the engine, will do it.


(OldMan2011) #16

[QUOTE=donmichelangelo;391875]It wouldn't be too difficult to release binaries based upon the source code of wolfet in which this exploit is fixed, but such a binary won't be compatible with etpro, since it runs a checksum scan of the wolfet 2.60 binary to check that it's valid and not a modified one.

This solution may work for other mods like jaymod, but that was about it, and as long as not every mod developer - also etpro - starts supporting the open source solution, any new wolfet.exe won't be helpful or useful. It will simply cause a big tohuwabohu among the remaining player base, and at most for new players, if everyone starts with his custom wolfet.exe with super-duper bugfixes and features, if you know what I mean…[/QUOTE]

exactly so it is …


(ETdemin) #17

Hello

we agree that IPs can be spoofed, but when attacks are so strong… can we continue to think they could be spoofed?

Thanks


(schnoog) #18

I found several tools to run such DDoS attacks. All I found have a parameter to set the offender IP address to be spoofed.
And when I have a look at the targets (Royal Bank of Scotland and so on), I doubt this is based on a mad ET clan admin.


(Patriotqube) #19

Yeah, unfortunately it's easy to find the tools to run attacks,

and no, I don't think it's a fellow ET admin doing this.

On a side note, our IP is shown in that graph at the top; that won't happen again, I hope. Our server is being scanned now every minute and traffic exceeding my criteria is dumped. oldman helped me get our system protected.

thx again mate


(razor) #20

Hi

I have the same problems.
Please, does someone have this version of the script for Debian version 6?

http://et-zone.de/downloads/?action=download&id=14

when I try to launch it I get:
getstatus_ban.sh: line 129: `echo > $mygoto/getstatus.ini fi if [ -z $MYDEBUG ] ; then MYDEBUG=1 fi ’
Syntax Error near the unexpected “then”

Thank you