I got a notice this morning from my host informing me that the OC machine was involved in a DDoS attack. So I check the logs and it seems it indeed was. I update Windows sec patches, run a bot killer that detected a modification in a DLL and repaired that. The original guy that complained was from France, and included a log from his server. His server IP is for the UIF GTA SA server. A multiplayer server for GTA San Andreas for the PC. I then flip on a packet sniffer just to make sure my machine isn't doing anything nefarious, and see all this incoming traffic and the UIF SA server IP is one of the IPs. The catch is, they are hammering ports 27960,27961... which is for Q3.
At this point I'm thinking they are retaliating. Well I find my way onto some GTA IRC networks, and I run into a guy who informs me that it is botnet related. Myself and the UIF users are both victims in a botnet DDoS redirect, where our game servers are being used as mirrors, or means to reflect DDoS packets to other sources. That being said, OC's Q3 servers are temporarily shutdown. The master list and DNS app are still running, but our own hosted servers are down for the moment. Obviously this isn't just a problem for OC's servers but for all users, and the DC Quake 3 community as a whole. We should use this thread to research and find solutions to running a DC Q3 server that can't be exploited and used as part of a botnet. Post your findings and/or links. Here is a start: http://www.quake.ie/blogs/rawshark/preventing-ddos-attacks-quake-3-server.php
_________________ I'm already numero uno on Dark Helmet's hit list...
||||
|
||||
|
||||
Things are looking grim. OC's game server is completely unusable right now and is getting hammered by a massive DRDoS amplification swarm. While I have the Q3 servers shutdown, OC's IP address is already in the loop and the server is going to continue to get hammered by inbound traffic. I basically have no choice but to get a new IP address or cancel the service.
Even if I switch to another IP or server, all it takes is someone putting OC's IP into gametracker.com again, and then we are right back to where we are now. This is very bad.
_________________ I'm already numero uno on Dark Helmet's hit list...
||||
|
||||
lordnikon wrote:
I basically have no choice but to get a new IP address or cancel the service.
Even if I switch to another IP or server, all it takes is someone putting OC's IP into gametracker.com again, and then we are right back to where we are now. This is very bad.
Oh wow. So that leaves canceling the service as the only option?
||||
|
||||
That's not the real bad part about all of this. It's that anyone's hosted server can be absorbed into such Reflective DDoS attacks. If your Q3 server is running on your home connection, and it gets detected by the attack, tons of other servers involved will start hammering your internet connection. Even if you block your ports and the IPs, the data keeps coming in assuming your servers are just down and will eventually come back online.
Not only can you no longer play Quake, but your internet connection is going to be horribly slow. The only *slight* fix I've seen is to host on Linux and use some IPTables configs. However this just prevents your machine from reflecting data. It still doesn't prevent the swarm from detecting your machine, targeting it, and hammering it with data. This is the list of preventative steps I have come up with thus far:
I have put in a request to change the IP Address on OC's server. If you are pointing your Q3 server to master.onlineconsoles.com, you won't need to do a thing. However users using OC's DNS will need to update their DC's primary DNS IP. Info will be posted in the News as soon as this switch takes place. Also, any research/ideas that you guys might have, please reply. This is a pretty serious problem.
_________________ I'm already numero uno on Dark Helmet's hit list...
||||
|
||||
I hope this can get resolved. I just recently got Q3 and was looking forward to playing online and now this
|
||||
I haven't played online in a while. I've been thinking about it lately. And for this to happen? Lame. :/
|
||||
I have obtained a new IP Address for our game server. I will be posting a news announcement later today so you guys can update your DNS on your DCs to reach the master list. If your Q3 server was previously pointing to OC's master.onlineconsoles.com, then you don't need to do anything. The IP will assign to the domain and your server should be listed in the master list as soon as the switch has been made.
Note: OC will only be hosting a Q3 master list for the moment. Users will have to step up and host more Q3 arena servers as outlined above. Keep your servers out of gametracker.com as well.
_________________ I'm already numero uno on Dark Helmet's hit list...
||||
|
||||
Wow, this is all very surprising, and rather unfortunate
Please keep us posted Nikon.
||||
|
||||
are there any updates on this issue? i hope this doesn't essentially render online play useless for quake 3. i was really hoping i could start playing this on DC again online.
|
||||
Any word yet on the new IP? I'm looking to get some Quake in...
|
||||
This "exploit" has become an annoyance. All Quake engine based games are vulnerable. Call of Duty 4 servers were used in the past for this kind of attack, but now there is a fix for the cod4 Linux servers and they start to use other gameservers. Still no patch from ID software, but they shut down the masterservers for Q1, Q2, Q3, RTCW, and ET.
I suggest checking out the icculus mailing list for very good Linux iptables rules that at least stop the outgoing traffic.
_________________ http://members.multimania.co.uk/fall3/ 4x4Evo http://fallout.bplaced.net Linux for the masses
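As an added example (not code from this thread, the linked article or the icculus list), here is one way a server, or a filter in front of it, can refuse to act as a reflector: a per-source token bucket on the connectionless status queries. The command names `getstatus` and `getinfo`, the rate and burst values, and all packets and addresses are assumptions constructed for the example.

```python
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"             # Quake 3 connectionless-packet marker
QUERY_COMMANDS = {b"getstatus", b"getinfo"}  # unauthenticated queries answered with a larger reply

def parse_oob_command(payload):
    """Return the command word of a connectionless packet, or None."""
    if not payload.startswith(OOB_PREFIX):
        return None
    words = payload[len(OOB_PREFIX):].split(None, 1)
    return words[0] if words else None

class QueryLimiter:
    """Per-source token bucket: `rate` replies per second, `burst` replies back to back."""
    def __init__(self, rate=1.0, burst=3):
        self.rate, self.burst = rate, burst
        self.buckets = {}                    # src_ip -> (tokens, time last seen)

    def allow(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

def should_reply(limiter, src_ip, payload, now):
    """Rate-limit status queries; other traffic is outside this filter's scope."""
    if parse_oob_command(payload) in QUERY_COMMANDS:
        return limiter.allow(src_ip, now)
    return True

def replay(packets, rate=1.0, burst=3):
    """Feed (time, src_ip, payload) tuples through the limiter; count replies per source."""
    limiter, replies = QueryLimiter(rate, burst), defaultdict(int)
    for now, src, payload in packets:
        if should_reply(limiter, src, payload, now):
            replies[src] += 1
    return dict(replies)

def constructed_traffic():
    """Constructed sample: one flooded (spoofed) source and one ordinary server browser."""
    flood = [(k / 64, "203.0.113.10", OOB_PREFIX + b"getstatus") for k in range(128)]
    browser = [(t, "198.51.100.7", OOB_PREFIX + b"getinfo xyz") for t in (0.0, 5.0, 10.0, 15.0)]
    return sorted(flood + browser)

if __name__ == "__main__":
    print(replay(constructed_traffic()))
```

Because the source address on a reflected query is the victim's, the per-source bucket caps what any one victim receives from this server. It does nothing about inbound traffic, which is the limitation described in the posts above.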
||||
|
||||
It's almost unrealistic to expect any sort of patch from ID isn't it? Besides Quake Live, isn't the idtech3 engine dead to ID software at this point?
|
||||
mattdc wrote:
Any word yet on the new IP? I'm looking to get some Quake in...
Yes I have acquired a new IP Address and will be making an announcement shortly. I will have this all sorted out no later than Thursday evening. Thanks for being patient.
gRimGrAvY014 wrote:
It's almost unrealistic to expect any sort of patch from ID isn't it? Besides Quake Live, isn't the idtech3 engine dead to ID software at this point?
There isn't going to be any support from any company as this isn't a new issue. It has been around for a long time. There were reports of this on Slashdot back in 2003. The only real solution that I know of is to use our wits to try and mitigate the impact of such a problem.
_________________ I'm already numero uno on Dark Helmet's hit list...
||||
|
||||
The only hope I see for a patch is that the people who maintain the ioquake3 engine develop one. (Ioquake being the community made enhanced engine when idtech3 was released under the GPL.)