lordnikon
rank 86
Posted:
Sun Jun 24, 2012 5:12 pm
quote : #1
profile : pm
Posts: 5889
Type: NTSC-U/C
I got a notice this morning from my host informing me that the OC machine was involved in a DDoS attack. So I check the logs and it seems it indeed was. I update Windows sec patches, run a bot killer that detected a modification in a DLL and repaired that. The original guy that complained was from France, and included a log from his server. His server IP is for the UIF GTA SA server. A multiplayer server for GTA San Andreas for the PC. I then flip on a packet sniffer just to make sure my machine isn't doing anything nefarious, and see all this incoming traffic and the UIF SA server IP is one of the IPs. The catch is, they are hammering ports 27960,27961... which is for Q3.

At this point I'm thinking they are retaliating. Well I find my way onto some GTA IRC networks, and I run into a guy who informs me that it is botnet related. Myself and the UIF users are both victims in a botnet DDoS redirect, where our game servers are being used as mirrors, or means to reflect DDoS packets to other sources.

That being said, OC's Q3 servers are temporarily shut down. The master list and DNS app are still running, but our own hosted servers are down for the moment.

Obviously this isn't just a problem for OC's servers but for all users, and the DC Quake 3 community as a whole.

We should use this thread to research and find solutions to running a DC Q3 server that can't be exploited and used as part of a botnet. Post your findings and/or links. Cool

Here is a start:
http://www.quake.ie/blogs/rawshark/preventing-ddos-attacks-quake-3-server.php
  _________________
I'm already numero uno on Dark Helmet's hit list...
link85
rank 3
Posted:
Tue Jun 26, 2012 12:38 pm
quote : #2
profile : pm
Posts: 17
Sad
 
lordnikon
rank 86
Posted:
Tue Jun 26, 2012 3:09 pm
quote : #3
profile : pm
Posts: 5889
Type: NTSC-U/C
Things are looking grim. OC's game server is completely unusable right now and is getting hammered by a massive DRDoS amplification swarm. While I have the Q3 servers shut down, OC's IP address is already in the loop and the server is going to continue to get hammered by inbound traffic. I basically have no choice but to get a new IP address or cancel the service.

Even if I switch to another IP or server, all it takes is someone putting OC's IP into gametracker.com again, and then we are right back to where we are now.

This is very bad.
  _________________
I'm already numero uno on Dark Helmet's hit list...
everynewday84
rank 12
Posted:
Tue Jun 26, 2012 9:40 pm
quote : #4
profile : pm
Posts: 196
Type: NTSC-U/C
lordnikon wrote:
I basically have no choice but to get a new IP address or cancel the service.

Even if I switch to another IP or server, all it takes is someone putting OC's IP into gametracker.com again, and then we are right back to where we are now.

This is very bad.


Oh wow. So that leaves canceling the service as the only option? Confused
 
lordnikon
rank 86
Posted:
Wed Jun 27, 2012 6:26 am
quote : #5
profile : pm
Posts: 5889
Type: NTSC-U/C
That's not the real bad part about all of this. It's that anyone's hosted server can be absorbed into such Reflective DDOS attacks. If your Q3 server is running on your home connection, and it gets detected by the attack, tons of other servers involved will start hammering your internet connection. Even if you block your ports and the IPs, the data keeps coming in assuming your servers are just down and will eventually come back online.

Not only can you no longer play Quake, but your internet connection is going to be horribly slow.

The only *slight* fix I've seen is to host on Linux and use some IPTables configs. However this just prevents your machine from reflecting data. It still doesn't prevent the swarm from detecting your machine, targeting it, and hammering it with data.

This is the list of preventative steps I have come up with thus far:

  • OC would have to host a Q3 master list only. I don't have the money to rent a second server. So the community will have to be relied on more for hosting Q3 servers.

  • Host Q3 servers when you are going to play Q3, and then shut them down when you are done playing. This might be a better option for people on home connections who can't run a server all the time.

  • Host Q3 servers on Linux, using IP Tables to prevent servers from being used to reflect DDoS packets (I'll provide scripts soon.)

  • Use non-standard ports for hosting. I don't even know if this will do anything at all. Maybe it will just prevent your server from being picked up in a port scan as running Q3 under default ports like 27960, 27961, etc.

  • Stop listing servers in gametracker.com! This will be impossible to enforce, and I know people want to see how many people are on a server without having to power on a game console, but all hackers have to do is scrape a list of known servers off gametracker.com, drop them into their DDoS list of IPs and then they have tons of bandwidth at their disposal without having to infect a single machine.


I have put in a request to change the IP Address on OC's server. If you are pointing your Q3 server to master.onlineconsoles.com, you won't need to do a thing. However users using OC's DNS will need to update their DC's primary DNS IP. Info will be posted in the News as soon as this switch takes place.

Also, any research/ideas that you guys might have, please reply. This is a pretty serious problem.
  _________________
I'm already numero uno on Dark Helmet's hit list...
WildCard
rank 5
Posted:
Wed Jun 27, 2012 5:00 pm
quote : #6
profile : pm
Posts: 38
Type: NTSC-U/C
I hope this can get resolved. I just recently got Q3 and was looking forward to playing online and now this Sad
 
Metal Hedgehog
rank 11
Posted:
Thu Jun 28, 2012 5:02 pm
quote : #7
profile : pm
Posts: 159
I haven't played online in a while. I've been thinking about it lately. And for this to happen? Lame. :/
 
lordnikon
rank 86
Posted:
Fri Jun 29, 2012 1:09 pm
quote : #8
profile : pm
Posts: 5889
Type: NTSC-U/C
I have obtained a new IP Address for our game server. I will be posting a news announcement later today so you guys can update your DNS on your DC's to reach the master list. If your Q3 server was previously pointing to OC's master.onlineconsoles.com, then you don't need to do anything. The IP will assign to the domain and your server should be listed in the master list as soon as the switch has been made.

Note: OC will only be hosting a Q3 master list for the moment. Users will have to step up and host more Q3 arena servers as outlined above. Keep your servers out of gametracker.com as well.
  _________________
I'm already numero uno on Dark Helmet's hit list...
gRimGrAvY014
rank 26
Posted:
Sun Jul 01, 2012 1:48 am
quote : #9
profile : pm
Posts: 548
Type: NTSC-U/C
Wow, this is all very surprising, and rather unfortunate Confused

Please keep us posted Nikon.
 
ncman071
rank 3
Posted:
Tue Jul 03, 2012 10:33 am
quote : #10
profile : pm
Posts: 18
Are there any updates on this issue? I hope this doesn't essentially render online play useless for Quake 3. I was really hoping I could start playing this on DC again online.
 
mattdc
rank 1
Posted:
Tue Jul 03, 2012 6:40 pm
quote : #11
profile : pm
Posts: 1
Type: NTSC-U/C
Any word yet on the new IP? I'm looking to get some Quake in...
 
fallout
rank 16
Posted:
Wed Jul 04, 2012 1:56 pm
quote : #12
profile : pm
Posts: 278
Type: PAL
This "exploit" has become an annoyance. All Quake engine based games are vulnerable. Call of Duty 4 servers were used in the past for this kind of attack, but now there is a fix for the dod4 Linux servers and they start to use other game servers. Still no patch from ID Software, but they shut down the master servers for Q1, Q2, Q3, RTCW, and ET.

I suggest checking out the icculus mailing list for very good linux iptable rules that at least stop the outgoing traffic
  _________________
http://members.multimania.co.uk/fall3/ 4x4Evo
http://fallout.bplaced.net
Linux for the masses
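Added example, not taken from this thread, the icculus mailing list, or lordnikon's promised scripts: one way to write the kind of iptables rule posts #5 and #12 describe, limiting how many Q3 status replies a Linux host will send toward any single source address. The chain name `Q3QUERY`, the limits of 2/second with a burst of 5, and the `apply` argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment that rate-limits
# Quake 3 status queries per source address. Values are illustrative.

# q3_rules PORTS RATE BURST
#   PORTS  comma-separated UDP ports the Q3 servers listen on
#   RATE   queries per second accepted from one source address
#   BURST  short burst allowed before the limit applies
q3_rules() {
    ports=$1
    rate=$2
    burst=$3
    echo '*filter'
    echo ':Q3QUERY - [0:0]'
    # Connectionless Q3 queries start with four 0xFF bytes followed by the
    # command name; only those packets are sent to the limiter chain, so
    # normal gameplay traffic is untouched. -I puts the rules ahead of any
    # existing rule that accepts the game ports.
    for cmd in getstatus getinfo; do
        printf '%s\n' "-I INPUT -p udp -m multiport --dports $ports -m string --algo bm --hex-string \"|ffffffff|$cmd\" -j Q3QUERY"
    done
    # In a reflection attack the query's source address is forged to be the
    # victim's, so a per-source limit caps what this host sends to any one
    # victim. It does not reduce the inbound flood itself.
    printf '%s\n' "-A Q3QUERY -m hashlimit --hashlimit-name q3query --hashlimit-mode srcip --hashlimit-above $rate/second --hashlimit-burst $burst -j DROP"
    echo '-A Q3QUERY -j RETURN'
    echo 'COMMIT'
}

# Run as root with the argument "apply" to load the rules for the default
# ports named in the first post; --noflush leaves existing rules in place.
if [ "${1:-}" = "apply" ]; then
    q3_rules "27960,27961" 2 5 | iptables-restore --noflush
fi
```

Without `apply`, the script only defines `q3_rules`, so the generated rules can be printed and reviewed before they are loaded.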
gRimGrAvY014
rank 26
Posted:
Fri Jul 06, 2012 9:20 am
quote : #13
profile : pm
Posts: 548
Type: NTSC-U/C
It's almost unrealistic to expect any sort of patch from ID isn't it? Besides Quake Live, isn't the idtech3 engine dead to ID software at this point?
 
lordnikon
rank 86
Posted:
Tue Jul 10, 2012 11:16 am
quote : #14
profile : pm
Posts: 5889
Type: NTSC-U/C
mattdc wrote:
Any word yet on the new IP? I'm looking to get some Quake in...

Yes I have acquired a new IP Address and will be making an announcement shortly. I will have this all sorted out no later than Thursday evening. Thanks for being patient. Smile

gRimGrAvY014 wrote:
It's almost unrealistic to expect any sort of patch from ID isn't it? Besides Quake Live, isn't the idtech3 engine dead to ID software at this point?

There isn't going to be any support from any company as this isn't a new issue. It has been around for a long time. There were reports of this on slashdot back in 2003. The only real solution that I know of is to use our wits to try and mitigate the impact of such a problem.
  _________________
I'm already numero uno on Dark Helmet's hit list...
Favrenation
rank 9
Posted:
Tue Jul 10, 2012 6:11 pm
quote : #15
profile : pm
Posts: 106
Type: NTSC-U/C
The only hope I see for a patch is that the people who maintain the ioquake3 engine develop one. (Ioquake being the community made enhanced engine when idtech3 was released under the GPL)
 