some spect sht on tdm - FLOAD DETECTED

[MadaFakir]

i was playing on tdm when spect attack began
check it if u can

[SKracht]

yea i c it someones flooding with fake clients.


Attack started 11:42 with client ID 339356 (Nick: 1CI4vbIAK) and lasted until 12:01 with client ID 339501 (Nick: IVuhosI1OTT), so 146 bots were connected.
http://www.dswp.de/echelon/clients.php? ... 30.178.187

http://whois.domaintools.com/99.130.178.187
-> http://whois.arin.net/rest/net/NET-99-128-0-0-1
http://www.robtex.com/ip/99.130.178.187.html

i banned one client but that doesnt help, all different GUID, but always one IP (lol?), and looks like AT&T dialup from Indianapolis

how does no iptable rule prevent so many connections from one src?

edit:
so i had nothin better to do than trolling around abit. that machine wasnt running ssh, win service, socks etc. but... 80.

so lets have a look at this, i guess most likely compromised, machine:

[JRandomNoob]

Ain’t it just lovely (UrT forum):

Server COnnection Flooder
Admins: a new tool spotted

[SKracht]

Hm yea I think it doesn't make much traffic but it occupies all slots and i had to join server bye console.

as seen on screenshot...

i googled for something like that, flood tools for urt or q3 server, but found nothing usefull, thx for those links.
this can be easily fixed *imho* but whats the sense of that floodin? why should someone take that effort just to -fill- servers?
Or does it make more traffic than i can imagine?
i dont get the point of this -_-

i didnt do complete scan of that machine just checked a handfull ports, maybe someone gets an deeper nmap inspection on it. i'm pretty sure its a zombie.

[SKracht]

Seems like he is going on, started @ 3:02 tonight and continues since, he is not connecting masses but only a few bots.
new ip ranges:

99.66.79.19
99.70.42.87
99.62.107.38
99.130.207.77
99.130.205.129

looks like he found some realy bad managed piece off hardware overthere.

alphahusky maybe was able to get the real guy, connecting from 84.109.92.101

[wurst]

Hm AFAIK theres no fix for this DOS Attack in the Q3 engine.
The exploit was found (as so often) by Luigi Auriemma, see here:
http://aluigi.altervista.org/poc.htm
He dont release prooves of concept for software wheres no fix.
if someone (who knows C) wanna have it for testing:
send me PM or ask Luigi for help, hes a friendly guy.
BTW. before u go fixing day+night, maybe check the IoQ3 Dev to find friends...

whats left atm: 99.130.192.0/20 as a new firewall rule, his subnet seem to change from time to time.

Whats possible from my POV:
Auto- Firewall these connections. We have always
- multiple clients
- connecting rapidly
- from the same IP
- ping is 999
- theres no GUID (sure)
Its the smaller solution then install this additional bot, plus it should work better...

####EDIT####
just read krachts IP list.
--> corrected to 99.0.0.0/8
we europeans are pinky pussies, thats teh fucking problem. right? good bye texas. say hello to mister bush.

[SKracht]

yep, x connections in x time from 1 ip -> drop. should do it

thx for Luigi link

[HumppaLakki]

btw. Seen the same spec connecting spam tonight on two other servers.

[Ana]

what i noticed on q3 is that when such floader reconnects all the time its usualy the same slot number. so i once did !kick 7 for like 10 minutes til he gave up, since then i couldnt do ip-ban. but be carefull..