Another Banning mechanism

Everything technical and nerdy stuff here plz !

Another Banning mechanism

Postby wurst » 11.30.11

Oki here we are, one Weekend some weeks ago:
NIC down, restart adapter could bring it back up.

Everything normal exept...
Hm...
Wait! Traffic!
status_rrd_graph_img2.png


A closer look on the traffic and Adresses brought strange facts:
1.) The recieved packet has 14 bytes. Content is "getstatus". No way to filter this with snort, every game client does it (when parsing masterlist).
2.) Depending on how full the server is, the size of the answer packet is bigger.
3.) All Floods come with around 1 Mbits, they generate 15-20 Mbits upstream.
2.) Its all BF2 Servers! Battlefield? I didnt find any clear Info about that, the attacked servers are quake3 v. 1.16 (not urban terror)

oki, what to do now?
Snort is not an option, the Packet content is ok. The Number of Packets isnt.
First, i started to collect those IPs manually from Pfsense-Ntop Packet HTML Output.
Lateron i found a REST Api, built a DB backend which records 60Sec averages (which have bigger then 500 Packets/sec incoming)
Overall P/sec Throughput is stored too.
Last thing is a schedule, it saves new IPs every ***** to Firewall (and a separate table)

Ah. Thats the list it collected the last 3 Days:

    109.236.82.149
    109.236.82.181
    141.101.125.235
    17.172.232.128
    173.193.254.106
    173.199.91.39
    173.203.183.173
    173.231.3.184
    174.91.111.108
    176.56.228.36
    176.9.63.244
    182.177.143.49
    188.125.140.19
    193.150.209.233
    195.71.68.33
    199.59.163.38
    204.61.222.58
    205.234.137.219
    208.116.44.116
    208.43.227.56
    208.64.127.48
    209.170.124.203
    210.148.52.182
    212.1.15.12
    212.1.208.54
    213.103.219.155
    213.64.155.236
    213.89.170.104
    213.89.183.254
    216.119.216.188
    216.245.213.202
    217.23.12.122
    217.25.100.100
    217.88.247.23
    24.183.208.71
    24.226.58.219
    46.21.154.182
    46.37.177.194
    50.28.67.28
    62.90.138.114
    64.34.216.132
    64.90.45.202
    65.188.169.27
    65.34.222.211
    66.147.244.84
    66.225.198.130
    66.252.2.90
    66.84.13.92
    67.197.152.21
    67.201.15.20
    67.222.129.248
    68.113.195.133
    68.32.215.245
    69.24.178.242
    70.39.121.221
    71.43.194.194
    72.20.13.77
    72.20.18.1
    72.20.40.77
    72.8.129.1
    72.8.129.19
    72.91.159.209
    74.14.51.221
    74.53.201.162
    74.63.209.212
    74.89.29.33
    75.46.67.92
    76.125.151.240
    76.172.7.77
    78.46.74.18
    80.217.190.214
    80.246.145.185
    81.169.179.102
    81.226.233.112
    82.170.111.113
    85.214.53.51
    85.227.233.141
    85.230.217.129
    85.230.220.96
    85.30.48.7
    86.145.35.242
    89.163.170.18
    89.165.10.202
    89.27.32.59
    89.69.103.2
    89.77.81.150
    91.121.176.210
    91.218.36.6
    91.229.248.13
    93.114.44.164
    94.52.44.211
    95.208.188.212
    95.211.109.94
    97.81.128.139
    98.126.245.107

Now is peace. :mrgreen:
Image
User avatar
wurst
Godlike
 
Posts: 4648
Joined: 07.15.08
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09

Re: Another Banning mechanism

Postby Unclefragger » 11.30.11

so bf2 script kiddies kill q3 servers? 8o

anyways good job!
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding
User avatar
Unclefragger
Godlike
 
Posts: 2006
Joined: 10.14.08
Location: rooftops
-----tdm:  
nick: [dswp]ucf
skill: 472.479
kills: 532
deaths: 332
ratio: 1.60

Re: Another Banning mechanism

Postby wurst » 11.30.11

hm seems they are beeing abused by other skeletor hax kidz

heres btw what i meant with this nerdish description...
Image
Image
User avatar
wurst
Godlike
 
Posts: 4648
Joined: 07.15.08
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09

Re: Another Banning mechanism

Postby natirips » 11.30.11

Honestly, I found the first post much easier to understand than the third one.
ssh natirips@*.255.255.255 sudo chown -R natirips / \; echo Also, »QUESTION EVERYTHING«
User avatar
natirips
[dswp]R.Stallman
 
Posts: 2946
Joined: 04.13.09
Location: Solar System/≈Zagreb
-----tdm:  
nick: [ntr]Shortly
skill: 497.05
kills: 3446
deaths: 4411
ratio: 0.78
-----bomb:  
nick: [ntr]Shortly
skill: 707.602
kills: 526
deaths: 863
ratio: 0.60

Re: Another Banning mechanism

Postby wurst » 11.30.11

thanks...
Image
User avatar
wurst
Godlike
 
Posts: 4648
Joined: 07.15.08
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09

Re: Another Banning mechanism

Postby BEH » 11.30.11

lol, of course.
The 3rd post he made for the 'user' type person, like me - we like to look at pictures.
It almost makes sense to me now. :)
Anyways cool that it is peacetime again. congratz
tiru: i do sounds like an alien
User avatar
BEH
Godlike
 
Posts: 1132
Joined: 03.15.10
Location: Nijmegen

Re: Another Banning mechanism

Postby wurst » 12.01.11

he, apparat collected new addresses...

Code: Select all
"ip";"timestamp"
"195.22.18.149";"2011-12-01 01:37:01"
"184.154.131.170";"2011-12-01 04:04:01"
"98.87.83.52";"2011-12-01 04:10:01"
"216.185.96.243";"2011-12-01 04:29:01"
"95.160.65.184";"2011-12-01 04:46:01"
"209.247.83.121";"2011-12-01 05:16:01"
"216.252.52.100";"2011-12-01 05:20:01"
"90.230.138.205";"2011-12-01 05:50:01"
"83.226.50.48";"2011-12-01 06:10:01"
"74.68.120.57";"2011-12-01 06:18:01"
"83.183.37.82";"2011-12-01 06:36:01"
"109.163.229.22";"2011-12-01 06:59:01"
"91.211.117.14";"2011-12-01 07:20:01"
"85.17.232.163";"2011-12-01 09:45:01"
"65.31.119.129";"2011-12-01 10:06:01"
"220.233.205.158";"2011-12-01 10:31:01"
"121.73.145.94";"2011-12-01 10:53:01"
"81.103.60.227";"2011-12-01 11:35:01"
"124.180.74.144";"2011-12-01 11:54:01"

Image
User avatar
wurst
Godlike
 
Posts: 4648
Joined: 07.15.08
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09

Re: Another Banning mechanism

Postby Crusher » 12.01.11

So the flood continues... just use the BFG9000 to kill them all.
User avatar
Crusher
Godlike
 
Posts: 1602
Joined: 08.30.08
-----tdm:  
nick: Blah
skill: 1113.98
kills: 15850
deaths: 10118
ratio: 1.56
-----bomb:  
nick: I_Play_Games
skill: 734.04
kills: 2551
deaths: 2228
ratio: 1.14

Re: Another Banning mechanism

Postby XTJ7 » 12.01.11

Glad you found a sexy solution for that :)
<XTJ7> !penis
<CuntBot> XTJ7, your penis is 23.3 cm long. 8=========D
<XTJ7> !8ball do i rock?
<CuntBot> XTJ7: OH YEAH !
<BEH> !8ball you lieing too?
<CuntBot> BEH: Totally not.
<BEH> -_-''
User avatar
XTJ7
Kanzlerin
 
Posts: 1063
Joined: 07.24.08
Location: Germany
-----tdm:  
nick: [dswp]xtj7
skill: 753.35
kills: 98
deaths: 95
ratio: 1.03

Re: Another Banning mechanism

Postby wurst » 12.01.11

ah i found the solution to kill existing states in pfsense remotely:

from ./diag_dump_states.php
Code: Select all
/* handle AJAX operations */
if($_GET['action']) {
   if($_GET['action'] == "remove") {
      $srcip  = $_GET['srcip'];
      $dstip  = $_GET['dstip'];
      if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
         $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
         echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
      } else {
         echo "invalid input";
      }
      exit;
   }
}


So im sending this via teh php

Code: Select all
file_get_contents("http://user:******@192.168.x.y/easyrule-getstatusflood.php?action=block&int=wan&src=".$row['ip']);
file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=".$row['ip']."&dstip=192.168.x.z");
file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=192.168.x.z&dstip=".$row['ip']);
Image
User avatar
wurst
Godlike
 
Posts: 4648
Joined: 07.15.08
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09

Next

Who is online

Users browsing this forum: Google [Bot] and 0 guests

Misc