search -  faq -  rulez -  staff

forums






map cycle
irc              pwnalizer
voice         dswp bar




Register

Login


It is currently 12.22.24

 

All times are UTC + 1 hour




Post new topic Reply to topic  [ 9 posts ] 
Author Message
PostPosted: 09.19.11 
Offline
Ingame Mod
User avatar

Joined: 12.28.09
Posts: 139
i was playing on tdm when spect attack began
check it if u can



 


Top
 Profile  
 
PostPosted: 09.19.11 
Offline
Ingame Mod
User avatar

Joined: 05.08.09
Posts: 437
Location: Germany
yea i c it someones flooding with fake clients.


Attack started 11:42 with client ID 339356 (Nick: 1CI4vbIAK) and lasted until 12:01 with client ID 339501 (Nick: IVuhosI1OTT), so 146 bots were connected.
http://www.dswp.de/echelon/clients.php? ... 30.178.187

http://whois.domaintools.com/99.130.178.187
-> http://whois.arin.net/rest/net/NET-99-128-0-0-1
http://www.robtex.com/ip/99.130.178.187.html

i banned one client but that doesnt help, all different GUID, but always one IP (lol?), and looks like AT&T dialup from Indianapolis

how does no iptable rule prevent so many connections from one src?

edit:
so i had nothin better to do than trolling around abit. that machine wasnt running ssh, win service, socks etc. but... 80.

so lets have a look at this, i guess most likely compromised, machine:


You do not have the required permissions to view the files attached to this post.



 


Last edited by SKracht on 09.19.11, edited 1 time in total.

Top
 Profile  
 
PostPosted: 09.19.11 
Offline
DSWP Meme Artist
User avatar

Joined: 12.05.10
Posts: 1852
Location: Estonia
-----tdm:  
nick: WidespreadPanic
skill: 618.539
kills: 12260
deaths: 10971
ratio: 1.11
-----bomb:  
nick: SelfRescuingPrincess
skill: 254.796
kills: 219
deaths: 202
ratio: 1.08
Ain’t it just lovely (UrT forum):

Server COnnection Flooder
Admins: a new tool spotted

_________________
Путін — хуйло

Beginner’s Guide to Urban Terror (woefully out of date)

Daily Deadnade (last updated September 9, 2016)



 


Top
 Profile  
 
PostPosted: 09.19.11 
Offline
Ingame Mod
User avatar

Joined: 05.08.09
Posts: 437
Location: Germany
Hm yea I think it doesn't make much traffic but it occupies all slots and i had to join server bye console.

as seen on screenshot...

i googled for something like that, flood tools for urt or q3 server, but found nothing usefull, thx for those links.
this can be easily fixed *imho* but whats the sense of that floodin? why should someone take that effort just to -fill- servers?
Or does it make more traffic than i can imagine?
i dont get the point of this -_-

i didnt do complete scan of that machine just checked a handfull ports, maybe someone gets an deeper nmap inspection on it. i'm pretty sure its a zombie.


You do not have the required permissions to view the files attached to this post.



 


Top
 Profile  
 
PostPosted: 09.20.11 
Offline
Ingame Mod
User avatar

Joined: 05.08.09
Posts: 437
Location: Germany
Seems like he is going on, started @ 3:02 tonight and continues since, he is not connecting masses but only a few bots.
new ip ranges:

99.66.79.19
99.70.42.87
99.62.107.38
99.130.207.77
99.130.205.129

looks like he found some realy bad managed piece off hardware overthere.

alphahusky maybe was able to get the real guy, connecting from 84.109.92.101



 


Top
 Profile  
 
PostPosted: 09.20.11 
Offline
Godlike
User avatar

Joined: 07.15.08
Posts: 4648
Location: Behind U
-----tdm:  
nick: [dswp]GewitterOma
skill: 1122.83
kills: 25960
deaths: 19847
ratio: 1.30
-----bomb:  
nick: [dswp]GewitterOma
skill: 812.172
kills: 3885
deaths: 3541
ratio: 1.09
Hm AFAIK theres no fix for this DOS Attack in the Q3 engine.
The exploit was found (as so often) by Luigi Auriemma, see here:
http://aluigi.altervista.org/poc.htm
He dont release prooves of concept for software wheres no fix.
if someone (who knows C) wanna have it for testing:
send me PM or ask Luigi for help, hes a friendly guy.
BTW. before u go fixing day+night, maybe check the IoQ3 Dev to find friends...

whats left atm: 99.130.192.0/20 as a new firewall rule, his subnet seem to change from time to time.

Whats possible from my POV:
Auto- Firewall these connections. We have always
- multiple clients
- connecting rapidly
- from the same IP
- ping is 999
- theres no GUID (sure)
Its the smaller solution then install this additional bot, plus it should work better...

####EDIT####
just read krachts IP list.
--> corrected to 99.0.0.0/8
we europeans are pinky pussies, thats teh fucking problem. right? good bye texas. say hello to mister bush.
:D

_________________
Image



 


Top
 Profile  
 
PostPosted: 09.20.11 
Offline
Ingame Mod
User avatar

Joined: 05.08.09
Posts: 437
Location: Germany
yep, x connections in x time from 1 ip -> drop. should do it

thx for Luigi link



 


Top
 Profile  
 
PostPosted: 09.20.11 
Offline
Godlike
User avatar

Joined: 09.01.08
Posts: 1604
-----tdm:  
nick: Make.Them.Fluffy
skill: 986.209
kills: 1115
deaths: 1030
ratio: 1.08
-----bomb:  
nick: Make.Them.Fluffy
skill: 825.312
kills: 2105
deaths: 2476
ratio: 0.85
btw. Seen the same spec connecting spam tonight on two other servers.

_________________
Image



 


Top
 Profile  
 
PostPosted: 09.20.11 
Offline
Godlike
User avatar

Joined: 07.21.08
Posts: 1049
-----tdm:  
nick: Ana
skill: 1097.59
kills: 2163
deaths: 2016
ratio: 1.07
-----bomb:  
nick: Ana
skill: 797.802
kills: 160
deaths: 221
ratio: 0.72
what i noticed on q3 is that when such floader reconnects all the time its usualy the same slot number. so i once did !kick 7 for like 10 minutes til he gave up, since then i couldnt do ip-ban. but be carefull..

_________________
Life is about the people you meet.



 


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 11 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Imprint

Powered by phpBB © 2000, 2002, 2005, 2007, 2008, 2009, 2010 phpBB Group

Skin by Lucas Kane
we use apache2 mod rewrite with phpBB SEO
map train_beta1-100 © 2009 by SteveMcQueen
Statistics Backend + Database by XLR Stats and B3 Bot
mapvote robot and gameserver monitor © 2009 by BlinKy
mumble viewer Copyright © 2008 Dominik Radner (aka Urmel)
mumble switcher and integration © 2008 by XTJ7, Unclefragger and Wursti
Localisation Plugin © 2009, Team Leads Plugin © 2009 and Knifer Plugin © 2009 by SvaRoX
for our stats we use Chart.js Copyright (c) 2013-2015 Nick Downie.
the stats also use some jQuery jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc.



voice server
top 20 players


nameskillkills
-Dws.BLINGBLING*-*1730.63418631
NormaSnockers1865.75400492
Zottel1760.8276378
make.them.suffer1846.17269872
>8v=1825.35230156
moon1777.56195615
sjas1692.49192315
peace1878.86190660
Wagner_Moura1562.9188001
Goomba1859.75182677
z0rn1608.41181016
Mad1803.76179124
[dswp]PLZ1847.85178516
Graf_ZahlIII1835.73167407
Zohan1611.07159737
ubercunt1634.93159240
Yarrr!1917.33156233
I_am_nOOb1909.64151268
Pandageddon1891.75148319
Pirat1664.08145798