159th_Viper Posted February 2, 2012 Your comments are noted .......... so what? Stay on topic, keep any comments, should you have any further comments to give, constructive, mature and courteous - that's what. You have been warned. Novice or Veteran looking for an alternative MP career? Click me to commence your Journey of Pillage and Plunder! '....And when I get to Heaven, to St Peter I will tell.... One more Soldier reporting Sir, I've served my time in Hell......'
GGTharos Posted February 2, 2012 Do you know the schedule of the attacks? I have seen them happen regularly at around 10-11pm EST, but I can't monitor earlier times. I too see all of this as an attack on Eagle Dynamics. Dedicated server application is long overdue. And it is just getting more and more difficult to host this game. Reminder: SAM = Speed Bump :D I used to play flight sims like you, but then I took a slammer to the knee - Yoda
Case Posted February 2, 2012 Do you know the schedule of the attacks? I have seen them happen regularly at around 10-11pm EST, but I can't monitor earlier times.
Incomplete list of the attacks on the 51st server. Times in UTC+1.
2012-01-27 11:53:55
2012-01-27 11:51:58
2012-01-27 11:50:02
2012-01-27 11:48:05
2012-01-27 11:46:08
2012-01-27 15:52:47
2012-01-28 07:30:45
2012-01-28 07:34:39
2012-01-28 07:36:35
2012-01-28 07:38:32
2012-01-28 07:44:22
2012-01-28 07:46:19
2012-01-28 07:48:16
2012-01-28 07:50:12
2012-01-28 07:52:09
2012-01-28 07:54:06
2012-01-28 14:55:48
2012-01-28 15:39:56
2012-01-28 15:40:38
2012-01-28 22:05:35
2012-01-29 19:09:52
2012-01-29 21:03:20
2012-01-29 22:21:48
2012-01-29 22:43:03
2012-01-30 03:13:53
2012-01-30 09:50:03
2012-01-30 18:45:22
2012-01-30 18:50:54
2012-01-30 20:20:06
2012-01-30 20:20:21
2012-01-30 20:21:07
2012-02-01 12:07:29
2012-02-02 09:08:11
This list is biased as I can not always put the server immediately back online (and get fed up with doing it as well). Most of the attacks which are spaced closely in time originate from the same IP. Some of the IPs of attacks spaced by more than that do show similarities. I can share the IPs on request.
There are only 10 types of people in the world: Those who understand binary, and those who don't.
Case Posted February 2, 2012 It feels like the attacker is least active between 00UTC to 05UTC. You can guess for yourself where on the globe that might place him (after making some assumptions).
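An added example, not part of Case's post or anything from the thread: the script below takes the timestamp list Case posted above (UTC+1), converts it to UTC, builds an hourly histogram, finds the longest run of event-free hours (wrapping past midnight), and groups closely spaced hits into bursts, which Case says tend to share a source IP. The five-minute burst threshold is my assumption, and the input is the incomplete list from the post, so the quiet window it reports reflects only what was logged.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Attack timestamps as posted for the 51st server (UTC+1). Copied from the
# post above; the poster notes the list is incomplete.
RAW_LOCAL_TIMES = """
2012-01-27 11:53:55 2012-01-27 11:51:58 2012-01-27 11:50:02 2012-01-27 11:48:05
2012-01-27 11:46:08 2012-01-27 15:52:47 2012-01-28 07:30:45 2012-01-28 07:34:39
2012-01-28 07:36:35 2012-01-28 07:38:32 2012-01-28 07:44:22 2012-01-28 07:46:19
2012-01-28 07:48:16 2012-01-28 07:50:12 2012-01-28 07:52:09 2012-01-28 07:54:06
2012-01-28 14:55:48 2012-01-28 15:39:56 2012-01-28 15:40:38 2012-01-28 22:05:35
2012-01-29 19:09:52 2012-01-29 21:03:20 2012-01-29 22:21:48 2012-01-29 22:43:03
2012-01-30 03:13:53 2012-01-30 09:50:03 2012-01-30 18:45:22 2012-01-30 18:50:54
2012-01-30 20:20:06 2012-01-30 20:20:21 2012-01-30 20:21:07 2012-02-01 12:07:29
2012-02-02 09:08:11
"""

LOCAL_TZ = timezone(timedelta(hours=1))  # the post gives times in UTC+1


def parse_events(raw: str) -> list:
    """Parse 'YYYY-MM-DD HH:MM:SS' pairs (UTC+1) into sorted, UTC-aware datetimes."""
    tokens = raw.split()
    events = []
    for day, clock in zip(tokens[::2], tokens[1::2]):
        local = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append(local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc))
    return sorted(events)


def hourly_histogram(events) -> Counter:
    """Number of logged attacks per UTC hour of day."""
    return Counter(e.hour for e in events)


def quiet_window(events):
    """Longest run of consecutive UTC hours with no event, wrapping past midnight.

    Returns (start_hour, length_in_hours).
    """
    busy = {e.hour for e in events}
    best = (0, 0)
    for start in range(24):
        length = 0
        while length < 24 and (start + length) % 24 not in busy:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def group_bursts(events, max_gap=timedelta(minutes=5)):
    """Group sorted events whose inter-arrival gap is at most max_gap.

    The five-minute threshold is an assumption, not a value from the thread.
    """
    groups = []
    for e in events:
        if groups and e - groups[-1][-1] <= max_gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


if __name__ == "__main__":
    events = parse_events(RAW_LOCAL_TIMES)
    print("events:", len(events))
    print("hits per UTC hour:", dict(sorted(hourly_histogram(events).items())))
    start, length = quiet_window(events)
    print(f"longest quiet window: {length}h starting {start:02d}:00 UTC")
    for burst in group_bursts(events):
        if len(burst) > 1:
            print(f"burst of {len(burst)}: {burst[0]:%Y-%m-%d %H:%M:%S}Z "
                  f"to {burst[-1]:%H:%M:%S}Z")
```

Because only 33 events survive in the list, an empty hour may just be an hour the server was still down rather than one the attacker was asleep, so the quiet window is a hint for correlating with the source IPs, not a timezone fix on its own.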
GGTharos Posted February 2, 2012 I am guessing you already thought of this, but if it is a narrow range of IPs you can collect them in a list and block them. In any case, I wouldn't mind seeing them.
Case Posted February 2, 2012 I am guessing you already thought of this, but if it is a narrow range of IPs you can collect them in a list and block them. In any case, I wouldn't mind seeing them. It is not narrow enough yet. PM sent.
4c Hajduk Veljko Posted February 2, 2012 Do you know the schedule of the attacks? I have seen them happen regularly at around 10-11pm EST, but I can't monitor earlier times. Unfortunately I don't have an attack schedule list. I reside in the States and everybody else in our squadron is in Serbia or the European region. Due to time differences and professional responsibilities (work :)) I am not in the best situation to be in contact with my team mates all the time. A person who is maintaining our dedicated server has invested a lot of his time in trying to figure all of this out and, in my opinion, we are running out of understanding on our dedicated server provider's side too. This morning I got a PM message on our forum that our complete server, including the dedicated server and TS, was shut down, I assume late last night CET. We are working with our dedicated server provider to, yet again, restart our server ... Thermaltake Kandalf LCS | Gigabyte GA-X58A-UD3R | Etasis ET750 (850W Max) | i7-920 OC to 4.0 GHz | Gigabyte HD5850 | OCZ Gold 6GB DDR3 2000 | 2 X 30GB OCZ Vertex SSD in RAID 0 | ASUS VW266H 25.5" | LG Blue Ray 10X burner | TIR 5 | Saitek X-52 Pro | Logitech G930 | Saitek Pro flight rudder pedals | Windows 7 Home Premium 64 bit
GGTharos Posted February 2, 2012 ^^^^ It's killing your entire machine?!
4c Hajduk Veljko Posted February 2, 2012 ^^^^ It's killing your entire machine?! That's my understanding. Let me see if I can get you in touch with the person who is taking care of our dedicated server. His English is not very good, but I can translate if needed.
GGTharos Posted February 2, 2012 Thanks. This particular attack so far only kills the FC2 process, not the machine itself. You might be experiencing some additional problems if your entire machine is crashing.
Moa Posted February 2, 2012 No, passwording the server does not help. The hacker only has to send a specific packet to the right IP and port, and regardless if the server is passworded, it will crash. Ah. So if you proxy and do a deep packet inspection you could block that packet and let everything else through - and you could log against MAC address. Do you know the specific contents of that packet? If the packet content was fixed a little proxy program running on each game server would solve the problem.
GGTharos Posted February 2, 2012 It seems fixed, but filtering based on packet content can be prohibitively cpu-intensive. Nice idea though, it would be interesting to see if/how it works out.
Case Posted February 2, 2012 Do you know the specific contents of that packet? If the packet content was fixed a little proxy program running on each game server would solve the problem. So far the majority of the suspect packets have the same content. I have only seen one other packet that was different. I think though that the problem might be in the header of the packet.
FLANKERATOR Posted February 2, 2012 No, passwording the server does not help. The hacker only has to send a specific packet to the right IP and port, and regardless if the server is passworded, it will crash. Does it mean that the hacker does not need to connect to the server to send the offending packets?? Does he only need to know the server's IP to hack it? Situational Awareness: https://sa-sim.com/ | The Air Combat Dojo: https://discord.gg/Rz77eFj
GGTharos Posted February 2, 2012 Correct. It's not a hack in the way you think of a hack in this case, it's a DOS (denial of service). He can't make new planes appear or other fun things without connecting; however, he can crash the server without connecting.
FLANKERATOR Posted February 2, 2012 Correct. It's not a hack in the way you think of a hack in this case, it's a DOS (denial of service). He can't make new planes appear or other fun things without connecting; however, he can crash the server without connecting. Alright, then we have to forget about the static IP's proposal since he doesn't need to connect to crash the server. A packet-filtering patch/hotfix seems to be the only hope...
Yammo Posted February 2, 2012 So, I'm assuming that if you close your server and make the password available on Teamspeak, that this scripting hack cannot go on?? Passwording does not help... I think I know why, but I'll refrain from giving people more ideas. :) While I'm still in the testing phase... ...it would seem that the guy is clueless when facing a basic freeware firewall. I'm up to about two thousand blocked connections per attack and 15'000 blocked attempts over 2 days and all he has managed to do so far is eat up 7MB of HDD space for the IP log. So, at this rate I will be out of HDD space in about 1'714'285 days. :cry_2:
GGTharos Posted February 2, 2012 What exactly are you blocking?
Sanch0 Posted February 2, 2012 Alright, then we have to forget about the static IP's proposal since he doesn't need to connect to crash the server. Wrong. If you know the trusted client IP addresses then you can drop everything else. UDP is just connectionless, but it still has to tell the server the sender address. PVAF "A fighter without a gun... is like an airplane without a wing" dedicated to F-4 Phantom
Yammo Posted February 2, 2012 What exactly are you blocking?
Stage 1 was everything... Server ran fine.
Stage 2 is granting access on a per-IP basis. Seems to be working fine... *knock on wood* ...going on 2 days.
Stage 3 will be allowing packets to be sent to the master server. Will be interesting to see if there is any change in the number of hack attempts.
If the log of IPs is of any interest to you, just say the word :)
FLANKERATOR Posted February 2, 2012 Wrong. If you know the trusted client IP addresses then you can drop everything else. UDP is just connectionless, but it still has to tell the server the sender address. Okay, thanks Sancho, then static IPs remain an efficient solution, even if it might have appeared a bit drastic since it didn't generate much feedback... Good news though as we at least know that a "last ditch" solution does exist !
Moa Posted February 2, 2012 It seems fixed, but filtering based on packet content can be prohibitively cpu-intensive. Nice idea though, it would be interesting to see if/how it works out. Just as well FC2 only uses one-and-a-bit cores then eh? :) Realistically, you'd do the filtering on another (Linux) box you use as your gateway.
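Bringing together the packet-content filter Moa and Case discuss above and the trusted-IP allowlist Sanch0 describes (the staged approach Yammo reports is the same idea in a desktop firewall), here is an added example of a small UDP filtering proxy in Python. It is my code, not Case's proxy, Yammo's firewall setup or anything from Eagle Dynamics. It assumes the game listens on a local UDP port and the proxy is bound on the public one; both port numbers are placeholders. The byte prefix used as the crash-packet signature is a placeholder too, since the thread never publishes the real payload, and the trusted addresses are RFC 5737 documentation addresses. A per-source rate limit is added on top, because a flood like the one Yammo logs is cheap to cut off the same way.

```python
import select
import socket
import time
from collections import deque

# Placeholder for the crash packet's leading bytes. The thread does not publish
# the real payload; replace this with the prefix captured from your own logs.
KNOWN_BAD_PREFIXES = (b"\xde\xad\xbe\xef",)

# Example allowlist (RFC 5737 documentation addresses). Pass None to disable it.
TRUSTED_CLIENTS = {"203.0.113.10", "203.0.113.11", "198.51.100.23"}


class RateLimiter:
    """Sliding-window packet budget per source address."""

    def __init__(self, max_packets: int, window_seconds: float) -> None:
        self.max_packets = max_packets
        self.window = window_seconds
        self.history = {}  # src ip -> deque of arrival times

    def allow(self, src: str, now: float) -> bool:
        q = self.history.setdefault(src, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_packets:
            return False
        q.append(now)
        return True


def classify(src_ip, payload, trusted=None, limiter=None, now=None):
    """Decide what to do with one datagram: 'forward' or 'drop:<reason>'.

    Checks run cheapest first: source allowlist, then payload prefix, then
    the per-source rate budget.
    """
    if trusted is not None and src_ip not in trusted:
        return "drop:untrusted-source"
    if any(payload.startswith(sig) for sig in KNOWN_BAD_PREFIXES):
        return "drop:signature"
    if limiter is not None:
        if now is None:
            now = time.monotonic()
        if not limiter.allow(src_ip, now):
            return "drop:rate"
    return "forward"


def run_proxy(listen=("0.0.0.0", 10308), upstream=("127.0.0.1", 10309),
              trusted=TRUSTED_CLIENTS, limiter=None, log=print):
    """Relay UDP between clients and the game server, dropping rejected packets.

    Each client gets its own socket towards the game server so that replies
    can be routed back to the right client. Ports are placeholders.
    """
    limiter = limiter or RateLimiter(max_packets=200, window_seconds=1.0)
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(listen)
    sessions = {}  # client (ip, port) -> socket connected to the game server
    while True:
        readable, _, _ = select.select([front, *sessions.values()], [], [])
        for sock in readable:
            if sock is front:
                data, client = front.recvfrom(65535)
                verdict = classify(client[0], data, trusted, limiter)
                if verdict != "forward":
                    log(f"{verdict} {client[0]}:{client[1]} len={len(data)}")
                    continue
                up = sessions.get(client)
                if up is None:
                    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                    up.connect(upstream)
                    sessions[client] = up
                up.send(data)
            else:
                reply = sock.recv(65535)
                client = next(c for c, u in sessions.items() if u is sock)
                front.sendto(reply, client)


if __name__ == "__main__":
    run_proxy()
```

Run it on the server host with the game bound to the upstream port, and point the router's port mapping at the proxy's listen port. One drawback of proxying on the same box: the game now sees every client as coming from the proxy's own address, so anything in the game keyed on client IP is blind behind it. On a separate Linux gateway, as Moa suggests, the same three checks become firewall rules (a source-address set, a payload match such as iptables' string module, and a rate limit such as hashlimit) and the game keeps the real client addresses; the prefix match is also far cheaper than GGTharos's CPU worry implies, since it only compares the first few bytes of each datagram.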
Yammo Posted February 3, 2012 Nice !!! Keep the hackers out of this serious games !!!!!!! You being sarcastic... or just wobbly at English? :)
L0op8ack Posted February 4, 2012
1. create server as "LAN", your server will not exist in the online server list;
2. configure your router/firewall, mapping global IP/port to your local IP/port;
3. tell your friends the global IP/port and password, they can join the server by "connect by IP";
hide yourself from the bad boys, or you will be in trouble sooner or later.
Edited February 6, 2012 by L0op8ack