Pilotasso Posted January 30, 2012 The only servers I had jumped in in the last couple weeks have crashed within minutes.
GGTharos Posted January 30, 2012 For sure no one is happy with this happening, not ED either. But like Andrey explained, right now it would indeed not make much sense to try and go back to old code to try to fix things. As Boberro mentioned, a firewall capable of deep packet inspection may help here, but it has to be well configured, or laaaag. Sorry, don't mean to be negative. There is no doubt that this has hurt FC2 though. I understand why though, with FC3 close, that efforts to fix this in FC2 may not be the best way to go about things currently. Reminder: SAM = Speed Bump :D I used to play flight sims like you, but then I took a slammer to the knee - Yoda
Rhinox Posted January 30, 2012 If anyone knows a software firewall that can filter packets based on content, then please let me know. That may be the only way to prevent these attacks. iptables can definitely do that (-m string --string "whatever" has been implemented some time ago), but there are a few caveats you must be aware of: First, filtering packets based on string matching requires quite a lot of cpu-power if every packet is to be checked and low latency is required. I have done a few experiments with this on my web-server, and cpu-load increased significantly. My server was more busy doing all that filtering than by web/database-server, and I had to switch to application-level firewall... Second: packets might come fragmented. You could find one part of string in one packet, and the other part in different packet. And there are ways to force fragmentation on sending side intentionally. And to make the problem even more complicated, those fragments might arrive "out-of-order". You could make conditional nested filtering rule(s), but number of combinations (even for such a simple string as "whatever") is very high, further contributing to complexity of filtering rules. So basically, you could protect FC-server by filtering out tcp/udp packets for known strings (provided you know unique attacking vector, which might in no case be used in valid communication), but imho you would need dedicated firewall-box with at least a few dozens of quite complex rules. And I'm afraid none of those small soho-routers is powerful enough for this job... Oh, and not to forget: what if communication is encrypted?
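The fragmentation caveat in the post above, as an added example that is not part of the original post or of any ED or iptables code: a stateless per-packet string check next to a matcher that reorders each flow's bytes and scans across packet boundaries. The flow ids, the byte-offset field (standing in for an IP fragment offset or TCP sequence number) and the sample payloads are constructed assumptions.

```python
from collections import defaultdict

SIGNATURE = b"whatever"  # placeholder string from the post, not a real attack pattern


def per_packet_match(packets, sig=SIGNATURE):
    """Stateless check: look for the string inside each payload on its own."""
    return any(sig in payload for _flow, _offset, payload in packets)


class FlowMatcher:
    """Put each flow's bytes back in order, then scan across packet boundaries."""

    def __init__(self, sig=SIGNATURE, max_pending=32):
        self.sig = sig
        self.max_pending = max_pending    # bound memory held per flow
        self.expected = defaultdict(int)  # flow -> next in-order byte offset
        self.pending = defaultdict(dict)  # flow -> {offset: payload} held for a gap
        self.tail = defaultdict(bytes)    # flow -> last len(sig)-1 bytes scanned

    def feed(self, flow, offset, payload):
        """Return True when the signature completes in the reassembled stream."""
        held = self.pending[flow]
        if offset < self.expected[flow]:
            return False                  # already-scanned data; overlaps not handled here
        if len(held) >= self.max_pending:
            raise OverflowError("too many out-of-order pieces; drop this flow")
        held[offset] = payload
        keep = len(self.sig) - 1
        hit = False
        while self.expected[flow] in held:
            chunk = held.pop(self.expected[flow])
            self.expected[flow] += len(chunk)
            window = self.tail[flow] + chunk
            hit = hit or self.sig in window
            self.tail[flow] = window[-keep:] if keep else b""
        return hit


# Constructed traffic: (flow id, byte offset, payload)
SPLIT = [("A", 0, b"xxwhat"), ("A", 6, b"everyy")]
REORDERED = [("B", 4, b"ever"), ("B", 0, b"what")]
BENIGN = [("C", 0, b"hello "), ("C", 6, b"world")]


def scan(packets):
    """Run the stateful matcher over a packet list; True if any flow matched."""
    matcher = FlowMatcher()
    return any([matcher.feed(*p) for p in packets])
```

The per-flow state (`pending`, `tail`) is the cost the post describes: it is what a stateless rule set lacks and what a small router cannot afford at low latency.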
Case Posted January 30, 2012 As Boberro mentioned, a firewall capable of deep packet inspection may help here, but it has to be well configured, or laaaag. It would help if ED could inform server admins what to look for. I can identify the packets that crash the server based on their content, but I'd like to know anything that can help us stop these attacks. There are only 10 types of people in the world: Those who understand binary, and those who don't.
Ramstein Posted January 30, 2012 "You need to spread some reputation around before giving to polecat again." +1 :thumbup: I was once rich with Frugal's Dollars, and once in a BlueMoon I shared them, but had I known they were going to be tossed with the website, I would have spent them here.. :P ASUS Strix Z790-H, i9-13900, WartHog HOTAS and MFG Crosswind G.Skill 64 GB Ram, 2TB SSD EVGA Nvidia RTX 2080-TI (trying to hang on for a bit longer) 55" Sony OLED TV, Oculus VR
Cali Posted January 31, 2012 I've done a couple sorties on public servers this weekend ... didn't look like A2A was terribly dead to me. Not yet, at least. Last time I flew FC2 was about 3 weeks ago and the hacker showed up once the server started getting full. Maybe it was the time you flew. The hacker showed up for me at these times 11am to 4pm. My normal time I use to fly, no one is there anymore, so it's worthless for me to try. i7-4820k @ 3.7, Windows 7 64-bit, 16GB 1866mhz EVGA GTX 970 2GB, 256GB SSD, 500GB WD, TM Warthog, TM Cougar MFD's, Saitek Combat Pedals, TrackIR 5, G15 keyboard, 55" 4K LED
Night Posted January 31, 2012 (edited) Hackers Are hackers the reason there are so many fewer servers up now than there were just last week? Several of my favorite servers aren't up anymore. ED, Please don't just ignore these problems in FC2 only to fix them up in FC3!!! Just for your own interests, that will be absolutely horrible for business. Many people buy Flaming Cliffs for the multiplayer experience. In the months leading up to your new release, if you don't fix the hacks, many people will quit playing FC2. They will put it on their shelves and forget about it for a long time. Many of your fans probably won't buy FC3, not out of vengeance, but because they simply lost interest and are now playing other games. Hackers, Please just stop. No one thinks you're cool. In fact most of us think you're the pathetic scum of the earth. I feel sorry for you, I can't believe someone hacks a FLIGHT SIMULATOR for fun! Really? Are you gonna tell your non-existent girlfriend that "I hack flight simulators for fun!"? Give me a break. Go play Call of Duty or something, because you are a pathetic wimp who can't seem to let other people have fun if you can prevent it. You don't have to be a complete loser your whole life, if you quit doing stuff like this people wouldn't hate you so much (and I'm 100% certain you're not a popular guy in real life). Go get a life, and let those of us who want to play this game have fun without your pathetic hacks. P.S. if there is someone reading this who speaks Russian, can you please translate this for me so I can post it in the RUS section? I don't know whether the hackers even read these forums, but if they do, I want them to see it. Sorry to use strong personal language but I have been looking forward to flying on FC2 for days now, and right when I get it, there's almost no servers up!
Signed, Brad Edited January 31, 2012 by Night Nvidia GTX Titan Pascal - i7 6700K - 960 Pro 512GB NVMe SSD - 32GB DDR4 Corsair - Corsair PSU - Saitek x52 Pro - Custom FreeTrack IR Setup - iControl for DCS
124SqZeljava Posted January 31, 2012 Okay, we still don't know who is the cheater, I don't know how is this possible??? My question is how much FC 3 will cost???? I'll say no more!!!!!!
Cali Posted January 31, 2012 I looked last night at the servers and there were 15 servers up in FC2. Although they had at the most 3-4 people in some, but it is a weeknight.
159th_Viper Posted January 31, 2012 At time of post: Novice or Veteran looking for an alternative MP career? Click me to commence your Journey of Pillage and Plunder! '....And when I get to Heaven, to St Peter I will tell.... One more Soldier reporting Sir, I've served my time in Hell......'
Frostie Posted January 31, 2012 You will find that during certain hours, presumably when the hacker/s are sleeping, servers remain untouched. But when the beasts wake any server with a handful of players will get attacked and shut down. Maybe I'm wrong but it would seem that at least one server is immune to these attacks, will they share their secret? "[51☭] FROSTIE" #55 'Red 5'. Lord Flashheart 51st PVO "Bisons" - 100 KIAP Regiment Fastest MiG pilot in the world - TCR'10 https://100kiap.org
Case Posted January 31, 2012 At time of post: I can show you a similar screenshot with only 3 servers. Honestly, I can assure you that the problem is real and we are not imagining it.
Rhinox Posted January 31, 2012 I suppose more servers are running in "stealth" mode these days: on a non-standard port, and blocking connection to ED so that they do not appear on server-list (afaik in FC2 "master-server connection" is not needed). You can connect if you know ip/port... That offers at least some basic protection. Even if the hacker knows the IP of the server, he would still need to find ports. And compared to deep packet inspection, it is quite easy to block any client doing port-scanning (let's say more than 10 ports out of 65536 possible)...
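One way to implement the port-scan check suggested in the post above, as an added example that is not part of the original post: flag any source that touches more than 10 distinct destination ports inside a time window. The 60-second window, the log line layout (modelled on iptables LOG output), the addresses and the port numbers are constructed assumptions.

```python
import re
from collections import defaultdict, deque

THRESHOLD = 10  # distinct ports, the figure suggested in the post
WINDOW = 60     # seconds; assumed, the post gives no time span

LINE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")


def find_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the set of sources that hit > threshold distinct ports within window."""
    recent = defaultdict(deque)  # src -> (time, port) pairs still inside the window
    flagged = set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue             # not a firewall log line we understand
        h, mi, s, src, dpt = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)  # same-day logs assumed
        q = recent[src]
        q.append((now, int(dpt)))
        while q and now - q[0][0] > window:
            q.popleft()          # forget probes older than the window
        if len({port for _t, port in q}) > threshold:
            flagged.add(src)
    return flagged


def sample_log():
    """Constructed log: a reconnecting player, a fast scanner, a slow prober."""
    fmt = "Jan 31 22:{:02d}:{:02d} fw kernel: IN=eth0 SRC={} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={}"
    lines = []
    for i in range(15):   # player: many connections, always the same port
        lines.append(fmt.format(10, i, "198.51.100.7", 10308))
    for i in range(12):   # scanner: 12 different ports in 12 seconds
        lines.append(fmt.format(11, i, "203.0.113.5", 20000 + i))
    for i in range(12):   # slow prober: 12 different ports, one every 3 minutes
        lines.append(fmt.format(20 + 3 * i, 0, "198.51.100.200", 30000 + i))
    return lines
```

With the 60-second window only the fast scanner is flagged; the slow prober is caught only when the window is widened, which is the trade-off when choosing it.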
GGTharos Posted January 31, 2012 I ran into this last night myself - it was 'fun' ... to avoid the attack I had to go to LAN mode, so that I wouldn't appear on the server list, and of course change port since my original connection was historied. The attacker's script reads connection details from the MS list and attacks everything that's on it, AFAIK.
MoGas Posted January 31, 2012 I can show you a similar screenshot with only 3 servers. Honestly, I can assure you that the problem is real and we are not imagining it. Exactly, and if some people would look over their noses, to other sims like CloD (even with a broken SIM like CloD :music_whistling: ) and what amount of players you have online, then you can call FC2 dead, sad it is!
Cali Posted January 31, 2012 You will find that during certain hours, presumably when the hacker/s are sleeping, servers remain untouched. But when the beasts wake any server with a handful of players will get attacked and shut down. Maybe I'm wrong but it would seem that at least one server is immune to these attacks, will they share their secret? That's right. The time I saw it hacking away at servers was 11am to 5pm for me at -6 GMT.
GGTharos Posted January 31, 2012 I saw it between 10-11pm EST.
Heli Shed Posted January 31, 2012 On a serious note, what is ED's stance on this? Come pay us a visit on YouTube - search for HELI SHED
Sanch0 Posted January 31, 2012 On a serious note, what is ED's stance on this? From what I know they are not trying to do anything... PVAF "A fighter without a gun... is like an airplane without a wing" dedicated to F-4 Phantom
159th_Viper Posted January 31, 2012 From what I know they are not trying to do anything... Your assumption is incorrect.
Sanch0 Posted January 31, 2012 Deep packet inspection can be done by installing Vyatta on a virtual machine. You can use virtual network interfaces to set it up but it needs additional resources and will have significant impact on performance... http://www.vyatta.com/ It's just an idea and I don't think it matches the needs on FC2 servers...
Vault Posted January 31, 2012 (edited) They're using WPE Pro and probably artmoney. They're flooding the servers with filtered packets to reset lockon.exe. This can be run through proxies and is autonomous using WPE. The only permanent fix is a code change. They can change user names and user ID's. They can turn game settings on and off and change any data they like. IC won't help because they don't need to alter any files; the exploit works on the presentation and session layer. You won't beat them because WPE Pro/Artmoney make them more powerful than the admins. The only way to beat them is to make an anticrash/exploit filter using WPE Pro to filter all offending TCP/UDP packet/s to the application/presentation layer of lockon.exe. WPE Pro can defend you from attacks by filtering suspect packets. The reason he can start in the air and not at base is because it's an option in game and he can turn this on and off to his liking. *EDIT Just checked, all fc2.exe packets are encrypted so you can't filter the offending packets, good luck. He's got to be using a memory editor combined with WPE's proxy for the attacks. Devs are gonna have to encrypt all values in memory to fix this. Edited January 31, 2012 by Vault
Speed Posted January 31, 2012 (edited) It's just one or two jerkwads doing this. Is there any possibility of tracking it down and ED filing charges against it? People have already hinted that they have some idea of who it is, and the attacks are very consistent. Sure you can use proxy servers and all that, but if you can get someone to repeatedly attack you, can you eventually figure out where they are? Edited January 31, 2012 by Speed Intelligent discourse can only begin with the honest admission of your own fallibility. Member of the Virtual Tactical Air Group: http://vtacticalairgroup.com/ Lua scripts and mods: Mission Scripting Tools (Mist): http://forums.eagle.ru/showthread.php?t=98616 Slmod version 7.0 for DCS: World: http://forums.eagle.ru/showthread.php?t=80979 Now includes remote server administration tools for kicking, banning, loading missions, etc.
FLANKERATOR Posted February 1, 2012 Exactly, and if some people would look over their noses, to other sims like CloD (even with a broken SIM like CloD :music_whistling: ) and what amount of players you have online, then you can call FC2 dead, sad it is! Props and war-birds are not everyone's passion Mogas. Good for you that you got into it, but it's just not an option for me, otherwise I would have been an IL2 junkie long time ago. FC2 hacks and all those attacks not only threaten FC2 but the whole MP servers in the future, that's why I am pretty confident ED along with the community will end up backfiring. So all this is temporary pain, no matter how long it will take, it will disappear and something better will take place. Situational Awareness: https://sa-sim.com/ | The Air Combat Dojo: https://discord.gg/Rz77eFj
Case Posted February 1, 2012 The attacker's script reads connection details from the MS list and attacks everything that's on it, AFAIK. I think it is done manually, where he reads the connections from the server list and then attacks through a proxy. I have repeatedly changed port and each time the server was brought down from the proxied IP, that IP only had made one connection with the server, i.e. the attack is specific to the present IP and port and he is not attacking all ports.