Sgt Pepper Posted August 30, 2013 Posted August 30, 2013 Early this morning our server was hit with a mid level DoS attack. Using tcpdump it was easy enough to log the packets, then download the log and analyze in Wireshark. Using these basic methods you can then get a long stream of packets from the attacker in the form of:14 0.002412 192.210.133.40 69.197.137.234 UDP 60 Source port: 43429 Destination port: 29070 Edit 8/30 8:39AMCheck bottom of page for server belonging to this IP You can then block this by using:iptables -A INPUT -s 192.210.133.40 -j DROPWe had a break of about 5 minutes before a second VPS hit us again, the same method to capture and analyze was used with the return:765 0.132720 192.223.27.158 69.197.137.234 UDP 60 Source port: 57301 Destination port: 29070 Edit:8/30 8:01AMCheck bottom of page for server belonging to this IP We then repeat the drop method:iptables -A INPUT -s 192.223.27.158 -j DROPAnother break of 5 minutes ensued, before the attacker used a third server:If you simply Google this IP Address it should pop up the Game Tracker page for Masterful Dojo as one of the first results:2 0.000004 184.82.150.229 69.197.137.234 UDP 60 Source port: 46319 Destination port: 29070Name: Masterful DojoGame: Star Wars Jedi Knight Browse: Star Wars Jedi Knight ServersAddress: 184.82.150.229 Port: 29070 Status: AliveServer Manager: binnyer (claim server)He was then once again blocked using the same method:iptables -A INPUT -s 184.82.150.229 -j DROPMy question then is, what kind of a sorry excuse for a "hacker" uses such obvious methods when committing criminal acts online?Not one with very much patience, it would seem. Should anyone question the authenticity of these samples, I would be glad to provide them with large chunks of the several gigabyte dumps that were saved on our servers. I would like to take this opportunity to request as others have, that those in the community stop these destructive antics before it not only damages the community, but potentially gets someone into legal trouble as well. I am hesitant as to whether or not I am going to forward my dump logs and this information to the authorities or the ISP of the attacker. Given that the situation has been diffused I likely won't, but wish to share with the community the identity of someone who has clearly been up to no good. I would keep a watchful eye in the future my friends. Cheers. -------Edit Aug 30 7:01AM------- By stepping into the UDP stream on Wireshark, I can then go into more detail as to the nature of the attack: .....getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus .....statusResponse \g_jediVmerc\0\jp_highlander\0\jp_duelAlpha\10\g_debugMelee\2\g_showDuelHealths\0\g_stepSlideFix\1\g_siegeRespawn\20\g_saberWallDamageScale\0.4\g_siegeTeamSwitch\1\g_maxGameClients\0\g_forceRegenTime\0\g_forcePowerDisable\163837\g_weaponDisable\524279\bot_minplayers\6\sv_allowDownload\0\sv_floodProtect\1\sv_maxPing\0\sv_minPing\0\sv_maxRate\25000\sv_maxclients\32\sv_hostname\........................ Kansas^5Art of Combat ^7(JA+ NF Community)\sv_privateClients\0\sv_keywords\word1 word2\g_gametype\0\g_duelWeaponDisable\524278\g_forceBasedTeams\0\duel_fraglimit\10\g_maxForceRank\7\g_saberLocking\0\g_privateDuel\1\capturelimit\0\timelimit\100\fraglimit\100\dmflags\584\version\JAmp: v1.0.1.1 linux-i386 Nov 10 2003\g_maxHolocronCarry\3\g_needpass\0\protocol\26\mapname\mp/ffa3\jp_cinfo\117763\V\2.4B7\gamename\JA+ Mod v2.4 B7 2 84 "^7.^3.^0Vlad" 3 257 "^1W^7iki^1W^7arrior" 2 0 "^1|^7TS3&JKA: 69.197.137.234^1|" 2 73 "Smackers" 31 43 "^7.^5.^7Sgt Pepper^5^ " 6 46 "^3.^0.Cri^3x^0us" .....getstatus ......getstatus ......getstatus ......getstatus ......getstatus ......getstatus .....statusResponse \g_jediVmerc\0\jp_highlander\0\jp_duelAlpha\10\g_debugMelee\2\g_showDuelHealths\0\g_stepSlideFix\1\g_siegeRespawn\20\g_saberWallDamageScale\0.4\g_siegeTeamSwitch\1\g_maxGameClients\0\g_forceRegenTime\0\g_forcePowerDisable\163837\g_weaponDisable\524279\bot_minplayers\6\sv_allowDownload\0\sv_floodProtect\1\sv_maxPing\0\sv_minPing\0\sv_maxRate\25000\sv_maxclients\32\sv_hostname\........................ Kansas^5Art of Combat ^7(JA+ NF Community)\sv_privateClients\0\sv_keywords\word1 word2\g_gametype\0\g_duelWeaponDisable\524278\g_forceBasedTeams\0\duel_fraglimit\10\g_maxForceRank\7\g_saberLocking\0\g_privateDuel\1\capturelimit\0\timelimit\100\fraglimit\100\dmflags\584\version\JAmp: v1.0.1.1 linux-i386 Nov 10 2003\g_maxHolocronCarry\3\g_needpass\0\protocol\26\mapname\mp/ffa3\jp_cinfo\117763\V\2.4B7\gamename\JA+ Mod v2.4 B7 2 84 "^7.^3.^0Vlad" 3 257 "^1W^7iki^1W^7arrior" 2 0 "^1|^7TS3&JKA: 69.197.137.234^1|" 2 73 "Smackers" 31 43 "^7.^5.^7Sgt Pepper^5^ " 6 46 "^3.^0.Cri^3x^0us" It's clear even from the first portion that it was the UDP Getstatus flood, fortunately using similar rules to what Caelum posted this was already greatly mitigated. Next I filter out the scrap packets to get the pure stream so I can upload it here as proof of the attack. You can do this yourself by right clicking one of the packets, "Follow UDP Stream", it will then filter down to the stream. You then go to file -> Export Specified Packets and save to a .pcap file and you can then re-open to make sure there's no scrap left. I wasn't able to find an attach function for this post so I just threw it up on a storage site: http://www.fileswap.com/dl/tLl3NH4B2U/ Edit:8/30 8:01AM765 0.132720 192.223.27.158 69.197.137.234 UDP 60 Source port: 57301 Destination port: 29070 Upon doing further research, it's easily discovered that this first IP is that of the Warheads server, meaning the attack had to have been done by someone who had privileged access to that server http://www.warheadss.enjin.com/forum/m/13172886/viewthread/6885460-server-information Here is all the information you will have to know about the Warheads Server;IP;192.223.27.158:29070 Edit 8/30 8:39AM14 0.002412 192.210.133.40 69.197.137.234 UDP 60 Source port: 43429 Destination port: 29070 Upon researching this last IP I come up with: Server NameBinny's Shitty JA+Server IP 192.210.133.40:29070Server Ping38Server Infomp/ffa3 (3/32)Game Typefree-for-all DM I think I'm beginning to see a pattern here...
Xycaleth Posted August 30, 2013 Posted August 30, 2013 To be honest, said "hacker" is probably nothing more than some kid who has nothing better to do and thinking he's "leet" by running one of probably numerous getstatus flood scripts circulating around the interwebs. If I were you, I'd send a report to his ISP (though from the information you've given, I don't see how you could know who this is) as a warning as he will probably continue attacking other servers anyway. katanamaru likes this
Sgt Pepper Posted August 30, 2013 Author Posted August 30, 2013 To be honest, said "hacker" is probably nothing more than some kid who has nothing better to do and thinking he's "leet" by running one of probably numerous getstatus flood scripts circulating around the interwebs. If I were you, I'd send a report to his ISP (though from the information you've given, I don't see how you could know who this is) as a warning as he will probably continue attacking other servers anyway. While I agree this is clearly not a hacker and that usually you would not know who it was based on source IP alone, 2 of the 3 IPs being registered to an individual and the third being registered to a clan where the same person has root access tends to narrow down the search a little. 765 0.132720 192.223.27.158 69.197.137.234 UDP 60 Source port: 57301 Destination port: 29070 QuoteEdit: Upon doing further research, it's easily discovered that this first IP is that of the Warheads server, meaning the attack had to have been done by someone who had privileged access to that server http://www.warheadss...ver-information Here is all the information you will have to know about the Warheads Server; IP;192.223.27.158:29070 And then below: 2 0.000004 184.82.150.229 69.197.137.234 UDP 60 Source port: 46319 Destination port: 29070 Name: Masterful DojoGame: Star Wars Jedi Knight Browse: Star Wars Jedi Knight ServersAddress: 184.82.150.229 Port: 29070 Status: AliveServer Manager: binnyer (claim server) Not sure why these fellas are attacking our server as we've done nothing to them, but I'll again take this opportunity to request they stop before I forward my pcap logs to their server provider. Wookiee likes this
Futuza Posted August 30, 2013 Posted August 30, 2013 I say turn him. This stuff is serious and even if he is just some kid he deserves a wake up call before tries something more disruptive. Let his ISP do the investigative work to find out who exactly it is. katanamaru likes this
CaptainCrazy Posted August 30, 2013 Posted August 30, 2013 I hate people like this they thrive on thinking that they're so cunning and smart, attacking servers and websites because they think it makes them, as stated, "leet." People like this need to be made an example of and put in their place. They're like bullies that keep going on and on to see how far they can push you, all the time laughing at the fact that they may be getting on your nerves. I do agree that this is very amateur hacking, if you can even class it as that, done by somebody who picked up a cheap tool yet lacks the skill to be any real threat. If anything they're the ones to be mocked and laughed at for their incompetent stupidity. katanamaru likes this
Onysfx Posted August 30, 2013 Posted August 30, 2013 This hackers feeble skills are no match for the powah of the darkside! Circa likes this
Binny Posted August 30, 2013 Posted August 30, 2013 I see a set of IP addresses requesting status packets & your server returning normal status packets. Considering every JKA client does the same thing when connecting to or requesting information about a server on the master list I'm not sure what exactly you're claiming was done that was legally questionable? There's a strict set of rules about what you can and cannot legally do on the internet, you cannot access a computer system you were not authorized to access, you cannot execute code on a server you were not authorized to access, you cannot share copyrighted content, and you cannot knowingly disrupt, damage, or access a 'Federally Protected Computer' which basically means any Govt computers, or FDIC insured bank computers. One thing you definitely can do legally is send legitimate requests for information (at any rate, even if the server at the receiving end cannot handle the requests and freezes or crashes), which is what we see done in the original post. This is perfectly legal and the responsibility of the server operator to make sure they don't use a piece of software vulnerable to being DOS'd by legitimate traffic. Unfortunately that puts the burden of blocking any security holes on outdated software like Jedi Academy squarely on you, Sgt.Pepper, the server owner's shoulders. I suggest taking the time to read computer security law before embarrassing yourself further by forwarding your claims of illegal activity to any of these servers providers.
Sgt Pepper Posted August 30, 2013 Author Posted August 30, 2013 I see a set of IP addresses requesting status packets & your server returning normal status packets. Considering every JKA client does the same thing when connecting to or requesting information about a server on the master list I'm not sure what exactly you're claiming was done that was legally questionable? You bring up an interesting legal point about Denial of Service attacks. Too bad it is written into The Computer Misuse Act of 1990 and upheld with the appeals court exactly what a Denial of Service attack constitutes and its legality: In fact, this one gentleman made almost exactly the same argument you did: Appeals court says Denial of Service is a crimeA judge made a mistake when he suggested that a teenager using a 'mail-bombing' program to attack his former employer's computer system was not breaching the Computer Misuse Act, according to an appeals court.12 May 2006 David Lennon, who could not be named when he was cleared last November because he was then under 18, must now decide whether to plead guilty or stand trial in the magistrates' court. If convicted, he faces a maximum possible sentence of five years in prison and a fine.After being dismissed from Domestic & General Group, in early 2004, Lennon allegedly used a program called Avalanche that, once activated, automatically sent continuous emails to the insurer's server until the program was manually stopped. The server received over 500,000 emails, the vast majority of which purported to come from a human resources manager within the company. In November, Lennon successfully argued in a Magistrates' Court that the purpose of the company's server was to receive emails, therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act. That there were lots of them was irrelevant. He ruled that Lennon had no case to answer, so no trial took place. But in an appeal from the Director of Public Prosecutions, Lord Justice Keene and Justice Jack disagreed with Judge Grant's reasoning. Yes, the owner of a computer system would ordinarily consent to the sending of emails to his computer; but such implied consent is not without limits, he said. And the consent did not cover emails that had been sent not for the purpose of communication with the owner, but to interrupt his computer system. It was successfully argued in the to the Queen's Bench Division of the High Court* that the acts described in the charge amounted to an unauthorised modification to the computer by the adding of unauthorised data. He had the requisite knowledge to commit the offence, because he knew the emails were unauthorised, it was argued. It has been found that while yes, sending one e-mail or several e-mails is in fact completely legal, deliberately sending so many e-mails (or other forms of packets) in order to incapacitate the server's ability to respond to legitimate traffic is in fact destruction of property. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Not only were your addresses sending more getstatus requests than any other client I've ever seen, they were sending them within about 20 microseconds of each other, a feat impossible to be gotten by refreshing or re-querying the server and instead only made possible by a looped object within a program. Likely either some tiny php or c++ applet, in your case I'm going to go with the latter. There is no reason a client would be sending millions of getstatus packets within 20 microseconds of one another except as a deliberate means to incapacitate the server. Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. Oh and just as a thank you for responding, I decided to upload another .pcap, more to come. http://www.fileswap.com/dl/s9RQEIthYl/ Cheers. Futuza and Wookiee like this
Binny Posted August 30, 2013 Posted August 30, 2013 I've read those cases previously as well, the reason I didn't mention them is that in cases following that one it has only ever been used to hold people responsible for email flooding, no other kind of data has ever or likely will ever be prosecuted in the same manner. The only illegal DOS you mentioned (that doesn't even fall in to the category of what your original post details the attack was) is the saturation of a downstream connection via massive numbers of connection requests, this is typically done by utilizing TCP SYN packets and is not relevant to the aforementioned attack. In a getstatus flood only 150-200kbps worth of getstatus packets must be send to the server, the server then floods it's own upstream connection with the responses. The actual denial of service was caused by your application, and not the large number of incoming getstatus packets, so no mentioned law (or even any that I'm aware of) constitute it as a denial of service. You were denying yourself service.
Sgt Pepper Posted August 30, 2013 Author Posted August 30, 2013 I've read those cases previously as well, the reason I didn't mention them is that in cases following that one it has only ever been used to hold people responsible for email flooding, no other kind of data has ever or likely will ever be prosecuted in the same manner. I wasn't interested in legal action anyways. I find it intriguing you have no problem with attacking other servers and would actually argue it is legal. This is exactly what Caelum was talking about when he made his post on DDoS. The game would be better off if you were just to disappear, you not only don't bother denying the fact you attacked our server, but you actually try to defend it. Fascinating, quite honestly. I suggest taking the time to look around whats left of the community, and see if even a single JKA player left at this point has an opinion of you that doesn't fall in the negative. I suggest taking the time to read computer security law before embarrassing yourself further by forwarding your claims of illegal activity to any of these servers providers. Also, something doesn't have to be illegal to get you put on to say a server black list for the foreseeable future. What you've done is a clear violation of almost every set of ToS that server providers use nowadays. I wouldn't be surprised if you found your name popping up in all sorts of spam and fraud filters in the coming years, if you continue doing what you've been doing. Wookiee and Futuza like this
Binny Posted August 30, 2013 Posted August 30, 2013 I neither denied it nor accepted responsibility for it, I'm simply pointing out why it was your responsibility to fix the security hole, and how referencing it as illegal was technically incorrect. I don't really have any other points to make other than: suck it
Sgt Pepper Posted August 30, 2013 Author Posted August 30, 2013 I neither denied it nor accepted responsibility for it, I'm simply pointing out why it was your responsibility to fix the security hole, and how referencing it as illegal was technically incorrect. I don't really have any other points to make other than: suck it I couldn't care less about the technicality, you're letting your ego get the best of you. You've all but admitted to it and for the community to see one of the people who has been around DoSing servers is enough for me. So what I'm going to do now is lean back, have a nice chuckle, and move on with my life, because unlike some people, I am not pathetic enough to attack a game server to try to win an argument. Kane, Futuza and Wookiee like this
Recommended Posts