
DDoS Attacks, and their effects on the community


There has, in recent times, been a marked increase in DDoS attacks on JKA servers. No, not the GameTracker ones, but other ones: DDoS attacks launched by members of the JKA community on other members of the JKA community. I'd like to talk about that a bit.

 

A reminder: what a DDoS is

A DDoS attack is an attack where you flood a server with more traffic than it, or the link in front of it, can handle (bandwidth and maximum simultaneous connections, typically) to take it down. You spam packets or connection attempts at a server, particularly from multiple sources (the same thing from a single source is a DoS; the first D stands for distributed), in an attempt to take it down. This is common across the internet, and DDoS attacks are often launched against anything from webservers to game servers.

 

I feel like I cannot emphasize enough that a DDoS attack is not a hack: it gives the attacker no access to your server, its files or its accounts, and does not compromise your security in that sense at all. It's simply a matter of throwing more traffic at your server than it can process. It can happen to anyone.

 

[Diagram from Wikipedia illustrating a DDoS attack; image not reproduced here.]

 

Recent events

A few days ago, a number of popular servers were taken down by someone through DDoS attacks of up to around 5 Gbps (most servers run on either 0.1 Gbps or 1 Gbps connections). These include JAWA, EK, and others. I've been working with some of them, and their server providers, to mitigate these attacks and find a solution.

 

A while ago, several MB2 servers were hit by DDoS attacks as well. You can find a thread about it here, for instance.

 

These are not the only instances of DDoSes that have happened lately, nor do I think they will be the last. Perhaps unremarkably, in every case the intention seems to be to force other players to do something. Clans are told to remove certain members the attackers dislike, or be hit by a DDoS. Servers running MB2 are DDoSed in an attempt to make players play JKGalaxies instead (which, for the record, the JKG team had absolutely nothing to do with, and condemned). Servers that ban certain players are told to unban them, and let them break any rules those servers enforce, or be hit by a DDoS. The list goes on.

 

A chilling effect

I feel like these DDoS attacks are a considerable threat to the JKA community - more so than the attackers realize. With every DDoS attack, it becomes more difficult, and less appealing, to run a JKA server. As a result, the number of JKA servers will shrink.

 

Additionally, every time a server is taken offline by a DDoS attack, it affects the number of people playing JKA, simply because people can't play on their favorite servers, and as a result, often won't play at all until it's back online.

 

There are those who will argue that, simply by paying attention to this problem and writing this article, I'll be exacerbating the problem. That's possible, but I feel like it's a subject worth talking about nonetheless.

 

Why it's ineffective

The aim of these DDoS attacks, as I mentioned earlier, is to make players do something they don't want to, be it playing a different mod or cutting their ties to other players. The reason people play games in the first place is to have fun. If one is constantly discouraged from having fun, one will eventually just quit playing JKA, negatively affecting the community but not meeting any real demands. Besides, the moment one starts accepting these demands, one opens oneself up to further demands in the future, and essentially loses all control over one's own server or clan.

 

There will always be people on JKA you don't like, and indeed, whose style of playing you find repulsive. By all means, avoid those people, and even argue with them, irritate them, get banned by them, or ban them yourself, but I'd urge anyone who will listen not to resort to DDoS attacks, as it has an extremely chilling effect on the community, and you will never be able to eliminate all players you don't like.

 

If any servers have issues with DDoS attacks, they are welcome to contact me at any time, and I will do everything in my power to help them mitigate the attacks. In the meantime, if you have root access to your own server, or if you are a game server provider, I'd highly recommend using the following Linux firewall rules, or variants of them. They rate-limit the getstatus and getinfo server queries (the packets a server browser, or a flood tool, sends: four 0xff bytes followed by the keyword) to five per second per source address. The byte offsets assume a 20-byte IP header (20 + 8 for UDP + 4 for the marker puts the keyword at byte 32), and the rules need the string, length and recent match modules of iptables; if iptables answers that no match exists by that name, the kernel lacks one of those modules:

# Basic UDP flood prevention in IPTables. Courtesy of Soh Raun.
# These must come before any rule that ACCEPTs the game ports: -A appends, so
# either the INPUT chain is otherwise empty, or insert them with -I INPUT <n>.
# Record each bare "getstatus" query (41 bytes, 42 with a trailing newline)
# per source address, then drop that source once it has sent 5 in one second.
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 41:42 -m string --algo bm --from 32 --to 41 --string 'getstatus' -m recent --set --name jka_getstatus
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
# The same for bare "getinfo" queries (39 bytes, 40 with a trailing newline).
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 39:40 -m string --algo bm --from 32 --to 39 --string 'getinfo' -m recent --set --name jka_getinfo
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP

...as well as software like DDoS Deflate and/or ServerArk. Two caveats: the DROP rules match all UDP from a flagged source to those ports, and because --update refreshes the entry on every match, a source stays blocked for as long as it keeps sending five or more packets a second; and no host firewall helps once the attack saturates the uplink itself (5 Gbps against a 1 Gbps port), which only your provider can filter upstream.


By Caelum, in Community News



User Feedback

Recommended Comments

Attacks like these are very common in Garry's Mod for some of the same reasons, another one of my favorite games. It's unfortunate that such attacks have now hit JKA, as it will cause the game's player count to go down even more than it has been over the years.


Golly. I hope you didn't have to pay an arm MoonDog.

 

Caelum <.< I could use help to prevent such a thing *before* it happens and end up paying excessively...am on Windows.


The most popular public base TDM server "Lolipop ESL Server" gets crashed like 5 times a day at least.


These kinds of attacks are a small part of the reason -[KoTp]- has left the JK community and gone to "The Old Republic." I truly sympathize with all who have been affected by these attacks and I still support all of my friends in the JK community. I truly hope you guys get through this and become stronger for it.

 

Sincerely,

-[KoTp]-IronSkull86|HC|


Also for those on Linux servers who would like to try to catch their attacker, first install tcpdump and write to log when you are being attacked.

 

tcpdump -w 01.log

 

Will write all protocols to 01.log in the current directory.

 

You can then tcpdump -r 01.log to read it back, but I prefer to download it and use Wireshark to analyze.

 

You can look for familiar getstatus sizes or huge series from a specific address, then create iptables rules or inform your host to absorb or drop.

 

You can use these to justify a ban or to try to stop the attacks by confrontation or contacting the service provider.

 

I'm sure there's other apps for both linux and windows but this is just my preference.

 

Cheers

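The check the article's iptables rules encode, and the capture analysis this comment describes, carried out in Python as an added example (this is not code from the article, from the commenter, or from any JKA project). It reads a libpcap file such as the one tcpdump -w writes, picks out UDP packets to the JKA port range whose payload is the four-byte 0xff out-of-band marker followed by a bare getstatus or getinfo, records them per source address and reports which packets a 5-per-second rule would have dropped. The port range, threshold and window are the article's; the capture built by sample_capture() is constructed in code, not a real capture, and the addresses and function names are my own.

```python
"""Find getstatus/getinfo query floods in a tcpdump capture (added example)."""
import socket
import struct
import sys
from collections import Counter, defaultdict, deque

OOB_MARKER = b"\xff\xff\xff\xff"      # Quake3-engine out-of-band packet prefix
QUERIES = (b"getstatus", b"getinfo")  # bare queries the iptables rules match
JKA_PORTS = range(29070, 29081)       # --dport 29070:29080
HITCOUNT, WINDOW = 5, 1.0             # --hitcount 5 --seconds 1


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame carrying payload (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap(data):
    """Yield (timestamp, frame) from a microsecond-resolution libpcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_query(frame):
    """Return (src_ip, dst_port, query) for a bare getstatus/getinfo sent to a
    JKA port, else None. Equivalent to the -m length / -m string tests: the
    keyword follows the marker directly and only a newline may trail it."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # 14 eth + 20 ip + 8 udp
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:                # not UDP / truncated
        return None
    _sport, dport, ulen, _ = struct.unpack_from("!HHHH", ip, ihl)
    payload = ip[ihl + 8:ihl + ulen]
    if dport not in JKA_PORTS or not payload.startswith(OOB_MARKER):
        return None
    body = payload[4:]
    if body.endswith(b"\n"):
        body = body[:-1]
    if body not in QUERIES:
        return None
    return socket.inet_ntoa(ip[12:16]), dport, body.decode()


def analyze(pcap_bytes, hitcount=HITCOUNT, window=WINDOW):
    """Replay the capture through the rule pair: each query is recorded for its
    source (-m recent --set), then dropped if the source now has hitcount or
    more queries within the window (--update --hitcount). Returns
    (passed, dropped) as {source: count} dicts."""
    stamps = defaultdict(deque)
    passed, dropped = Counter(), Counter()
    for ts, frame in iter_pcap(pcap_bytes):
        query = parse_query(frame)
        if query is None:
            continue
        recent = stamps[query[0]]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        (dropped if len(recent) >= hitcount else passed)[query[0]] += 1
    return dict(passed), dict(dropped)


def sample_capture():
    """Constructed traffic, not a real capture: a server browser at 203.0.113.5
    sends one getinfo and one getstatus, then 192.0.2.77 fires 50 getstatus
    in half a second from changing source ports."""
    server = "198.51.100.10"
    records = [
        (100.0, build_udp_frame("203.0.113.5", server, 27960, 29070, OOB_MARKER + b"getinfo")),
        (100.3, build_udp_frame("203.0.113.5", server, 27960, 29070, OOB_MARKER + b"getstatus\n")),
    ]
    records += [(101.0 + i * 0.01, build_udp_frame("192.0.2.77", server, 40000 + i, 29070,
                                                    OOB_MARKER + b"getstatus"))
                for i in range(50)]
    # Ordinary in-game traffic is not an out-of-band query and is ignored.
    records.append((101.6, build_udp_frame("203.0.113.5", server, 27960, 29070, b"\x00\x10\x00\x00data")))
    return build_pcap(records)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    passed, dropped = analyze(data)
    for src in sorted(set(passed) | set(dropped), key=lambda s: -dropped.get(s, 0)):
        print(f"{src:16} passed {passed.get(src, 0):5d}  dropped {dropped.get(src, 0):5d}")
```

Run it as `python3 query_flood.py 01.log` against a real capture, or with no argument to use the constructed one. Because the packet is recorded before the count is checked, the fifth query from a source within a second is the first one dropped, which is the order the --set rule and the --update/DROP rule produce in the article's rule set. A flood from many spoofed source addresses, each sending fewer than five queries a second, passes this check, as it passes the iptables rules.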

What solutions are there for people running home hosted servers?

I home-host a few private servers off my home network... but my home network is constantly DDoS'd whenever I open my ports to incoming connections since my IP has been static for the past few years and almost everyone who hates me has it..

 

So what do?

 

In this situation, it's going to be impossible to host a public server off crappy home internet, assuming your upload speed is not in the top 90th percentile (>10 Mbps), and even then you aren't safe.

 

Private servers however, if set up right, you can run with your ports closed by default.

 

What you'll do is set a Block All rule for all incoming connections, and you will put this at the bottom of the INPUT rule chain, this block will also have to be accompanied by stealthing your ports by default otherwise they can still be saturated in an attack.

 

Then before that, you'll put Accept rules for the players you wish to allow, or set a custom rule to give you a notification every time someone tries to connect to your server's port.

 

I do this for UDP 21000 and 29070 for the JKA private server, and I also use it for uTorrent nowadays too.

 

I use comodo firewall to give me the custom notifications, so each time someone tries to connect to my private server, it will pop up their IP which I have scripted to search for that IP in my rcon log file for the public server, at which point if I know them I will accept, and if they are a known attacker I will simply set to always drop.

 

This can be done in Windows Firewall, Comodo, Linux IPtables, etc

 

For example on IPtables you would use these 2 rules to first accept one range and then block everyone else. You will still need to stealth the ports I believe, or a DoS attack can still saturate the port.

 

# Accept the allowed source range first...
iptables -A INPUT -m iprange --src-range 111.111.0.0-111.111.255.255 -j ACCEPT

# ...then drop every other IPv4 source (this range matches every address, so it
# is the same as a plain "-j DROP"). As written, both rules apply to every
# protocol and port, not only the game ports; on a box you administer remotely,
# add "-p udp --dport 29070" to them, or accept your admin traffic earlier in the
# chain, or you will lock yourself out.
iptables -A INPUT -m iprange --src-range 0.0.0.0-255.255.255.255 -j DROP

 

(This can also be used on public servers as a way to rangeban outside the JKA ban system, it will even block pings and connect attempts, and it won't even tell the person they were banned. Of course a change in IP to outside the range or use of VPN\proxy works around this.)

 

Understand that a public server needs to allow incoming connections by default to be able to accept first-time guest players, and this is why a server is vulnerable to DoS.

 

Private servers don't have such limitations but will require a higher level of manipulation to be used in a more public manner. And by private I do not simply mean setting a password, this does not protect you from DoS.

 

Anyways best of luck.


Anyone who can help me set up those iptables rules? I'm a bit of a noobie and when I just tried copy pasting I got 'No chain/target/match by that name.' Server/VPS is running CentOS.


