
Security advisory: recent DDoS attacks


Recent DDoS attacks

Over the past few months, an unusually large number of JKA servers have been getting hit by DoS and DDoS attacks. The main symptom is extreme lag. Today, we figured out what's going on, and why.

 

What is a (D)DoS?

A DoS, or Denial of Service attack, is a kind of attack that works by flooding a server. Essentially, you spam a server with traffic in order either to saturate its bandwidth (making it unable to serve actual visitors, because all of the bandwidth is being consumed by the attacker's traffic) or to make it run out of processing resources. Game servers are particularly vulnerable, since you don't even have to make the entire server unusable; you can just make it so laggy that it becomes impossible to comfortably play on it.

 

A DDoS is a type of DoS where the attacker is not a single machine, but rather, several machines controlled by a central one. Usually, these machines are the computers of people infected with a virus that makes them a so-called botnet zombie.

 

Here's a graphic to illustrate, courtesy of Wikipedia:


The pattern

The DDoS in question has been increasingly common on JKA. Many servers have been hit by it to date, including names such as JAWA, To and EK. There's even a thread about it here. We've been trying to devise a way to make JKA servers less vulnerable to it, but so far, we've had little luck. Today, we noticed a pattern (due credit to SiLink for thinking of the possibility): every server that's been hit by DDoS attacks so far has been using GameTracker. Particularly, in JAWA's case, the DDoS attacks only started happening within days of signing up for GameTracker.

 

What's a GameTracker?

GameTracker is a website that offers server trackers. You've probably seen them before. Here's an example:


 

GameTracker offers convenient lists of every server using their website and running a specific game, like this one for JKA: http://www.gametrack...om/search/swjk/

 

As I said before, every server that's been hit by these DDoS attacks was signed up for GameTracker. On GameTracker's own forums, there are several threads about it as well.

 

In a nutshell: everything we know (or: tl;dr)

This is everything we know:

  • Many JKA servers are being hit by DDoS attacks
  • ALL of these servers are signed up for GameTracker
  • Many owners of servers for other games that are vulnerable to the same attack have noticed the same thing, and posted about it on GameTracker's forums
  • DDoS attacks cause extreme lag and can, in some cases, take a server offline
  • Every server that stopped using GameTracker and got a new IP/Port stopped being targeted by these DDoS attacks

Security advisory

Here's JKHub's advice: do not use GameTracker. You may be able to use GameTracker without any problems, since:

  • Your server owner may have taken sufficient measures to prevent DDoS attacks
  • Your server might be too powerful to notice much of the attack

...but even if you don't have any problems, we still recommend that you don't use GameTracker. It's really as simple as that; don't be on GameTracker and you will not be targeted by these DDoS attacks.

 

But I'm already using GameTracker!

If you're already using GameTracker, here's what you should do, particularly if you're experiencing high levels of (intermittent) lag:

  • First off, get rid of your GameTracker account so your server is no longer listed there
  • Since we don't know how the attacker(s) store IPs, or how often they refresh their list, the easiest method is to use a new IP or port for your server if possible. Most game server providers will oblige if you submit a ticket requesting that. The attacks may stop after a while even if you don't, though.

For game server providers or people who manage their own dedicated server/VPS, both ServerArk and Shorewall are worth looking into as methods of being less vulnerable to these attacks.

 

So in conclusion...

...Don't use GameTracker. If you are experiencing DDoS attacks, get off GameTracker.

 

 

Update: FAQ

Here's some frequently asked questions about these attacks.

 

Q: So, are attackers using GameTracker to find their targets, or does GameTracker open servers up to this exploit somehow?

A: The former; attackers are using GameTracker to find their targets. We're very very certain about it.

 

Q: My server is not listed on GameTracker and it was hit by a (D)DoS anyway! What gives?

A: It is entirely possible to be attacked by a (D)DoS without being listed on GameTracker. However, attackers are targeting servers using GameTracker on a large scale, in a manner that's far more impersonal than any attack aimed specifically at your server. Not being on GameTracker does not make you invulnerable, it just very drastically reduces the chances of you being hit by a DDoS.

 

Q: Is this related to the Rcon DoS exploit that was fixed on aluigi.org aaaages ago?

A: No. That is a different exploit entirely, and applying the patch for it will not protect your server from the current exploit.

 

Q: Is there a fix for this?

A: There are several snippets of code floating around in attempts to mitigate it, but all of them come with their own exploits and problems, such as the possibility for an attacker to arbitrarily remove your server from the master server list, or even the fix itself removing your server from the master server list.

 

Q: Why can't common mods just create a fix and release it?

A: It's not quite as simple as that. The problem here lies with a fundamental flaw in the way the Q3 engine handles networking. It's not possible to release a fix without completely reinventing all of JKA's networking and introducing massive potential compatibility problems. We are looking into one possibility that would work, but it's a massive undertaking, and unlikely to be released anytime soon.

 

Q: Are you certain it's not just a coincidence that servers that are on GameTracker are being targeted?

A: Yes.

 

Q: Does JKHub have anything against GameTracker?

A: Of course not. I think it's a great service. But the fact remains that, at this time, JKA servers using GameTracker are being targeted by DDoS attacks on a rather large scale.

 

Q: I have root access to my own server! Is there anything I can do against this?

A: There are several ways to mitigate the problem, but they come with the same drawbacks I mentioned in the fourth question. For now, however, they're probably your best bet. On Linux, you can use iptables rules to block this - I'd be happy to help with it if you PM me. I don't have enough knowledge about Windows Server to help there, but it should still be possible as well. Here is an example of such iptables rules. The last two lines are currently untested:

 

# Basic UDP flood prevention in iptables. Courtesy of Soh Raun.
# These go at the beginning of the INPUT chain (-A appends; use -I INPUT instead if the chain already holds rules that would accept this traffic first).
# Rule 1: record the source of every bare 'getstatus' query (41-42 byte packet: headers, the 0xFFFFFFFF prefix and the keyword) in the jka_getstatus list.
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 41:42 -m string --algo bm --from 32 --to 41 --string 'getstatus' -m recent --set --name jka_getstatus
# Rule 2: drop UDP traffic from any source that has 5 or more hits in the jka_getstatus list within the last second.
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
# Rules 3 and 4: the same for 'getinfo' (39-40 byte packet). These two are currently untested.
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 39:40 -m string --algo bm --from 32 --to 39 --string 'getinfo' -m recent --set --name jka_getinfo
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP
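To make the behaviour of those rules concrete, here is a Python model of the `recent`-based rate limit they implement, run over a constructed packet trace. This is an added example written for this page, not code from JKHub, Soh Raun or any JKA mod; the addresses, timestamps and payloads are constructed sample data, and nothing here calls iptables. The model mirrors the rules' semantics: the string/length rules record one hit per source for each bare getstatus or getinfo query, and the `recent --update --hitcount 5 --seconds 1` rules drop every UDP packet from a source that has 5 or more hits in the last second (so the fifth query in a one-second burst, and everything after it while the source stays over the threshold, is dropped).

```python
"""Python model of the getstatus/getinfo rate limit in the iptables rules above.

Added example, not code from the advisory or from any JKA mod. Packets,
addresses and timestamps are constructed sample data; nothing here touches
iptables.
"""
from collections import defaultdict, deque

OOB_PREFIX = b"\xff\xff\xff\xff"   # Quake 3 out-of-band packet marker
WINDOW_SECONDS = 1.0               # -m recent --seconds 1
HITCOUNT = 5                       # -m recent --hitcount 5
LIST_LEN = 20                      # xt_recent ip_pkt_list_tot default

# The iptables rules match on whole IP packet length (41:42 and 39:40).
# Subtracting the 20-byte IPv4 header and 8-byte UDP header gives the UDP
# payload lengths they accept: prefix + keyword, optionally one extra byte
# (e.g. a trailing newline).
QUERY_PAYLOAD_LENGTHS = {
    b"getstatus": (13, 14),
    b"getinfo": (11, 12),
}


def classify_query(payload):
    """Return b'getstatus' or b'getinfo' when the payload is exactly the kind
    of bare query the string/length rules match, otherwise None."""
    if not payload.startswith(OOB_PREFIX):
        return None
    for keyword, (low, high) in QUERY_PAYLOAD_LENGTHS.items():
        # --from 32 --to 41/39: the keyword sits right after the 4-byte prefix
        if payload[4:4 + len(keyword)] == keyword and low <= len(payload) <= high:
            return keyword
    return None


class RecentList:
    """One named xt_recent list: a per-source deque of hit timestamps."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=LIST_LEN))

    def set(self, src, now):
        """--set: add the source (or refresh it) with a new hit timestamp."""
        self.hits[src].append(now)

    def update_hitcount(self, src, now):
        """--update --seconds W --hitcount N: True if the source is listed and
        has at least N hits inside the window; a match also records a hit."""
        if src not in self.hits:
            return False
        in_window = sum(1 for t in self.hits[src] if now - t <= WINDOW_SECONDS)
        if in_window >= HITCOUNT:
            self.hits[src].append(now)
            return True
        return False


def filter_trace(packets):
    """Run (timestamp, source, udp_payload) tuples through the four rules in
    order and return one verdict ('ACCEPT' or 'DROP') per packet, in time order."""
    lists = {b"getstatus": RecentList(), b"getinfo": RecentList()}
    verdicts = []
    for now, src, payload in sorted(packets, key=lambda p: p[0]):
        kind = classify_query(payload)
        if kind is not None:
            lists[kind].set(src, now)          # rules 1 and 3
        # Rules 2 and 4 apply to every UDP packet on the port range, so a
        # source over the threshold loses all its traffic until it goes quiet.
        dropped = any(lst.update_hitcount(src, now) for lst in lists.values())
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


GETSTATUS = OOB_PREFIX + b"getstatus"
GETINFO = OOB_PREFIX + b"getinfo"

# Constructed trace: one source fires 8 getstatus queries in 0.35 s, a second
# source sends one normal getstatus and one getinfo, then the first source
# returns after being quiet for more than a second.
SAMPLE_TRACE = (
    [(i * 0.05, "198.51.100.7", GETSTATUS) for i in range(8)]
    + [(0.10, "203.0.113.9", GETSTATUS), (0.45, "203.0.113.9", GETINFO)]
    + [(2.00, "198.51.100.7", GETSTATUS)]
)

if __name__ == "__main__":
    ordered = sorted(SAMPLE_TRACE, key=lambda p: p[0])
    for (now, src, payload), verdict in zip(ordered, filter_trace(SAMPLE_TRACE)):
        print(f"{now:5.2f}s {src:15} {classify_query(payload).decode():9} {verdict}")
```

Running it shows the first four queries from the bursting source accepted, the fifth through eighth dropped, the second source untouched, and the first source accepted again once it has been quiet for over a second. It also makes the drawback the FAQ describes visible: the limit keys on whatever source address the packet carries, so any single address that legitimately polls faster than four queries per second (a tracker or master server, for instance) is cut off just the same, which is how a mitigation like this can end up removing a server from a list.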

 


By Caelum, in Community News



User Feedback



Hmmmm...very interesting. I don't think I could have ever drawn that connection. It does make sense, though. Good work, coders and server gurus!


Interesting...so are you suggesting that using GameTracker is making some kind of opening? Or simply that the attacker(s) is using the GameTracker list to find targets?

 

Either way, it seems a pretty far-fetched way to make DDoS attacks. I can't help but wonder if it is this scenario:


A graph which proves that the decrease in the number of pirates is responsible for the increase in global temperature.

Found out how they do it, you have. What to do about it, you do not know yet. Find the answers, you must. At its source, the resolution of this problem is.


Easy nothing is in life. Yet, strive for success we all should and must. Instead of explaining why easy it will be not, already good news you should have.


Although there can never be a true cure for DDoS, the coder team here is discussing some sort of protocol in order to prevent DDoS attacks. Stay tuned.


Very strange. So the person(s) got it from GameTracker? Hmm...Hopefully it wasn't one of their rivals or something, I do kinda feel bad for them.

 

But I did like GT's idea of server ranking and stats, though...maybe someone here can come up with a page/site that we can list our servers on for similar purposes without the vulnerabilities?

 

I'm gonna try removing my servers from GT and see what happens :o


Hmmm. Would DDoSers really need this to find targets? Could they just go to the server's website to get the same info? Or is there some special info on GT?

Hmmm. Would DDoSers really need this to find targets? Could they just go to the server's website to get the same info? Or is there some special info on GT?

I think the implication is that the attacks are not against any particular groups, and that they are just attacking all the IPs in the GT list.


Hmmm. Would DDoSers really need this to find targets? Could they just go to the server's website to get the same info? Or is there some special info on GT?

 

Some of my friends who haven't got their servers on GT are under attack too.

 

Idk about special info on GT just that recently a lot of people had complained about their server changing gametypes everyday due to some incorrect SteamID thing and JKA was one of them.


Wait a moment...but some servers are added by random people who have a GT account! So those renting it wouldn't have a clue...and what if someone keeps adding them back to GT ? D:


Wait a moment...but some servers are added by random people who have a GT account! So those renting it wouldn't have a clue...and what if someone keeps adding them back to GT ? D:

As I recall, you have to confirm you own it with a server setting or other.


As I recall, you have to confirm you own it with a server setting or other.

 

You can add a server without being the owner just that they will be unclaimed.

 

I have a server on GT that I haven't claimed but that one was attacked too. To delete a server you have to claim it but there's no stopping others from re-adding it.

Guest Ory'Hara

It's weird, whoever is behind this latest attack today definitely has a decent chunk of power. Daj's main RP has been affected, EK earlier was affected, z3n's and legends servers went down for a while. I'm guessing at least half of the JKA community felt this or has been affected in some way.

A major contributing factor to this particular attack is that the response packet is magnitudes larger than the request packet. About 40 times larger?

Just about every Q3-based game server is vulnerable, but the attacker(s) are only gathering targets via GT at the moment.


Well, it might be another DDoSer. There are many of them out there; it doesn't necessarily have to be the GT one.


Or they've moved on to a broader range of targets. Just putting it out there, in case it helps keep track of these guys.


It would be terrible if they used the master list or xfire D:

 

A coder helped make my servers unresponsive to getstatus, but I really don't want to take that path permanently.
