Security advisory: recent DDoS attacks

Recent DDoS attacks

Over the past few months, an unusually large number of JKA servers have been hit by DoS and DDoS attacks. The main symptom is extreme lag. Today we worked out what is going on, and why.

What is a (D)DoS?

A DoS, or Denial of Service attack, works by flooding a server. Essentially, you spam a server with packets or requests in order to either saturate its bandwidth (so it cannot serve real visitors, because the attacker's traffic is consuming all of it) or exhaust its processing resources. Game servers are particularly vulnerable, since you don't even have to make the server entirely unusable; you only have to make it so laggy that it becomes impossible to play on comfortably.

A DDoS (Distributed Denial of Service) is a DoS where the attack comes not from a single machine but from many machines controlled by a central one. Usually these are ordinary computers infected with malware that turns them into so-called botnet zombies.

Here's a graphic to illustrate, courtesy of Wikipedia:

[Image: Wikipedia's DDoS diagram, not reproduced here]

The pattern

The DDoS in question has been increasingly common on JKA. Many servers have been hit by it to date, including names such as JAWA, To and EK. There's even a thread about it here. We've been trying to devise a way to make JKA servers less vulnerable to it, but so far we've had little luck. Today we noticed a pattern (due credit to SiLink for thinking of the possibility): every server that has been hit by these DDoS attacks so far has been using GameTracker. In JAWA's case in particular, the DDoS attacks started within days of signing up for GameTracker.

What's a GameTracker?

GameTracker is a website that offers server trackers. You've probably seen them before. Here's an example:

[Image: an example GameTracker server banner]

GameTracker offers convenient lists of every server on their site that runs a specific game, like this one for JKA: http://www.gametrack...om/search/swjk/

As I said before, every server that's been hit by these DDoS attacks was signed up for GameTracker. On GameTracker's own forums there are several threads about it as well.

In a nutshell: everything we know (or: tl;dr)

This is everything we know:

  • Many JKA servers are being hit by DDoS attacks
  • ALL of these servers are signed up for GameTracker
  • Owners of servers for other games vulnerable to the same attack have noticed the same thing and posted about it on GameTracker's forums
  • DDoS attacks cause extreme lag and can, in some cases, take a server offline
  • Every server that stopped using GameTracker and got a new IP/port stopped being targeted by these DDoS attacks

Security advisory

Here's JKHub's advice: do not use GameTracker. You may be able to use GameTracker without noticing any problems, since:

  • Your hosting provider may have taken sufficient measures against DDoS attacks
  • Your server might be powerful enough not to notice much of the attack

...but even if you don't have any problems, we still recommend that you don't use GameTracker. It really is as simple as that: stay off GameTracker and you will not be targeted by these DDoS attacks.

But I'm already using GameTracker!

If you're already using GameTracker, here's what you should do, particularly if you're experiencing high levels of (intermittent) lag:

  • First, delete your GameTracker account so your server is no longer listed there
  • Since we don't know how the attacker(s) store IPs, or how often they refresh their list, the easiest method is to move your server to a new IP or port if possible. Most game server providers will oblige if you submit a ticket requesting it. The attacks may stop after a while even if you don't, though.

For game server providers, or people who manage their own dedicated server/VPS, both ServerArk and Shorewall are worth looking into as ways of making a server less vulnerable to these attacks.

So in conclusion...

...Don't use GameTracker. If you are experiencing DDoS attacks, get off GameTracker.

Update: FAQ

Here are some frequently asked questions about these attacks.

Q: So, are attackers using GameTracker to find their targets, or does GameTracker open servers up to this exploit somehow?

A: The former; attackers are using GameTracker to find their targets. We're very certain of it.

Q: My server is not listed on GameTracker and it was hit by a (D)DoS anyway! What gives?

A: It is entirely possible to be hit by a (D)DoS without being listed on GameTracker. However, attackers are targeting servers listed on GameTracker on a large scale, in a manner that's far more impersonal than any attack aimed specifically at your server. Not being on GameTracker does not make you invulnerable; it just very drastically reduces the chances of being hit by one of these DDoS attacks.

Q: Is this related to the rcon DoS exploit that was fixed on aluigi.org ages ago?

A: No. That is a different exploit entirely, and applying the patch for it will not protect your server from the current attack.

Q: Is there a fix for this?

A: There are several snippets of code floating around that attempt to mitigate it, but all of them come with their own exploits and problems, such as letting an attacker arbitrarily remove your server from the master server list, or the fix itself removing your server from the master server list.

Q: Why can't common mods just create a fix and release it?

A: It's not quite as simple as that. The problem lies in a fundamental flaw in the way the Q3 engine handles networking: the server answers every getstatus/getinfo query it receives, with no rate limiting at all. It's not possible to release a fix without completely reinventing all of JKA's networking and introducing massive potential compatibility problems. We are looking into one possibility that would work, but it's a massive undertaking, and unlikely to be released anytime soon.

Q: Are you certain it's not just a coincidence that servers that're on GameTracker are being targeted?

A: Yes.

Q: Does JKHub have anything against GameTracker?

A: Of course not. I think it's a great service. But the fact remains that, at this time, JKA servers listed on GameTracker are being targeted by DDoS attacks on a rather large scale.

Q: I have root access to my own server! Is there anything I can do against this?

A: There are several ways to mitigate the problem, but they come with the same drawbacks mentioned in the fourth question. For now, however, they're probably your best bet. On Linux you can rate-limit the queries with iptables rules; I'd be happy to help with that if you PM me. I don't know Windows Server well enough to help there, but it should be possible as well. Here is an example of such iptables rules. They match the getstatus and getinfo queries by IP datagram length (20-byte IPv4 header + 8-byte UDP header + the 13-byte getstatus or 11-byte getinfo payload) and by the command name at offset 32, just past the four 0xFF bytes that open every connectionless packet, and then drop any further UDP packets on those ports from a source that has sent five or more such queries within one second. Note that a source which trips the limit stays dropped for as long as it keeps sending five or more packets per second. The last two lines are currently untested:

# Basic UDP flood prevention in iptables. Courtesy of Soh Raun. These go at the beginning of the INPUT chain.
# Record each getstatus query (IP total length 41-42, 'getstatus' at offset 32) per source address...
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 41:42 -m string --algo bm --from 32 --to 41 --string 'getstatus' -m recent --set --name jka_getstatus
# ...and drop further packets from any source that sent 5 or more of them in the last second
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
# Same for getinfo (IP total length 39-40, 'getinfo' at offset 32); these two are untested
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 39:40 -m string --algo bm --from 32 --to 39 --string 'getinfo' -m recent --set --name jka_getinfo
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP
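To check the numbers in those rules without a server at hand, here is an added example (not part of the original post, and not Soh Raun's rules themselves) that models them in Python: it builds the datagram the INPUT chain sees, applies the length, string and recent matches in rule order, and replays a constructed burst. The addresses, ports and timestamps are made up for the demonstration; the rate-limit logic follows xt_recent's behaviour, where --update only records a new hit once the hitcount has already been reached.

```python
"""Added example, not code from the JKHub post: a model of the iptables
rules above so their numbers can be checked offline. Addresses, ports
and timestamps are constructed for the demonstration."""
import struct
from collections import defaultdict

Q3_HDR = b"\xff\xff\xff\xff"   # every id Tech 3 connectionless packet starts with this
IPV4_HDR_LEN = 20              # no IP options
UDP_HDR_LEN = 8
SERVER_IP = "198.51.100.10"    # constructed game server address


def build_datagram(src, dst, sport, dport, payload):
    """IPv4 header + UDP header + payload, as xt_length and xt_string see it at
    the INPUT hook (offsets count from the first byte of the IP header).
    Checksums are left zero; none of the modelled matches read them."""
    total = IPV4_HDR_LEN + UDP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0)
    return ip + udp + payload


def q3_query(command):
    """`getstatus` gives a 13-byte payload, `getinfo` an 11-byte one."""
    return Q3_HDR + command.encode("ascii")


class RecentList:
    """Minimal model of xt_recent: one timestamp history per source address."""

    def __init__(self, max_stamps=20):            # kernel default ip_pkt_list_tot
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps

    def set(self, src, now):                       # --set
        self._stamp(src, now)

    def update(self, src, now, seconds, hitcount):  # --update --seconds --hitcount
        """Matches when src is listed with >= hitcount stamps inside the window.
        As in the kernel, a new stamp is recorded only when the rule matches,
        so a flooder keeps itself blocked while it keeps sending."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits >= hitcount:
            self._stamp(src, now)
            return True
        return False

    def _stamp(self, src, now):
        history = self.stamps[src]
        history.append(now)
        del history[:-self.max_stamps]


def input_chain(pkt, now, lists):
    """The four rules in order; anything not dropped falls through to an
    assumed ACCEPT policy."""
    src = ".".join(str(b) for b in pkt[12:16])
    dport = struct.unpack("!H", pkt[22:24])[0]
    total = len(pkt)
    if pkt[9] != 17 or not 29070 <= dport <= 29080:   # -p udp --dport 29070:29080
        return "ACCEPT"
    # -m length --length 41:42 -m string --from 32 --to 41 --string getstatus -m recent --set
    if 41 <= total <= 42 and b"getstatus" in pkt[32:41]:
        lists["jka_getstatus"].set(src, now)
    # -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
    if lists["jka_getstatus"].update(src, now, 1, 5):
        return "DROP"
    # -m length --length 39:40 -m string --from 32 --to 39 --string getinfo -m recent --set
    if 39 <= total <= 40 and b"getinfo" in pkt[32:39]:
        lists["jka_getinfo"].set(src, now)
    # -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP
    if lists["jka_getinfo"].update(src, now, 1, 5):
        return "DROP"
    return "ACCEPT"


def simulate(events):
    """events: (time_seconds, src_ip, dport, payload). Returns one verdict per event."""
    lists = {"jka_getstatus": RecentList(), "jka_getinfo": RecentList()}
    verdicts = []
    for t, src, dport, payload in events:
        pkt = build_datagram(src, SERVER_IP, 27960, dport, payload)
        verdicts.append(input_chain(pkt, t, lists))
    return verdicts


def demo_events():
    """Constructed traffic: a querier bursting 8 getstatus in 0.35 s, a normal
    client doing one getinfo then game traffic, and the querier again later."""
    flooder, client = "203.0.113.7", "192.0.2.5"
    events = [(i * 0.05, flooder, 29070, q3_query("getstatus")) for i in range(8)]
    events += [
        (0.40, client, 29070, q3_query("getinfo")),
        (0.45, client, 29070, b"\x01\x02\x03\x04\x05\x06"),   # in-game packet, not a query
        (0.50, flooder, 29070, q3_query("getchallenge")),     # non-query from the flooder
        (2.00, flooder, 29070, q3_query("getstatus")),        # window expired
    ]
    return events


if __name__ == "__main__":
    for (t, src, _, payload), verdict in zip(demo_events(), simulate(demo_events())):
        print(f"t={t:4.2f}s {src:>13} {payload!r:>28} -> {verdict}")
```

The replay shows the first four getstatus queries from one source accepted, the fifth and later dropped, a normal client's getinfo and game traffic untouched, a non-query packet from the flooder still dropped while its burst is within the one-second window, and the same source accepted again once the window has passed.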

 


By Caelum, in Community News,



User Feedback

Recommended Comments



JEDI was hit by an attack last night, but we aren't signed up with Gametracker.

If I recall, I saw JEDI on GT earlier. Someone must have put you guys on there at some point. I looked today, though, and you're no longer on there. If the attacker got your server IP and port from when you were on GT, and you never changed your port, that may be how the attack happened.

Link to comment

Yeah I just found out our head guy signed up on GT today after I told him about the post, only to find that someone else had signed up our server somewhere along the line and we weren't aware of it. He's taken care of it now.

Link to comment

To throw a random thought at you all, has anyone considered that, rather than a user or group using GT for the IPs, the code behind GT itself is causing this effect? A standard DoS can be done by a single source if it is constantly sending requests to the server for players/scores etc. It would only take one bit of bad coding in the request to spam the servers, which if busy could slow down your average game server!

Link to comment

The main siege servers Impulse and Tempest appear to have been hit by this as well. I can confirm that upon deleting them from GameTracker we are currently up and running at 100% again. Thanks for the info.

I'm currently investigating DDoS protection for Windows as all of our siege servers run on 2008 R2. I'll let you guys know what I come up with.

Also, this appears to have happened before with GameTracker. Their admins don't seem particularly helpful, and their response and apathy on that thread have led me to decide never to use GameTracker ever again.

EDIT: Here's the link http://www.gametracker.com/forums/forum.php?site=1&thread=64722
Link to comment

I'm currently investigating DDoS protection for Windows as all of our siege servers run on 2008 R2. I'll let you guys know what I come up with.

I'd appreciate that as I run 2008 R2 on my servers too.

Link to comment

Z3n got hit again, and dioxide got hit.

Any idea what other clans have been hit? Anything that stands out to you at all?

Link to comment

Hey guys!

First I want you to know that I'm not a JKA player, I only play JK2, but it's exactly the same problem there anyway.

Q: Why can't common mods just create a fix and release it?

A: It's not quite as simple as that. The problem here lies with a fundamental flaw in the way the Q3 engine handles networking. It's not possible to release a fix without completely reinventing all of JKA's networking and introducing massive potential compatibility problems. We are looking into one possibility that would work, but it's a massive undertaking, and unlikely to be released anytime soon.

The problem is that the server does not limit connectionless packets (getstatus, getinfo, ...) and answers as many as are requested.

The query is 13 bytes long and the answer is about 600 bytes long.

When I observed the attack live on my server I saw that the input was about 300KB/s - 1MB/s (which is ~30000 (!) queries per second).

The server tries to answer each and every query, which resulted in about 12.5 MB/s of output bandwidth.

It would be even more, but that's the maximum my server is allowed to send.

So I hooked SV_ConnectionlessPacket (see the quake3 source code) and implemented a limit on queries per IP per second.

Of course you will still have the input then (300KB/s - 1MB/s), so this only helps on root servers and not if you are hosting your server at home.

I've tested it a lot now and it really works.

But the fix is only available for JK2 1.04 (windows, linux) and 1.02 (linux) at the moment. If enough people are interested I'm going to make another one for JKA.

http://jk2.ouned.de/jk2mf/

ouned :)

Link to comment
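To put the figures in that post (a 13-byte query, a reply of roughly 600 bytes, and the reflection reading given further down the thread) into something you can run against your own server's reply, here is an added example in Python; it is not ouned's patch and not engine code. It builds the getstatus query, parses a statusResponse in the id Tech 3 layout (four 0xFF bytes, "statusResponse\n", a backslash-separated info string, then one `score ping "name"` line per player) and reports the reply-to-query ratio. The sample server reply is constructed, not captured; the cvar names in it are ordinary JKA server cvars used only as filler, and the player names are invented.

```python
"""Added example, not ouned's code or the engine's: build a Quake 3 style
getstatus query, parse a statusResponse, and measure how many reply bytes one
query buys an attacker who spoofs the victim's address as the source."""

Q3_HDR = b"\xff\xff\xff\xff"
STATUS_TAG = b"statusResponse\n"


def getstatus_query(challenge=None):
    """13 bytes without a challenge, which is the form a flood tool sends."""
    query = Q3_HDR + b"getstatus"
    if challenge:
        query += b" " + challenge.encode("ascii")
    return query


def parse_status_response(data):
    """Return (cvars, players) from a statusResponse datagram."""
    if not data.startswith(Q3_HDR + STATUS_TAG):
        raise ValueError("not a statusResponse packet")
    body = data[len(Q3_HDR) + len(STATUS_TAG):].decode("latin-1")
    info_line, *player_lines = body.split("\n")
    fields = info_line.split("\\")[1:]            # the info string opens with a backslash
    cvars = dict(zip(fields[0::2], fields[1::2]))
    players = []
    for line in player_lines:
        if not line:
            continue
        score, ping, name = line.split(" ", 2)   # name is quoted and may contain spaces
        players.append((int(score), int(ping), name.strip('"')))
    return cvars, players


def build_sample_response(n_players):
    """Constructed reply resembling a JKA server's; not captured traffic."""
    info = {
        "sv_hostname": "Sample JKA server", "mapname": "mp/ffa3", "g_gametype": "0",
        "sv_maxclients": "32", "version": "JAmp: v1.0.1.0 linux-i386 Nov 10 2003",
        "gamename": "basejka", "protocol": "26", "fraglimit": "20", "timelimit": "0",
        "sv_privateClients": "0", "g_needpass": "0", "sv_allowDownload": "0",
    }
    info_line = "".join(f"\\{k}\\{v}" for k, v in info.items())
    players = "".join(f'{3 * i} {40 + i} "Player{i}"\n' for i in range(n_players))
    return Q3_HDR + STATUS_TAG + (info_line + "\n" + players).encode("latin-1")


def amplification(query, reply):
    """Reply bytes per query byte: what one reflector hands the attacker."""
    return len(reply) / len(query)


def reflected_rate(queries_per_second, reply):
    """Bytes per second the server would push at the spoofed source before
    its uplink caps it (the post above saw that cap at 12.5 MB/s)."""
    return queries_per_second * len(reply)


if __name__ == "__main__":
    query = getstatus_query()
    for n in (0, 16):
        reply = build_sample_response(n)
        cvars, players = parse_status_response(reply)
        print(f"{len(players):2d} players on {cvars['mapname']}: query {len(query)} B, "
              f"reply {len(reply)} B, amplification x{amplification(query, reply):.1f}, "
              f"{reflected_rate(30000, reply) / 1e6:.1f} MB/s at 30000 queries/s")
```

The ratio grows with the player list, so a full server is the more attractive reflector, which matches the observation in the thread that the busiest servers were hit first. The same parser is what you would point at your own server to see exactly how many bytes each unsolicited query costs you.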

@eezstreet THIS IS WHAT I WAS TALKING ABOUT. I'm glad at least @ouned gets it.

@Caelum doesn't get it either

Also ouned, you can just give us(me) the source code and we(I) can convert it to JKA. If you don't feel like making it yourself, that is. Whatever floats your boat.

Link to comment
Guest Ory'Hara

Posted

It would help in terms of security, plus I like the idea of having a mod that'll block battlescripts (aimbots and all).

As for pro hackers, there's not much in the way of that. I for one would like to see this mod in JKA :)

Link to comment

@ouned's patch is a good stopgap measure against the same IP address attacking the server.

However two points:

  • If it's a Distributed Denial of Service attack, then the IPs will be very varied. This patch should decrease the impact a lot since each IP can only attack a certain number of times before becoming a useless attack source.
  • The UDP protocol is inherently unsafe and the source IP address can be spoofed easily behind a rogue ISP. This has been witnessed a lot in the past especially in the MBII community where every single packet sent had a different source address. (Totally arbitrary random IP addresses)

I think the patch will be a good solution in the meantime, but the hole is still there in the Q3 connectionless protocol and it might be only a matter of time until they figure out their way around it.

EDIT: I'm pretty sure they're utilising the servers on GameTracker to mount UDP Reflection Attacks using the many-times-larger-than-request response from getstatus to attack targets which they spoofed as the source. Thus they're using the JKA (and JK2, CoD 4, Q3, etc.) servers on GameTracker as a massive botnet to amplify data to a target.

Link to comment
EDIT: I'm pretty sure they're utilising the servers on GameTracker to mount UDP Reflection Attacks using the many-times-larger-than-request response from getstatus to attack targets which they spoofed as the source. Thus they're using the JKA (and JK2, CoD 4, Q3, etc.) servers on GameTracker as a massive botnet to amplify data to a target.

And that's why there would be no reason for them to use a different IP each time.

I'm aware of the fact that this fix is not a magic solution which blocks every single kind of attack, but it solves this specific kind of attack, and I'm pretty sure they don't want to destroy all q3 servers, they want to increase their bandwidth.

I don't think we are messing with some kind of "q3 haters", I think they are just using us to flood something else.

It would help in terms of security, plus I like the idea of having a mod that'll block battlescripts (aimbots and all).

Sorry, but I wasn't planning to port the whole JK2MF project to JK3 because that would take weeks of work.

I would make something small and new which just fixes this specific "bug" and nothing else.

Link to comment

Most of the attacks are on the servers most populated by users. Huge clans and such. The fuller the server, the more likely it will be noticed and targeted.

It's posts like these that make attacks get worse; you acknowledge them and they will continue. But as the OP says,

If you are experiencing DDoS attacks, get off GameTracker.

and if you aren't using GT and are still being attacked, then, well, godspeed.
Link to comment

I'd say the higher up your server was on GT, the faster it was attacked, because mine was 16th when I first noticed it. Then a month later those in the 150s got hit. Servers which have been empty for years (no kidding, years!) were attacked too, and they weren't on GT.

This is one of the few times I'm glad three of my servers have dynamic IPs xD

Link to comment

A few question, I have. How many servers are being attacked that are part of GT? And how many are being attacked that do not belong to GT? And which is most concerning, you think? Focus on the most problematic, I think you should. The more servers attacked, belonging or not to GT, should be the first concern, for appear to have the most people, they do.

Blame GT for these attacks, we cannot. Blame them for lack of support and apathy, however, we can. Displaying great uncare towards their customers, they are.

Link to comment


