Recent DDoS attacks
Over the past few months, an unusually large number of JKA servers have been getting hit by DoS and DDoS attacks. The main symptom of this is extreme lag. Today, we figured out what's going on, and why.
What is a (D)DoS?
A DoS, or Denial of Service attack, is a kind of attack that works by flooding a server. Essentially, you spam a server with connections or requests in order to either saturate its bandwidth (making it unable to serve actual visitors because all the bandwidth is being consumed by the attacker's traffic) or make it run out of processing resources. Game servers are particularly vulnerable, since you don't even have to make the entire server unusable; you can just make it so laggy it becomes impossible to comfortably play on it.
A DDoS is a type of DoS where the attacker is not a single machine, but rather several machines controlled by a central one. Usually, these machines are the computers of people infected with malware that turns them into so-called botnet zombies.
Here's a graphic to illustrate, courtesy of Wikipedia:
The DDoS in question has been increasingly common on JKA. Many servers have been hit by it to date, including names such as JAWA, To and EK. There's even a thread about it here. We've been trying to devise a way to make JKA servers less vulnerable to it, but so far, we've had little luck. Today, we noticed a pattern (due credit to SiLink for thinking of the possibility): every server that's been hit by DDoS attacks so far has been using GameTracker. In particular, in JAWA's case, the DDoS attacks only started happening within days of signing up for GameTracker.
What's a GameTracker?
GameTracker is a website that offers server trackers. You've probably seen them before. Here's an example:
GameTracker offers convenient lists of every server using their website and running a specific game, like this one for JKA: http://www.gametrack...om/search/swjk/
In a nutshell: everything we know (or: tl;dr)
This is everything we know:
- Many JKA servers are being hit by DDoS attacks
- ALL of these servers are signed up for GameTracker
- Many owners of servers for other games that are vulnerable to the same attack have noticed the same thing, and posted about it on GameTracker
- DDoS attacks cause extreme lag and can, in some cases, take a server offline
- Every server that stopped using GameTracker and got a new IP/Port stopped being targeted by these DDoS attacks
Here's JKHub's advice: do not use GameTracker. You may be able to use GameTracker without any problems, since:
- Your server owner may have taken sufficient measures to prevent DDoS attacks
- Your server might be too powerful to notice much of the attack
...but even if you don't have any problems, we still recommend that you don't use GameTracker. It's really as simple as that; don't be on GameTracker and you will not be targeted by these DDoS attacks.
But I'm already using GameTracker!
If you're already using GameTracker, here's what you should do, particularly if you're experiencing high levels of (intermittent) lag:
- First off, get rid of your GameTracker account so your server is no longer listed there
- Since we don't know how the attacker(s) store IPs, or how often they refresh their list, the easiest method is to use a new IP or port for your server if possible. Most game server providers will oblige if you submit a ticket requesting that. The attacks may stop after a while even if you don't, though.
So in conclusion...
...Don't use GameTracker. If you are experiencing DDoS attacks, get off GameTracker.
Here are some frequently asked questions about these attacks.
Q: So, are attackers using GameTracker to find their targets, or does GameTracker open servers up to this exploit somehow?
A: The former; attackers are using GameTracker to find their targets. We're very, very certain about it.
Q: My server is not listed on GameTracker and it was hit by a (D)DoS anyway! What gives?
A: It is entirely possible to be attacked by a (D)DoS without being listed on GameTracker. However, attackers are targeting servers using GameTracker on a large scale, in a manner that's far more impersonal than any attack aimed specifically at your server. Not being on GameTracker does not make you invulnerable; it just very drastically reduces the chances of you being hit by a DDoS.
Q: Is this related to the Rcon DoS exploit that was fixed on aluigi.org aaaages ago?
A: No. That is a different exploit entirely, and applying the patch for it will not protect your server from the current exploit.
Q: Is there a fix for this?
A: There are several snippets of code floating around in attempts to mitigate it, but all of them come with their own exploits and problems, such as the possibility for an attacker to arbitrarily remove your server from the master server list, or even the fix itself removing your server from the master server list.
Q: Why can't common mods just create a fix and release it?
A: It's not quite as simple as that. The problem here lies with a fundamental flaw in the way the Q3 engine handles networking. It's not possible to release a fix without completely reinventing all of JKA's networking and introducing massive potential compatibility problems. We are looking into one possibility that would work, but it's a massive undertaking, and unlikely to be released anytime soon.
Q: Are you certain it's not just a coincidence that servers that're on GameTracker are being targeted?
Q: Does JKHub have anything against GameTracker?
A: Of course not. I think it's a great service. But the fact remains that, at this time, JKA servers using GameTracker are being targeted by DDoS attacks on a rather large scale.
Q: I have root access to my own server! Is there anything I can do against this?
A: There are several ways to mitigate the problem, but they come with the same drawbacks I mentioned in the fourth question. For now, however, they're probably your best bet. On Linux, you can use iptables rules to block this - I'd be happy to help with it if you PM me. I don't have enough knowledge about Windows Server to help there, but it should still be possible as well. Here is an example of such iptables rules. The last two lines are currently untested:
#Basic UDP flood prevention in IPTables. Courtesy of Soh Raun. These go at the beginning of the INPUT chain.
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 41:42 -m string --algo bm --from 32 --to 41 --string 'getstatus' -m recent --set --name jka_getstatus
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 39:40 -m string --algo bm --from 32 --to 39 --string 'getinfo' -m recent --set --name jka_getinfo
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP
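To make it clear what those four rules actually do to traffic, here is an added Python model of them. It is not JKHub's, Soh Raun's or any mod's code; it replays a constructed stream of UDP packets (made-up addresses, timestamps and payloads) through the same checks in the same order. It shows the arithmetic behind --length 41:42 / --from 32 (a 20-byte IPv4 header, an 8-byte UDP header, then the four 0xFF bytes that prefix every Q3 engine out-of-band query) and uses a simplified version of the recent module's bookkeeping: --set records a hit for the source, --update matches once five or more hits fall inside the last second. One thing the sample makes visible is that the DROP rules are not restricted to query packets, so once a source is over the limit, all of its UDP traffic to the port range is dropped until the window passes.

```python
"""Model of the JKA getstatus/getinfo rate-limit rules (added example, not the page's own code).

Simplifications: the xt_recent hit cap per address and the timestamp refresh that
--update performs are ignored; only what decides ACCEPT vs DROP is modelled.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

IP_UDP_HEADER_LEN = 20 + 8            # IPv4 header (no options) + UDP header
Q3_OOB_PREFIX = b"\xff\xff\xff\xff"   # marker on every Q3 engine out-of-band packet
DPORTS = range(29070, 29081)          # --dport 29070:29080 (inclusive range)
WINDOW = 1.0                          # --seconds 1
HITCOUNT = 5                          # --hitcount 5

# (min_len, max_len, pattern, from_offset, to_offset, recent list name), in rule order
SET_RULES = [
    (41, 42, b"getstatus", 32, 41, "jka_getstatus"),
    (39, 40, b"getinfo",   32, 39, "jka_getinfo"),
]

Packet = Tuple[float, str, int, bytes]   # (time in seconds, source IP, dest port, UDP payload)


def oob(command: bytes) -> bytes:
    """Build a Q3 out-of-band query payload, e.g. oob(b'getstatus')."""
    return Q3_OOB_PREFIX + command


def on_wire(payload: bytes) -> bytes:
    """What the length and string matches see: IP + UDP headers, then the payload.
    Header contents play no part in these rules, so they are zero-filled."""
    return bytes(IP_UDP_HEADER_LEN) + payload


def set_rule_matches(pkt: bytes, min_len: int, max_len: int, pattern: bytes, start: int, end: int) -> bool:
    """-m length --length min:max  and  -m string --from start --to end --string pattern."""
    return min_len <= len(pkt) <= max_len and pattern in pkt[start:end + 1]


class RecentList:
    """Minimal model of one xt_recent list: hit timestamps per source address."""

    def __init__(self) -> None:
        self.hits: Dict[str, List[float]] = defaultdict(list)

    def set(self, src: str, now: float) -> None:
        """-m recent --set: record a hit for this source."""
        self.hits[src].append(now)

    def over_limit(self, src: str, now: float) -> bool:
        """-m recent --update --seconds WINDOW --hitcount HITCOUNT."""
        recent = [t for t in self.hits.get(src, []) if now - t <= WINDOW]
        return len(recent) >= HITCOUNT


def filter_packets(packets: List[Packet]) -> List[str]:
    """Return the verdict ("ACCEPT" or "DROP") the four rules give each packet."""
    lists = {name: RecentList() for *_, name in SET_RULES}
    verdicts = []
    for now, src, dport, payload in packets:
        if dport not in DPORTS:            # rules only look at the JKA port range
            verdicts.append("ACCEPT")
            continue
        pkt = on_wire(payload)
        verdict = "ACCEPT"
        for min_len, max_len, pattern, start, end, name in SET_RULES:
            if set_rule_matches(pkt, min_len, max_len, pattern, start, end):
                lists[name].set(src, now)  # --set rule: no target, packet continues
            if lists[name].over_limit(src, now):
                verdict = "DROP"           # --update rule with -j DROP
                break
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
FLOODER, PLAYER = "203.0.113.5", "198.51.100.7"
SAMPLE_PACKETS: List[Packet] = [
    (0.00, FLOODER, 29070, oob(b"getstatus")),
    (0.05, FLOODER, 29070, oob(b"getstatus")),
    (0.10, FLOODER, 29070, oob(b"getstatus")),
    (0.15, FLOODER, 29070, oob(b"getstatus")),
    (0.20, FLOODER, 29070, oob(b"getstatus")),   # 5th hit inside one second: dropped
    (0.25, FLOODER, 29070, oob(b"getstatus")),
    (0.30, PLAYER,  29070, oob(b"getstatus")),   # a single query from elsewhere
    (0.32, FLOODER, 29070, oob(b"getstatus")),
    (0.33, PLAYER,  29070, oob(b"getinfo")),
    (0.35, FLOODER, 29070, oob(b"getstatus")),
    (0.40, PLAYER,  27960, oob(b"getstatus")),   # port outside 29070:29080, rules skip it
    (0.80, FLOODER, 29070, b"\x00\x01\x02\x03in-game update"),  # not a query, still dropped
    (2.00, FLOODER, 29070, oob(b"getstatus")),   # window has expired, accepted again
]

if __name__ == "__main__":
    for (now, src, dport, payload), verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"t={now:4.2f} {src:>13}:{dport} len={len(on_wire(payload)):2d} {verdict}")
```

Four queries per second from one address get through and the fifth onwards is dropped, which is the intended effect; the in-game packet at t=0.80 being dropped is the side effect to keep in mind if a legitimate player shares an address (for example behind NAT) with whatever is querying the server.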