
Security advisory: recent DDoS attacks


Recent DDoS attacks

Over the past few months, an unusually large number of JKA servers have been hit by DoS and DDoS attacks. The main symptom is extreme lag. Today, we figured out what's going on, and why.

 

What is a (D)DoS?

A DoS, or Denial of Service attack, works by flooding a server with traffic. Essentially, you spam requests at a server in order to either saturate its bandwidth (so it can't serve real visitors because all of the bandwidth is being eaten by the attacker) or make it run out of processing resources. Game servers are particularly vulnerable, since you don't even have to make the server completely unusable; making it so laggy that nobody can comfortably play on it is enough.

 

A DDoS (Distributed Denial of Service) is a DoS in which the attacker is not a single machine but many machines controlled by a central one. Usually these machines are the computers of people infected with malware that makes them part of a so-called botnet; the infected machines are called zombies.

 

Here's a graphic to illustrate, courtesy of Wikipedia:

[Image: Wikipedia diagram of a DDoS attack carried out through a botnet]

The pattern

This particular DDoS has become increasingly common on JKA. Many servers have been hit by it so far, including names such as JAWA, To and EK. There's even a thread about it here. We've been trying to devise a way to make JKA servers less vulnerable to it, but so far we've had little luck. Today we noticed a pattern (credit to SiLink for thinking of the possibility): every server that has been hit by these DDoS attacks so far was listed on GameTracker. In JAWA's case in particular, the attacks started within days of signing up for GameTracker.

 

What's a GameTracker?

GameTracker is a website that offers server trackers: live status banners for a server that you can embed on a forum or in a signature. You've probably seen them before. Here's an example:

[Image: example GameTracker server banner]

 

GameTracker offers convenient lists of every server using their website and running a specific game, like this one for JKA: http://www.gametrack...om/search/swjk/

 

As I said before, every server that's been hit by these DDoS attacks was signed up for GameTracker. On GameTracker's own forums, there are several threads about it as well.

 

In a nutshell: everything we know (or: tl;dr)

This is everything we know:

  • Many JKA servers are being hit by DDoS attacks
  • ALL of these servers are signed up for GameTracker
  • Owners of servers for other games that are vulnerable to the same attack have noticed the same thing and posted about it on GameTracker's forums
  • DDoS attacks cause extreme lag and can, in some cases, take a server offline
  • Every server that stopped using GameTracker and got a new IP/Port stopped being targeted by these DDoS attacks

Security advisory

Here's JKHub's advice: do not use GameTracker. You may be able to use GameTracker without any problems, since:

  • Your server host may have taken sufficient measures to absorb DDoS attacks
  • Your server might be powerful enough not to notice much of the attack

...but even if you don't have any problems, we still recommend that you don't use GameTracker. It's really as simple as that: stay off GameTracker and you will not be targeted by this wave of DDoS attacks.

 

But I'm already using GameTracker!

If you're already using GameTracker, here's what you should do, particularly if you're experiencing high levels of (intermittent) lag:

  • First off, get rid of your GameTracker account so your server is no longer listed there
  • Since we don't know how the attacker(s) store IPs, or how often they refresh their list, the easiest method is to use a new IP or port for your server if possible. Most game server providers will oblige if you submit a ticket requesting that. The attacks may stop after a while even if you don't, though.

For game server providers or people who manage their own dedicated server/VPS, both ServerArk and Shorewall are worth looking into as methods of being less vulnerable to these attacks.

 

So in conclusion...

...Don't use GameTracker. If you are experiencing DDoS attacks, get off GameTracker.

 

 

Update: FAQ

Here's some frequently asked questions about these attacks.

 

Q: So, are attackers using GameTracker to find their targets, or does GameTracker open servers up to this exploit somehow?

A: The former; attackers are using GameTracker to find their targets. We're very certain of this.

 

Q: My server is not listed on GameTracker and it was hit by a (D)DoS anyway! What gives?

A: It is entirely possible to be attacked by a (D)DoS without being listed on GameTracker. However, attackers are targeting servers using GameTracker on a large scale, in a manner that's far more impersonal than any attack aimed specifically at your server. Not being on GameTracker does not make you invulnerable, it just very drastically reduces the chances of you being hit by a DDoS.

 

Q: Is this related to the Rcon DoS exploit that was fixed on aluigi.org ages ago?

A: No. That is a different exploit entirely, and applying the patch for it will not protect your server from the current exploit.

 

Q: Is there a fix for this?

A: There are several snippets of code floating around in attempts to mitigate it, but all of them come with their own exploits and problems, such as the possibility for an attacker to arbitrarily remove your server from the master server list, or even the fix itself removing your server from the master server list.

 

Q: Why can't common mods just create a fix and release it?

A: It's not quite as simple as that. The problem lies with a fundamental flaw in the way the Q3 engine handles networking: the server answers out-of-band UDP queries such as getstatus and getinfo from any source address, with no handshake, so it has no way to tell a genuine query from a flood or a spoofed one. It's not possible to fix that without completely reinventing all of JKA's networking and introducing massive compatibility problems. We are looking into one possibility that would work, but it's a massive undertaking and unlikely to be released anytime soon.

 

Q: Are you certain it's not just a coincidence that servers that're on GameTracker are being targeted?

A: Yes.

 

Q: Does JKHub have anything against GameTracker?

A: Of course not. I think it's a great service. But the fact remains that, at this time, JKA servers using GameTracker are being targeted by DDoS attacks on a rather large scale.

 

Q: I have root access to my own server! Is there anything I can do against this?

A: There are several ways to mitigate the problem, but they come with the same drawbacks mentioned in the fourth question ("Is there a fix for this?"). For now, however, they're probably your best bet. On Linux you can use iptables rules to rate-limit the offending queries per source address; I'd be happy to help with it if you PM me. I don't know enough about Windows Server to help there, but it should be possible as well. Here is an example of such iptables rules. The last two lines (the getinfo rules) are currently untested:

 

# Basic UDP flood prevention in iptables. Courtesy of Soh Raun.
# These must be evaluated before any rule that ACCEPTs traffic to the game ports: -A appends,
# so add them before your ACCEPT rules (or insert them at the top of INPUT with -I, keeping this order).
# Rules 1-2 rate-limit getstatus, rules 3-4 getinfo, to 5 per second per source address.
# --length is the total IP packet length (20 IP + 8 UDP + 4 \xff\xff\xff\xff prefix + 9 "getstatus" = 41);
# --from 32 skips the IP header, UDP header and the 4-byte out-of-band prefix.
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 41:42 -m string --algo bm --from 32 --to 41 --string 'getstatus' -m recent --set --name jka_getstatus
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getstatus -j DROP
iptables -A INPUT -p udp --dport 29070:29080 -m length --length 39:40 -m string --algo bm --from 32 --to 39 --string 'getinfo' -m recent --set --name jka_getinfo
iptables -A INPUT -p udp --dport 29070:29080 -m recent --update --seconds 1 --hitcount 5 --name jka_getinfo -j DROP
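To see what those rules actually do to traffic before loading them on a live box, here is an added example (not from the original post, and not iptables code): a plain-Python model of the `-m recent --set` / `--update --seconds 1 --hitcount 5` semantics, run over constructed traffic consisting of one real player and one flooding source. The addresses are documentation-range placeholders and the class and function names are this example's own.

```python
"""Model of what the iptables rules above do to a stream of UDP datagrams.

Added example, not code from the original post or from the iptables project:
it reimplements the semantics of `-m recent --set` and
`-m recent --update --seconds 1 --hitcount 5 -j DROP` in plain Python so you
can predict which packets the rules would drop. The traffic in
sample_traffic() is constructed for the demonstration.
"""
from collections import defaultdict, deque

OOB = b"\xff\xff\xff\xff"              # Quake 3 out-of-band packet prefix
GETSTATUS = OOB + b"getstatus"         # the 13-byte query the flood uses
GETINFO = OOB + b"getinfo"
SECONDS = 1.0                          # --seconds 1
HITCOUNT = 5                           # --hitcount 5
PKT_LIST_TOT = 20                      # xt_recent ip_pkt_list_tot default


class RecentList:
    """Per-source timestamp list, as kept by the xt_recent kernel module."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: create the entry for src, or add another timestamp to it."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update: match when src already has >= hitcount timestamps inside
        the last `seconds`; on a match add a timestamp, so a source that is
        still flooding stays blocked. Unknown sources never match."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_packets(packets):
    """Apply the four rules, in order, to (time, src_ip, payload) tuples.

    Returns a list of (time, src_ip, verdict). The real rules string-match
    bytes 32..41 of the IP packet (after the 20-byte IP header, 8-byte UDP
    header and 4-byte OOB prefix); with the payload already separated out a
    prefix test is equivalent."""
    getstatus, getinfo = RecentList(), RecentList()
    verdicts = []
    for t, src, payload in packets:
        if payload.startswith(GETSTATUS):      # rule 1: --set jka_getstatus
            getstatus.set(src, t)
        if getstatus.update(src, t):           # rule 2: --update ... -j DROP
            verdicts.append((t, src, "DROP"))
            continue
        if payload.startswith(GETINFO):        # rule 3: --set jka_getinfo
            getinfo.set(src, t)
        if getinfo.update(src, t):             # rule 4: --update ... -j DROP
            verdicts.append((t, src, "DROP"))
            continue
        verdicts.append((t, src, "ACCEPT"))    # falls through to the rest of INPUT
    return verdicts


def sample_traffic():
    """Constructed one-second sample: a real player (198.51.100.7) who refreshes
    the server browser once and then plays, and a source (203.0.113.9) sending
    getstatus 20 times per second. In the real attack that second address is
    the spoofed address of the victim the server is being made to reflect at."""
    player, flood = "198.51.100.7", "203.0.113.9"
    packets = [(0.0, player, GETSTATUS)]
    packets += [(i / 30, player, b"\x00\x01gameplay") for i in range(1, 30)]
    packets += [(i / 20, flood, GETSTATUS) for i in range(20)]
    packets.sort(key=lambda p: p[0])
    return packets


def summarize(verdicts):
    """Per-source ACCEPT/DROP counts."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _t, src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, c in summarize(filter_packets(sample_traffic())).items():
        print(f"{src}: accepted {c['ACCEPT']}, dropped {c['DROP']}")
```

Two things the model makes visible. The player is never dropped: the `--update` rule only counts timestamps that the getstatus `--set` rule added, so ordinary gameplay packets from someone who queried once do not accumulate hits. And because the "source" of a reflected flood is the victim's spoofed address, dropping its queries is exactly what you want: it stops your server amplifying traffic towards the victim. Caveat for real deployments: xt_recent keeps at most `ip_list_tot` source entries per list (default 100, oldest evicted) and `--hitcount` cannot exceed `ip_pkt_list_tot` (default 20), both module parameters; a flood from many spoofed sources can churn a 100-entry list, so raise it when loading the module. The current contents of a list can be inspected in /proc/net/xt_recent/jka_getstatus.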

 


By Caelum, in Community News,




Recommended Comments



I don't think anyone is blaming GT or their services.. a lot of people do/did use them regularly including myself.

 

We can't prove the person/people behind this used GT as a way to list certain targets but there is definitely some correlation from what myself/Caelum brainstormed. The only reason it came up was because I signed JAWA up for GT a few days before this happened (Wouldn't matter if I did it months ago though).

 

But yeah, just to reiterate, nobody is blaming anyone... this is all pure speculation apart from the solutions offered.

Link to comment

Heh, I don't think it is primarily targeted at JKA since, if you've visited the few threads in the article, some poor COD people had been experiencing it for a full five months & JKA got attacked later.

 

My host (the only non dedi/VPS one) seems to think that the attacks were targeted at something else.

 

"The attack is not meant to crash your game server, but it is meant to attack others. In a reaction it also makes your game server hard accessible.

 

For example:

1. Attacker sends request to your game server.

2. Game server responds to www.mywebsite.com

 

The attacker sends requests to hundreds of game servers which takes down the website (www.mywebsite.com for example). In effect all those game servers get under high load as well and become hardly accessible."

 

I don't know how true this is but there's been complaints of slow server scanning/updating on GT. Poor souls (and us!).

Link to comment

I can agree with Mr. Stranger. The attack isn't aimed at disrupting JKA, but our servers are rather the vessel for the 'attacks' (on who currently seems to be random). Whoever, or whatever, is behind all of this is masking themselves with various IP addresses through some means, sending a request to our servers (only a few bytes large) and our servers return a response much greater in size to that IP. If our servers get a huge number of these requests, they'll attempt to respond in turn to the IP before it collapses under the load.

 

JP's server (and both EK and JAWA's) were taken down by our providers because of a complaint from a University that our servers were effectively attacking theirs. Why our servers are being used to attack a University I'd love to know.

Link to comment

JP's server (and both EK and JAWA's) were taken down by our providers because of a complaint from a University that our servers were effectively attacking theirs. Why our servers are being used to attack a University I'd love to know.

 

That is terrible! I hope you guys have found solutions or it was resolved. Goodness.

 

I was over at the MBII forums and someone had posted about having evidence that some (kids?) were part of attacks. I haven't got anything to say for them...

Link to comment

My DDoS attack:

 

2012-10-07 04:27:54 2012-10-07 04:28:27 188.165.214.107:29070 76.113.249.238:80

2012-10-07 04:28:27 2012-10-07 04:28:59 188.165.214.107:29070 76.113.249.238:80

2012-10-07 04:28:59 2012-10-07 04:29:30 188.165.214.107:29070 76.113.249.238:80

2012-10-07 04:29:32 2012-10-07 04:30:02 188.165.214.107:29070 76.113.249.238:80

 

76.113.249.238 was the target

Link to comment

I did that and it worked for an hour or bit, then the attacker(s) started switching to other random ports, sneaky little stinkers.

 

I'm using Windows at the moment.

 

But so far the server port change has been keeping things steady.

Link to comment

Hey guys,

 

As of late, my clan's JK2 server has been DDoS attacked. This has been going on for a week now, so I decided to have a crack at it. I banned the DDoS attacker's IPs. But that is not a good "solution", so I will describe a better one in more detail.

 

Let me recreate what I did, and how to fix it.

 

1.) Download Wireshark and install.

 

2.) Run wireshark and start capturing network activity for 60 seconds.

 

3.) Go through your network activity and identify the malicious connections. It should be instantly apparent, as the attack is using 2+ different servers to deliver hundreds of 13 byte UDP messages to port 28070 of your server. It will DEFINITELY be port 28070, as the attackers have confirmed it is open due to your server being listed on GameTracker.

 

4.) Upon observing the messages, you will notice two things. 1.) The datagram's data is 13 bytes long, every time. 2.) The data equals the string "getstatus".

 

As a temporary solution, I setup a firewall that bans the offending IPs, but let's explore a more permanent solution...

 

We know already that the DDoS attack consists of hundreds of 13 byte UDP messages of the string "getstatus". So, we want to block all incoming UDP messages with the data of "getstatus". Easy, right!? Nope, sorry. Hate to break it to you Windows folks, but you don't have the tools you need to do this….

 

If you are a Linux user, this is actually fairly easy with `iptables`, as illustrated in the original post. Unfortunately, most servers are on Windows.

 

SO WHAT CAN I DO!?!?!?!

 

Well, simple. You know how I told you to use Wireshark to capture 60 seconds of network activity? Well, now's where that comes in handy.

 

1.) You will have to save this capture as a `.winpcap` file (default format).

 

2.) Call up your ISP and have them permanently ban the offending IPs.

 

3.) Enjoy a fast server

 

BUT WHAT IF IT HAPPENS AGAIN WITH DIFFERENT IPS!?

 

This one is on me. I will be compiling a list of offending IPs and will do my best to figure out the source of the botnet. So, do the following:

 

1.) Post the offending IPs here: http://spiralnebulad...tnetprevention/

 

2.) Rinse, repeat steps 1-3 above.

 

GREAT, SO WHY SHOULD I REPORT MALICIOUS IPS TO THAT URL!?!?!?

 

Simple. For one, that URL will allow server owners to reject those IP addresses and prevent potential further DDoS attacks with those IPs. The goal here is to minimize vulnerabilities.

 

Additionally, it is my hope to be able to expose this nasty botnet for what it is. Hopefully I can figure out the afflicting program and how to counter it - perhaps report it to the police. This kind of thing is most certainly illegal.

Link to comment
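As an added example (not part of the comment above, and not a Wireshark feature), here is a standard-library Python reader for a classic .pcap file that does the triage step offline: it counts the 13-byte getstatus datagrams per source aimed at port 28070 and compares the bytes that arrived as queries with the bytes the server sent back in statusResponse replies, which is the amplification the earlier comments describe. The capture it reads is constructed inline with documentation addresses and zero checksums; SAMPLE_STATUS, SERVER_PORT and the function names are this example's own.

```python
"""Offline triage of a capture like the one described in the comment above.

Added example, not code from the post: a minimal reader for classic libpcap
files (not pcapng) using only the standard library. It counts getstatus
datagrams per source and measures how much larger the server's replies are
than the queries. The capture in sample_capture() is constructed here.
"""
import struct
from collections import Counter
from ipaddress import ip_address

OOB = b"\xff\xff\xff\xff"
GETSTATUS = OOB + b"getstatus"         # 13 bytes, as seen in the capture
SERVER_PORT = 28070                    # JK2 default port from the comment

# Constructed server reply: info string, then one line per player.
SAMPLE_STATUS = (
    OOB + b"statusResponse\n"
    b"\\sv_hostname\\Example JK2 server\\mapname\\ffa_bespin"
    b"\\version\\JK2MP v1.04\\sv_maxclients\\16\\g_gametype\\0\n"
    + b"".join(b'%d %d "Player%d"\n' % (i * 3, 50 + i, i) for i in range(8))
)


def ipv4_udp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with zero checksums (constructed data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def pcap_bytes(records):
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def udp_datagrams(pcap):
    """Yield (ts, src, dst, sport, dport, payload) for each IPv4/UDP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # past the global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        src = str(ip_address(frame[26:30]))
        dst = str(ip_address(frame[30:34]))
        sport, dport, ulen = struct.unpack_from("!HHH", frame, 14 + ihl)
        payload = frame[14 + ihl + 8: 14 + ihl + ulen]
        yield sec + usec / 1e6, src, dst, sport, dport, payload


def triage(pcap, server_port=SERVER_PORT):
    """Return (getstatus count per source, query bytes in, reply bytes out)."""
    per_source = Counter()
    query_bytes = reply_bytes = 0
    for _ts, src, _dst, sport, dport, payload in udp_datagrams(pcap):
        if dport == server_port and payload == GETSTATUS:
            per_source[src] += 1
            query_bytes += len(payload)
        elif sport == server_port and payload.startswith(OOB + b"statusResponse"):
            reply_bytes += len(payload)
    return per_source, query_bytes, reply_bytes


def sample_capture():
    """Constructed capture: server 192.0.2.10, one real client refreshing the
    browser once, and two sources each sending 50 getstatus in half a second.
    In the actual attack those sources are spoofed victim addresses."""
    server, client = "192.0.2.10", "198.51.100.7"
    t0 = 1349584074.0
    records = [(t0, ipv4_udp_frame(client, server, 27960, SERVER_PORT, GETSTATUS)),
               (t0 + 0.001, ipv4_udp_frame(server, client, SERVER_PORT, 27960, SAMPLE_STATUS))]
    for n, attacker in enumerate(("203.0.113.9", "203.0.113.44")):
        for i in range(50):
            ts = t0 + 0.5 + i * 0.01 + n * 0.001
            records.append((ts, ipv4_udp_frame(attacker, server, 40000 + i, SERVER_PORT, GETSTATUS)))
            records.append((ts + 0.0005, ipv4_udp_frame(server, attacker, SERVER_PORT, 40000 + i, SAMPLE_STATUS)))
    records.sort(key=lambda r: r[0])
    return pcap_bytes(records)


if __name__ == "__main__":
    sources, q, r = triage(sample_capture())
    for src, n in sources.most_common():
        print(f"{src}: {n} getstatus")
    print(f"amplification: {r} bytes out for {q} bytes in ({r / q:.1f}x)")
```

On a real capture, save from Wireshark as pcap rather than its newer pcapng default and call `triage(open("capture.pcap", "rb").read())`; `tshark -r capture.pcap -Y 'udp.port == 28070 && udp contains "getstatus"' -T fields -e ip.src | sort | uniq -c` gives the same per-source count. One caveat before reporting the addresses you find to anyone: in a reflection attack like the one the earlier comments describe, the source addresses are the spoofed addresses of the victims, so banning them at your ISP silences the victim rather than the attacker. The per-source rate limit from the article is the better fix, because it stops the server from amplifying whatever address the queries claim to come from.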

You make a valid point. :\ Totally didn't occur to me. I wish iptables existed on windows. Honestly I reaaaally dislike windows. :]

Link to comment

How about this as a solution, guys. I will host my own private gametracker that up to 100 people can apply to be part of. The tracker will provide you with a server stats iframe for your site, and will update every 5 minutes. I might be willing to do some generated images too if requested for signatures and what not.

 

There will be no public list of servers that are registered, so no one will be able to have easy access to all the servers' IPs.

 

Good?

Link to comment

How about this as a solution, guys. I will host my own private gametracker that up to 100 people can apply to be part of. The tracker will provide you with a server stats iframe for your site, and will update every 5 minutes. I might be willing to do some generated images too if requested for signatures and what not.

 

There will be no public list of servers that are registered, so no one will be able to have easy access to all the servers' IPs.

 

Good?

But then how will people know what your server IP is :P?

That's like holding a sign saying "Party at my house" without giving your address.

Link to comment
There will be no public list of servers that are registered

Until someone goes in-game and clicks "get new list".

 

Obtaining the IP isn't the issue. Flooding the IP and having the server respond to each request is the issue.

Link to comment


