DDOSing Report

[AuriusPheonix]

Alrighty, so this is never pleasant, but it has to be done. I don't know the culprit, though if I can find out I will be returning to deliver that information, however there has recently been a huge increase in DDOS attacks across multiple servers in the NA region. AOD servers have been hit numerous times, as well as tR's Deathstar server. I'm not sure if it's possible to do something about it, but it has started to become a real nuisance.

 

[XAvi]

cant even play at this point

 

[Dorito]

I am afraid w o w has evolved into a force we can no longer stop...

 

[XAvi]

I am afraid w o w has evolved into a force we can no longer stop...

nah w o w the homie

 

[Caelum]

We (JKA.io) have been seeing several hundred filtered DDoS attempts over the past several days on servers we host, it seems to be a JKA-wide thing targeting essentially any server on any mod that gets a meaningful amount of players.

The actual DDoS is fairly simple, and trivial for us to filter, we've seen hundreds like it in the past. Since we offer (real) DDoS protection and servers we host are immune, you'll be able to play on these servers uninterrupted when this happens, for what it's worth:

in NA:

• Owe's Bedroom{RTV/RTM} - North America • 198.50.210.67:29070

in EU:

• {BG}Server[OPEN] • 54.37.94.229:29070
  
• TIN | HQ • 54.37.94.207:29070
• TIN | Duel • 54.37.94.226:29070
• TIN | FA Fun • 54.37.94.205:29070
• Battlegrounds of Delaware • 54.37.94.202:29070
• [Legacy] Lyceum • 54.37.94.193:29070
• [Cult:Arena] • 54.37.94.210:29070
• 'GJO| Duel./[RTV] • 54.37.94.206:29070
• TIN | Classic DotF • 54.37.94.232:29070

 

[isair]

It is indeed a proper DDoS tailored specifically for JA servers. My knowledge of Quake engine games are limited but the packets look like they could apply to those as well. Filtered DDoS attempts seem to be in the thousands though. Here is a partial screenshot of the firewall rules statistics from one of the least busy servers I host. The first column is the number of packets. The third column is whether it is for dropped packets (to protect the server) or accepted ones. Each pair of two rows is for one type of game packet we specifically watch out for.

 

[Encritary]

By the way, ad.ppl.Opens have DDoS-protection too, but it wasn't tested on the production yet.

 

[nullb]

Can somebody share the iptables rules required to drop these bad packets? I'd just like my servers in Australia to stop lagging
It's not volumetric or a known attack type as I have in-line 40GE scrubbers, it's something customer tailored to Q3.

Which should be reported to OpenJK on git so it can be patched and the iptables rules shared so we can all block it and move on...

I'm currently away or I'd debug it, patch it and share it myself.

 

[isair]

I'd be happy to share via private messages. Do shoot one my way.

 

[nullb]

I'd be happy to share via private messages. Do shoot one my way.

Cheers sent one you way

 

[Dorito]

We (JKA.io) have been seeing several hundred filtered DDoS attempts over the past several days on servers we host, it seems to be a JKA-wide thing targeting essentially any server on any mod that gets a meaningful amount of players.

The actual DDoS is fairly simple, and trivial for us to filter, we've seen hundreds like it in the past. Since we offer (real) DDoS protection and servers we host are immune, you'll be able to play on these servers uninterrupted when this happens, for what it's worth:

in NA:

• Owe's Bedroom{RTV/RTM} - North America • 198.50.210.67:29070

in EU:

• {BG}Server[OPEN] • 54.37.94.229:29070
  
• TIN | HQ • 54.37.94.207:29070
• TIN | Duel • 54.37.94.226:29070
• TIN | FA Fun • 54.37.94.205:29070
• Battlegrounds of Delaware • 54.37.94.202:29070
• [Legacy] Lyceum • 54.37.94.193:29070
• [Cult:Arena] • 54.37.94.210:29070
• 'GJO| Duel./[RTV] • 54.37.94.206:29070
• TIN | Classic DotF • 54.37.94.232:29070

I knew BlueFangSolutions was a hack when I saw they charged you extra for uploading and enabling rtv and JKA mods (that means you pay extra to run MB2 and server add-ons). Extra charge PER MONTH (Something they didn't used to do, and if you've ever dealt with hosting servers, you know that is a completely arbitrary up-charge. akin to Telecom companies charging you a 'service fee' on your equipment, as opposed to being allowed to upload the files on your own and change command lines your self, which, again, isn't hard to do if you've dealt with server hosting. Instead, you have to pay each time you want to say... switch your JA+ server to a MB2 server. Which is bullshit.

And they don't even have DDoS protection. (Also something I noticed some time ago.)

Also, time to get the tinfoil hats out... What if Disney is behind the JKA DDoS attacks? I find it hard to believe that someone would have so much hate, not to mention time and money on their hands to be doing this as frequently as they are.

 

[Defiant]

(Something they didn't used to do, and if you've ever dealt with hosting servers, you know that is a completely arbitrary up-charge. akin to Telecom companies charging you a 'service fee' on your equipment).

To be fair, especially for JKA mods since your running native code that doesn't come with any guarantee that it doesn't do anything bad, the hosting companies do take on a tonne of risk. Depending on how they're set up it can put other customers service at risk and take more administrators time to mitigate/monitor. If they actually bother with that is another question - but if they do then charging more for the extra work it causes seems fair.

 

[Dorito]

To be fair, especially for JKA mods since your running native code that doesn't come with any guarantee that it doesn't do anything bad, the hosting companies do take on a tonne of risk. Depending on how they're set up it can put other customers service at risk and take more administrators time to mitigate/monitor. If they actually bother with that is another question - but if they do then charging more for the extra work it causes seems fair.

So are you saying someone who really knows what they're doing could use their MB2 server to disrupt other servers on its network?

 

[Spaghetti]

So are you saying someone who really knows what they're doing could use their MB2 server to disrupt other servers on its network?

Essentially, but it's not really about MB2 servers. Any service that lets you upload arbitrary executable code has the risk Defiant is highlighting. Even if they prevent direct shell access, as long as you're allowed to upload a library that the server executable loads, they could potentially get shell access and from there it's down to whatever other security mitigations are in place. So there is a justification for a managed service to babysit mods and charge for maintaining them across updates.

 

[isair]

Essentially, but it's not really about MB2 servers. Any service that lets you upload arbitrary executable code has the risk Defiant is highlighting. Even if they prevent direct shell access, as long as you're allowed to upload a library that the server executable loads, they could potentially get shell access and from there it's down to whatever other security mitigations are in place. So there is a justification for a managed service to babysit mods and charge for maintaining them across updates.

Pretty much. This is exactly why I containerise, and probably any other modern hosting provider does as well.

 

[Defiant]

Pretty much. This is exactly why I containerise, and probably any other modern hosting provider does as well.

But when your talking about a hosting company that has been hosting a game for 15 years, they probably don't put resources towards doing such things to old games.

 

[Puppytine]

I knew BlueFangSolutions was a hack when I saw they charged you extra for uploading...

If you believe that BlueFang doesn't do a good job, that they ripping you off and the services they provide aren't worth the money BlueFang does want for them, buy a VPS and do everything in your way.

 

[isair]

But when your talking about a hosting company that has been hosting a game for 15 years, they probably don't put resources towards doing such things to old games.

I'll trust that they did the math to see if it's worth it, but this is usually the kind of thing that slowly kills a tech company.