Hot Chills
General Category => Server => Topic started by: siN on April 11, 2016, 20:41:26
-
Hello! I want to report a mass ddos attack occurring today :D
The server suffered from ddos attacks, maybe you(the owner) should get a better ddos protection ^^
Anyways that's all, just wanted to keep you (the owner) informed.
PS: Was it ex0? O.o
-
Before the ddos attacks i saw a guy joining as Player 3 (ID: 57648)
He stayed in specs the whole time, which was pretty suspicious.
I'm guessing it might have been him, although i might be wrong.
-
Damn, i took too long to input his usgn here.
-
Can confirm. It's very obvious it's him. Within a 1 hour span earlier today my server was attacked 7-8 times. I noticed the same thing with him in spec as you did Hyorgh, he'll join the server, then 10 seconds later the attacks begin and the server crashes. He doesn't play, say, or do anything.
His goal is to get the players to leave and join the servers that he hosts. "Infinity" servers as it appears to be. He'll immediately run back to his servers hoping people will join him after he crashes other servers.
[16:11:48] Player clientdata: WIN {2916352}
[16:11:48] U.S.G.N.: Player (213.233.85.197) joining with U.S.G.N. ID #57648 - verifying...
[16:11:48] U.S.G.N.: 213.233.85.197 is using U.S.G.N. ID #57648
[16:11:48] Player 2 connected
It appears he's using something called "tsource engine query" commonly used to crash game servers. Specifically counterstrike and call of duty servers from what i've read. Can see the name encoded in the actual data packets that are received by the server. img: http://f.cirium.me/attacks_04-12-2016/screen1.png
Regards,
Cirium.
-
Wow 0.o
Ddosing other servers so that people would play on his ones... That's just the next level of douche-baggery.
Thank you Cirium for the confirmation, you did a really good job!
Now we need ŦƲƦƙɘƳ to permanently ban him.
-
Thank you for this valuable info. I'll make short work of him.
-
Ohh that's nothing. Good to know it's useful to you though. You could spend hours analyzing the attacks and learning about them. Not like that'll help though in the end.
Many of the attacks that take place in CS2D seem to be empty packet attacks. Which are mostly blockable using the correct firewall rules if you know what you're doing. (Two weeks ago took a hit of 60,000 packets/sec from 'Pelennor' and his 4 VPSes. CS2D server was still playable and my box was mitigating every packet sent to it. Was quite impressed.)
Ultimately DDoS protection needs to be enabled 24/7 for this kind of attack, and even then I find that this "Alex" guy seems to switch his methods of attacks now and again making them difficult to mitigate. Not much that can be done but wait it out.
Regards,
Cirium.
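-
Added example, not part of any post in this thread: a small Python sketch of how a server admin could sort captured UDP payloads into the two patterns mentioned above (empty packets and packets carrying the "TSource Engine Query" string) and flag sources that send them at flood rates. The packet list, the documentation-range IP addresses, the one-second window and the threshold of 50 are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Source-engine A2S_INFO request: four 0xFF bytes, header byte 'T', then
# "Source Engine Query" and a NUL, so it reads "TSource Engine Query".
A2S_INFO_PREFIX = b"\xff\xff\xff\xffTSource Engine Query\x00"

def classify(payload: bytes) -> str:
    """Label one UDP payload by the two patterns mentioned in the thread."""
    if not payload:
        return "empty"
    if payload.startswith(A2S_INFO_PREFIX):  # bytes after the prefix are ignored
        return "source_query"
    return "other"

def flag_sources(packets, window=1.0, threshold=50):
    """Return {src_ip: {kinds}} for sources that sent at least `threshold`
    empty or query packets inside one `window`-second bucket.
    window and threshold are assumed values; tune them to real traffic."""
    buckets = defaultdict(Counter)
    for ts, src, payload in packets:
        kind = classify(payload)
        if kind != "other":
            buckets[(src, int(ts // window))][kind] += 1
    flagged = defaultdict(set)
    for (src, _bucket), counts in buckets.items():
        for kind, n in counts.items():
            if n >= threshold:
                flagged[src].add(kind)
    return dict(flagged)

def sample_packets():
    """Constructed capture: (timestamp, source IP, UDP payload)."""
    pkts = [(10 + i * 0.004, "192.0.2.10", b"") for i in range(200)]
    pkts += [(12 + i * 0.01, "198.51.100.7", A2S_INFO_PREFIX) for i in range(80)]
    # A server browser polling every few seconds, plus ordinary game traffic.
    pkts += [(t, "203.0.113.5", A2S_INFO_PREFIX) for t in (11.0, 16.0, 21.0)]
    pkts += [(11 + i * 0.05, "203.0.113.5", b"\x01\x00game-data") for i in range(100)]
    return pkts

if __name__ == "__main__":
    for src, kinds in sorted(flag_sources(sample_packets()).items()):
        print(src, sorted(kinds))
```

The flagged sources are candidates for rate limiting or a drop rule at the firewall; the occasional query from 203.0.113.5 stays below the threshold and is left alone.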