  #21  
Unread 26th August, 2003, 01:44 PM
puntloos

To make this all very clear:

The IPs you see in your logs are NOT the IPs of some evil attacker. Instead they are IPs that get attacked.

YOU are attacking THEM!

Not voluntarily, of course, but this is comparable with the MSBlaster situation. That worm used your computer to start attacking windowsupdate.microsoft.com. Mailing those admins and bitching at them is equivalent to mailing Microsoft asking them to turn off windowsupdate.

(yeah I have to admit I was fooled for a minute too)

The best way to fix this is to upgrade your UT server, but until now I've held off on this since upgrading to 440 or 451 will cause considerable lag in non-upgraded clients.

Until I decide to upgrade I've remedied all this by automatically firewalling all IPs that appear too frequently in the logs; however, obviously malicious people could start using this to get valid UT players firewalled.
  #22  
Unread 26th August, 2003, 01:55 PM
[OS]HellRaiser

Quote:
Originally posted by puntloos
To make this all very clear:

The IPs you see in your logs are NOT the IPs of some evil attacker. Instead they are IPs that get attacked.

YOU are attacking THEM!

Not voluntarily, of course, but this is comparable with the MSBlaster situation. That worm used your computer to start attacking windowsupdate.microsoft.com. Mailing those admins and bitching at them is equivalent to mailing Microsoft asking them to turn off windowsupdate.

(yeah I have to admit I was fooled for a minute too)

The best way to fix this is to upgrade your UT server, but until now I've held off on this since upgrading to 440 or 451 will cause considerable lag in non-upgraded clients.

Until I decide to upgrade I've remedied all this by automatically firewalling all IPs that appear too frequently in the logs; however, obviously malicious people could start using this to get valid UT players firewalled.
I am running the 440 patch... this still happens; however, with that patch I can allow or disallow so many connection attempts per minute. At present I have it set to 3 per minute, but it just keeps hammering away. I tried the 451 patch but it was very laggy.
  #23  
Unread 26th August, 2003, 02:26 PM
KillerJB

Quote:
Originally posted by puntloos
To make this all very clear:

The IPs you see in your logs are NOT the IPs of some evil attacker. Instead they are IPs that get attacked.

YOU are attacking THEM!

Not voluntarily, of course, but this is comparable with the MSBlaster situation. That worm used your computer to start attacking windowsupdate.microsoft.com. Mailing those admins and bitching at them is equivalent to mailing Microsoft asking them to turn off windowsupdate.

(yeah I have to admit I was fooled for a minute too)

The best way to fix this is to upgrade your UT server, but until now I've held off on this since upgrading to 440 or 451 will cause considerable lag in non-upgraded clients.

Until I decide to upgrade I've remedied all this by automatically firewalling all IPs that appear too frequently in the logs; however, obviously malicious people could start using this to get valid UT players firewalled.
I found that out too after researching the links Zenbog gave us above. The logon request to our servers has a phoney header IP address. All they need to do is plug in the address they want us to flood, and off we go to the attack. I feel like a goddamn bot.

As you said, we need to watch the logs much closer. No more waiting for a week to look at them.
  #24  
Unread 26th August, 2003, 08:01 PM
[OS]HellRaiser

A friend just showed me this for Win2K and WinXP:

Block all outgoing ICMP traffic:

1. Administrative Tools
2. Local Security
3. IP Security Policies
4. Client Respond (assign), make it Yes.
5. Then Properties, and add an ICMP outgoing deny rule.

So far so good here. I will keep an eye on it today and see what happens.
  #25  
Unread 28th August, 2003, 11:11 AM
puntloos

Blocking all ICMP traffic sounds like quite a bad idea... Other than ping, it has a lot of uses. I suppose on a dedicated server you could do this...

Plus I kinda don't see why this would help anything? Could you find that out?
  #26  
Unread 28th August, 2003, 03:55 PM
[OS]HellRaiser

Quote:
Originally posted by puntloos
Blocking all ICMP traffic sounds like quite a bad idea... Other than ping, it has a lot of uses. I suppose on a dedicated server you could do this...

Plus I kinda don't see why this would help anything? Could you find that out?
I will try and find out. All I know is since this was implemented there hasn't been one single attack request and the server is running as smooth as a baby's butt. I rent a server and the host is the one that came up with this; he blocked all outgoing ICMP traffic.

*Edited to add what the host told me:

"Blocking outgoing ICMP traffic basically shuts the server down for sending information packets.
It doesn't hurt to block outgoing traffic, been like that for what, 2 days now, and not one problem.
You just can't ping another server or send echo requests to another server. Incoming traffic is allowed, so you can still ping the server.
This is a dedicated machine, so no one is on it sending ping requests; it's just not used."

Probably not the answer you were looking for, but it works for me and so far not a single problem with my dedicated server.
  #27  
Unread 29th August, 2003, 03:01 AM
puntloos

Quote:
Originally posted by [OS]HellRaiser
I will try and find out. All I know is since this was implemented there hasn't been one single attack request and the server is running as smooth as a baby's butt. I rent a server and the host is the one that came up with this; he blocked all outgoing ICMP traffic.

*Edited to add what the host told me:

"Blocking outgoing ICMP traffic basically shuts the server down for sending information packets.
It doesn't hurt to block outgoing traffic, been like that for what, 2 days now, and not one problem.
You just can't ping another server or send echo requests to another server. Incoming traffic is allowed, so you can still ping the server.
This is a dedicated machine, so no one is on it sending ping requests; it's just not used."

Probably not the answer you were looking for, but it works for me and so far not a single problem with my dedicated server.
Curious. Or rather, your server should still work without ICMP, that much is true, however ICMP does serve a useful purpose in providing 'bad' connections extra information on what happened, what went wrong etc. Especially in the case of bad connections this info is useful and even required sometimes (with fragmentation etc).

But in -most- cases it won't hurt performance to block it, especially with short packets like UT uses and where reliable connections are required for playing. I would advise against this method on anything like webservers.

But what's curious to me is that it worked against this problem of DDoS, since the DDoS itself should simply still work. Spoofing IPs or connecting with UDP has nothing to do with ICMP. I suppose that you have now effectively cloaked your server from the annoying little brat that has been abusing the flaw on your box and he isn't even trying to send DDoSes through you anymore. ("Hmm, the server isn't there anymore, I guess I'll try another.")

Good for you I guess, but I doubt this really is a viable option for most of us. Thanks tho.
  #28  
Unread 1st September, 2003, 12:16 AM
Torinir

Quote:
Originally posted by aol|jetstorm
This IP is hitting servers in the UK as well.
So it is very widespread.
And North America too... Both my clan's public and private server have been getting numerous ICMP failures and ignores.
  #29  
Unread 1st September, 2003, 04:09 PM
puntloos

OK I've made some scripts (Linux only, sorry) that will effectively do almost the same thing (AND MORE!) UTPG 440 and 451 versions do automatically.

Basically they check the log file and firewall (temporarily or permanently) IPs that show up more than a set number of times per game.

Some more info and the download are here:

http://www.unrealadmin.org/modules.php?nam...article&sid=294
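The log-counting approach described in this post and in #21, as an added example (not puntloos's scripts from the link above): it counts how often each client IP shows up in a server log and prints the iptables commands for IPs over a threshold. The "Login request from" line format and the addresses are constructed for this example, not the real UT log format; it shares the caveat from #21 that a spoofed source address can get a legitimate player's IP listed, so review the output before applying it.

```shell
#!/bin/sh
# Added example, not the scripts linked in the post. The log line format is a
# constructed placeholder; adjust the grep/sed patterns to your server's real log.

# flagged_ips LOGFILE THRESHOLD
# Prints, one per line, every IP that appears more than THRESHOLD times.
flagged_ips() {
    # Assumption: the client IP is the dotted quad after "from " on each line.
    grep 'Login request' "$1" \
      | sed -n 's/.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 > t+0 { print $2 }'
}

# block_commands LOGFILE THRESHOLD
# Dry run: prints the firewall rules instead of running them, so an admin can
# check the list for legitimate players before piping it to sh.
block_commands() {
    flagged_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample log: one address hammers the server, one is a normal client.
SAMPLE_LOG="${TMPDIR:-/tmp}/ut_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Log: Login request from 203.0.113.5:1234
Log: Login request from 198.51.100.7:1234
Log: Login request from 203.0.113.5:1235
Log: Login request from 203.0.113.5:1236
Log: Login request from 203.0.113.5:1237
Log: Login request from 198.51.100.7:1235
EOF

# With a threshold of 3 only 203.0.113.5 is listed.
block_commands "$SAMPLE_LOG" 3
```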