The Unreal Admins Page > Forums > Hosted Forums > UTPure > UTPure - Client Side Hack Protection > Server Admins Open Forum

#1
23rd August, 2003, 06:58 PM
KillerJB

Occasionally I am seeing clients in my logs that apparently have been or are trying to connect to the server, but for whatever reason are not getting connected. Other players and myself connect just fine.

The problem is these clients continue to generate the Open MyLevel message at least twice a second for long periods of time, each time with a different port. Today's episode was just with one client, but I have seen this same thing before with multiple clients.

I normally will shut the server down as these client requests are taking all the bandwidth.

I am running 436 with an older UTPure.

Has anybody experienced this on their server?


NetComeGo: Open MyLevel 08/23/03 13:51:10 130.xxx.72.156:45509
NetComeGo: Open MyLevel 08/23/03 13:51:11 130.xxx.72.156:31464
NetComeGo: Open MyLevel 08/23/03 13:51:11 130.xxx.72.156:8120
NetComeGo: Open MyLevel 08/23/03 13:51:12 130.xxx.72.156:30447
NetComeGo: Open MyLevel 08/23/03 13:51:12 130.xxx.72.156:58585
NetComeGo: Open MyLevel 08/23/03 13:51:13 130.xxx.72.156:51767
NetComeGo: Open MyLevel 08/23/03 13:51:14 130.xxx.72.156:42702
NetComeGo: Open MyLevel 08/23/03 13:51:14 130.xxx.72.156:46772
NetComeGo: Open MyLevel 08/23/03 13:51:14 130.xxx.72.156:35629
NetComeGo: Open MyLevel 08/23/03 13:51:14 130.xxx.72.156:62604
NetComeGo: Open MyLevel 08/23/03 13:51:16 130.xxx.72.156:18750
NetComeGo: Open MyLevel 08/23/03 13:51:17 130.xxx.72.156:46750
NetComeGo: Open MyLevel 08/23/03 13:51:17 130.xxx.72.156:1255
NetComeGo: Open MyLevel 08/23/03 13:51:17 130.xxx.72.156:7424
NetComeGo: Open MyLevel 08/23/03 13:51:17 130.xxx.72.156:42364
NetComeGo: Open MyLevel 08/23/03 13:51:18 130.xxx.72.156:8524
NetComeGo: Open MyLevel 08/23/03 13:51:19 130.xxx.72.156:11899
NetComeGo: Open MyLevel 08/23/03 13:51:19 130.xxx.72.156:33926
NetComeGo: Open MyLevel 08/23/03 13:51:19 130.xxx.72.156:34183
NetComeGo: Open MyLevel 08/23/03 13:51:19 130.xxx.72.156:38253
NetComeGo: Open MyLevel 08/23/03 13:51:20 130.xxx.72.156:13213
NetComeGo: Open MyLevel 08/23/03 13:51:20 130.xxx.72.156:17283
NetComeGo: Open MyLevel 08/23/03 13:51:20 130.xxx.72.156:38375
NetComeGo: Open MyLevel 08/23/03 13:51:20 130.xxx.72.156:42445
Net
#2
23rd August, 2003, 09:38 PM
zenbog

Quote:
Originally posted by KillerJB
Occasionally I am seeing clients in my logs that apparently have been or are trying to connect to the server, but for whatever reason are not getting connected. Other players and myself connect just fine.

The problem is these clients continue to generate the Open MyLevel message at least twice a second for long periods of time, each time with a different port. Today's episode was just with one client, but I have seen this same thing before with multiple clients.

I normally will shut the server down as these client requests are taking all the bandwidth.

I am running 436 with an older UTPure.

Has anybody experienced this on their server?


NetComeGo: Open MyLevel 08/23/03 13:51:10 130.xxx.72.156:45509
NetComeGo: Open MyLevel 08/23/03 13:51:11 130.xxx.72.156:31464
[snipped]

You are not alone in the "attacks"; I have been in touch with at least 2 other admins and they are getting the same in their logs.
I have also pulled our Fragism server logs (5 of them) and the same is happening there also, so it seems that this is not just a Windows server related issue; Fragism servers are Linux based.

So far I have not heard a word back from the Tampere University of Technology in Tampere, Finland. I have emailed them on this matter.
For those that have not traced the IP (130.230.72.156), that is who it is registered to.
#3
23rd August, 2003, 10:01 PM
KillerJB

Thanks Zenbog, that's what I thought was happening. I did a tracert and saw that it was going into Finland.

I was forced to shut all the ports in my router to prevent them from getting in.

PM me if you have more info than you want to post here. I am interested in how they are doing this and more interested in how I can return the favor.
#4
24th August, 2003, 12:05 AM
zenbog

I thought this [crap] was stopped with the IpDrv.dll that was passed out some time ago. A fellow admin mailed this webpage that talks about how-to and what to do for this very thing; although old, it seems that it does still happen.
http://cert.uni-stuttgart.de/archive/bugtr...7/msg00035.html

Just for a test I ran a server from the in-game dedicated button, and when it got loaded I opened the UT server window and saw that UT thought that there were 45-52 connections on my 6 man server.

Seems the only cure for now is to change the port UT runs on and just email the world and tell them that your server is still up, just refresh it from the DeathMatch tab with the in-game browser, and disregard their link in Favorites... (bummer)

PS... anybody in Finland want to go pull the plug on this machine?
#5
24th August, 2003, 02:36 AM
zenbog

Well, here is the reply I got from the site in Finland:
Quote:
The traffic you are seeing in your Unreal Tournament game
servers is a part of a Distributed Denial of Service (DDoS)
attack attempt against the host at 130.230.72.156
(valokola.modeemi.cs.tut.fi). The traffic does NOT originate
from that host, or from the entire TUT network, but instead
the packet source addresses have been forged.

The attackers are attempting to use your Unreal Tournament
server to flood the host with traffic.

For more information about the vulnerability in Unreal
Tournament that is being exploited, see
       http://cert.uni-stuttgart.de/archive/bugtr...7/msg00035.html

For a server fix, see
       http://www.securityfocus.com/bid/5148/solution/

Unfortunately there is nothing we can do to stop the forged
traffic from reaching your servers, since the traffic does not
originate from our network. Your best bet is to filter out
packets with the source address 130.230.72.156 destined to your
game servers. That host is not used for games. You could also
contact your own network provider to see if they can help in
determining the real source of the traffic.

Also, to make sure such attacks cannot be launched from your
network, please make sure that you do not allow outgoing traffic
with packet source addresses outside of your network.


Best Regards,

Martti Jokipii

--  
Martti Jokipii                         #  E-mail:   [email address]
Tampere University of Technology       #  Phone:    +358  3 3115 2425
Network Administration                 #  GSM:      +358 40 849 0804
P.O. Box 692, 33101 Tampere, FINLAND   #  FAX:      +358  3 3115 2172
Wonder why they don't turn that machine off or disable that IP? Maybe the "forged" attacker will move somewhere else or stop??
Quote:

Your best bet is to filter out
packets with the source address 130.230.72.156 destined to your
game servers
Sorry, not much of an IT/Networking guru; how do you block traffic from this IP on a standard Windows XP Pro system?
#6
23rd August, 2003, 10:24 PM
nightstormer

Quote:
Originally posted by zenbog
Well, here is the reply I got from the site in Finland:


Wonder why they don't turn that machine off or disable that IP? Maybe the "forged" attacker will move somewhere else or stop??

Sorry, not much of an IT/Networking guru; how do you block traffic from this IP on a standard Windows XP Pro system?
Not sure how to block it from the IP, but if you patch your server to at least v440, your server will "ignore" the incoming attempts, as the patch refuses to allow any more than 5 connections per minute. The constant hits still use some of the server bandwidth, which sucks, but at least your server isn't being used for a DoS attack. You can get the v440 server patch from the UTPG website.
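A defender-side check for the pattern this thread describes, added here as an example (not code from the thread, from UTPure or from the UTPG patch): it parses the "NetComeGo: Open MyLevel" lines quoted in post #1 and flags any source address that exceeds the 5-connections-per-minute limit post #6 says v440 enforces, so an admin still on an older build can pick out a spoofed source to filter before the server is used as a reflector. The regex, the threshold and the sample log are assumptions constructed for this example; the second address (192.0.2.10) is a documentation address, not one from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the UT 436 "NetComeGo: Open MyLevel" lines quoted in this thread.
LINE_RE = re.compile(r"NetComeGo: Open MyLevel (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+):(\d+)$")
# Assumed threshold, mirroring the v440 limit of 5 connections per minute.
MAX_OPENS, WINDOW = 5, timedelta(minutes=1)

def parse_opens(lines):
    """Yield (timestamp, source_ip, source_port) for each Open MyLevel line."""
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:  # other engine chatter is skipped
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def flag_floods(lines, limit=MAX_OPENS, window=WINDOW):
    """Return {ip: (total_opens, distinct_ports)} for sources with more than
    `limit` opens in any sliding `window`; a spoofed flood, unlike a player
    reconnecting, shows dozens per minute, each from a fresh source port."""
    stamps, ports = defaultdict(list), defaultdict(set)
    for ts, ip, port in parse_opens(lines):
        stamps[ip].append(ts)
        ports[ip].add(port)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged[ip] = (len(times), len(ports[ip]))
                break
    return flagged

# Constructed sample: six opens in three seconds from the thread's source,
# plus one ordinary connect from an invented documentation address.
SAMPLE_LOG = """\
NetComeGo: Open MyLevel 08/23/03 13:51:10 130.xxx.72.156:45509
NetComeGo: Open MyLevel 08/23/03 13:51:11 130.xxx.72.156:31464
NetComeGo: Open MyLevel 08/23/03 13:51:11 130.xxx.72.156:8120
NetComeGo: Open MyLevel 08/23/03 13:51:12 130.xxx.72.156:30447
NetComeGo: Open MyLevel 08/23/03 13:51:12 130.xxx.72.156:58585
NetComeGo: Open MyLevel 08/23/03 13:51:13 130.xxx.72.156:51767
NetComeGo: Open MyLevel 08/23/03 13:52:40 192.0.2.10:1234
"""
```

Run `flag_floods(open("server.log").read().splitlines())` against a real UT log to get the sources worth blocking at the firewall; the distinct-port count is what separates a flood from one player retrying.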
#7
23rd August, 2003, 10:40 PM
KillerJB

Quote:
Originally posted by nightstormer
Not sure how to block it from the IP, but if you patch your server to at least v440, your server will "ignore" the incoming attempts, as the patch refuses to allow any more than 5 connections per minute. The constant hits still use some of the server bandwidth, which sucks, but at least your server isn't being used for a DoS attack. You can get the v440 server patch from the UTPG website.
Thank you all, maybe I should read a little more than once a year, LOL. I see how it works now. They use my bandwidth to attack others.

I patched to 451 and now just get the 5 per minute.
#8
23rd August, 2003, 10:42 PM
just**me<{VDS}>

err nvm I can't read
#9
24th August, 2003, 08:34 AM
{ASS}My_Ass

If you run a firewall on your server, you can use this to ban the IP. I also use my firewall to ban players; the banned player doesn't even know the server is running.
#10
24th August, 2003, 10:58 AM
KillerJB

Quote:
Originally posted by {ASS}My_Ass
If you run a firewall on your server, you can use this to ban the IP. I also use my firewall to ban players; the banned player doesn't even know the server is running.
Exactly what I thought of doing. I purchased ZoneAlarm and added it to my server and banned that IP. It works fine. I gave up a little money/CPU cycles, but saved my outgoing bandwidth from participating in an attack on someone else.

It was annoying the hell out of me that I still had to live with those 5 connections with 451, even though that was a lot better than 436.

All I need to do is watch the logs and ban other attacks as I see them.
#11
24th August, 2003, 03:26 PM
Germ

Well, starting last night I'm getting the "Ignoring" too; I haven't noticed too much difference in-game, but I have noticed that my server has been reset twice already!

#12
24th August, 2003, 04:33 PM
KillerJB

Just to give you an idea of how much these attacks can impact your servers: since I blocked that IP address about 6 hours ago, the firewall has blocked over 55,000 intrusions.

Yes, you're seeing that right, 55 THOUSAND connection requests in just 6 hours.

I understand from the links Zenbog gave us above that each one of those connections would send large amounts of packets to 130.230.72.156 (the intended target of the attack) for 2 1/2 minutes each.

The attackers masked their real IP with 130.230.72.156 so our servers will attempt to answer the logon with our regular return packets. All these return packets head to the target.

Get yourself a server firewall. After this attack is stopped, I am sure there will be others.
#13
24th August, 2003, 05:49 PM
Germ

Damn! I believe you dude, my logs are huge, and I've contacted a few other admins and found out it's happening to them too.

I don't know what I'm gonna do, but I've contacted our server rental company and hopefully they will get a firewall up soon, or if they have one, add that IP.
#14
25th August, 2003, 07:51 AM
zenbog

As of 1:00 am Central time mine has stopped logging that IP!
I guess someone finally stopped the person, or they got tired of the little game that he/she was playing. Although I don't think this will be the last one, it was my first one and it caused me enough headache. A firewall goes up today to help aid in blocking these types of events.
#15
25th August, 2003, 08:10 AM
aol|jetstorm

This IP is hitting servers in the UK as well,
so it is very widespread.
#16
25th August, 2003, 08:05 PM
KillerJB

Quote:
Originally posted by aol|jetstorm
This IP is hitting servers in the UK as well,
so it is very widespread.
It's back............. LOL
#17
25th August, 2003, 08:45 PM
zenbog

Quote:
Originally posted by KillerJB
It's back............. LOL


Bummer,
still adding a firewall, in hopes of simply blocking the offending IP #.
#18
25th August, 2003, 09:18 PM
Germ

Mine stopped last night too... but they came back tonight, and since we have a practice night I've really felt the lag! Grrr
#19
25th August, 2003, 09:56 PM
[OS]HellRaiser

...Count me in. This has been hitting my server for two days now...again. I had this going on like two weeks ago also, that time some place in Germany was the target.
#20
25th August, 2003, 10:45 PM
KillerJB

Quote:
Originally posted by [OS]HellRaiser
...Count me in. This has been hitting my server for two days now...again. I had this going on like two weeks ago also, that time some place in Germany was the target.
Firewall working great on my server; I just need to look at the logs to see if/when they attack some other IP, then I will just add it to the list. Players don't notice a thing; CPU cycles taken for the firewall are much less than the added connections and data flow.

ZoneAlarm Pro is free for 30 days. Go get it.
All times are GMT +1.

All pages are copyright The Unreal Admins Page.