Server Being Flooded??

[legacy-Nutcracker]

Just fired off my server for the evening, and noticed that as soon as the server started, it appears that the server is being flooded with countless IP's. This activity seems to run endlessly, with loads of IP's, even though nobody was connected. I've never noticed anything like this before, so any help or info would be appreciated!!

[legacy-MikeDr]

My 2 servers are getting the same activity. I just turned both of them off for now.

I turned them back on after about 15 mins. All is still for now.
It kept saying:
Open mylevel xxxxxxxx
Close xxxxxxxx
It did even seem to be trying to connect, just pinging to see if my server was there. ???????

[legacy-Nutcracker]

I was able to make whatever was happening stop. Simply rebooting the server didn't work, but completely shutting the machine down, then restarting the server worked fine. Very, very strange though!!

[NakedApe]

What you're seeing is probably scans from the computers maintaining various server lists (Gamespy, ASE and what-not). If you have tcpdump or similar you'd probably see that all these connections where probing your query ports.

[legacy-Nutcracker]

Just fired off the server this afternoon, and the same activity is happening as on 7/10. Dozens of IP's, stating "opening level x.x.x.x". Gonna try shutting the server down for a while, and see if that fixes it again. It is beginning to be a real pain in the gazoo admining one of these servers

[legacy-Nutcracker]

Is anyone else having this particular issue? It is now 4 hours since the last try at starting my server, and the issue is still happening. I did let the server run for several minutes, and the IP's just keep coming!! I mean, bunches of them too!! Guess I'll give it another whirl tomorrow and see what happens.

[legacy-Mitchell]

I came home to see that my server reported having 357 players.
Needless to say I shutdown the box, refired it up shortly there after and experienced the same open/close loop in the server.log you mentioned. I shut the box down and brought up my backup server box online only to see the same thing. I then changed my servers ip with another ip from a workstation and fired it up. Now the server works like it normally does but the firewall logs on the workstation whose ip I switched display a constant bombardment of udp probes. The numbers are higher in 5 minutes than I get within a 24 hour period.

Needless to say I'm not liking what I am seeing. Especially since the ips that keep probing are constantly cycling....

[legacy-rice]

same problems here, just noticed today.
what patch version are ya all using?
im using 2199 .
very annoying problem this one is.

[elmuerte]

Yes UT2003 (and UT) servers are being attacked, if you have upgraded your server to 2225 (and 440) it will prevent your server taking part in the DDoS, however this will _not_ stop you from being attacked.
There is no way to stop from being attacked. If all the logging causes problems on your system you might want to surpress log entries. To Suppress log entires add a line "Suppress=xxx" to your ini file. Where "xxx" is the text you see in front of each log entry.
For example:

Code:

NetComeGo: Close TcpipConnection 127.0.0.1:3870 06/17/03 13:21:28

if you have "Suppress=NetComeGo" in your ini file it will no longer log it.
You might want to suppress the following entries during these attacks:

• NetComeGo
• DevNet

[legacy-rice]

k, thanks again for the tips bro.

[legacy-BoToKi]

Surpres=NetComeGo
Surpres=DevNet

where should this line be added?

[elmuerte]

In [Core.System]
where you can find the other Suppress=... lines

[legacy-BoToKi]

thanks again

[legacy-Nutcracker]

El_Muerte...

Thanks for the info! At least it's good to know what is happening. BTW, been running patch 2225 since it was released. Thanks again!!

[legacy-Mitchell]

I am also running the 225 patch on both servers. And since moving to another IP resolved the issue it is obviously a DoS attack. I later put the server back to its "attacked" IP and the game was running fine even with the constant barage. Just a little more overhead but managable I guess. I looked at it the next morning and the attacks stopped.

And thanx El_Muerte for the tips