Results 1 to 40 of 102
  1. #1
    legacy-alphaman36
    Guest

    Default Assh*les and DDOS Attacks

    I have to admit, the way that epic/atari has implemented their way of communication with the master server is BS!!!!!!!! I have been under a DDOS with a forged address (I have been in contact with the admin of the forged address, I am not the only one with this forged address being attacked) since 4:30am this morning MDT. It's going to be REALLY hard to support another product from this company. Currently I have my server down and all ports relating to UT2003 closed and dropped on an IPTables based firewall.


    Hey Epic, THANKS A LOT FOR CRAP!!! :down: :down: :down:

  2. #2
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    i been getting the same thing too.
    ip starts with a 130.230

  3. #3
    legacy-alphaman36
    Guest

    Default Yep!!!

    Yep, that's the address, at least the first part. Since at LEAST 4:30am MDT. I have been working with NOC at that IP, and it would seem from what they are saying, this is a massive attack from that IP. This is not coming from their network, they have closed that port (7777). The address is being spoofed.

  4. #4
    Redeemer
    Join Date
    May 2000
    Location
    between the monitor and chair
    Posts
    1,523

    Default

    This doesn't have **** to do with Epic\Atari, every server you run that uses UDP as its protocol is vulnerable to DoS attacks (that includes game servers, streaming video servers, DNS).
    There is _no_ way to stop a DoS attack on the target side.
    But there is something that can be done about spoofed IPs. But a lot of ISPs don't care about it. ISPs should filter all outgoing traffic that doesn't have an IP in their range. This will stop IP spoofing from a remote network.

    Note: servers using TCP as their network protocol suffer less because of the handshaking required, the first step in the hand shake uses a very small packet. UDP packets have a maximum size however (the MTU).
    Michiel 'El Muerte' Hendriks
    Magicball Network - Little Big Adventure community
    the Unreal Admin page - Unreal server administration
    UnrealWiki - UnrealScript and UnrealEd wiki.
    UnCodeX - powerful UnrealScript tool for programmers

  5. #5
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    Ya same thing happening to me since about 4pm friday there were 4 ips at first and i think i killed 3 of the four machines heh lil retaliation never hurt lol but the 130.230.72.156 wont go down believe me i tried lol

    heres the log
    FWIN,2003/08/23,03:02:54 -7:00 GMT,130.230.72.156:6066,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:56 -7:00 GMT,130.230.72.156:38619,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:56 -7:00 GMT,130.230.72.156:42229,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:56 -7:00 GMT,130.230.72.156:18183,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:56 -7:00 GMT,130.230.72.156:14483,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:56 -7:00 GMT,130.230.72.156:13877,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:58 -7:00 GMT,130.230.72.156:15422,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:02:58 -7:00 GMT,130.230.72.156:19492,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:00 -7:00 GMT,130.230.72.156:9409,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:00 -7:00 GMT,130.230.72.156:53357,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:00 -7:00 GMT,130.230.72.156:39913,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:00 -7:00 GMT,130.230.72.156:35650,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:00 -7:00 GMT,130.230.72.156:39720,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:02 -7:00 GMT,130.230.72.156:13392,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:02 -7:00 GMT,130.230.72.156:41302,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:02 -7:00 GMT,130.230.72.156:41110,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:02 -7:00 GMT,130.230.72.156:25100,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:04 -7:00 GMT,130.230.72.156:14439,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:04 -7:00 GMT,130.230.72.156:16366,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:04 -7:00 GMT,130.230.72.156:36940,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:06 -7:00 GMT,130.230.72.156:21880,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:06 -7:00 GMT,130.230.72.156:27350,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:06 -7:00 GMT,130.230.72.156:11282,66.92.28.74:7777,UDP
    FWIN,2003/08/23,03:03:06 -7:00 GMT,130.230.72.156:15352,66.92.28.74:7777,UDP

    if u look at the times its gettin hit about 2 times a second well its not now because im using 1 of my other ip's but ya epics netcode is a mess id say

    get it together epic or let someone capable do it for you

  6. #6
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    i guess u posted while i was typing

    ok so if its not epics fault then why are the game servers that run their product being targeted ????

  7. #7
    legacy-Sproket
    Guest

    Default

    Im getting the same thing.
    Im pissed, can we hack this mother who is doing this??

  8. #8
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    when it started yesterday there was 4 ips i knocked 3 out this one i cant pisses me off too. on my other ips i have no problem but all my regulars are havin problems finding my server cuz of the ip

  9. #9
    legacy-Sproket
    Guest

    Default

    Search results for: 130.230.72.156


    OrgName: Tampere University of Technology
    OrgID: TUT
    Address: P.O. Box 527
    Address: SF-33101 Tampere
    City:
    StateProv:
    PostalCode:
    Country: FI

    NetRange: 130.230.0.0 - 130.230.255.255
    CIDR: 130.230.0.0/16
    NetName: TAMNET
    NetHandle: NET-130-230-0-0-1
    Parent: NET-130-0-0-0-0
    NetType: Direct Assignment
    NameServer: RESSU.CC.TUT.FI
    NameServer: NS-SECONDARY.FUNET.FI
    Comment:
    RegDate: 1989-01-04
    Updated: 1999-02-24

    TechHandle: MJ114-ARIN
    TechName: Jokipii, Martti
    TechPhone: +358 3 365 2111
    TechEmail: martti@tut.fi

    # ARIN WHOIS database, last updated 2003-08-23 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

  10. #10
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    http://www.pivx.com/luigi/adv/ueng-adv.txt

    so at the end of that article, he points us to download patches. im assuming that the patches prevent the server from attacking?

    im confused now.

  11. #11
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    no those tools are what he made or used to exploit the vulnerabilities except for the packet sniffer and the uchecker those are not exploits but the other things are compilable scripts for terrorizing our servers bro really suck having them available like he does makes it all too easy for the moron wannabes that cant get a life so they mess with others who offer the ut community a nice place to frag

    i wont rant u know what im sayin im sure

  12. #12
    Redeemer
    Join Date
    May 2000
    Location
    between the monitor and chair
    Posts
    1,523

    Default

    Originally posted by shov3l
    ok so if its not epics fault then why are the game server that run thier product being targeted ????
    Because they can, people try to use known exploits all the time, sometimes they're lucky and find a vulnerable host.
    about all servers I run (http, ftp, etc..) are being probed once in a while to see if they can be exploited.

    If you are being attacked by somebody gather information about the possible attacker. This includes all relevant information about the attack (include the time of the attack(s)), so save your logs to keep a history. If you've gathered enough information about the attacker write an email to abuse@<the owner of the IP>.
    To get the owner of the IP resolve the IP to a hostname, maybe do a whois on the domain name to validate the info.
    If the attack is a non-TCP-based attack, please include in the email that the IP might be spoofed.

    Do not counter attack, this never solves anything, and might even result in an abuse report on your account.

    [edit]
    Also note that working together on gathering info about the attack and contacting the host will have a greater effect.
    [/edit]
    Michiel 'El Muerte' Hendriks
    Magicball Network - Little Big Adventure community
    the Unreal Admin page - Unreal server administration
    UnrealWiki - UnrealScript and UnrealEd wiki.
    UnCodeX - powerful UnrealScript tool for programmers
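
One way to pull the figures an abuse report needs (who, how many packets, over what time window) out of a firewall log in the FWIN format quoted in post #5. This is an added example, not something posted in the thread; the function names `sample_log` and `summarize_hits` are hypothetical, and the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Constructed sample in the FWIN format from post #5; the addresses are
# RFC 5737 documentation ranges, not hosts from the thread.
sample_log() {
cat <<'EOF'
FWIN,2003/08/23,03:02:54 -7:00 GMT,192.0.2.10:6066,198.51.100.5:7777,UDP
FWIN,2003/08/23,03:02:56 -7:00 GMT,192.0.2.10:38619,198.51.100.5:7777,UDP
FWIN,2003/08/23,03:02:56 -7:00 GMT,192.0.2.10:42229,198.51.100.5:7777,UDP
FWIN,2003/08/23,03:02:58 -7:00 GMT,192.0.2.10:15422,198.51.100.5:7777,UDP
FWIN,2003/08/23,03:03:00 -7:00 GMT,203.0.113.7:1025,198.51.100.5:80,TCP
not a firewall record
FWIN,2003/08/23,03:03:04 -7:00 GMT,192.0.2.10:14439,198.51.100.5:7777,UDP
EOF
}

# summarize_hits PORT   (log on stdin)
# One output line per source address:
#   source packets distinct_source_ports first_seen last_seen packets_per_second
summarize_hits() {
  LC_ALL=C awk -F, -v port="$1" '
    NF != 6 || $1 != "FWIN" || $6 != "UDP" { next }   # malformed or non-UDP line
    {
      if (split($5, dst, ":") != 2 || dst[2] != port) next   # other destination port
      if (split($4, src, ":") != 2) next
      split($3, t, " ")                    # time field looks like "03:02:54 -7:00 GMT"
      if (split(t[1], hms, ":") != 3) next
      secs = hms[1] * 3600 + hms[2] * 60 + hms[3]
      ip = src[1]
      count[ip]++
      if (!((ip, src[2]) in seen)) { seen[ip, src[2]] = 1; ports[ip]++ }
      if (!(ip in first)) { first[ip] = $2 "T" t[1]; fsec[ip] = secs }
      last[ip] = $2 "T" t[1]; lsec[ip] = secs
    }
    END {
      for (ip in count) {
        span = lsec[ip] - fsec[ip]
        if (span < 0) span += 86400        # log crossed midnight once
        rate = (span > 0) ? count[ip] / span : count[ip]
        printf "%s %d %d %s %s %.1f\n", ip, count[ip], ports[ip], first[ip], last[ip], rate
      }
    }' | LC_ALL=C sort
}

sample_log | summarize_hits 7777
```

Many distinct source ports from one address in a short window, all UDP, is the pattern in post #5; the summary line plus the raw log lines and the log's time zone are what goes in the e-mail, with the note that the UDP source may be spoofed.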

  13. #13
    legacy-alphaman36
    Guest

    Default I agree

    I agree with the way to resolve the issue. I have worked with the NOC folks from whom the IP address is being spoofed. They claim the only way that I could really find it now at this point is to go to my ISP and hope that they can track them down. All of the lookups I have done all refer back to someone that isn't doing anything. This is day two of the attack.

  14. #14
    legacy-Nexxxus
    Guest

    Default

    add me to that list of attackees - i noticed my log file is huuuuuge with openmylevel and close tcpip entries from the IP address 130.230.72.156:####. by the tone of the thread- it sounds like we are SOL eh?

  15. #15
    legacy-alphaman36
    Guest

    Default Yep pretty much

    Yep pretty much so. As stated in my earlier post, this is a MASSIVE attack from that spoofed IP.

  16. #16
    Skaarj
    Join Date
    Aug 2003
    Posts
    14

    Unhappy DAMN 130.230.72.156

    Kill that shhht damn assshole , he is bugging my server since friday................i have to use a firewall now , because of him...banned his IP , but these things are making my server laggy....
    Someone kill that irritating guy!!! :sour: :sour:

  17. #17
    legacy-Nexxxus
    Guest

    Default

    is there anything that we can do to block that specific range of IP address from accessing our dedi-servers? For example - is it possible to block ip address from within some setting of the router?

  18. #18
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    Originally posted by Nexxxus
    is there anything that we can do to block that specific range of IP address from accessing our dedi-servers? For example - is it possible to block ip address from within some setting of the router?
    hi Nexxus,

    i think there is..i tried and failed being the noob that i am.

    i changed the ports on my server (7777 to 8888) and that has worked for the past 30 minutes.
    of course the regulars will prolly think its still down, and no one will play there all day...hehe.

    if you figure out how to put a filter on the ip let us know.

    yo alphaman36,

    if/when you find out who to complain to, give us an addy to send our log files to like El Muerte suggests.(good idea, thanks)

    god i woke up too early today.

    l8

  19. #19
    legacy-Sproket
    Guest

    Default

    From Him!

    Hello,


    The traffic you are seeing in your Unreal Tournament game
    servers is a part of a Distributed Denial of Service (DDoS)
    attack attempt against the host at 130.230.72.156
    (valokola.modeemi.cs.tut.fi). The traffic does NOT originate
    from that host, or from the entire TUT network, but instead
    the packet source addresses have been forged.

    The attackers are attempting to use your Unreal Tournament
    server to flood the host with traffic.

    For more information about the vulnerability in Unreal
    Tournament that is being exploited, see
    http://cert.uni-stuttgart.de/archive.../msg00035.html

    For a server fix, see
    http://www.securityfocus.com/bid/5148/solution/

    Unfortunately there is nothing we can do to stop the forged
    traffic from reaching your servers, since the traffic does not
    originate from our network. Your best bet is to filter out
    packets with the source address 130.230.72.156 destined to your
    game servers. That host is not used for games. You could also
    contact your own network provider to see if they can help in
    determining the real source of the traffic.

    Also, to make sure such attacks cannot be launched from your
    network, please make sure that you do not allow outgoing traffic
    with packet source addresses outside of your network.


    Best Regards,

    Martti Jokipii

    --
    Martti Jokipii # E-mail: martti.jokipii@tut.fi
    Tampere University of Technology # Phone: +358 3 3115 2425
    Network Administration # GSM: +358 40 849 0804
    P.O. Box 692, 33101 Tampere, FINLAND # FAX: +358 3 3115 2172
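
The two filters the e-mail above recommends, written for the IPTables firewall mentioned in post #1: drop inbound UDP that claims to come from the forged address, and refuse to emit packets whose source is outside your own network. This is an added example, not from the e-mail or the thread; `LOCAL_NET`, `WAN_IF` and the function names are assumptions to replace with your own values.

```shell
#!/bin/sh
# Dry run by default: prints the rules. APPLY=1 (as root) runs them.
FORGED_SRC="${FORGED_SRC:-130.230.72.156}"  # forged source named in the e-mail
GAME_PORT="${GAME_PORT:-7777}"              # game port named in the thread
LOCAL_NET="${LOCAL_NET:-198.51.100.0/24}"   # assumption: your own prefix
WAN_IF="${WAN_IF:-eth0}"                    # assumption: Internet-facing interface

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# valid_cidr PREFIX: succeeds only for ADDR/LEN with LEN 0-32
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  valid_ipv4 "${1%/*}" || return 1
  case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
  [ "${1#*/}" -le 32 ]
}

# build_rules FORGED_SRC GAME_PORT LOCAL_NET WAN_IF
# Validates first, so a typo cannot turn into a rule that drops everything.
build_rules() {
  valid_ipv4 "$1" || { echo "bad source address: $1" >&2; return 1; }
  case "$2" in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "bad port: $2" >&2; return 1; }
  valid_cidr "$3" || { echo "bad local prefix: $3" >&2; return 1; }
  cat <<EOF
iptables -I INPUT 1 -i $4 -p udp -s $1 --dport $2 -j DROP
iptables -A OUTPUT -o $4 ! -s $3 -j DROP
iptables -A FORWARD -o $4 ! -s $3 -j DROP
EOF
}

rules=$(build_rules "$FORGED_SRC" "$GAME_PORT" "$LOCAL_NET" "$WAN_IF") || exit 1
if [ "${APPLY:-0}" = 1 ]; then echo "$rules" | sh; else echo "$rules"; fi
```

The first rule is inserted at the top of INPUT so it is evaluated before any rule that accepts game traffic. Dropping at the host stops the server from answering the forged packets, but the packets still arrive over the inbound link.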

  20. #20
    legacy-Sproket
    Guest

    Default

    GGGGGGGGGRRRRRRRRRHHHHHHHHHHHHHHHH
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!
    I Want To Hurt SomeOne Very Badly.

  21. #21
    legacy-alphaman36
    Guest

    Default You think

    You think it's bad for us? How about the poor NOC folks at that address.

  22. #22
    Skaarj
    Join Date
    Aug 2003
    Posts
    14

    Unhappy Take him out!!!

    Kill the damn "player" "kakaachicken" he is makin UT2003 servers sick......soon no server will be online anymore , cause of that gay homofiel!!!! :bulb:

  23. #23
    legacy-alphaman36
    Guest

    Default kakaachicken

    I have two things that will help me with this in order to nix him

    1) I need to see logs that prove it is him.

    2) I need his IP address

  24. #24
    legacy-Sproket
    Guest

    Default

    I changed ports from 7777 to xxxx.
    Now everyone will have to re-find the server.

    I could do it some other way but that was the best option and most secure for me.

    GGGGRRRRHHHHHHH

  25. #25
    Skaarj
    Join Date
    Aug 2003
    Posts
    14

    Default Player

    Try adding "Player" in your buddylist , you will see all the servers this guy is attacking , check the ping 0 players , he now uses plenty other names .
    :weird:

    i shut down my server now...when he/it stops , i will open server again...:cry:

    i found 2 ip's , 130.230.72.156 and 130.234.194.77 ......
    when it logs in , i see no ip in kick/ban menu.....

  26. #26
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    36

    Default

    I have closed my server too...

  27. #27
    legacy-Sproket
    Guest

    Default

    after switching port I have seen no more attacks, also suppress=devnet has helped with other problem thanks to frogger.

  28. #28
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    330

    Default

    Count my server in also

    I dont understand I use the latest patch for ut2003, wasnt that supposed to fix this vulnerability?

  29. #29
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Post DDOS Has Stopped

    I just switched back to my other ip and its clean no more ddos

  30. #30
    Redeemer
    Join Date
    May 2000
    Location
    between the monitor and chair
    Posts
    1,523

    Default

    the latest versions of UT and UT2003 fix the vulnerabilities in the engine that could be exploited for a DDoS, it doesn't prevent your server being attacked by a DoS.
    The ip's you see are the real servers being attacked. If you have patched to the latest version you don't take part in the DDoS attack on those servers.
    There is no way to protect yourself from being attacked.
    Michiel 'El Muerte' Hendriks
    Magicball Network - Little Big Adventure community
    the Unreal Admin page - Unreal server administration
    UnrealWiki - UnrealScript and UnrealEd wiki.
    UnCodeX - powerful UnrealScript tool for programmers

  31. #31
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    Originally posted by El_Muerte_[TDS]
    the latest versions of UT and UT2003 fix the vulnerabilities in the engine that could be exploited for a DDoS, it doesn't prevent your server being attacked by a DoS.
    The ip's you see are the real servers being attacked. If you have patched to the latest version you don't take part in the DDoS attack on those servers.
    There is no way to protect yourself from being attacked.
    thats what i was confused about.
    thanks for explaining.

  32. #32
    legacy-Nexxxus
    Guest

    Default

    <knocking furiously on wood> I dont know about you guys but my attacks seem non-existent (at least at the moment)...anyone sharing the same "peace"?

  33. #33
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    146

    Default

    i havent switched back to port 7777 yet, but i will give it a day then switch back.

    anyhow, no attacks on 8888 either.

  34. #34
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    yeah they stopped hours ago all im gettin on the firewall is the worm bs 135 and icmp hits had a bunch of guys playing inv when i went to bed when i got up they were still playing so it must be ok lol just keep an eye out for the next one let your regulars know what port or ip you will change to if and when another attack occurs thats all you can do

  35. #35
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    330

    Default

    Originally posted by El_Muerte_[TDS]
    the latest versions of UT and UT2003 fix the vulnerabilities in the engine that could be exploited for a DDoS, it doesn't prevent your server being attacked by a DoS.
    The ip's you see are the real servers being attacked. If you have patched to the latest version you don't take part in the DDoS attack on those servers.
    There is no way to protect yourself from being attacked.
    Hey thats good enough for me then
    I dont wish to participate in a DDoS attack, being attacked is a pain, but being part of an attack is even worse.

  36. #36
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    36

    Default "/"/$/%?&%?*&?&*?&*&(

    The IP 130.230.72.156 is ddos Attack Again !
    Tabarnak d'ostie de calisse

    25/08/2003 19:45 Eastern Time

    Grrrrrrrrr !

    Ezequiel

  37. #37
    MSgt. Shooter Person
    Join Date
    Oct 2002
    Posts
    330

    Default

    yup here too

    this sucks so bad, I wish i knew where this assh*ole lived and send him a nice bomb letter...

  38. #38
    legacy-Nexxxus
    Guest

    Default

    aside from an annoyingly long log file - have you guys noticed any difference in actual gameplay? I really havent noticed a ping any worse than normal (although I am on a cable - so lag is a matter of routine for me)

  39. #39
    Iron Guard
    Join Date
    Jun 2003
    Posts
    526

    Default

    ya im getting it again too so i changed ip and its all good . as far as it affecting your quality of game play id say ya its going to affect it somewhat its creating network congestion regardless of your machine not accepting the routed packets.

    did any of you add player to your buddies then refresh list there's some servers getting filled with zombies they must not be patched i guess

  40. #40
    legacy-Sproket
    Guest

    Default

    I thought this DDOS attack just looks for IP's that have port 7777 open?
    Is this correct? I just changed my port and closed port 7777 and no more attacks. Changing IP and still using port 7777 leaves your server a target.


 