English Server hosters please note.

18.05.16 10:16:10 am
Mami Tomoe
User
Hi, there is a new crasher called SnK, he is crashing many servers for no reason and I came to ask you if you can range ban him from your servers.
Some links: vC Fwsl

Let's get that crasher banned so he will be sorry for crashing servers.
Do it unless you want to be his next target.
edited 1×, last 19.05.16 06:18:12 pm
18.05.16 12:28:17 pm
G3tWr3ck3d
User
I managed to block such (DoS) attacks / the empty packets tweak, just contact me on Skype. I won't post the commands I use here, just for security reasons: that would mean giving them the bypass to my servers once again.
Mess with the best, die like the rest. ༼ つ ◕_◕ ༽つ
18.05.16 06:21:01 pm
Evaldas
BANNED
Security reasons? NONSENSE!

Drop packets with empty payload. (You can find it in any DDoS Usgn thread)
Code:
# 28 bytes = 20-byte IPv4 header + 8-byte UDP header, i.e. no payload
sudo iptables -A INPUT -p udp -m length --length 28 -j DROP

Drop DrDoS attacks. (Most times got hit by this attack, btw it's most effective)
Code:
# multiport takes its comma-separated port list via --sports
sudo iptables -A INPUT -p udp -m multiport --sports 19,111,53,521,135,161,151,162,123,1434,1900,3306 -j DROP
edited 1×, last 18.05.16 06:32:50 pm
Destroying children's dream's, since 2012..
18.05.16 06:38:40 pm
Mami Tomoe
User
Can someone confirm what @user Evaldas: said?
Somehow I can't trust his rank :3
18.05.16 06:55:17 pm
Evaldas
BANNED
Are you waiting for 13-year-old kids so they would confirm it?
Destroying children's dream's, since 2012..
18.05.16 07:01:00 pm
Mami Tomoe
User
Well last time your comment was a lie.
18.05.16 07:19:03 pm
Evaldas
BANNED
Your whole life is a lie.

Well, probably someone can confirm that this command drops all packets of incoming connections with ports 19,111,53,521,135,161,151,162,123,1434,1900,3306.
Code:
sudo iptables -A INPUT -p udp -m multiport --sports 19,111,53,521,135,161,151,162,123,1434,1900,3306 -j DROP

Now google how DrDoS attacks work.
After that, check these ports on wiki or anywhere else. √

Also, you probably want to add this too.
Code:
--dport 36900:37000
Destroying children's dream's, since 2012..
18.05.16 07:24:33 pm
xsiN
User
Hello, I'm a sixteen-year-old kid who has nothing to do with DDoSing. Even though he gets banned, almost every hacker uses an IP camouflage/IP changer.

Regards.
ignore my previous names
18.05.16 07:42:34 pm
Mami Tomoe
User
Yes, but I range banned him and he can't seem to be able to join.
18.05.16 07:45:00 pm
Evaldas
BANNED
VPN services like TorGuard, SecurityKiss, HotSpot-Shield, PrivateInternetAccess and any others you can simply block by just sending a message with a request to blacklist your IP.

David (Hotspot Shield Help Desk) has written:
David (Hotspot Shield Help Desk)

Mar 22, 09:18

Hello,

I want to help you out on this matter.

We can protect your IP from any HSS user.
If you share the IP that you want protected, we can set that up as a protected server in our system and then no one using our app can touch it.

Please reply to this message and I will set this in motion.

Thanks,

David
Destroying children's dream's, since 2012..
18.05.16 07:49:48 pm
Cirium
User
That's good to know. Wouldn't have thought to have contacted them.

I have my iptables rules set up to block invalid packets and I still find my server gets crashed by SnK. I don't think this method of prevention/mitigation works against the method(s) he is using to attack.
18.05.16 07:55:49 pm
Evaldas
BANNED
Post TCPDump records, maybe we will think of something to stop him or any other uber h4x0r.

A .cap file would be great.
Destroying children's dream's, since 2012..
18.05.16 08:24:47 pm
Cirium
User
I have some screenshots I'm willing to release. There is little value in the whole tcpdump, they just look like this:

http://f.cirium.me/attacks_05-13-2016/screen1.png
http://f.cirium.me/attacks_05-13-2016/screen2.png

Notes:
1.
Code:
recv join attempt... (181.163.179.86:58624)
[03:14:27] Fighters | SnK clientdata: WIN {28cefe3ac30ab30ab5268978955263db3271680}
[03:14:27] U.S.G.N.: Fighters | SnK (181.163.179.86) joining with U.S.G.N. ID #150145 - verifying...
[03:14:28] U.S.G.N.: 181.163.179.86 is using U.S.G.N. ID #150145
[03:14:28] Fighters | SnK connected
[03:14:28] Fighters | SnK is using IP 181.163.179.86:58624 and U.S.G.N. ID #150145

2. From what I can remember he was in spectator the entire time
18.05.16 08:34:19 pm
Evaldas
BANNED
If it's DoS, why don't you simply just block his IP?
Code:
sudo iptables -A INPUT -s 181.163.179.86 -j DROP

Also, I need the .cap file.
Destroying children's dream's, since 2012..
18.05.16 08:52:11 pm
gotya2
GAME BANNED
screen2 shows a regular packet (move / rotate). This isn't a DoS attack. We need tcpdumps (udp).
As you can see, there's a packet every 0.02s, which corresponds to a framerate of 50 fps (framerate = netrate).
edited 1×, last 18.05.16 09:17:23 pm
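
Added example (not part of the thread or any poster's code): a shell/awk triage of `tcpdump -nn -tt -q udp` text output that sorts sources into the three cases discussed above: empty UDP payloads (the 28-byte packets the `--length 28` rule matches), packets from the source ports in the posted list, and ordinary game traffic compared with the 50 packets/s netrate. The sample capture, its addresses, the server port 36963 and the 100 packets/s limit are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage text output of `tcpdump -nn -tt -q udp`.
# Port list copied from the --sport rule posted in the thread.
REFLECT_PORTS="19,111,53,521,135,161,151,162,123,1434,1900,3306"

# stdin: tcpdump lines; $1: packets/second treated as abnormal (assumed default 100)
triage_udp() {
  awk -v ports="$REFLECT_PORTS" -v limit="${1:-100}" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) refl[p[i]] = 1 }
    $2 == "IP" && /UDP, length/ {
      src = $3; sport = src
      sub(/.*\./, "", sport)           # source port = text after the last dot
      sub(/\.[0-9]+$/, "", src)        # source address = text before it
      sec = $1; sub(/\..*/, "", sec)   # whole second of the timestamp
      if ($NF == 0)            empty[src]++     # 20 IP + 8 UDP + 0 payload = 28 bytes
      else if (sport in refl)  reflect[src]++   # reply from a commonly reflected service
      else                     rate[src SUBSEP sec]++
    }
    END {
      for (s in empty)   print "empty-payload", s, empty[s]
      for (s in reflect) print "reflection", s, reflect[s]
      for (k in rate) { split(k, a, SUBSEP); if (rate[k] > peak[a[1]]) peak[a[1]] = rate[k] }
      for (s in peak) {
        label = (peak[s] > limit) ? "high-rate" : "normal-rate"
        print label, s, peak[s]        # peak packets seen in any one second
      }
    }' | sort
}

# Constructed capture: documentation addresses, hypothetical server port 36963.
sample_capture() {
  awk 'BEGIN {
    dst = "198.51.100.10.36963:"
    for (i = 0; i < 50; i++)  printf "100.%06d IP 203.0.113.7.58624 > %s UDP, length 12\n", i * 20000, dst
    for (i = 0; i < 400; i++) printf "100.%06d IP 203.0.113.99.40000 > %s UDP, length 12\n", i * 2500, dst
    for (i = 0; i < 3; i++)   printf "101.%06d IP 192.0.2.44.5555 > %s UDP, length 0\n", i, dst
    for (i = 0; i < 2; i++)   printf "101.%06d IP 192.0.2.53.123 > %s UDP, length 468\n", i, dst
  }'
}

sample_capture | triage_udp 100
```

On a live host, a rule matching source ports 53 and 123 also drops replies to the server's own DNS and NTP lookups unless an earlier rule accepts established traffic.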
18.05.16 08:52:55 pm
Cirium
User
@user Evaldas Yes, that solution will work temporarily for a couple hours until he changes his IP. That's why I suggested just table'ing the entire ASN.
18.05.16 09:01:13 pm
Evaldas
BANNED
The chances he is DoSing with a VPN are almost zero, because most VPNs' firewalls have limited bandwidth and outgoing packet rate. If he is doing it with no VPN, I'm sure just simply sending a letter to his ISP's abuse mail should be enough trouble for him.
edited 2×, last 18.05.16 09:16:38 pm
Destroying children's dream's, since 2012..
19.05.16 12:37:41 pm
xsiN
User
Even if you block VPNs, ddosers can still use CMD with /ip config, although it only works with fixed internet (router).
ignore my previous names
19.05.16 02:05:14 pm
Evaldas
BANNED
Changing your private IP doesn't mean bypassing the IP ban on the server, because your public IP remains the same.
Destroying children's dream's, since 2012..
19.05.16 03:01:10 pm
xsiN
User
Hmmm.......
Okay.




Vegetables
ignore my previous names