PreedSwe

Patch the game to prevent DDOS exploit please!


As it stands, currently an ArmA server can be attacked by a DDOS attack using spoofed IPs to make the game server in turn send replies to the spoofed IP.

This has happened to our server lately and I have had to nullroute several subnets and send apologizing emails to host providers after receiving abuse emails from them.

Make the game handshake by having the client send a request, server replies ok, but please send back this cookie, client replies with cookie and server establishes session..

/ Preed


Not sure I understand how this will prevent the attacker from spamming initial requests and the server forwarding the spam by replying "OK" to the spoofed IP (with or without "cookie")?

Don't get me wrong, I look forward to a working generic solution, since this problem is rampaging in many other games as well.


Well, it prevents amplification.. But I guess maybe you could also throw in a time based block on traffic from that IP for a period of time.. Like 30 seconds, if the spoofed IP doesn't reply back like the gameserver expects..

Another way could be to have a control connection on TCP.. And not respond to any traffic from an IP that doesn't have a corresponding TCP connection.. But this will take a bit more work to implement.


Hey Preed,

I too have experienced this. Would be interested in finding a solution.


"organized" attacks aren't the real problem, but simply thousands of people trying to get on DayZ servers by spamming enter which causes servers to die.


Are you guys referring to GameSpy query, or actual game traffic? Because re GameSpy they switched to the protocol revision with handshake some months ago?

Perhaps a good idea to make a private ticket on the Community Issue Tracker with some more details, perhaps logs etc.


provide proof of concept, to my email (obviously obvious my nickname on forum at bistudio.com)


1. Heavily tune firewall. switch from FW-gimmick like conntrack stuff to something more serious. like zorp or so. in especially-hostile environment, turn on and tune convener-attacking feats.

[sometimes]it would be surprising to attacker 2 see message shortly before being offended too. not recommended "in general".

2. deploy/update/configure full-scale IPS/IDS, such as Snort, Suricata and etc.

3. purchase hardware IPS/Firewall thingy. partially offload/shrug-off ~40% of stuff.

4. ENFORCE DEP/NX full-time [Windows users can use something like "bcdedit.exe /set nx AlwaysOn" with administrator privilege/rights, for reference].

5. put tiny/LW EWS IDS-stuff, alike PSAD on server and heavily tune it on-topic too.

Edited by BasileyOne

> Well, it prevents amplification.. But I guess maybe you could also throw in a time based block on traffic from that IP for a period of time.. Like 30 seconds, if the spoofed IP doesn't reply back like the gameserver expects..
>
> Another way could be to have a control connection on TCP.. And not respond to any traffic from an IP that doesn't have a corresponding TCP connection.. But this will take a bit more work to implement.

Hi Preed. The Life Mission servers have always been targets of multi source packet flood attack as you say DDOS exploit (lol)

Here is what I did:

Make your server appear down to Novatech0, no matter where he is trying to "see your server" from. He'll think he has won and the attack will cease.

Also order him a pizza? *nod to da. / AAA* :rolleyes:

For obvious reasons I will not disclose any technical details here. Catch me creeping on these TS3 servers for now 72.20.13.74, ts3.arma2life.com:9988 or ts3.lifeprojectrpg.com if you'd like more infos.


Or send your infos to Dwarden. Thanks.


It is hard to do that since he is always on some random VPN when he is controlling these botnets.

He has had more than pizzas ordered. I heard someone called the cops saying he had approached their underage daughter wanting sex in exchange for drugs. (I have not been part of any of that), however if he had his place tossed and spent a day or two in jail, I wouldn't cry.. :p

Eventually someone who wants to play on the server is going to get fed up and go pay him a visit. Too bad he doesn't understand that himself..

> Make the game handshake by having the client send a request, server replies ok, but please send back this cookie, client replies with cookie and server establishes session..

Handshake implemented in 95442. As nobody contacted me back with repro or technical details of the attack, I did not test if it is really efficient against it. In theory it should be. You shall see once a next beta is published.

> Handshake implemented in 95442. As nobody contacted me back with repro or technical details of the attack, I did not test if it is really efficient against it. In theory it should be. You shall see once a next beta is published.

Excellent! :) At least it should prevent amplification/spoof attacks :)

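The cookie handshake requested in this thread, sketched as an added example: it is not part of any post and is not the game's own implementation or wire format. The message names (HELLO, CHAL, CONN), the 64-byte padded hello and the 30-second lifetime are assumptions chosen for illustration. A spoofed hello still triggers one reply to the victim, but that reply is smaller than the request, and large traffic flows only to an address that proved it can receive by echoing the cookie.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)   # server-only key; rotating it invalidates old cookies
COOKIE_TTL = 30           # seconds a cookie stays valid (assumed value)
MIN_HELLO = 64            # hello must be padded, so the 25-byte reply never amplifies


def make_cookie(addr, ts):
    """ts || HMAC(secret, ip:port || ts): nothing is stored per client."""
    stamp = struct.pack("!I", ts)
    msg = f"{addr[0]}:{addr[1]}".encode() + stamp
    return stamp + hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]


def cookie_ok(addr, cookie, now):
    if len(cookie) != 20:
        return False
    (ts,) = struct.unpack("!I", cookie[:4])
    if not 0 <= now - ts <= COOKIE_TTL:
        return False                      # expired or from the future
    return hmac.compare_digest(cookie, make_cookie(addr, ts))


class Server:
    def __init__(self):
        self.sessions = set()             # only addresses that echoed a valid cookie

    def on_datagram(self, addr, data, now=None):
        """Return the reply for one UDP datagram claiming to come from addr, or None."""
        # HELLO/CHAL/CONN are hypothetical message names, not the game's protocol.
        now = int(time.time()) if now is None else now
        if addr in self.sessions:
            return b"DATA " + bytes(1200)  # large replies only to validated peers
        if data.startswith(b"HELLO") and len(data) >= MIN_HELLO:
            return b"CHAL " + make_cookie(addr, now)
        if data.startswith(b"CONN ") and cookie_ok(addr, data[5:], now):
            self.sessions.add(addr)
            return b"OK"
        return None                       # everything else is dropped silently


if __name__ == "__main__":
    srv, client = Server(), ("198.51.100.7", 2304)   # constructed address
    chal = srv.on_datagram(client, b"HELLO".ljust(MIN_HELLO, b"\0"))
    print(len(chal), srv.on_datagram(client, b"CONN " + chal[5:]))
```

Because the cookie is bound to the source address and port, a cookie obtained at one address cannot be replayed to open a session for a spoofed one.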

Is this about game communication or gamespy communication?

In case of the latter - any details on how to deal with the change in utilities querying the servers?

> Is this about game communication or gamespy communication?

Game communication only. Gamespy communication is already handshaked.

> Game communication only. Gamespy communication is already handshaked.

Thanks, I got confused thinking there was another GS change :P


yeah, for awhile.

unless someone [hideous and unfriendly]write another "server monitoring tool" 2 offend serverbase again :[

