Thread: MOHAAC Creator Behind MOHAA Server UDP DDOS Attacks?

  1. #1

    MOHAAC Creator Behind MOHAA Server UDP DDOS Attacks?

    Hey,

    My MOHAA servers have been under DDoS attack, and going back through logs, we've been able to pinpoint some IP addresses that were trying to flood mohaa itself, which failed thanks to Reborn protection. However, once these attacks failed to work, UDP Flood DDOS attacks are purchased at $5 per hour. Massive amounts of UDP packets containing spoofed addresses and a massive payload then take down our servers. LNA, MLS, BW, and other servers are constantly targeted. As a community, several of us have gathered to help track down who may or may not be responsible.

    So far, we have evidence that chodda, risky shot, and p4 (xfire linux) may be behind the ordering of these DDOS attacks. p4 is the creator of MOHAAC. We looked up his contact information.

    Anyways, these DDOS attacks need to stop. Anyone have information about them? Several of us are considering pursuing legal action.

    The spammer in MOHAA had an IP address which is New Jersey based:

    Code:
    >>>\protocol\8\challenge\111010330qport62630nameWillyrate5000snaps20.5dm_playermodelamerican_armydm_playergermanmodelgerman_winter_1<<<
    version 8 connecting to 8
    69.127.56.101:-2906:reconnect rejected : too soon
    SV packet 69.127.56.101:-2906 : connect
    SVC_DirectConnect ()
    >>>\protocol\8\challenge\111010330qport62630nameWillyrate5000snaps20.5dm_playermodelamerican_armydm_playergermanmodelgerman_winter_1<<<
    version 8 connecting to 8
    69.127.56.101:-2906:reconnect rejected : too soon
    SV packet 69.127.56.101:-2906 : connect
    SVC_DirectConnect ()
    Thousands more lines of entries exactly like this.

    When these attacks fail to work, the attacker goes and orders massive DDOS attacks that exceed 6GB/sec, which take down our servers.

    What if MOHAAC plays a role in these attacks? It would be the perfect DDOS tool. Under the covers, do you really think it's solely for anticheat?

    p4 (xfire linux): has admitted to crashing servers.

    These attacks only occur during college breaks. STEVEN DELLAVALLE (p4) is a medical school student who lives in New Jersey (that checks up with the IP address we have). Could it be that he has better things to do when he's going to school but decides to DDOS the community during breaks? He gets banned from servers for hacking, and then the servers mysteriously go down?

    From a server admin:

    Last summer, a player from an IP=204.14.77.6 with a username .357 | PLYR4 | ELITE_HITMAN got banned from our server. Seconds later he launched an attack from the same IP address which included multiple robots named "Mario"; they all joined the server from different ports and crashed our server.
    Last week, I banned a player named .357| AZ for cheating from an IP=69.127.56.101. The next day I went to another one of our servers and saw him play from the same IP, but this time he was using the name "elite hitmen pfs". I keep a log of everyone's names and IPs who join our server and I know for sure that from that IP address he also used the name "eh.PUREMAYHEM". After banning him from the sniper server, a DDoS was launched against our servers which included a modified unnamedsoldier.cfg file where the "\" sign between config fields was somehow removed. He accessed from the same 69.127.56.101 address 17,000 times, which created the DDoS.
    A few days after that incident, one of our admins banned a player named "elite hitman riskyshot" from an IP=71.223.121.158. He had a friend named "357 tubecatche" who started cursing and saying bad words to that admin, so he got banned too. The friend's IP was 24.247.115.248.
    I used to think that Riskyshot=Chodda but they are not. I think the attacks were launched by either "Player 4" or other Elite Hitmen members. We were DDoSed twice after banning two different players, so they could both be behind it, but the DDoS that crippled the datacenters was launched after banning elite hitmen riskyshot, so I think he could be behind the big DDoS.
    Your thoughts on this?
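As an added example (not from any poster in this thread), a defender-side triage script over constructed log lines in the format quoted above: it counts connect attempts and "reconnect rejected" lines per source IP and flags userinfo strings whose backslash separators are missing, the malformation the admin describes. The threshold, sample IPs and field names other than those in the quoted log are assumptions.

```python
import re
from collections import Counter

# Constructed sample log in the shape of the MOHAA server log quoted above:
# one well-formed connect plus the repeated flood block from the thread.
FLOOD_ENTRY = r""">>>\protocol\8\challenge\111010330qport62630nameWillyrate5000<<<
version 8 connecting to 8
69.127.56.101:-2906:reconnect rejected : too soon
SV packet 69.127.56.101:-2906 : connect
SVC_DirectConnect ()
"""
NORMAL_ENTRY = r""">>>\protocol\8\challenge\4242\qport\31337\name\Bob\rate\5000<<<
version 8 connecting to 8
SV packet 10.0.0.7:27960 : connect
SVC_DirectConnect ()
"""
SAMPLE_LOG = NORMAL_ENTRY + FLOOD_ENTRY * 5

CONNECT_RE = re.compile(r"^SV packet (\d+\.\d+\.\d+\.\d+):(-?\d+) : connect$")
REJECT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(-?\d+):reconnect rejected")
REQUIRED_KEYS = {"name", "qport"}  # assumed minimum for a sane userinfo

def parse_userinfo(line):
    """Parse a Quake3-style '\\key\\value' userinfo string into a dict.
    Returns None when the string is malformed (odd field count or a
    required key missing), which is what happens when the backslash
    separators are stripped as the admin describes."""
    body = line.strip().strip("<>")
    if not body.startswith("\\"):
        return None
    fields = body.split("\\")[1:]
    if len(fields) % 2:
        return None
    info = dict(zip(fields[0::2], fields[1::2]))
    return info if REQUIRED_KEYS <= info.keys() else None

def flood_report(log_text, threshold):
    """Count connects and rejected reconnects per source IP and collect
    malformed userinfo strings; IPs at or above threshold are suspects."""
    connects, rejects, malformed = Counter(), Counter(), []
    for line in log_text.splitlines():
        if line.startswith(">>>"):
            if parse_userinfo(line) is None:
                malformed.append(line)
            continue
        m = CONNECT_RE.match(line)
        if m:
            connects[m.group(1)] += 1
            continue
        m = REJECT_RE.match(line)
        if m:
            rejects[m.group(1)] += 1
    suspects = sorted(ip for ip, n in connects.items() if n >= threshold)
    return {"connects": connects, "rejects": rejects,
            "malformed": malformed, "suspects": suspects}
```

Run it on a real server log with a threshold tuned to normal reconnect rates; the suspects list is what you would hand to the datacenter for a null route.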

  2. #2
    Administrator James (Join Date: May 2010; Location: on the intraweb; Posts: 3,180)

    This brings back memories..

    1. Can't recall who, but I wouldn't be surprised if it was riskyshot, who somehow managed to send me some virus years ago and leaked STWH. He distributed it all over the place, which is why when I found out, I released the source code. Anywho, that's neither here nor there; the point is, I don't have a very good experience with that crew, and I don't think they like me very much either. Whatever the reason, I wouldn't be surprised.

    The thing that I am confused about is... wasn't MOHAAC developed by Steve?? So is Steve this p4 guy you're talking about??

    However, once these attacks failed to work, UDP Flood DDOS attacks are purchased at $5 per hour. Massive amounts of UDP packets containing spoofed addresses and a massive payload then take down our servers.


    Help me understand this.. So Reborn protects against this, but I'm assuming those are TCP or UDP?? Doesn't GSProtect protect against both or multiple protocols??
    And if there is a common range of IPs, couldn't you just ban the range to prevent the mass attack?

    Also on another note, I'm going to have to dig through some old posts, but I believe there are a few anti-DDOS scripts out there that help protect against these types of attacks. I mean you can always pull the "legal" card and scare them off, but not sure how far it will go. Also if you have a good firewall, it should be able to prevent attacks like these.

    I hope this info helps a bit.

  3. #3

    Our servers are already protected via IPTables. The traffic gets dropped. However, the traffic is still reaching my server. The data center can null the IP address, but then it's their firewall that is dropping the traffic instead of mine. Someone is handling the DDOS attack and that takes resources.

    Yes, we're talking about Steve, the creator of MOHAAC. We're still trying to gather evidence and are taking action.

    Reborn protects MOHAA related attacks. These UDP DDOS attacks target the IP address and different closed ports. The traffic is dropped, but it's still getting to its destination. These UDP attacks are non-related to MOHAA and spoof IP addresses. You can't return the attack, as the packets are looking like they are coming from everywhere. A lot of services have been having problems because of this lately such as Steam and EA.

    There's not much you can do unless you rewrite the UDP protocol or write a better one.

  4. #4

    His email address is:

    dellavallx@gmail.com

    As found from here (Search Steve):

    https://webcache.googleusercontent.c...&ct=clnk&gl=us

    So, he participates in scams and sells pirated copies of games on eBay: http://feedback.ebay.com/ws/eBayISAP...rld=true&rt=nc

    This guy is probably the culprit.

  5. #5

    I don't believe Steve is behind this, and if you don't know, a group of hackers called DERP have done a lot of DDOS attacks on a lot of games like League of Legends, EA, Club Penguin, etc. Every service was down. If you want to accuse someone, get the evidence first.

  6. #6
    Client Beta Tester Appelpitje (Join Date: Jan 2012; Location: Belgium; Posts: 571)

    In which datacenter is your server located?
    And yes, Derptrolling took down some Internap datacenters.

  7. #7
    Administrator JoTo (Join Date: May 2010; Location: www.scapp.net; Posts: 1,953)

    Interesting.

  8. #8

    Quote originally posted by DoubleKill:
    > I don't believe Steve is behind this, and if you don't know, a group of hackers called DERP have done a lot of DDOS attacks on a lot of games like League of Legends, EA, Club Penguin, etc. Every service was down. If you want to accuse someone, get the evidence first.
    We do have evidence. This has been going on for over six months. P4 even admits to crashing / DDOSing things all the time over xfire. The IP addresses are from New Jersey in the same area Steve lives based on the addresses we've looked up. It has nothing to do with Derptrolling, as this has gone on for a while. P4 AKA STEVE is mad.

  9. #9

    Sorry live4thetruth, but who are you for starters??
    You just joined and posted this??
    I know Steve and I am sure he did not just spend 2 years creating an anti-cheat to then do this on an old game with not many players!!!

    Next up, if you think it is, then uninstall it and block the MOHAAC IPs, not that you need to!!!

    I get loads of shit like this on my own dedi server but it has never been down to MOHAAC.

    Next thing is that IP address is not the master MOHAAC server IP, so what says it's just a player flooding????

    Don't diss something till you have the facts!!! You have not got the facts on this!!
    If you so think it is this, then it's simple: don't use it and block the IPs.

    I use it and don't have these issues across 30+ MOHAA servers.

  10. #10

    It has to be investigated. Steve is registered on this forum, btw; maybe he can deny or admit this attack himself?
