Hey,
My MOHAA servers have been under DDoS attack, and going back through logs, we've been able to pinpoint some IP addresses that were trying to flood mohaa itself, which failed thanks to Reborn protection. However, once these attacks failed to work, UDP Flood DDOS attacks are purchased at $5 per hour. Massive amounts of UDP packets containing spoofed addresses and a massive payload then take down our servers. LNA, MLS, BW, and other servers are constantly targeted. As a community, several of us have gathered to help track down who may or may not be responsible.
So far, we have evidence that chodda, risky shot, and p4 (xfire linux) may be behind the ordering of these DDOS attacks. p4 is the creator of MOHAAC. We looked up his contact information.
Anyways, these DDOS attacks need to stop. Anyone have information about them? Several of us are considering pursuing legal action.
The spammer in MOHAA had an IP address which is New Jersey based:
Code:
>>>\protocol\8\challenge\111010330qport62630nameWillyrate5000snaps20.5dm_playermodelamerican_armydm_playergermanmodelgerman_winter_1<<<
version 8 connecting to 8
69.127.56.101:-2906:reconnect rejected : too soon
SV packet 69.127.56.101:-2906 : connect
SVC_DirectConnect ()

Thousands more lines of entries exactly like this.
When these attacks fail to work, the attacker goes and orders massive DDOS attacks that exceed 6GB/sec, which take down our servers.
What if MOHAAC plays a role in these attacks? It would be the perfect DDOS tool. Under the covers, do you really think it's solely for anticheat?
p4 (xfire linux): has admitted to crashing servers.
These attacks only occur during college breaks. STEVEN DELLAVALLE (p4) is a medical school student who lives in New Jersey (that checks up with the IP address we have). Could it be that he has better things to do when he's going to school but decides to DDOS the community during breaks? He gets banned from servers for hacking, and then the servers mysteriously go down?
From a server admin:
Your thoughts on this?
Last summer, a player from an IP=204.14.77.6 with a username .357 | PLYR4 | ELITE_HITMAN got banned from our server. Seconds later he launched an attack from the same IP address which included multiple robots named "Mario"; they all joined the server from different ports and crashed our server.
Last week, I banned a player named .357| AZ for cheating from an IP=69.127.56.101. Next day I went to another one of our servers and saw him play from the same IP, but this time he was using a name "elite hitmen pfs". I keep a log of everyone's names and IPs who join our server and I know for sure that from that IP address he also used a name "eh.PUREMAYHEM". After banning him from sniper server, a DDoS was launched against our servers which included a modified unnamedsoldier.cfg file where the "\" sign between config fields was somehow removed. He accessed from the same 69.127.56.101 address 17,000 times, which created the DDoS.
A few days after that incident, one of our admins banned a player named "elite hitman riskyshot" from an IP=71.223.121.158. He had a friend named "357 tubecatche" who started cursing and saying bad words to that admin, so he got banned too. The friend's IP was 24.247.115.248.
I used to think that Riskyshot=Chodda but they are not. I think the attacks were launched by either "Player 4" or other Elite Hitmen members. We were ddosed twice after banning two different players so they could be both behind it, but the DDoS that crippled the datacenters was launched after banning elite hitmen riskyshot, so I think he could be behind the big DDoS.
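Added example, not part of the original post or of any MOHAA/Reborn code: a log triage script that counts connect attempts and rejected reconnects per source IP and flags userinfo strings whose `\` delimiters are missing, as in the log excerpt and the admin's description above. The threshold, the well-formed sample line and the 198.51.100.7 client are assumptions; per-IP counts only help with the game-level connect flood, since the UDP flood described in the post uses spoofed sources.

```python
import re
from collections import Counter

# Field names visible in the post's log line; a fused string carries them inside a value.
KEYS = ("qport", "name", "rate", "snaps")
CONNECT = re.compile(r"^SV packet (\d+\.\d+\.\d+\.\d+):-?\d+ : connect")
REJECT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):-?\d+:reconnect rejected")
USERINFO = re.compile(r"^>>>(.*)<<<$")

def fused_keys(userinfo):
    """Return expected keys that are missing as keys but embedded in some value."""
    parts = userinfo.split("\\")[1:]              # leading "\" gives an empty first item
    info = dict(zip(parts[0::2], parts[1::2]))    # \key\value\key\value ...
    return [k for k in KEYS if k not in info and any(k in v for v in info.values())]

def triage(log_text, threshold=3):
    """Per-IP counts of connects, rejected reconnects and fused userinfo strings."""
    connects, rejects, malformed = Counter(), Counter(), Counter()
    last_ip = None
    for line in map(str.strip, log_text.splitlines()):
        if m := CONNECT.match(line):
            last_ip = m.group(1)
            connects[last_ip] += 1
        elif m := REJECT.match(line):
            rejects[m.group(1)] += 1
        elif (m := USERINFO.match(line)) and last_ip and fused_keys(m.group(1)):
            malformed[last_ip] += 1               # attribute to the preceding connect
    return {ip: {"connects": n, "rejected": rejects[ip], "malformed": malformed[ip]}
            for ip, n in connects.items() if n >= threshold}

# Constructed sample: the post's userinfo line plus a made-up well-formed client.
BAD = (r"\protocol\8\challenge\111010330qport62630nameWillyrate5000snaps20.5"
       r"dm_playermodelamerican_armydm_playergermanmodelgerman_winter_1")
GOOD = r"\protocol\8\challenge\12345\qport\4242\name\Player\rate\5000\snaps\20"

def block(ip, port, userinfo, rejected):
    lines = [f"SV packet {ip}:{port} : connect", "SVC_DirectConnect ()",
             f">>>{userinfo}<<<", "version 8 connecting to 8"]
    if rejected:
        lines.append(f"{ip}:{port}:reconnect rejected : too soon")
    return "\n".join(lines)

SAMPLE = "\n".join([block("69.127.56.101", -2906, BAD, True)] * 4
                   + [block("198.51.100.7", 12203, GOOD, False)])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Sources that cross the threshold with a high malformed count are candidates for a rate limit or a block at the host firewall.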