New kind of attack bringing server down..

[g0atz]

In the past few days our server has been disrupted with connectivity issues on and off where it takes way too long to log on and when you do finally connect the connection drops and freezes etc. I was about to move the server to a new IP because GS couldn't figure out the problem even after a complete clean wipe & reinstall.

Now I spotted the behavior happening again as i write this and witnessed this IP:

68.47.32.72

...connecting to the server many times under different names sometimes 10+ times at once and a different name every 5 seconds... so a program I'm guessing. I am sure this is some kind of attack and must be the cause of the problems we are having. I did not notice this IP b4 because I was just checking the server status from my remote viewer most of the time so didn't see the connect attempts.

I have blocked it with my Auto Kick and with the 1.12 ban option but the requests
are still coming through. So i have asked GS to block the range 68.47.*.*

Any ideas as to why if I have this IP on the ipfilter.cfg list that the requests are still coming through??

[TK4|2|1]

We too are noticing strange server behaviour, lagging, rubber banding and random restarts.

[JoTo]

I don't know, sounded first to me like filling attac but seems is something different, we will wait for Razo his response.

[James]

Can you post the log file on here so we can see what's happening?
This actually reminds me of a hack I once saw in the works. It was never published publically, but it caused issues that you speak of.
We will discuss this in the development section. We'll keep you posted on this.

[Elgan]

think i know what you mean James, cud be cud be

but you know, this sounds to me like bots?

[Razo[R]apiD]

Can be a Fill attack.

Try to set sv_timeout to 10 and sv_zombietime to 1

He's probably using this attack as a DoS attack. I'll come up with better fix for this on lower level.

[g0atz]

Sorry James...I get it to you when it starts again. hopefully it won't. But do you think if GS does block the range the requests will completely be unable to reach the server?

[JoTo]

Sorry James...I get it to you when it starts again. hopefully it won't. But do you think if GS does block the range the requests will completely be unable to reach the server?

They would block the connects at firewall level, so they won't reach the gameserver at all.

[heatsinkbod]

That will sort it out as JoTo said, you could also raise a complaint to the ISP -:
68.47.32.72 - Geo Information
IP Address 68.47.32.72
Host c-68-47-32-72.hsd1.ga.comcast.net
Location US, United States
City Augusta, GA -
Organization Comcast Cable
ISP Comcast Cable
AS Number AS33665 Comcast Cable Communications, Inc.
Latitude 33°43'93" North
Longitude 82°05'12" West
Distance 8652.56 km (5376.45 miles)


abuse@comcast.net


68.47.32.72 - Whois Information
#
# Query terms are ambiguous. The query is assumed to be:
# "n + 68.47.32.0"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=68...showARIN=false
#


# start

NetRange: 68.32.0.0 - 68.63.255.255
CIDR: 68.32.0.0/11
OriginAS:
NetName: JUMPSTART-1
NetHandle: NET-68-32-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: DNS101.COMCAST.NET
NameServer: DNS105.COMCAST.NET
NameServer: DNS103.COMCAST.NET
NameServer: DNS102.COMCAST.NET
NameServer: DNS104.COMCAST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-29
Updated: 2010-02-01
Ref: http://whois.arin.net/rest/net/NET-68-32-0-0-1

OrgName: Comcast Cable Communications, Inc.
OrgId: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
RegDate: 2001-11-29
Updated: 2009-11-06
Ref: http://whois.arin.net/rest/org/CMCS

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: CNIPEO-Ip-registration@cable.comcast.com
OrgTechRef: http://whois.arin.net/rest/poc/IC161-ARIN

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net
OrgAbuseRef: http://whois.arin.net/rest/poc/NAPO-ARIN

RTechHandle: IC161-ARIN
RTechName: Comcast Cable Communications Inc
RTechPhone: +1-856-317-7200
RTechEmail: CNIPEO-Ip-registration@cable.comcast.com
RTechRef: http://whois.arin.net/rest/poc/IC161-ARIN

# end


# start

NetRange: 68.47.0.0 - 68.47.127.255
CIDR: 68.47.0.0/17
OriginAS:
NetName: AUGUSTA-1
NetHandle: NET-68-47-0-0-1
Parent: NET-68-32-0-0-1
NetType: Reassigned
RegDate: 2003-03-19
Updated: 2004-07-02
Ref: http://whois.arin.net/rest/net/NET-68-47-0-0-1

CustName: Comcast Cable Communications, Inc.
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US
RegDate: 2003-03-19
Updated: 2003-03-19
Ref: http://whois.arin.net/rest/customer/C00491936

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: CNIPEO-Ip-registration@cable.comcast.com
OrgTechRef: http://whois.arin.net/rest/poc/IC161-ARIN

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net
OrgAbuseRef: http://whois.arin.net/rest/poc/NAPO-ARIN

RTechHandle: IC161-ARIN
RTechName: Comcast Cable Communications Inc
RTechPhone: +1-856-317-7200
RTechEmail: CNIPEO-Ip-registration@cable.comcast.com
RTechRef: http://whois.arin.net/rest/poc/IC161-ARIN

# end


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Happy shooting

Cheers
Heatsinkbod

(Jon)

KILL em ALL and then KILL em ALL again!!

[g0atz]

Thanks Heatsinkbod...