1. Post #1

    June 2013
    32 Posts
    The DDoS attack is just a simple issue with the uLink protocol. It uses UDP as it is fast and quick when you don't need all the data to be checked for loss and corruption. But uLink does not check if the incoming packet size is 0 bytes long. uLink will try to read the data from the packet to see what it was asking it to do, but the buffer has a length of zero, and when you try to read from the buffer there are two options: the server waits for the client to send the missing data, leaving an infinite wait (or until it times out), or an error is thrown.

    I also know that I should email Garry, but this is for host providers as a quick fix! Please note that I have read the playrust homepage.

    To fix this, there are 3 ways:
    1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work:
    iptables -A INPUT -p udp -m length --length 0:28 -j DROP
    # 28 = 20-byte IPv4 header + 8-byte UDP header, i.e. a UDP datagram with an empty payload
    2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on.
    Might work on one of these.
    3) The Rust developers could do a temp fix where they create a UDP proxy and suggest server providers block the main port. So:
    port = private real server port
    port + 1 = public fake UDP server with option 2 built in

    The fixes above will only work until they change the way they are confusing the server; I'm guessing they will change over to a system of sending broken packets if people start blocking 0 packet length?
    If you have any other possible fixes, please comment and I will add them to the list.
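    The filtering proxy of options 2 and 3 above, as an added example (this is not code from the post, and not anything uLink or Rust ship): a Python UDP proxy that listens on a public port, drops any datagram whose payload is shorter than a minimum length, and forwards the rest to the real, firewalled server port, relaying replies back to the right client. The loopback addresses, the echo stand-in for the game server and the client traffic in demo() are constructed for the example; real deployments would put the server port behind a firewall and expose only the proxy port.

```python
import selectors
import socket
import threading


class UdpFilterProxy:
    """Public-facing UDP proxy that drops empty (or too-short) datagrams and
    forwards everything else to the real server port.

    Hypothetical implementation of "option 2"/"option 3" from the post; it is
    not a uLink or Rust component. One upstream socket is created per client
    address so the server's replies can be relayed back to the right client.
    """

    MAX_DGRAM = 65535

    def __init__(self, listen_addr, server_addr, min_payload=1):
        self.server_addr = server_addr
        self.min_payload = min_payload
        self.stats = {"forwarded": 0, "dropped": 0, "replied": 0}
        self.sel = selectors.DefaultSelector()
        self.public = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.public.bind(listen_addr)
        self.sel.register(self.public, selectors.EVENT_READ, self._from_client)
        self.upstream = {}          # client (ip, port) -> socket toward server
        self._stop = threading.Event()

    @property
    def listen_addr(self):
        return self.public.getsockname()

    def accept_payload(self, payload: bytes) -> bool:
        # The check the post says uLink lacks: a datagram with no payload
        # (recvfrom() returns b"") is never handed to the server.
        return len(payload) >= self.min_payload

    def _from_client(self, sock):
        payload, client = sock.recvfrom(self.MAX_DGRAM)
        if not self.accept_payload(payload):
            self.stats["dropped"] += 1
            return
        up = self.upstream.get(client)
        if up is None:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.connect(self.server_addr)
            self.upstream[client] = up
            # Replies arriving on this socket belong to `client`.
            self.sel.register(up, selectors.EVENT_READ,
                              lambda s, c=client: self._from_server(s, c))
        up.send(payload)
        self.stats["forwarded"] += 1

    def _from_server(self, sock, client):
        reply = sock.recv(self.MAX_DGRAM)
        self.stats["replied"] += 1
        self.public.sendto(reply, client)

    def serve(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                key.data(key.fileobj)

    def stop(self):
        self._stop.set()

    def close(self):
        for s in [self.public, *self.upstream.values()]:
            self.sel.unregister(s)
            s.close()
        self.sel.close()


def demo():
    """Constructed end-to-end run on loopback: a fake 'game server' that echoes
    what it receives, the proxy in front of it, and a client that sends one
    empty datagram (the attack) followed by one real datagram."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(3)

    proxy = UdpFilterProxy(("127.0.0.1", 0), server.getsockname())
    worker = threading.Thread(target=proxy.serve, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(3)
    client.sendto(b"", proxy.listen_addr)        # empty payload: must be dropped
    client.sendto(b"hello", proxy.listen_addr)   # legitimate traffic: forwarded

    server_got, peer = server.recvfrom(65535)    # only the second datagram arrives
    server.sendto(b"echo:" + server_got, peer)   # reply goes back through the proxy
    client_got = client.recv(65535)

    proxy.stop()
    worker.join(2)
    proxy.close()
    server.close()
    client.close()
    return {"server_got": server_got, "client_got": client_got, **proxy.stats}


if __name__ == "__main__":
    print(demo())
```

    The proxy only protects against the empty-datagram case the post describes; as later replies note, a volumetric flood still reaches the proxy port, and per-client upstream sockets should be expired in a real deployment so spoofed sources cannot exhaust them.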

  2. Post #2

    March 2009
    116 Posts
    invade france

  3. Post #3

    December 2013
    66 Posts
    You should send Garry an email; he said to send it to garry@playrust.com

    Also check out his Information Appeal post on the main site.

  4. Post #4

    June 2013
    32 Posts
    > invade france
    I do not think the British empire is still strong enough :D

    Edited:

    > You should send Garry an email; he said to send it to garry@playrust.com
    >
    > Also check out his Information Appeal post on the main site.
    I will, but in the meantime this allows any server providers to fix their servers.

  5. Post #5
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    7,313 Posts
    > invade france
    Much better option.

    Also, as long as something allows a connection, it can be flooded and rendered useless.
    There are no real "fixes" to attacks apart from just firewalling massive amounts of IPs; well, none that work permanently.

  6. Post #6

    June 2013
    32 Posts
    > Much better option.
    >
    > Also, as long as something allows a connection, it can be flooded and rendered useless.
    > There are no real "fixes" to attacks apart from just firewalling massive amounts of IPs; well, none that work permanently.
    Well, this currently is not a spam DDoS, it's just an exploit. Most good server hosters will have anti-DDoS protection for the standard version of DDoS.

  7. Post #7

    December 2013
    86 Posts
    DDoS attacks can be traced even through botnets. Why are these guys not already arrested?

  8. Post #8
    Dennab
    December 2013
    81 Posts
    > DDoS attacks can be traced even through botnets. Why are these guys not already arrested?
    Because it's not easy to detect the source of the DDoS attack. Besides, this isn't a DDoS attack.

  9. Post #9

    June 2013
    32 Posts
    > Because it's not easy to detect the source of the DDoS attack. Besides, this isn't a DDoS attack.
    DDoS is a denial of service. DDoS is not just when you spam the server with lots of pings; it is anything that denies the service, like an exploit.

  10. Post #10
    Dennab
    December 2013
    81 Posts
    > DDoS is a denial of service. DDoS is not just when you spam the server with lots of pings; it is anything that denies the service, like an exploit.
    Let me rephrase it.

    Besides, this isn't a common DDoS attack.

  11. Post #11
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    7,313 Posts
    > DDoS attacks can be traced even through botnets. Why are these guys not already arrested?
    Uh, unless the botnet owner is fucking retarded, that's not the case.

    Generally the "order" comes from a master server which then tells all the infected computers to do whatever; unless the owner uses his own PC in the botnet, the chances of finding the dude without checking the master server's logs are pretty much nil.

  12. Post #12
    ChYph3r
    December 2013
    175 Posts
    As far as I look at it, it's evident that the uLink software makers don't know their software well enough to fix it. I mean, come on, it's been how many days since the DoS attacks started?
    Most software companies would have had a decent fix for it by now!

  13. Post #13
    Codiction
    December 2013
    7 Posts
    It is a DDoS attack, just not the common one. Instead of huge amounts of data being spammed, only shells with nothing inside are being spammed. It's the same thing. The goal is to crash the server --> denial of service.

    I got another idea. What if Garry (temporarily) makes some kind of extra network layer (not much to make, but probably effective), a layer in front of uLink? The layer would function a bit like a firewall, specifically designed to catch the things the uLink library can't handle. All the rest, the layer just forwards to uLink to be further processed.

    If this is done, then they can still DDoS purely with huge amounts of data. But this CANNOT affect all servers. There would (maybe) be some servers that are getting a beating, but at least not the whole of Rust will be offline.

    It's not an ideal solution but it would render the game playable again until uLink comes up with a more robust library.
    EDIT:
    A bit like option 3.

  14. Post #14
    Dennab
    December 2013
    81 Posts
    > Uh, unless the botnet owner is fucking retarded, that's not the case.
    >
    > Generally the "order" comes from a master server which then tells all the infected computers to do whatever; unless the owner uses his own PC in the botnet, the chances of finding the dude without checking the master server's logs are pretty much nil.
    It is possible by accessing one of the infected computers and checking for the IP sending the orders to the infected computer. Again, if the user is smart he would be behind a few VPNs, which wouldn't be as "easy" to find the source.

  15. Post #15

    December 2013
    249 Posts
    > DDoS attacks can be traced even through botnets. Why are these guys not already arrested?
    These packets only need to travel one way, so there's nothing stopping the source from being spoofed. Also, even assuming no spoofing is occurring, you could get access to a shared, low-speed botnet of 1000 computers for a few bucks, and that's all you'd need to carry out this attack indefinitely. It only takes something like 20kb/sec of empty packets to make a current Rust server rubberband horribly so it's completely unplayable; that'd only take like 5 dial-up connections! Or one shitty DSL. The servers are not getting flooded with data (more expensive to do); instead, they are being confused by specific packets which exploit bugs in the networking code.

    Even assuming you traced all 1000 of those theoretical 'bot' computers, what would you do? As soon as any are blocked they can just be replaced by more, cheaply and instantly.

  16. Post #16
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    7,313 Posts
    > It is possible by accessing one of the infected computers and checking for the IP sending the orders to the infected computer. Again, if the user is smart he would be behind a few VPNs, which wouldn't be as "easy" to find the source.
    Did you even read what I said? The owner generally uses a master server, i.e. the orders come from that, not from him.

    You have to be the most retarded fuckin' dude to use your own connection to send the orders.

  17. Post #17

    December 2013
    86 Posts
    So the only thing we really know is that their TeamSpeak server is located in Paris, at a company which has been hacked several times in the past. They speak French. Did you notice yesterday that a lot of people posting their TS info were from Canada? Let's say French Canadian. I found the answer.

    Blame Canada!!!!

  18. Post #18

    December 2013
    152 Posts
    Jeez, people are still talking botnets even though it's quite easy to determine that there isn't a botnet involved...

  19. Post #19
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    7,313 Posts
    > Jeez, people are still talking botnets even though it's quite easy to determine that there isn't a botnet involved...
    The discussion is DDoS.
    While they might be using an exploit at this point in time, it still stands to say that even if that's patched they could easily return to more primitive attacks.

    Prepare for the worst, don't expect the best.

  20. Post #20
    Gold Member
    thomasfn
    July 2008
    2,999 Posts
    > To fix this, there are 3 ways:
    > 1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work:
    > iptables -A INPUT -p udp -m length --length 0:28 -j DROP
    > # 28 = 20-byte IPv4 header + 8-byte UDP header, i.e. a UDP datagram with an empty payload
    > 2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on.
    These actually aren't bad ideas. Are you sure the exploit is zero-length packets?

  21. Post #21
    Gold Member
    Downsider
    July 2007
    2,036 Posts
    The only thing that really helps against a DDoS that doesn't utilize an application-level exploit to make itself more effective is to have a network of proxy servers that filter out suspected illegitimate requests. Those proxy servers have to be able to handle more packets and have more bandwidth available to them than the main server, so it sort of defeats the purpose, but there are companies that will put their machines in their way on the cheap rather than bumping up the main server's specs or trying to do it yourself.

  22. Post #22
    Dennab
    December 2013
    285 Posts
    Invade france!

    Kill the western infidel! ... wait.... I'm the western infidel...


    Shit?

  23. Post #23

    January 2012
    129 Posts
    We cannot invade/nuke/delete France, MaxOfS2D lives there =/

  24. Post #24
    elfengor
    December 2013
    7 Posts
    You guys are so funny.

  25. Post #25

    December 2013
    2 Posts
    OK, well, here's one thing that could be done: if someone could get hold of the IP of the person who is causing the DDoS, we could all IP-ban him from our servers. Someone said they managed to get the IP and banned it, and didn't receive the DDoS attack anymore.

  26. Post #26
    Dennab
    December 2013
    19 Posts
    Any possible solution for FreeBSD (Multiplay servers?)

  27. Post #27

    December 2013
    16 Posts
    > Much better option.
    >
    > Also, as long as something allows a connection, it can be flooded and rendered useless.
    > There are no real "fixes" to attacks apart from just firewalling massive amounts of IPs; well, none that work permanently.
    I am in the networking field, so I don't know about servers, but in routers you can put a deny-all in and add exceptions. It could work like 802.1X. So my take on that would be: what if you were required to have a client-side certificate to be able to access the server listing (the listing when you click "play game")? You know, some type of authentication. Then if they continue to attack the servers, you know for a fact that one person who has a certificate is doing the DDoS. This would cut down the number of people you have to sift through to find out who is doing this. Then, the only thing they could do if they didn't authenticate is bring down the distribution server, but users could still connect directly to individual servers.

    That is if the DDoS is dynamically updating the hosts to attack.

    I don't know if I am using the right lingo for you server guys, or if this is even possible to program, but if it is it could work.

  28. Post #28
    Gawdl3y
    June 2010
    23 Posts
    > DDoS is a denial of service. DDoS is not just when you spam the server with lots of pings; it is anything that denies the service, like an exploit.
    More specifically, a DDoS is a Distributed Denial of Service. That means it would be multiple machines across multiple networks all attacking the same server. If it's just one machine/one network, it's just a DoS.

  29. Post #29
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    7,313 Posts
    > I am in the networking field, so I don't know about servers, but in routers you can put a deny-all in and add exceptions. It could work like 802.1X. So my take on that would be: what if you were required to have a client-side certificate to be able to access the server listing (the listing when you click "play game")? You know, some type of authentication. Then if they continue to attack the servers, you know for a fact that one person who has a certificate is doing the DDoS. This would cut down the number of people you have to sift through to find out who is doing this. Then, the only thing they could do if they didn't authenticate is bring down the distribution server, but users could still connect directly to individual servers.
    >
    > That is if the DDoS is dynamically updating the hosts to attack.
    >
    > I don't know if I am using the right lingo for you server guys, or if this is even possible to program, but if it is it could work.
    First thing: if you were in the networking field you would know about servers.

    Now here's the big issue with what you said.

    Botnets and most DDoS attacks aren't from a single IP range; they're from thousands of IPs around the world.

    Also, an authentication feature wouldn't do shit; to authenticate a connection you still have to accept a connection to check it, and anyone that knows how a generic denial of service attack works could tell you that is enough to abuse with an attack.

  30. Post #30
    Hustlin'
    Exigent
    July 2013
    1,512 Posts
    > I am in the networking field, so I don't know about servers, but in routers you can put a deny-all in and add exceptions. It could work like 802.1X. So my take on that would be: what if you were required to have a client-side certificate to be able to access the server listing (the listing when you click "play game")? You know, some type of authentication. Then if they continue to attack the servers, you know for a fact that one person who has a certificate is doing the DDoS. This would cut down the number of people you have to sift through to find out who is doing this. Then, the only thing they could do if they didn't authenticate is bring down the distribution server, but users could still connect directly to individual servers.
    >
    > That is if the DDoS is dynamically updating the hosts to attack.
    >
    > I don't know if I am using the right lingo for you server guys, or if this is even possible to program, but if it is it could work.
    How can you say you're in the networking field, yet not know about servers?

    Edited:

    I'm taking a networking class in my High School, and that's actually exactly what we're learning about at the moment.

  31. Post #31

    December 2013
    16 Posts
    > First thing: if you were in the networking field you would know about servers.
    >
    > Now here's the big issue with what you said.
    >
    > Botnets and most DDoS attacks aren't from a single IP range; they're from thousands of IPs around the world.
    >
    > Also, an authentication feature wouldn't do shit; to authenticate a connection you still have to accept a connection to check it, and anyone that knows how a generic denial of service attack works could tell you that is enough to abuse with an attack.
    First thing, I am in the Air Force and they segregate our career fields extensively. I work on switches and routers, and I am supposed to work on phone switches too (but I don't), and that is it. If you knew anything about routers: if something is on a deny list, it checks the list, and if your IP isn't on it, it drops the packet without opening anything inside the frame. If the problem is what I have been reading and the packets are falsifying their length, a decent router could keep up with shit-tons (a scientific measurement) of bogus traffic without overloading the CPU. How about you quit being a jerk and simply say, "As a server guy, I don't see how this could be implemented," or "This is not currently possible," instead of attacking me.

    Basically, I am a plumber of a network. I don't care what kind of water you are transporting, I just make sure it gets there. I understand the flow of traffic and the different protocols, not how the traffic is used. OSI model layers 1 through 5.

  32. Post #32
    Ravin
    June 2013
    49 Posts
    > First thing, I am in the Air Force and they segregate our career fields extensively. I work on switches and routers, and I am supposed to work on phone switches too (but I don't), and that is it. If you knew anything about routers: if something is on a deny list, it checks the list, and if your IP isn't on it, it drops the packet without opening anything inside the frame. If the problem is what I have been reading and the packets are falsifying their length, a decent router could keep up with shit-tons (a scientific measurement) of bogus traffic without overloading the CPU. How about you quit being a jerk and simply say, "As a server guy, I don't see how this could be implemented," or "This is not currently possible," instead of attacking me.
    This guy right here. I like this guy. He knows his shit.

  33. Post #33

    December 2013
    23 Posts
    > The DDoS attack is just a simple issue with the uLink protocol. It uses UDP as it is fast and quick when you don't need all the data to be checked for loss and corruption. But uLink does not check if the incoming packet size is 0 bytes long. uLink will try to read the data from the packet to see what it was asking it to do, but the buffer has a length of zero, and when you try to read from the buffer there are two options: the server waits for the client to send the missing data, leaving an infinite wait (or until it times out), or an error is thrown.
    >
    > I also know that I should email Garry, but this is for host providers as a quick fix! Please note that I have read the playrust homepage.
    >
    > To fix this, there are 3 ways:
    > 1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work:
    > iptables -A INPUT -p udp -m length --length 0:28 -j DROP
    > # 28 = 20-byte IPv4 header + 8-byte UDP header, i.e. a UDP datagram with an empty payload
    > 2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on.
    > Might work on one of these.
    > 3) The Rust developers could do a temp fix where they create a UDP proxy and suggest server providers block the main port. So:
    > port = private real server port
    > port + 1 = public fake UDP server with option 2 built in
    >
    > The fixes above will only work until they change the way they are confusing the server; I'm guessing they will change over to a system of sending broken packets if people start blocking 0 packet length?
    > If you have any other possible fixes, please comment and I will add them to the list.
    Packets will not have a length of 0; they have at the very least an IP header. A more robust approach is to write a signature to match specific patterns in packets, for instance an empty payload in regex "^$", but they would need some sort of IPS solution to do it. This is of course in lieu of being able to fix the bug at a software level.
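    The point made in this reply, that a firewall or IPS sees a whole IP packet and never a bare zero-length payload, worked through in code as an added example (not from the post, and not uLink or Rust code): a minimal IPv4/UDP header parser that computes the UDP payload length the way a packet-level filter has to, plus a constructed packet builder (checksums left at zero) to exercise it. Because the iptables `length` match compares the IPv4 total-length field, an empty UDP datagram without IP options appears as 28 bytes, never as 0. The addresses are documentation ranges and the port is arbitrary.

```python
import socket
import struct

IPV4_MIN_HDR = 20   # IPv4 header without options
UDP_HDR = 8         # source port, destination port, length, checksum
PROTO_UDP = 17


def build_ipv4_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed raw IPv4+UDP packet for testing (checksums left at zero,
    which a kernel would reject but a parser does not care about)."""
    total_len = IPV4_MIN_HDR + UDP_HDR + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 (20 bytes)
                         0,               # DSCP/ECN
                         total_len,       # total length: what `-m length` matches
                         0, 0,            # identification, flags/fragment offset
                         64, PROTO_UDP,   # TTL, protocol
                         0,               # header checksum (not computed here)
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def udp_payload_len(pkt: bytes):
    """Return (ip_total_len, udp_payload_len) for a well-formed IPv4/UDP packet,
    or None if the bytes are not IPv4/UDP or the length fields disagree with
    each other (a truncated or lying packet is something to drop, not parse)."""
    if len(pkt) < IPV4_MIN_HDR or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if ihl < IPV4_MIN_HDR or pkt[9] != PROTO_UDP:
        return None
    if total_len < ihl + UDP_HDR or len(pkt) < total_len:
        return None
    udp_len = struct.unpack_from("!H", pkt, ihl + 4)[0]
    if udp_len < UDP_HDR or ihl + udp_len > total_len:
        return None
    return total_len, udp_len - UDP_HDR


def is_empty_udp(pkt: bytes) -> bool:
    """The signature this reply describes: UDP with a zero-length payload."""
    parsed = udp_payload_len(pkt)
    return parsed is not None and parsed[1] == 0


def filter_packets(pkts):
    """Split a batch of raw packets into (kept, dropped) the way a firewall
    rule or IPS signature would; malformed packets are dropped as well."""
    kept, dropped = [], []
    for p in pkts:
        parsed = udp_payload_len(p)
        if parsed is None or parsed[1] == 0:
            dropped.append(p)
        else:
            kept.append(p)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample traffic: TEST-NET addresses, arbitrary port.
    empty = build_ipv4_udp("203.0.113.5", "192.0.2.10", 40000, 28015, b"")
    real = build_ipv4_udp("203.0.113.5", "192.0.2.10", 40000, 28015, b"hello")
    print(len(empty), udp_payload_len(empty), udp_payload_len(real))
```

    With IP options the header grows in 4-byte steps, so a rule keyed on exactly 28 bytes misses an empty datagram carrying options; parsing IHL as above, or matching a range, covers that case.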

  34. Post #34
    Gold Member

    December 2013
    188 Posts
    Wow you guys did it, you solved DDOS attacks.

  35. Post #35

    November 2013
    10 Posts
    I got this from my provider yesterday:

    "Our system detected a (D)DoS against your service on IP address at this time, described as 'empty UDP packets', and added a filter to our router to block it for about 5 days."

    Since then, we haven't had any issues at all with this.

  36. Post #36

    December 2013
    16 Posts
    > Did you even read what I said? The owner generally uses a master server, i.e. the orders come from that, not from him.
    >
    > You have to be the most retarded fuckin' dude to use your own connection to send the orders.
    Since you're a jerk I'm going to pull you apart. It doesn't matter if you use a server or your own connection. Every IP address is registered (unless falsified temporarily). Yes, if you don't use your own IP it will take longer to track you down. The best thing to do for a DDoS is to console into someone else's server (physically be there) and start the attack. Everything remote can be traced with the right forensics team. If you OWN that server and it is hosted in someone's data center then yes, they can track it to you, because to own a server in someone else's data center, that data center likely has some financial transactions or a log of who owns what server.

    If the IP is falsified, routers still hold these forwarding database tables (MAC/IP listing), generally for 3 days or until their table fills up.

    Even VPNs can technically be traced. If you use a VPN you are given an IP address from a DHCP server. That DHCP server creates a log of who has what IP. The thing with VPNs is that most people who host them delete these records frequently. But if they trace it to a server, hack into it and start exporting these entries as soon as they get in, then they could find out who you are if you disconnect/reconnect.

    How about you quit talking.

    I should add that the reason why it is extremely difficult to trace it back to the user is because there are different administrators across different networks, and coordinating a trace within the time before the information is expired/deleted is not possible without some planning.

  37. Post #37

    December 2013
    98 Posts
    Here's an idea: why doesn't Garry change from uLink to some other provider? :/

  38. Post #38
    Gold Member
    Sievers808
    December 2013
    2,322 Posts
    > Here's an idea: why doesn't Garry change from uLink to some other provider? :/
    I seriously doubt that it would be as simple as this. You can't just plop in a different piece of software and expect it to magically work.

  39. Post #39

    December 2013
    16 Posts
    > I seriously doubt that it would be as simple as this. You can't just plop in a different piece of software and expect it to magically work.
    Hi Sievers!

    I agree. Much like infrastructure devices. My network was all Cisco at one time. Some idiot in my chain of command decided to "save money" by moving to Nortel Networks (which went under and got bought out by Avaya) when the tech refresh came up. All of the technicians needed to learn the new command line/code, not to mention that we had Cisco proprietary protocols running between servers and switches (EtherChannel), and the software on the new stuff was extremely buggy and couldn't run LACP. And my leadership said, "Well... make it work..." FML.

  40. Post #40
    Gold Member
    Sievers808
    December 2013
    2,322 Posts
    > Hi Sievers!
    >
    > I agree. Much like infrastructure devices. My network was all Cisco at one time. Some idiot in my chain of command decided to "save money" by moving to Nortel Networks (which went under and got bought out by Avaya) when the tech refresh came up. All of the technicians needed to learn the new command line/code, not to mention that we had Cisco proprietary protocols running between servers and switches (EtherChannel), and the software on the new stuff was extremely buggy and couldn't run LACP. And my leadership said, "Well... make it work..." FML.
    Hi Panda! :D
    Also, this. ^^
    Granted, Rust is developed in Unity, which I don't know much about, but I understand that a lot of it is rather plug-and-play (for lack of a better term), so changing out the uLink stuff probably wouldn't be as absolutely horrible as it could be, but still... That's a lot of work, and then bugs, and then who knows what other exploits would come of it.