1. Post #1
    SammySung's Avatar
    January 2010
    451 Posts
    Hi,

    Before some of you start rambling on about how I don't know what I'm talking about, which may possibly be the case, please hear me out. This information may be old, or new.

    I, together with a friend, Matt, used to run an Australian Garry's Mod community named PubGamer, which was popular throughout the last couple of years in Half Life 2 Roleplay, Dark Roleplay, TTT, as well as PERP. Whilst running namely PERP, we were the victim of devnulls, day in, day out, hour after hour. After countless days researching on the issue, we found a program called Peerblock. What Peerblock effectively does is block IPs you tell it to block. Maybe the attacks on our server weren't as large as others, but we were still being hit with 30 thousand IPs simultaneously, with a total of 100 thousand being blocked ultimately.

    Once blocking these IPs, which were indeed carrying COD4 data, the effect of the attack would happen for about 20-30 seconds, which was because Peerblock found it hard to block 30 thousand IPs all at once so it had to take a breather, then the overall effect of the attack would disappear. The packets were still being sent, they were just being blocked at a software level.

    Here's all of our Peerblock lists which contain, I believe, most of the offending IPs. Close to 100 thousand all up.

    http://www.mediafire.com/?17xaisst549svks

    The only attack which this did not withstand was a 15gb/s attack on Boxing Day of 2010, which crashed Optus Queensland in Australia for 25 minutes.

    I hope this information is useful to you all.

  2. Post #2
    Gold Member
    Alkalisk's Avatar
    September 2011
    279 Posts
    Anyone else tested this before?

  3. Post #3
    Gold Member
    Kill coDer's Avatar
    April 2006
    955 Posts
    The amount of bandwidth devnull puts out is greater than the pipe that feeds into your server. Which means that any firewall measures that you have in place on your server won't matter, as the network itself is being flooded.

    Analogy:

    You have a store, when two or three customers go through the door, it's fine. If a million try to get through, no one who really wants to be there can get in the door to get to the counter, if you tell the guy at the counter to refuse service for 'those people', it doesn't matter, your door is still blocked.

    And you could just query the master servers of the cods, quakes and source servers for the IPs to block, would be much more up to date. You'll need to get your upstream providers to block the IPs for you though.

  4. Post #4
    Sorry about the downtime, now buy shit.
    CrispexOps's Avatar
    February 2010
    1,588 Posts
    I'd say let's just let the investigation continue in this thread. Hopefully it won't get shitposted to death by some dumbass again.

  5. Post #5
    Gold Member
    nicatronTg's Avatar
    July 2009
    4,697 Posts
    Again, best way to stop this would be through reporting PayPal accounts, as they have bank accounts tied to them and such. If we stop CoD4, he can still use any number of other games, and we'll just have wasted our time.

  6. Post #6

    January 2012
    23 Posts
    Hi,

    Before some of you start rambling on about how I don't know what I'm talking about, which may possibly be the case, please hear me out. This information may be old, or new.

    I, together with a friend, Matt, used to run an Australian Garry's Mod community named PubGamer, which was popular throughout the last couple of years in Half Life 2 Roleplay, Dark Roleplay, TTT, as well as PERP. Whilst running namely PERP, we were the victim of devnulls, day in, day out, hour after hour. After countless days researching on the issue, we found a program called Peerblock. What Peerblock effectively does is block IPs you tell it to block. Maybe the attacks on our server weren't as large as others, but we were still being hit with 30 thousand IPs simultaneously, with a total of 100 thousand being blocked ultimately.

    Once blocking these IPs, which were indeed carrying COD4 data, the effect of the attack would happen for about 20-30 seconds, which was because Peerblock found it hard to block 30 thousand IPs all at once so it had to take a breather, then the overall effect of the attack would disappear. The packets were still being sent, they were just being blocked at a software level.

    Here's all of our Peerblock lists which contain, I believe, most of the offending IPs. Close to 100 thousand all up.

    http://www.mediafire.com/?17xaisst549svks

    The only attack which this did not withstand was a 15gb/s attack on Boxing Day of 2010, which crashed Optus Queensland in Australia for 25 minutes.

    I hope this information is useful to you all.
    Wouldn't the line still get flooded even if you blocked it with software?

  7. Post #7
    JamieH is a retarded bitch <3
    Pantho's Avatar
    July 2008
    1,965 Posts
    Wouldn't the line still get flooded even if you blocked it with software?
    I dunno, the cod4 drdos I've been hit with this month haven't saturated my line or even lagged RDP much, it's just the srcds application really hates unwanted parties.

  8. Post #8
    Ruzza's Avatar
    December 2011
    1,137 Posts
    Something needs to be implemented into srcds to ignore stupid packets.

  9. Post #9

    October 2011
    140 Posts
    I dunno, the cod4 drdos I've been hit with this month haven't saturated my line or even lagged RDP much, it's just the srcds application really hates unwanted parties.
    yep.
    If the DrDoS is not big enough to saturate your connection then a firewall helps because the game server has to receive, process, and respond to all those requests. So in that instance the firewall can help the game server out by blocking connections so the game server never has to know about them.
    However, if the server as a whole is maxed out on its connection then there is nothing you can do.

  10. Post #10
    :-)
    Phycosymo's Avatar
    December 2007
    4,132 Posts
    There's a program now that is specialized for DDoS'ing gmod servers?


    um ok wow

  11. Post #11
    Bawbag's Avatar
    December 2011
    530 Posts
    There's a program now that is specialized for DDoS'ing gmod servers?


    um ok wow
    Not specific to GMod servers; the method works for everything.. Facepunch has been hit by it a few times. It's targeted to GMod players; pain in the arse.

    Took me a while to figure out how to reduce the effects of it even with a gig line..

  12. Post #12
    Ruzza's Avatar
    December 2011
    1,137 Posts
    In my opinion there is already DNS Amp implemented in DevNull because when I got DDoSed, I was hit from root-servers.net, and cod4 servers alongside Source Engine Query spam exploits.

  13. Post #13
    Bawbag's Avatar
    December 2011
    530 Posts
    In my opinion there is already DNS Amp implemented in DevNull because when I got DDoSed, I was hit from root-servers.net, and cod4 servers alongside Source Engine Query spam exploits.
    There is, and it hits 1-5mbit/s per DNS server. I ended up getting some complaints from DNS hosts once.

  14. Post #14
    SammySung's Avatar
    January 2010
    451 Posts
    The amount of bandwidth devnull puts out is greater than the pipe that feeds into your server. Which means that any firewall measures that you have in place on your server won't matter, as the network itself is being flooded.

    Analogy:

    You have a store, when two or three customers go through the door, it's fine. If a million try to get through, no one who really wants to be there can get in the door to get to the counter, if you tell the guy at the counter to refuse service for 'those people', it doesn't matter, your door is still blocked.

    And you could just query the master servers of the cods, quakes and source servers for the IPs to block, would be much more up to date. You'll need to get your upstream providers to block the IPs for you though.
    Sorry to break it to you buddy but it does work.

  15. Post #15
    Bawbag's Avatar
    December 2011
    530 Posts
    Sorry to break it to you buddy but it does work.
    Only if your pipe speed is 0.8x the size of the attack, or higher.

  16. Post #16
    JamieH is a retarded bitch <3
    Pantho's Avatar
    July 2008
    1,965 Posts
    Program's actually rather handy :)

    Doesn't help much when the attacks are large, but it does let you see what type of gameservers are hitting you. Counter strike, quake, multiple cod games. Lots and lots of terrible fun :(

  17. Post #17
    My Scriptz
    nuttyboffin's Avatar
    December 2009
    743 Posts
    Why don't we acquire the program, decompile it and have some fun with it by telling it to devnull some of the servers the devnull client talks with or something?

  18. Post #18
    ExEcuteFox's Avatar
    June 2011
    121 Posts
    Why don't we acquire the program, decompile it and have some fun with it by telling it to devnull some of the servers the devnull client talks with or something?
    I believe the devnull tells, for example, the cod4 server list to send all the packets to the IP of the target, so if you devnull the servers involved it would just mean you are ddosing a random person's server.

  19. Post #19
    Dragon Dildoes
    Dennab
    April 2009
    4,432 Posts
    Fun fact: Our server was just attacked, dos attack was mitigated within 10 seconds, devnull has nothing against Hetzner

  20. Post #20
    Gold Member
    maurits150's Avatar
    February 2007
    1,795 Posts
    How big was the attack?

  21. Post #21
    Gold Member
    Hentie's Avatar
    May 2010
    2,116 Posts
    He told me 4~5 servers?

  22. Post #22
    Dragon Dildoes
    Dennab
    April 2009
    4,432 Posts
    He told me 4~5 servers?
    Correction, 400-500 servers.

  23. Post #23
    DefaultText.ini
    Charrax's Avatar
    February 2011
    1,331 Posts
    Correction, 400-500 servers.

    Big deal I can LOIC that shit in seconds.    /Sarcasm   

    :3

  24. Post #24
    Gold Member
    maurits150's Avatar
    February 2007
    1,795 Posts
    I mean how many megabits/sec

  25. Post #25
    Gold Member
    The freeman's Avatar
    October 2007
    6,200 Posts
    There's a program now that is specialized for DDoS'ing gmod servers?


    um ok wow
    GMod servers are just IPs with a port on them, it's not like they are special

  26. Post #26
    Gold Member
    Blasphemy's Avatar
    December 2009
    374 Posts
    I mean how many megabits/sec
    Devnull doesn't usually deal hardcore in megabits/second. It's mostly packets per second.
    ( In my experience anyways. It really depends how much they paid. )

  27. Post #27
    Gold Member
    Hentie's Avatar
    May 2010
    2,116 Posts
    Packets can be measured in bits.

  28. Post #28
    Dog
    What's worse than biting into an apple and finding a dick?

    March 2011
    3,729 Posts
    Fun fact: Our server was just attacked, dos attack was mitigated within 10 seconds, devnull has nothing against Hetzner
    How did you stop it?

  29. Post #29
    Chrik's Avatar
    November 2008
    223 Posts
    How did you stop it?


    I have a major problem about that as well. How do you stop it? People say it's so easy to block it, but how?

  30. Post #30
    JamieH is a retarded bitch <3
    Pantho's Avatar
    July 2008
    1,965 Posts
    I have a major problem about that as well. How do you stop it? People say it's so easy to block it, but how?
    US Host NFOServers are pretty fucking awesome at mitigating it, only on their VPS systems, but they are dedicated VPS and mine are all on e3-1270's so good enough for me :D

    EU however, I can't find any magical host that does all the work for me, for now I'm trying some stuff and failing :)

  31. Post #31
    Chrik's Avatar
    November 2008
    223 Posts
    US Host NFOServers are pretty fucking awesome at mitigating it, only on their VPS systems, but they are dedicated VPS and mine are all on e3-1270's so good enough for me :D

    EU however, I can't find any magical host that does all the work for me, for now I'm trying some stuff and failing :)
    The ping and the $$$ kinda stops me being motivated however.

  32. Post #32
    I made WAYWO a better place
    OldFusion's Avatar
    September 2011
    1,311 Posts
    On a good day there are about 7k COD4 servers. Because I am feeling generous, let's double that amount because not all servers are dedicated and say there are 14k servers. Let's say the person is Stan's boyfriend and also has access to the ET exploit, adding another 200 servers. That leaves us at about 14200 IPs. How the hell did you ever manage to have a 100k IP block list?

    On top of that I would like to add that running every packet through a 100K IP block list is a very CPU demanding task.
    If you are looking for a proper solution I suggest you set up a Virtual Firewall and do DPI

  33. Post #33
    SammySung's Avatar
    January 2010
    451 Posts
    On a good day there are about 7k COD4 servers. Because I am feeling generous, let's double that amount because not all servers are dedicated and say there are 14k servers. Let's say the person is Stan's boyfriend and also has access to the ET exploit, adding another 200 servers. That leaves us at about 14200 IPs. How the hell did you ever manage to have a 100k IP block list?

    On top of that I would like to add that running every packet through a 100K IP block list is a very CPU demanding task.
    If you are looking for a proper solution I suggest you set up a Virtual Firewall and do DPI
    Because most of them are seemingly fake.

  34. Post #34
    JamieH is a retarded bitch <3
    Pantho's Avatar
    July 2008
    1,965 Posts
    On a good day there are about 7k COD4 servers. Because I am feeling generous, let's double that amount because not all servers are dedicated and say there are 14k servers. Let's say the person is Stan's boyfriend and also has access to the ET exploit, adding another 200 servers. That leaves us at about 14200 IPs. How the hell did you ever manage to have a 100k IP block list?

    On top of that I would like to add that running every packet through a 100K IP block list is a very CPU demanding task.
    If you are looking for a proper solution I suggest you set up a Virtual Firewall and do DPI
    DNS, ET, Quake, unreal 3 games, some CS servers, cod4.

    There are only 5-7k CoD4 servers on the master list, dedicated or otherwise. Although I did give peerblocker a try with just a direct rip from CoD4 master servers and it didn't block many at all, using the list provided in this thread blocked an insane amount.

    It is however very CPU demanding.

  35. Post #35
    SammySung's Avatar
    January 2010
    451 Posts
    DNS, ET, Quake, unreal 3 games, some CS servers, cod4.

    There are only 5-7k CoD4 servers on the master list, dedicated or otherwise. Although I did give peerblocker a try with just a direct rip from CoD4 master servers and it didn't block many at all, using the list provided in this thread blocked an insane amount.

    It is however very CPU demanding.
    In retrospect, those lists are about a year old. Next time there is an attack, use Wireshark to log packets, remove appropriate IPs and make a list for them.

    Easiest way to make a list is in Excel and save it as a txt file and remove spaces.
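Added example, not written by anyone in this thread: one way to turn a packet capture taken during a flood into a block list, as the post above suggests, while merging adjacent addresses into ranges to address the earlier concern about the CPU cost of a very long list. The CSV column names, the `label:start-end` output line format, the packet threshold and all addresses (documentation ranges) are assumptions made for the illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample shaped like a packet-list CSV export (documentation IPs only).
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length"
"1","0.001","198.51.100.4","203.0.113.10","UDP","1402"
"2","0.002","198.51.100.5","203.0.113.10","UDP","1402"
"3","0.002","192.0.2.50","203.0.113.10","UDP","84"
"4","0.003","198.51.100.20","203.0.113.10","UDP","1402"
"5","0.003","203.0.113.10","192.0.2.50","UDP","120"
"6","0.004","192.0.2.77","203.0.113.10","UDP","90"
"7","0.004","198.51.100.4","203.0.113.10","UDP","1402"
"8","0.005","198.51.100.5","203.0.113.10","UDP","1402"
"9","0.005","192.0.2.77","203.0.113.10","UDP","90"
"10","0.006","198.51.100.20","203.0.113.10","UDP","1402"
'''


def count_sources(csv_text, server_ip):
    """Count inbound packets per IPv4 source address sent to server_ip."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Destination") != server_ip:
            continue  # outbound or unrelated traffic
        try:
            src = ipaddress.IPv4Address(row.get("Source", ""))
        except ValueError:
            continue  # non-IPv4 or malformed source column
        counts[src] += 1
    return counts


def build_blocklist(counts, min_packets, allowlist=(), label="flood"):
    """Return 'label:start-end' lines for sources seen at least min_packets times."""
    allowed = {ipaddress.IPv4Address(a) for a in allowlist}
    offenders = [ip for ip, n in counts.items()
                 if n >= min_packets and ip not in allowed]
    # Merge adjacent addresses into ranges so the filter has fewer entries to check.
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(str(ip)) for ip in offenders)
    return [f"{label}:{net[0]}-{net[-1]}" for net in nets]


if __name__ == "__main__":
    seen = count_sources(SAMPLE_CSV, "203.0.113.10")
    for line in build_blocklist(seen, min_packets=2, allowlist=["192.0.2.77"]):
        print(line)
```

The allowlist keeps known players or admins out of the list even when they exceed the threshold; reflected traffic comes from real servers, so a list built this way goes stale and should be regenerated per attack.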

  36. Post #36
    zzaacckk's Avatar
    June 2009
    2,126 Posts
    Why don't we acquire the program, decompile it and have some fun with it by telling it to devnull some of the servers the devnull client talks with or something?
    a. This wouldn't work because his server does the attacking, all the client does is send a packet to his server saying where to attack.
    b. Why don't you just make your own script? It's not that overly complicated..

  37. Post #37
    Nexus435's Avatar
    July 2010
    1,451 Posts
    A DRDoS script can easily be made with a batch/shell script and a simple UDP packet sender.

  38. Post #38
    Hello, my name is Penis. Please refer to me as such. I'm totally cool with it.
    SPESSMEHREN's Avatar
    November 2009
    4,512 Posts
    Why not start going after the ones using DevNull if you cannot go after the one who makes it? Scare the kids away from using it.

    Set up a dummy server, record the IP addresses of people who come in and threaten to DDoS the server, and if the server's DDoS'd the second the kids leave, use your own DDoSer to DDoS the DevNull users' Internet connections. Knock 'em offline for a while.

    If you don't have access to a botnet, maybe some concerned GMod users could set up a community botnet for the purpose of DDoSing DevNull users?

  39. Post #39
    CALL ME ON
    07839 041601

    January 2012
    28 Posts
    If you don't have access to a botnet, maybe some concerned GMod users could set up a community botnet for the purpose of DDoSing DevNull users?
    That's the stupidest thing I've read in 2012.

  40. Post #40
    DefaultText.ini
    Charrax's Avatar
    February 2011
    1,331 Posts
    SOPA will stop DDoS! +1 SOPA !!!

    It's a conspiracy! Wikipedia and all the other sites that closed are Seth's other servers.

    VOTE FOR SOAP WOO!