BF42 server querys broken

freddy
Posts: 1267
Joined: Sun Oct 18, 2009 4:58 pm

Post by freddy »

thanks, i will try but very carefully, i managed to kill the vnc thread on the dedi server once and there i stood like a monkey sniffing myself in the butt and couldn't do anything about anything :) (luckily the bf servers were up and running)
yeknoM
Posts: 2
Joined: Mon Jan 24, 2011 5:30 pm

Re: BF42 server querys broken

Post by yeknoM »

We get this line all the time "Couldn't get server status! Segment did not contain a queryid." Just run a network activity trace and drop them in the firewall. Most if not all the IP addresses come from China.

We have seen this from time to time for the last few years, but it has gotten MUCH worse in the last 9-12 months.

If you have direct box access you can install Wireshark and find this pretty fast, and you only need a few seconds to scan and you can stop it. Look for "rules" in the code; the other is usually normal game traffic.

If you do not have box access you might have a harder time getting the GSP to do this for you.

If you need more info hit me up over at MoonGamers and I can get more to you.

I can also provide a list of all IP addresses that have got us over the years so you can either just add them or watch for them to show in your network traffic.

These are only from the last 6 months, as before we dropped them in with all the others, but as they increased I wanted to track them so they have their own little rule.

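A sketch of the trace-and-filter check described in the post above, as an added example that is not code from anyone in this thread: it counts packets whose payload contains "rules" per source address and flags sources that exceed a rate threshold. The trace line format, the sample addresses (documentation ranges), the window and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample, one packet per line: "<epoch seconds> <source IP> <payload>".
# Addresses are documentation ranges, not addresses taken from the thread.
SAMPLE_TRACE = r"""
100.00 192.0.2.10 \status\
100.10 198.51.100.7 \rules\
100.20 198.51.100.7 \rules\
100.30 198.51.100.7 \rules\
100.40 203.0.113.5 \rules\
100.50 198.51.100.7 \rules\
100.60 198.51.100.7 \rules\
100.70 198.51.100.7 \rules\
130.40 203.0.113.5 \rules\
160.40 203.0.113.5 \rules\
garbage line
"""


def parse_trace(text):
    """Yield (timestamp, source_ip, payload) from the constructed format."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank or truncated line
        try:
            ts = float(parts[0])
        except ValueError:
            continue  # first field is not a timestamp
        yield ts, parts[1], parts[2]


def flood_sources(records, needle="rules", window=2.0, threshold=5):
    """Return {source_ip: peak_count} for sources that sent at least
    `threshold` packets containing `needle` within `window` seconds."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    peak = {}
    for ts, src, payload in sorted(records):
        if needle not in payload:
            continue  # not the query type being hunted
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in sorted(flood_sources(parse_trace(SAMPLE_TRACE)).items()):
        print(f"{ip}: {n} 'rules' queries within 2s, candidate for the block list")
```

A client that asks for "rules" once every 30 seconds stays under the threshold, so an ordinary server browser is not flagged along with the flood source.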
freddy
Posts: 1267
Joined: Sun Oct 18, 2009 4:58 pm

Post by freddy »

thanks for the info yeknoM.

it seems that this phenomenon targets all or most of the bf42 servers up and running and i have never seen a DoS in that scale before
Jeronimo
Posts: 196
Joined: Sun Dec 27, 2009 8:55 pm
Location: Germany

Re: BF42 server querys broken

Post by Jeronimo »

Grabbi from PFC contacted the hoster and this is what they answered. Looks like they're the victims themselves:
http://www.nfoservers.com/forums/viewto ... =25&t=4960
The ip used to belong to "DOV" clan (http://dovgaming.net/forums/index.php) and they ran a CS:S server there. Somebody must have gotten banned, got mad and started to DRDoS them, using our BF42 servers... :x

edit: Vulnerability known and unpatched since 2003: http://www.derkeiler.com/Mailing-Lists/ ... /0060.html
Jeronimo
Posts: 196
Joined: Sun Dec 27, 2009 8:55 pm
Location: Germany

Re: BF42 server querys broken

Post by Jeronimo »

Old attack gone, new one to follow soon... We have another DRDoS attack, this time on IPs 208.86.154.242 and 208.86.154.248. Block these through your server's ACL if you're having timeouts/connection problems/BFRM disconnects.
freddy
Posts: 1267
Joined: Sun Oct 18, 2009 4:58 pm

Post by freddy »

wtf a new one? this is starting to be a lot of work, thanks for the heads up!

oh it seems it already started, getting timeout in hlsw
tekk
Posts: 171
Joined: Fri Dec 11, 2009 6:12 pm

Re: BF42 server querys broken

Post by tekk »

What exactly is a "Server ACL"? What process would be taken to block these on either a server box or dedicated server? These recent attacks, could they lead to server lag issues?
Nodbrother- "getting wiped every single game by some over-active 9 year old kid with too much spare time and a reaction time that is a third of yours."
Jeronimo
Posts: 196
Joined: Sun Dec 27, 2009 8:55 pm
Location: Germany

Re: BF42 server querys broken

Post by Jeronimo »

Access Control List - so to say the definition for what is allowed and what not, in this case concerning ingoing IP addresses.
How to do this depends very much on your OS. For a Windows server I've described it a little earlier in this topic, but for linux I got no clue :?

btw... HLSW is clear again, attack seems gone.
freddy
Posts: 1267
Joined: Sun Oct 18, 2009 4:58 pm

Post by freddy »

@Jeronimo, do you know if i can use the HOST file in win to block these IPs?
Jeronimo
Posts: 196
Joined: Sun Dec 27, 2009 8:55 pm
Location: Germany

Re: BF42 server querys broken

Post by Jeronimo »

Hm, guess no. It's used for resolving hostnames to ip addresses, but I wouldn't know how to block an ip with that. You might also be able to modify the routing table with the "route" command, so the packets don't go out anymore. But that doesn't help much, either, since you need to stop the queries before they reach the server.
I think except with some third-party software, on Windows this should only be doable with the ip security guidelines in gpedit.msc. There's lots of tutorials on the web, also by MS. It worked good for me so far, no side effects like cutting the own wire or such ^^