DDoS fix
The DDoS attack is just a simple issue with the uLink protocol. It uses UDP as it is fast and quick when you don't need all the data to be checked for loss and corruption. But uLink does not check if the incoming packet size is 0 bytes long. uLink will try to read the data from the packet to see what it was asking it to do, but the buffer has a length of zero, and when you try to read from the buffer there are two options: the server waits for the client to send the missing data, leaving an infinite wait (or until it times out), or an error is thrown. I also know that I should email Garry, but this is for host providers as a quick fix! Please note that I have read the playrust homepage.

To fix this there are 3 ways:

1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work:

    iptables -A INPUT -p udp -m length --length 28 -j DROP

2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on. Might work on one of these.

3) The Rust developers could do a temp fix where they create a UDP proxy and suggest server providers block the main port. So:
   port = private real server port
   port + 1 = public fake UDP server with option 2 built in

The fixes above will only work until they change the way they are confusing the server; I'm guessing they will change over to a system of sending broken packets if people start blocking 0 packet length? If you have any other possible fixes please comment and I will add them to the list.
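Option 2 above (a filtering proxy in front of the real server port) is straightforward to sketch. The following is an added example written for this page, not code from the thread, from uLink or from Rust: a small UDP relay that drops zero-length datagrams before they reach the upstream port and forwards everything else in both directions. The `demo()` function wires a throwaway loopback "server", the proxy and a client together so the behaviour can be checked offline; all addresses and payloads in it are constructed for the example.

```python
"""Minimal filtering UDP proxy: drops empty datagrams before they reach the game server.

Added example for this thread; not part of uLink, Rust or the original post.
"""
import selectors
import socket
import threading

MIN_PAYLOAD = 1        # anything shorter (i.e. the 0-byte datagram) is dropped
MAX_PAYLOAD = 65507    # largest UDP payload over IPv4


def should_forward(payload: bytes) -> bool:
    """Policy applied to every client->server datagram.

    An empty datagram is exactly the input the post describes uLink mishandling,
    so it never reaches the server; oversized ones are rejected as well.
    """
    return MIN_PAYLOAD <= len(payload) <= MAX_PAYLOAD


class FilteringUdpProxy:
    """Listens on `public`, relays accepted datagrams to `upstream`, relays replies back."""

    def __init__(self, public, upstream):
        self.upstream = upstream
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listener.bind(public)
        self.public = self.listener.getsockname()   # resolved (host, port) after bind
        self.sel = selectors.DefaultSelector()
        self.sel.register(self.listener, selectors.EVENT_READ, ("client", None))
        self.sessions = {}       # client (host, port) -> socket connected to upstream
        self.dropped = 0
        self.forwarded = 0
        self._stop = threading.Event()

    def _session_for(self, client):
        """One upstream socket per client so replies can be routed back to it."""
        sock = self.sessions.get(client)
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.connect(self.upstream)
            self.sessions[client] = sock
            self.sel.register(sock, selectors.EVENT_READ, ("upstream", client))
        return sock

    def serve_once(self, timeout=0.1):
        for key, _ in self.sel.select(timeout):
            kind, client = key.data
            if kind == "client":
                data, addr = self.listener.recvfrom(65535)
                if not should_forward(data):
                    self.dropped += 1          # the attack traffic stops here
                    continue
                self._session_for(addr).send(data)
                self.forwarded += 1
            else:                              # reply from upstream for `client`
                data = key.fileobj.recv(65535)
                self.listener.sendto(data, client)

    def serve_forever(self):
        while not self._stop.is_set():
            self.serve_once()

    def stop(self):
        self._stop.set()

    def close(self):
        for s in self.sessions.values():
            s.close()
        self.sel.close()
        self.listener.close()


def demo():
    """Constructed loopback run: returns (payloads the server saw, dropped, forwarded)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(0.5)
    proxy = FilteringUdpProxy(("127.0.0.1", 0), server.getsockname())
    worker = threading.Thread(target=proxy.serve_forever, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"", proxy.public)        # the attack: a zero-length datagram
    client.sendto(b"hello", proxy.public)   # a legitimate datagram
    seen = []
    try:
        while True:
            data, _ = server.recvfrom(65535)
            seen.append(data)
    except socket.timeout:
        pass
    proxy.stop()
    worker.join(1)
    client.close()
    server.close()
    proxy.close()
    return seen, proxy.dropped, proxy.forwarded


if __name__ == "__main__":
    print(demo())   # ([b'hello'], 1, 1)
```

In production the proxy would listen on the public port and the real server would be bound to a port reachable only from the proxy (the "port / port + 1" split from option 3); the policy function is the only part that needs to change if the attackers move from empty datagrams to some other malformed shape.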
invade france
[QUOTE=csnewman;43356674]-snip-[/QUOTE] You should send garry an email, he said to send it to [email]garry@playrust.com[/email] Also check out his [URL="http://playrust.com/information-appeal/"]Information Appeal post[/URL] on the main site.
[QUOTE=Ussyless;43356677]invade france[/QUOTE] I do not think the British Empire is still strong enough :D [editline]30th December 2013[/editline] [QUOTE=iAbstract;43356688]You should send garry an email, he said to send it to [email]garry@playrust.com[/email] Also check out his [URL="http://playrust.com/information-appeal/"]Information Appeal post[/URL] on the main site.[/QUOTE] I will, but in the meantime this allows any server providers to fix their servers.
[QUOTE=LuaChobo;43356930]much better option also, as long as something allows a connection, it can be flooded and rendered useless. There are no real "fixes" to attacks apart from just firewalling massive amounts of IPs, well, none that work permanently.[/QUOTE] Well, this currently is not a spam DDoS, it's just an exploit. Most good server hosters will have anti-DDoS protection for the standard version of DDoS.
DDoS attacks can be traced even through botnets. Why are these guys not already arrested?
[QUOTE=Jack B;43356965]DDoS attacks can be traced even through botnets. Why are these guys not already arrested?[/QUOTE] Because it's not easy to detect the source of the DDoS attack. Besides, this isn't a DDoS attack.
[QUOTE=sumusiko;43356982]because its not easy to detect the the source of the DDOS attack. besides this isn't a DDOS attack.[/QUOTE] DDoS is a denial of service. DDoS is not just when you spam the server with lots of pings; it is anything that denies the service, like an exploit.
[QUOTE=csnewman;43357007]DDos is a denial of service. DDos is not just when you spam the server with losts of pings, it is anything that denys the service, like an exploit[/QUOTE] Let me rephrase it. Besides, this isn't a common DDoS attack.
So far as I look at it, it's evident that the uLink software makers don't know their software well enough to fix it. I mean, come on, it's been how many days since the DoS attacks started? Most software companies would have had a decent fix for it by now!
It is a DDoS attack, just not the common one. Instead of huge amounts of data being spammed, only shells with nothing inside are being spammed. It's the same thing: the goal is to crash the server, i.e. denial of service. I got another idea. What if Garry (temporarily) makes some kind of extra network layer (not much to make but probably effective), a layer in front of uLink? The layer would function a bit like a firewall, specifically designed to catch the things the uLink library can't handle, and all the rest the layer just forwards to uLink to be further processed. If this is done, then they can still DDoS purely with huge amounts of data. But this CANNOT affect all servers. There would (maybe) be some servers that are getting a beating, but at least not all of Rust will be offline. It's not an ideal solution, but it would render the game playable again until uLink comes up with a more robust library. EDIT: A bit like option 3.
[QUOTE=LuaChobo;43357020]uh, unless the botnet owner is fucking retarded that's not the case. Generally the "order" comes from a master server which then tells all the infected computers to do whatever; unless the owner uses his own PC in the botnet the chances of finding the dude without checking the master server's logs are pretty much nil[/QUOTE] It is possible by accessing one of the infected computers and checking for the IP sending the orders to the infected computer. Again, if the user is smart he would be behind a few VPNs, which wouldn't make it as "easy" to find the source.
[QUOTE=Jack B;43356965]DDoS attacks can be traced even through botnets. Why are these guys not already arrested?[/QUOTE] These packets only need to travel one way, so there's nothing stopping the source from being spoofed. Also, even assuming no spoofing is occurring, you could get access to a shared, low-speed botnet of 1000 computers for a few bucks, and that's all you'd need to carry out this attack indefinitely. It only takes something like 20 kB/sec of empty packets to make a current Rust server rubberband horribly so it's completely unplayable; that'd only take like 5 dial-up connections! Or one shitty DSL. The servers are not getting flooded with data (more expensive to do); instead, they are being confused by specific packets which exploit bugs in the networking code. Even assuming you traced all 1000 of those theoretical 'bot' computers, what would you do? As soon as any are blocked they can just be replaced by more, cheaply and instantly.
So the only things we really know is that their TeamSpeak server is located in Paris to a company who has been hacked several times in the past. They speak french. Did you notice yesterday a lot of people posting their TS info were from Canada. Let's say French Canadian. I found the answer. Blame Canada!!!!
Jeez, people still talking botnets even though it's quite easy to determine that there isn't a botnet involved...
[QUOTE=csnewman;43356674] To fix this there are 3 ways: 1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work: iptables -A INPUT -p udp -m length --length 28 -j DROP 2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on [/QUOTE] These actually aren't bad ideas. Are you sure the exploit is zero-length packets?
The only thing that really helps against a DDoS that doesn't utilize an application-level exploit to make itself more effective is to have a network of proxy servers that filter out suspected illegitimate requests. Those proxy servers have to be able to handle more packets and have more bandwidth available to them than the main server, so it sort of defeats the purpose, but there are companies that will put their machines in their way on the cheap rather than bumping up the main server's specs or trying to do it yourself.
Invade france! Kill the western infidel! ... wait.... I'm the western infidel... Shit?
We cannot invade/nuke/delete France, MaxOfS2D lives there =/
You guys are so funny.
OK, well, here's one thing that could be done: if someone could get hold of the IP of the person who is causing the DDoS, we could all IP-ban him from our servers. Someone said they managed to get the IP, and he banned it and didn't receive the DDoS attack anymore.
Any possible solution for FreeBSD (Multiplay servers?)
[QUOTE=LuaChobo;43356930]much better option also, as long as something allows a connection, it can be flooded and rendered useless. There are no real "fixes" to attacks apart from just firewalling massive amounts of IPs, well, none that work permanently.[/QUOTE] I am in the networking field, so I don't know about servers, but in routers you can put a deny-all in and add exceptions. It could work like 802.1X. So my take on that would be: what if you were required to have a client-side certificate to be able to access the server listing (the listing when you click "play game")? You know, some type of authentication. Then if they continue to attack the servers, you know for a fact that one person who has a certificate is doing the DDoS. This would cut down the number of people you have to sift through to find out who is doing this. Then the only thing they could do if they didn't authenticate is bring down the distribution server, but users could still connect directly to individual servers. That is, if the DDoS is dynamically updating the hosts to attack. I don't know if I am using the right lingo for you server guys, or if this is even possible to program, but if it is, it could work.
[QUOTE=csnewman;43357007]DDos is a denial of service. DDos is not just when you spam the server with losts of pings, it is anything that denys the service, like an exploit[/QUOTE] More specifically, a DDoS is a Distributed Denial of Service. That means it would be multiple machines across multiple networks all attacking the same server. If it's just one machine/one network, it's just a DoS.
[QUOTE=OneBadPanda;43358520]I am in the networking field so I don't know about servers, but in routers you can put a deny all in and add exceptions. It could work like 802.1x. So my take on that would be, what if you required to have a client-side certificate to be able to access the server listing (the listing when you click "play game"). You know, some type of authentication. Then if they continue to attack the servers, you know for a fact that one person whom has a certificate is doing the DDoS. This would cut down the number of people you have to sift through to find out who is doing this. Then, the only thing they could do if they didn't authenticate is bring down the distribution server, but users could still connect directly to individual servers. That is if the DDoS is dynamically updating the hosts to attack. I don't know if I am using the right lingo for you server guys, or if this is even possible to program, but if it is it could work.[/QUOTE] How can you say you're in the networking field, yet not know about servers? :v: [editline]30th December 2013[/editline] I'm taking a networking class in my High School, and that's actually exactly what we're learning about at the moment.
[QUOTE=LuaChobo;43358750]First thing, if you were in the networking field you would know about servers. Now here's the big issue with what you said. Botnets and most DDoS attacks aren't from a single IP range, it's from thousands of IPs around the world. Also, an authentication feature wouldn't do shit; to authenticate a connection you still have to accept a connection to check it, and anyone that knows how a generic denial of service attack works could tell you that is enough to abuse with an attack.[/QUOTE] First thing, I am in the Air Force and they segregate our career fields extensively. I work on switches and routers, and I am supposed to work on phone switches too (but I don't), and that is it. If you knew anything about routers: if something is on a deny list, it checks the list, and if your IP isn't on it, it drops the packet without opening anything inside the frame. If the problem is what I have been reading and the packets are falsifying their length, a decent router could keep up with shit-tons (a scientific measurement) of bogus traffic without overloading the CPU. How about you quit being a jerk and simply say, "As a server guy, I don't see how this could be implemented," or "This is not currently possible," instead of attacking me. Basically, I am a plumber of a network. I don't care what kind of water you are transporting, I just make sure it gets there. I understand the flow of traffic and the different protocols, not how the traffic is used. OSI model layers 1 through 5.
[QUOTE=OneBadPanda;43359013]First thing, I am in the Air Force and they segregate our career fields extensively. I work on switches, routers, and I am supposed to work on phone switches too (but I don't) and that is it. If you knew anything about routers, if something is on a deny list it checks the list and your IP isn't on it, it drops the packet without opening anything inside the frame. If the problem is what I have been reading and the packets are falsifying their length, a decent router could keep up with shit-tons (a scientific measurement) of bogus traffic without overloading the CPU. How about you quit being a jerk and simply say, "As a server guy, I don't see how this could be implemented." Or, this is not currently possible instead of attacking me.[/QUOTE] This guy right here. I like this guy. He knows his shit.
[QUOTE=csnewman;43356674]The DDoS attack is just a simple issue with the uLink protocol. It uses UDP as it is fast and quick when you don't need all the data to be checked for loss and corruption. But uLink does not check if the incoming packet size is 0 bytes long. uLink will try to read the data from the packet to see what it was asking it to do, but the buffer has a length of zero, and when you try to read from the buffer there are two options: the server waits for the client to send the missing data, leaving an infinite wait (or until it times out), or an error is thrown. I also know that I should email Garry, but this is for host providers as a quick fix! Please note that I have read the playrust homepage. To fix this there are 3 ways: 1) If you are using Linux you can edit your iptables to block empty UDP packets. The following command should work: iptables -A INPUT -p udp -m length --length 28 -j DROP 2) Use/write a proxy server where you tunnel the UDP data and check the length before passing it on. Might work on one of these. 3) The Rust developers could do a temp fix where they create a UDP proxy and suggest server providers block the main port. So: port = private real server port, port + 1 = public fake UDP server with option 2 built in. The fixes above will only work until they change the way they are confusing the server; I'm guessing they will change over to a system of sending broken packets if people start blocking 0 packet length? If you have any other possible fixes please comment and I will add them to the list.[/QUOTE] Packets will not have a length of 0; they have at the very least an IP header. A more robust approach is to write a signature to match specific patterns in packets, for instance an empty payload in regex "^$", but they would need some sort of IPS solution to do it. This is of course in lieu of being able to fix the bug at a software level.
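The reply above is right that a rule keyed on a zero-length packet can never fire: the smallest IPv4/UDP datagram with an empty payload is a 20-byte IP header plus an 8-byte UDP header, 28 bytes on the wire, and that IP total length is what a firewall's packet-length match sees. The following is an added example for this page (not code from the thread, from uLink or from Rust) that builds such datagrams byte for byte and parses them back, so the two lengths a filter can key on are visible: the IP total length (28 with no IP options) and the UDP length field (8 for an empty payload, the more robust check since it does not depend on IP options). The addresses and ports are made up for the example.

```python
"""What an empty UDP datagram looks like on the wire, and which length a filter should match.

Added example for this thread; not part of uLink, Rust or the original posts.
"""
import struct

IPV4_HDR_LEN = 20    # minimum IPv4 header (no options)
UDP_HDR_LEN = 8
PROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an IPv4/UDP packet. UDP checksum is left 0 (permitted over IPv4)."""
    udp_len = UDP_HDR_LEN + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = IPV4_HDR_LEN + udp_len
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      PROTO_UDP, 0, _ip_bytes(src), _ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Return the lengths a filter can inspect; raises ValueError on non-IPv4/UDP input."""
    if len(pkt) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options make it > 20)
    if proto != PROTO_UDP or len(pkt) < ihl + UDP_HDR_LEN:
        raise ValueError("not a complete UDP datagram")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + UDP_HDR_LEN])
    payload = pkt[ihl + UDP_HDR_LEN:ihl + udp_len]
    return {
        "ip_total_len": total_len,      # what an `iptables -m length` rule compares
        "ip_hdr_len": ihl,
        "udp_len": udp_len,             # header + payload; 8 means no payload at all
        "payload_len": len(payload),
        "dport": dport,
    }


def is_empty_udp(pkt: bytes) -> bool:
    """Signature for the attack traffic: a UDP datagram carrying no payload."""
    try:
        return parse_ipv4_udp(pkt)["udp_len"] == UDP_HDR_LEN
    except ValueError:
        return False


def demo() -> dict:
    """Constructed packets: the empty one is 28 bytes on the wire, never 0."""
    src, dst, sport, dport = "192.0.2.10", "192.0.2.20", 40000, 12345   # made-up endpoints
    empty = build_ipv4_udp(src, dst, sport, dport, b"")
    normal = build_ipv4_udp(src, dst, sport, dport, b"hello")
    return {
        "empty": parse_ipv4_udp(empty),
        "normal": parse_ipv4_udp(normal),
        "empty_matches": is_empty_udp(empty),
        "normal_matches": is_empty_udp(normal),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical consequence for a host-side rule: `--length 28` (or the UDP-length check above in an IPS signature) is the condition that corresponds to "empty UDP packet"; a rule written with `--length 0` silently matches nothing.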
Wow you guys did it, you solved DDOS attacks.
I got this from my provider yesterday: "Our system detected a (D)DoS against your service on IP address at this time, described as 'empty UDP packets', and added a filter to our router to block it for about 5 days." Since then, we haven't had any issues at all with this.