DDos fix

The ddos attack is just a simple issue with the ulink protocol. It uses udp as it is fast, quick when you dont need all the data to be checked for loss and corruption. But ulink does not check if the incoming packet size is 0 bytes long. Ulink will try and read the data from the packet to see what it was asking for it to do but the buffer has a length of zero and when you try and read from the buffer there are two options, the server waits for the client to send the missing data leaving a infinite wait (or until it timesout) or a error is thrown.

I also know that i should email garry but this is for host providers as a quick fix! Please note that i have read the playrust homepage

To fix this there are 3 ways:

  1. If you are using linux you can edit your iptables to block empty udp packets. The following command should work
    iptables -A input -m udp -p length –length 0 –j DROP
  2. Use/write a proxy server where you tunnel the udp data and check the length before passing it on
    Might work on one of these
  3. The rust developers could do a temp fix where they create a udp proxy and suggest server providers to block the main port. So:
    port = private real server port
    port + 1 = public fake udp server with options 2 built in

The fixes above will only work util they change they way they are confusing the server, im guessing they will change over to a system of sending broken packets if people start blocking 0 packet length?
If you have any other possible fixes please comment and i will add them to the list.

invade france

You should send garry an email, he said to send it to garry@playrust.com

Also check out his Information Appeal post on the main site.

I do not think the British empire is still strong enough :smiley:

[editline]30th December 2013[/editline]

I will but in the mean time this allows any server providers to fix there servers

much better option

also, as long as something allows a connection, it can be flooded and rendered useless.
There are no real “fixes” to attacks apart from just firewalling massive amounts of IPs, well, none that work permanently.

Well this currently is not a spam ddos, its just a exploit. Most good server hosters will have anti ddos protection for the standard version of ddos,

DDoS attacks can be traced even through botnets. Why are these guys not already arrested?

because its not easy to detect the the source of the DDOS attack. besides this isn’t a DDOS attack.

DDos is a denial of service. DDos is not just when you spam the server with losts of pings, it is anything that denys the service, like an exploit

Let me rephrase it.

Besides this isn’t a common DDOS attack.

uh, unless the botnet owner is fucking retarded thats not the case

generally the “order” comes from a master server which then tells all the infected computers to do whatever, unless the owner uses his own pc in the botnet the chances of finding the dude without checking the master servers logs are pretty much nil

So far as I look at it, Its evident that the uLink software makers don’t know their software enough to fix it. I mean come on its been how many days since the DOS attacks started?
Most software company’s would have had a decent fix for it by now!

It is a DDoS attack. Just not the common one. Instead of huge amounts of data being spammed, only shells with nothing inside are being spammed. It’s the same thing. The goal is to crash the server. --> Denial of service.

I got another idea. What if Garry (temporarily) makes some kind of extra network layer. (not much to make but probably effective) a layer in front of uLink. The layer would function a bit like a firewall… specifically designed to catch the things the uLink library can’t handle. And all the rest, the layer just forwards to uLink to be further processed.

If this is done, then they can still DDoS purely with huge amounts of data. But this CANNOT affect all servers. There would (maybe) be some servers that are getting a beating but… atleast not entire Rust will be offline.

It’s not an ideal solution but it would render the game playable again until uLink comes up with a more robust library.
A bit like option 3.

It is possible by accessing one of the infected computers and check for the IP sending the orders to the infected computer. Again, if the user is smart he would be behind a few VPN’s which wouldn’t be as “easy” to find the source.

These packets only need to travel one-way, so there’s nothing stopping the source from being spoofed. Also, even assuming no spoofing is occurring, you could get access to a shared, low-speed botnet of 1000 computers for a few bucks, and that’s all you’d need to carry out this attack indefinitely. It only takes something like 20kb/sec of empty packets to make a current Rust server rubberband horribly so it’s completely unplayable - that’d only take like 5 dial up connections! Or one shitty DSL. The servers are not getting flooded with data (more expensive to do) - instead, they are being confused by specific packets which exploit bugs in the networking code.

Even assuming you traced all 1000 of those theoretical ‘bot’ computers, what would you do? As soon as any are blocked they can just be replaced by more, cheaply and instantly.

did you even read what i said, the owner generally uses a master server IE the orders come from that, not from him.

you have to be the most retarded fuckin’ dude to use your own connection to send the orders.

So the only things we really know is that their TeamSpeak server is located in Paris to a company who has been hacked several times in the past. They speak french. Did you notice yesterday a lot of people posting their TS info were from Canada. Let’s say French Canadian. I found the answer.

Blame Canada!!!

Jeez, people still talking botnets even though it’s quite easy to determine that there isn’t a botnet involved…

the discussion is DDoS
while they might be using an exploit at this point in time, it still stands to say that even if thats patched they could easily return to more primitive attacks

prepare for the worst, don’t expect the best

These actually aren’t bad ideas. Are you sure the exploit is zero-length packets?