Sad but true…
If the attacks are as described, just using a vulnerability in a server netcode dll and not a large DDOS attack, it would be quite simple even with just software like iptables/netfilter in linux to write a custom packet matching rule and filter out the bad packets that cause the servers to choke. I’ve done it myself on another game my own community hosted.
The sad truth though is that the companies that rent out the Rust servers don’t know how to do it(I’ve just spoken with the support of one such company), since these companies don’t actually own the servers themselves, they rent them by the rack in datacenters so they are like second hand providers and the control they have over the server is pretty much limited to the virtual server provisioning system they are using.
Sad but true…
I think the official servers are windows servers
Funny you mention this. I put a honeypot server online last night with the intention of watching the packet flow so that I could see if the attacks were coming from a single IP or a handful of them. I managed to get one IP, blocked it and the attacks on the server stopped - but I don’t know if it was coincidence or not (it was 3-4am and I didn’t think of trying another server!).
This is something I suggested GSPs do a few days ago: http://forum.facepunch.com/showthread.php?t=1339647&p=43334887#post43334887
I could try doing it again tonight.
It has been said many times before, but since people don’t like to find information…
This is not a typical DDoS attack where the attackers just flood the server with data.
The attackers are able to send empty packets to a DLL that is part of the uLink networking library. This is what is causing servers to lag out and go offline.
This is NOT a typical DDoS attack. Don’t you think that with all of the devs, mods, users, players they would have heard of this eventually? After THREE DAYS?
Thank you for your infinite wisdom. (sarcasm)
[editline]29th December 2013[/editline]
The attacks seem to stop around 8pm PST, so that may have been why it was working.
Plus it would be a waste of time/resources for the rust team to worry about a band-aid when they can work with the people at uLink to fix the vulnerability all together.
Seivers, he stated that he knew it wasn’t a normal Distributed Denial of Service attack. He says it in the very first sentence…
I already stated this in a different thread, if it ain’t volume, small box in between with:
would block most malicious packets.
The problem would be that they historically use windows here. Usually like hurrdurr windows masterOS, it’s fucking not.
Or the server hosting companies like multiplay could call up the datacenter support where they rent their servers and have them set up rules for it for them, if they aren’t renting cisco firewalls(which I bloody hope they do) in which case they can do it on that level. And match not by IP but the content/size/regular expression of the packet content…
The hosting company I spoke with actually admitted to losing customers that cancel their servers because of these attacks, so it would really be in their own interrest to do this until the dll exploit is fixed…