Guest TFSE, posted August 26, 2011:

We just changed servers, AFAIK.
Electron, posted August 26, 2011:

The attack type is called a SYN flooding DDoS. It's misusing a flaw in the TCP protocol which will overload the resources of the victim machine. The attacker uses several (stolen or not) machines (clients) and launches an attack by sending "connection requests" to the server; the server then replies to that connection request by sending a confirmation back to the client, but the clients never respond, so the server will wait 2 minutes or so for the response, and this uses up memory (RAM). In the connection request packet the attackers (clients) put a *spoofed* random source IP (a spoofed source IP means that he sends a fake IP, not his real IP). This way it's completely impossible for a simple server to know what the source of the attack is.

The attack is quite big: 60 Mbit/s IN traffic (and 60 Mbit/s OUT as the server responds) = 120 Mbit/s total. The server was 100 Mbit/s max, so it would overload the line and thus lag everyone out.

The server at first had 1 IP, which means the attacker could attack 1 IP and the whole server would go down. My first measure to block this was to start using multiple IPs and keep switching back and forth between IPs when the attacker attacks 1 IP (I had to release a patch for the game to allow this). However, the attacker seems resilient in attacking the servers, and sometimes even after 10 minutes he had already pointed his attack machines to the new IP. This wouldn't last, as I would have to be here 24/7 to switch the IPs all the time (switching IPs takes a few minutes too), plus everyone in the game would keep DCing all the time. Also I changed the launcher so that when the attacker decided to attack the website, the launcher would still let players get in-game (usually when he sleeps he seems to point his attack machines to the website rather than the game servers). Anyway, as I said, this wasn't enough.

So I decided to move the servers to a new host, with upgraded traffic lines, and upgraded the server with significantly better specs and a lot more resources to hold off a resource-consuming attack. That server was ready yesterday and it took about 18 hours to set it up (mostly moving data took a lot of time, and I slept a bit too). The good news is that he's at this very moment attacking the game servers again and it looks like the new servers are holding out pretty well.
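Electron's post above describes the mechanism: each spoofed SYN gets a SYN-ACK the server never hears back about, and the half-open entry sits in the listen backlog until a retransmission timer gives up on it. The following is an added example, not code from the thread or from the Wartale server, that models that backlog in Python so the two effects can be seen separately: the table filling with entries that never complete, and the line load of the SYNs themselves. The 256-entry backlog, the 3-second initial retransmission timer with doubling backoff, the 60-byte on-wire frame and the attack and player rates are assumptions chosen for illustration.

```python
"""Stateful TCP listen backlog under a spoofed-source SYN flood.

Added example, not code from the original thread. Backlog size, retransmission
schedule, link framing and the traffic rates are assumptions for illustration.
"""
from dataclasses import dataclass, field


def syn_packets_per_second(mbit_per_s: float, frame_bytes: int = 60) -> int:
    """How many minimal SYNs per second a given link load carries.

    IPv4 + TCP headers are 40 bytes; with a 14-byte Ethernet header and
    padding to the 60-byte minimum frame (a link-layer assumption) one SYN
    is 60 bytes on the wire, so 60 Mbit/s of SYNs is 125,000 SYN/s.
    """
    return int(mbit_per_s * 1_000_000 / (frame_bytes * 8))


def half_open_lifetime(synack_retries: int, initial_rto: float = 3.0) -> float:
    """Seconds a half-open entry lives when the client never answers.

    Models a stack that re-sends its SYN-ACK `synack_retries` times with
    exponential backoff and drops the entry after the final timeout:
    0 retries -> 3 s, 2 retries -> 3 + 6 + 12 = 21 s. Both the 3 s initial
    RTO and the pure doubling are modelling assumptions.
    """
    return sum(initial_rto * 2 ** i for i in range(synack_retries + 1))


def steady_state_half_open(syn_rate: float, lifetime: float) -> float:
    """Little's law: entries held on average = arrival rate x time each is held."""
    return syn_rate * lifetime


@dataclass
class Backlog:
    """Server-side table of half-open connections with a hard capacity."""
    capacity: int
    lifetime: float
    entries: dict = field(default_factory=dict)  # key -> expiry time
    accepted_legit: int = 0
    dropped_legit: int = 0

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def syn(self, now: float, key, legit: bool) -> bool:
        """A SYN arrives; it gets a slot only if one is free."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped_legit += int(legit)
            return False
        self.entries[key] = now + self.lifetime
        self.accepted_legit += int(legit)
        return True

    def ack(self, key) -> None:
        """Third handshake packet from a real client frees its slot."""
        self.entries.pop(key, None)


def simulate(attack_rate: float, legit_rate: float, synack_retries: int,
             duration: float = 20.0, capacity: int = 256,
             rtt: float = 0.05) -> float:
    """Fraction of legitimate handshakes that found a free backlog slot.

    Attack SYNs carry a unique spoofed source each and never ACK, so the
    only thing that frees their slots is the expiry timer. Legitimate
    clients ACK one RTT after their SYN. Arrivals are evenly spaced, so
    the run is deterministic.
    """
    events = []
    for i in range(int(attack_rate * duration)):
        events.append((i / attack_rate, 1, "syn", ("spoofed", i), False))
    for j in range(int(legit_rate * duration)):
        t = j / legit_rate
        events.append((t, 2, "syn", ("client", j), True))
        events.append((t + rtt, 0, "ack", ("client", j), True))
    events.sort(key=lambda e: (e[0], e[1]))  # ties: ACKs, then attack, then legit

    backlog = Backlog(capacity, half_open_lifetime(synack_retries))
    accepted = set()
    for t, _, kind, key, legit in events:
        if kind == "syn":
            if backlog.syn(t, key, legit) and legit:
                accepted.add(key)
        elif key in accepted:
            backlog.ack(key)
    seen = backlog.accepted_legit + backlog.dropped_legit
    return backlog.accepted_legit / seen if seen else 0.0


if __name__ == "__main__":
    print("SYN/s carried by 60 Mbit/s:", syn_packets_per_second(60))
    for retries in (2, 0):
        life = half_open_lifetime(retries)
        print(f"{retries} SYN-ACK retransmissions: entry lives {life:.0f} s, "
              f"player handshakes succeeding {simulate(50, 10, retries):.0%}, "
              f"entries needed at link rate {steady_state_half_open(125_000, life):,.0f}")
```

Two things fall out of the model. With a 21-second lifetime a trickle of 50 spoofed SYN/s is enough to saturate a 256-entry backlog within about five seconds and refuse most players afterwards; cutting the lifetime to 3 seconds lets the same backlog absorb that flood completely. But at the 125,000 SYN/s that 60 Mbit/s of minimal frames represents, even a 3-second lifetime means several hundred thousand simultaneous half-open entries, and every one of those SYNs still gets a SYN-ACK back across the same line; the timer tuning defends the table, not the link.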
punkrocke, posted August 26, 2011 (quoting Electron's post above):

Did I tell you that I love you?
[D]ohkito, posted August 26, 2011:

^ Good work, bro!
Geovane, posted August 26, 2011:

Good work as always, Wartale. Do you think it's another PT server that is doing these attacks?
Calii - Atorp, posted August 26, 2011:

I really hope the mimimi noobs shut the fvck up right now. The server situation has already been explained. Gz Wartale, really good job, mr (:

Edit: Some mods should translate Wartale's explanation and post it in the language forums to calm down desperate players (:
MinJee, posted August 26, 2011:

Anyway, when you install the WT client, Wartale, why not add a patch that includes a VPN (such as an SSL VPN)? There are some open-source ones out there that might help. Since this game is private, installing a client the way other VPN clients do would solve this DDoS flooding issue from their zombies. Then the only flooding would come from the WT community, which is easier to manage. A VPN is the best solution for DDoS for a game like this. Otherwise it will be really costly to get an Intrusion Prevention System with its firewall to protect the server.
Electron, posted August 26, 2011 (quoting MinJee's post above):

That'll probably be too slow / inconvenient. And no longer needed, for the time being at least.

(Quoting a registry reference:)

    SynAttackProtect
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Data type: REG_DWORD
    Range: 0 | 1
    Default value: 0

    Description: Determines whether the SYN flooding attack protection feature of TCP/IP is enabled. SYN flooding attack protection is enabled when the value of this entry is 1 and the value of the TcpMaxConnectResponseRetransmissions entry is at least 2 (see note below). The SYN flooding attack protection feature of TCP detects symptoms of denial-of-service attacks (also known as SYN flooding), and it responds by reducing the time the server spends on connection requests that it cannot acknowledge.

    Value  Meaning
    0      SYN flooding attack protection is not enabled.
    1      SYN flooding attack protection is enabled.

    Note: This value is used only when the number of SYN-ACK retransmissions is likely to impair the server, that is, when the value of the TcpMaxConnectResponseRetransmissions entry is at least 2. Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Yeah, I looked that up, but that's for Windows Server 2000; newer versions have those options built in by default and you can't modify the settings. Plus it won't protect against a 120 Mbit/s attack on a 100 Mbit/s line.
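The registry reference quoted above is the knob for the built-in Windows mitigation; whichever way it is set, the first thing a practitioner does on the box during an attack is read what `netstat -an` shows. The following is an added example, not code from the thread, that triages such a snapshot in Python: it counts half-open entries per local port and how many distinct peers they come from. The snapshot is constructed inside the block, and the server address 198.51.100.10, game port 4000 and 10.x spoofed sources are assumptions. A pile of SYN_RECEIVED rows, each from a different address that never appears in an ESTABLISHED row, is the signature of the randomized-source flood Electron describes, and it also shows why blocking the visible sources is pointless.

```python
"""Triage a `netstat -an` snapshot for SYN-flood symptoms.

Added example, not code from the thread. The snapshot produced by
sample_netstat() is constructed; server address 198.51.100.10, game port
4000 and the 10.x spoofed sources are assumptions.
"""
from collections import defaultdict

HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}      # Windows / Linux spelling of the state


def _split_endpoint(endpoint: str):
    """'198.51.100.10:4000' -> ('198.51.100.10', 4000); '[::]:80' -> ('::', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row.

    Handles the Windows layout (Proto, Local, Foreign, State) and the Linux
    layout, which inserts Recv-Q and Send-Q columns before the addresses.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() not in ("tcp", "tcp6"):
            continue
        if parts[1].isdigit() and parts[2].isdigit():   # Linux queue columns
            parts = parts[:1] + parts[3:]
        if len(parts) < 4:
            continue
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        rows.append((lip, lport, rip, rport, parts[3]))
    return rows


def triage(text: str, min_half_open: int = 50, spoof_ratio: float = 0.9) -> dict:
    """Per local port: half-open count, distinct half-open sources, two flags.

    suspect_syn_flood: more half-open entries than the threshold (assumed 50).
    sources_look_spoofed: a heuristic; nearly every half-open entry comes
    from a different address and none of those addresses has an ESTABLISHED
    row. Randomized spoofed sources never complete anything, so they never
    show up anywhere else in the table.
    """
    per_port = defaultdict(lambda: {"half_open": 0, "established": 0,
                                    "half_open_src": set(), "established_src": set()})
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        p = per_port[lport]
        if state in HALF_OPEN:
            p["half_open"] += 1
            p["half_open_src"].add(rip)
        elif state == "ESTABLISHED":
            p["established"] += 1
            p["established_src"].add(rip)
    report = {}
    for port, p in per_port.items():
        n, distinct = p["half_open"], len(p["half_open_src"])
        overlap = len(p["half_open_src"] & p["established_src"])
        report[port] = {
            "half_open": n,
            "established": p["established"],
            "distinct_half_open_sources": distinct,
            "suspect_syn_flood": n >= min_half_open,
            "sources_look_spoofed": n > 0 and distinct / n >= spoof_ratio and overlap == 0,
        }
    return report


def sample_netstat(n_flood: int = 200) -> str:
    """Constructed Windows-style `netstat -an` output: two players and a web
    visitor with real connections, plus n_flood half-open entries on the game
    port, each from a different 10.x source that never completes."""
    lines = [
        "",
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
        "  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING",
        "  TCP    198.51.100.10:80       203.0.113.44:52011     ESTABLISHED",
        "  TCP    198.51.100.10:4000     203.0.113.7:51234      ESTABLISHED",
        "  TCP    198.51.100.10:4000     203.0.113.88:49160     ESTABLISHED",
    ]
    for i in range(n_flood):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}:{1024 + i}"
        lines.append(f"  TCP    198.51.100.10:4000     {src:<22} SYN_RECEIVED")
    return "\n".join(lines)


if __name__ == "__main__":
    for port, summary in sorted(triage(sample_netstat()).items()):
        print(port, summary)
```

On a real box, pipe `netstat -an` into `parse_netstat` instead of the constructed sample; the thresholds are starting points, and a busy game port will have some half-open entries from slow players at any moment, so compare against a quiet-hour baseline rather than treating any non-zero count as an attack.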
Crius, posted August 26, 2011:

SYN flood protection in Windows (a Linux-based server can use SYN cookies instead) helps alleviate the problem, but it will not solve it. You can harden the server, but you can only hope that the attacker does not have the resources to simply increase the amount of traffic that is sent. For SYN floods it's also a good idea to reduce the number of SYN-ACK retransmissions (this is essentially what the Windows SYN flood protection does, but you can lower it further manually) so that half-open connections time out faster. If memory serves, an entry expires after 3 seconds without retransmissions.

IDS/IPS systems can help in these attacks too, but they have to be trained first; putting them up in the middle of an attack will do nothing. They are also rather costly, and you risk moving the point of failure to that system instead if the attacker can simply overload it.

Anyway, thanks for the update.
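Crius mentions SYN cookies as the Linux-side alternative to the Windows setting. As an added example, not code from the thread or from any stack's source, here is the mechanism in Python: the server folds a keyed MAC over the connection 4-tuple, a coarse time counter and an MSS bucket into its initial sequence number, answers the SYN, and stores nothing. Only a client that really received that SYN-ACK can send the matching ACK, so spoofed SYNs cost the server no memory at all, and a tampered, replayed or stale ACK is rejected by recomputing the MAC. The secret key, the MSS table, the 64-second time slot and the addresses in demo() are this example's assumptions.

```python
"""Stateless SYN cookies: the server's initial sequence number *is* the
half-open state, so a flood of spoofed SYNs costs it no memory.

Added example, not code from the original thread. The field layout (5-bit
time counter, 3-bit MSS index, 24-bit MAC) follows the classic SYN-cookie
scheme; the secret, the MSS buckets, the 64 s slot and the addresses used
in demo() are this example's assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"per-boot random key goes here"  # assumed; a real stack draws this at boot
MSS_TABLE = (536, 1300, 1440, 1460)        # assumed buckets; index fits the 3-bit field
SLOT_SECONDS = 64                          # assumed; current + previous slot accepted


def ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _mac(src_ip, src_port, dst_ip, dst_port, count, mss_idx) -> int:
    """24-bit keyed MAC over the 4-tuple, the time counter and the MSS bucket."""
    msg = struct.pack(">IHIHIB", src_ip, src_port, dst_ip, dst_port, count, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now) -> int:
    """Server ISN for the SYN-ACK; encodes everything needed to finish later."""
    count = (int(now) // SLOT_SECONDS) & 0x1F
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, count, mss_idx)
    return (count << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate a returning client's ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF              # the client ACKs our ISN + 1
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) // SLOT_SECONDS) & 0x1F
    if (current - count) & 0x1F > 1:             # older than the previous slot
        return None
    if mac != _mac(src_ip, src_port, dst_ip, dst_port, count, mss_idx):
        return None                              # forged, or wrong 4-tuple
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Answers every SYN but remembers only completed handshakes."""

    def __init__(self, ip_, port):
        self.ip, self.port = ip_, port
        self.established = []                    # the only table this server keeps

    def on_syn(self, src_ip, src_port, client_seq, client_mss, now) -> dict:
        cookie = make_cookie(src_ip, src_port, self.ip, self.port, client_mss, now)
        return {"seq": cookie, "ack": (client_seq + 1) & 0xFFFFFFFF}   # the SYN-ACK

    def on_ack(self, src_ip, src_port, ack, now) -> bool:
        mss = check_cookie(src_ip, src_port, self.ip, self.port, ack, now)
        if mss is None:
            return False
        self.established.append((src_ip, src_port, mss))
        return True


def demo() -> dict:
    srv = StatelessListener(ip("198.51.100.10"), 4000)     # assumed game-server address
    # 1. 10,000 spoofed SYNs (constructed 10.x sources): all answered, nothing stored.
    for i in range(10_000):
        srv.on_syn(ip("10.0.0.0") + i, 40000, client_seq=i, client_mss=1460, now=1000.0)
    # 2. A real client finishes the handshake one RTT later; then three bad ACKs.
    c_ip, c_port = ip("203.0.113.7"), 51234
    synack = srv.on_syn(c_ip, c_port, client_seq=7777, client_mss=1400, now=1000.0)
    good_ack = (synack["seq"] + 1) & 0xFFFFFFFF
    return {
        "stored_during_flood": len(srv.established),
        "legit": srv.on_ack(c_ip, c_port, good_ack, now=1000.2),
        "tampered": srv.on_ack(c_ip, c_port, good_ack ^ 0x100, now=1000.2),
        "wrong_tuple": srv.on_ack(c_ip, c_port + 1, good_ack, now=1000.2),
        "stale": srv.on_ack(c_ip, c_port, good_ack, now=1000.0 + 3 * SLOT_SECONDS),
        "mss": srv.established[0][2],
    }


if __name__ == "__main__":
    print(demo())
```

The trade-offs are the usual ones for classic cookies: the server only remembers the MSS bucket, so other options negotiated in the SYN (window scaling, SACK) are lost unless the stack also encodes them in the timestamp, and a cookie does nothing about bandwidth, since every spoofed SYN still earns a SYN-ACK on the wire, which is the problem on a saturated line that Electron describes.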
-Darkfire-, posted August 26, 2011:

And there are rules made against attackers for doing such actions.
https://legalpiracy.wordpress.com/2011/01/10/ddos-attacks-and-the-law/

I played once on some other online games; the same thing happened, attacked by a DDoSer, and the server shut down for a couple of weeks. But the good news is they provided continual details about the attacker; somehow they managed to locate him and provided pictures of the actual raid.
easternheretic, posted August 27, 2011:

Looks like they are attacking once again. Here we go... fasten your seat belts.
fbrzin1, posted August 27, 2011:

Server down again.
camachojordan, posted August 27, 2011:

lol yeah, this is crazy. But all PT private servers went through this or had horrible management. This server is a good server with a good support team; this is just ridiculous. I'm sure Sandur is stressed the hell out. If there's anything I can do to help, let me know, GMs.