i was playing on tdm when spect attack began
check it if u can

yea i c it someones flooding with fake clients.


Attack started 11:42 with client ID 339356 (Nick: 1CI4vbIAK) and lasted until 12:01 with client ID 339501 (Nick: IVuhosI1OTT), so 146 bots were connected.
http://www.dswp.de/echelon/clients.php? ... 30.178.187

http://whois.domaintools.com/99.130.178.187
-> http://whois.arin.net/rest/net/NET-99-128-0-0-1
http://www.robtex.com/ip/99.130.178.187.html

i banned one client but that doesnt help, all different GUID, but always one IP (lol?), and looks like AT&T dialup from Indianapolis

how does no iptable rule prevent so many connections from one src?

edit:
so i had nothin better to do than trolling around abit. that machine wasnt running ssh, win service, socks etc. but... 80.

so lets have a look at this, i guess most likely compromised, machine:

Ain’t it just lovely (UrT forum):

Server COnnection Flooder
Admins: a new tool spotted

_________________
We have adopted affirmative action: for every warning/kick there must be an equivalent punishment for a player in your team.
We’re still evaluating its feasibility for bans; the most likely policy will be moving the cheater to the opposite team if needed.

Hm yea I think it doesn't make much traffic but it occupies all slots and i had to join server bye console.

as seen on screenshot...

i googled for something like that, flood tools for urt or q3 server, but found nothing usefull, thx for those links.
this can be easily fixed *imho* but whats the sense of that floodin? why should someone take that effort just to -fill- servers?
Or does it make more traffic than i can imagine?
i dont get the point of this -_-

i didnt do complete scan of that machine just checked a handfull ports, maybe someone gets an deeper nmap inspection on it. i'm pretty sure its a zombie.

Seems like he is going on, started @ 3:02 tonight and continues since, he is not connecting masses but only a few bots.
new ip ranges:

99.66.79.19
99.70.42.87
99.62.107.38
99.130.207.77
99.130.205.129

looks like he found some realy bad managed piece off hardware overthere.

alphahusky maybe was able to get the real guy, connecting from 84.109.92.101

Hm AFAIK theres no fix for this DOS Attack in the Q3 engine.
The exploit was found (as so often) by Luigi Auriemma, see here:
http://aluigi.altervista.org/poc.htm
He dont release prooves of concept for software wheres no fix.
if someone (who knows C) wanna have it for testing:
send me PM or ask Luigi for help, hes a friendly guy.
BTW. before u go fixing day+night, maybe check the IoQ3 Dev to find friends...

whats left atm: 99.130.192.0/20 as a new firewall rule, his subnet seem to change from time to time.

Whats possible from my POV:
Auto- Firewall these connections. We have always
- multiple clients
- connecting rapidly
- from the same IP
- ping is 999
- theres no GUID (sure)
Its the smaller solution then install this additional bot, plus it should work better...

####EDIT####
just read krachts IP list.
--> corrected to 99.0.0.0/8
we europeans are pinky pussies, thats teh fucking problem. right? good bye texas. say hello to mister bush.

_________________

yep, x connections in x time from 1 ip -> drop. should do it

thx for Luigi link

btw. Seen the same spec connecting spam tonight on two other servers.

_________________

what i noticed on q3 is that when such floader reconnects all the time its usualy the same slot number. so i once did !kick 7 for like 10 minutes til he gave up, since then i couldnt do ip-ban. but be carefull..

_________________
"Ana is concerned for the future of our world as the best and the brightest of our children are becoming lost in computer games"