dswp.de http://www.dswp.de/old/ |
some spect sht on tdm - FLOAD DETECTED http://www.dswp.de/old/installation-updates-bugs/some-spect-sht-on-tdm-fload-detected-t4011.html |
Author: | MadaFakir [ 09.19.11 ] |
Post subject: | some spect sht on tdm - FLOAD DETECTED |
i was playing on tdm when spect attack began, check it if u can |
Author: | SKracht [ 09.19.11 ] |
Post subject: | Re: some spect sht on tdm |
yea i c it, someone's flooding with fake clients. Attack started 11:42 with client ID 339356 (Nick: 1CI4vbIAK) and lasted until 12:01 with client ID 339501 (Nick: IVuhosI1OTT), so 146 bots were connected.
http://www.dswp.de/echelon/clients.php? ... 30.178.187
http://whois.domaintools.com/99.130.178.187 -> http://whois.arin.net/rest/net/NET-99-128-0-0-1
http://www.robtex.com/ip/99.130.178.187.html
i banned one client but that doesn't help, all different GUID, but always one IP (lol?), and looks like AT&T dialup from Indianapolis
how does no iptable rule prevent so many connections from one src?
edit: so i had nothin better to do than trolling around a bit. that machine wasn't running ssh, win service, socks etc. but... 80. so let's have a look at this, i guess most likely compromised, machine: |
Author: | JRandomNoob [ 09.19.11 ] |
Post subject: | Re: some spect sht on tdm |
Ain’t it just lovely (UrT forum):
Server COnnection Flooder
Admins: a new tool spotted |
Author: | SKracht [ 09.19.11 ] |
Post subject: | Re: some spect sht on tdm |
Hm yea I think it doesn't make much traffic but it occupies all slots and i had to join server by console. as seen on screenshot...
i googled for something like that, flood tools for urt or q3 server, but found nothing useful, thx for those links.
this can be easily fixed *imho* but what's the sense of that floodin? why should someone take that effort just to -fill- servers? Or does it make more traffic than i can imagine? i don't get the point of this -_-
i didn't do complete scan of that machine just checked a handful ports, maybe someone gets a deeper nmap inspection on it. i'm pretty sure it's a zombie. |
Author: | SKracht [ 09.20.11 ] |
Post subject: | Re: some spect sht on tdm - FLOAD DETECTED |
Seems like he is going on, started @ 3:02 tonight and continues since, he is not connecting masses but only a few bots.
new ip ranges: 99.66.79.19 99.70.42.87 99.62.107.38 99.130.207.77 99.130.205.129
looks like he found some really badly managed piece of hardware over there.
alphahusky maybe was able to get the real guy, connecting from 84.109.92.101 |
Author: | wurst [ 09.20.11 ] |
Post subject: | Re: some spect sht on tdm - FLOAD DETECTED |
Hm AFAIK there's no fix for this DOS Attack in the Q3 engine. The exploit was found (as so often) by Luigi Auriemma, see here: http://aluigi.altervista.org/poc.htm
He doesn't release proofs of concept for software where there's no fix. if someone (who knows C) wanna have it for testing: send me PM or ask Luigi for help, he's a friendly guy.
BTW. before u go fixing day+night, maybe check the IoQ3 Dev to find friends...
what's left atm: 99.130.192.0/20 as a new firewall rule, his subnet seems to change from time to time.
What's possible from my POV: Auto-Firewall these connections. We have always
- multiple clients
- connecting rapidly
- from the same IP
- ping is 999
- there's no GUID (sure)
It's the smaller solution than to install this additional bot, plus it should work better...
####EDIT####
just read kracht's IP list. --> corrected to 99.0.0.0/8
we europeans are pinky pussies, that's teh fucking problem. right? good bye texas. say hello to mister bush. |
Author: | SKracht [ 09.20.11 ] |
Post subject: | Re: some spect sht on tdm - FLOAD DETECTED |
yep, x connections in x time from 1 ip -> drop. should do it
thx for Luigi link |
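
The rule agreed on in the two posts above ("x connections in x time from 1 ip -> drop"), sketched as an added example that is not part of the thread or of any server tool. It assumes connect events are already available as (time, source IP, GUID) tuples; the function names, thresholds and sample events (documentation address ranges, not the addresses from the thread) are constructed for illustration.

```python
from collections import defaultdict, deque


def find_flooders(events, max_conns=5, window=60):
    """Flag source IPs with more than max_conns connects inside `window` seconds.

    events: iterable of (unix_time, source_ip, guid); guid is "" when absent.
    Returns {ip: {"at": time_flagged, "connects": n, "distinct_guids": n}}.
    """
    recent = defaultdict(deque)  # ip -> (time, guid) pairs still inside the window
    flagged = {}
    for ts, ip, guid in sorted(events):
        q = recent[ip]
        q.append((ts, guid))
        # Drop connects that have aged out of the sliding window.
        while ts - q[0][0] >= window:
            q.popleft()
        if len(q) > max_conns and ip not in flagged:
            # Many GUIDs (or none) from one address points at fake clients;
            # a single GUID is more likely one player reconnecting.
            guids = {g for _, g in q if g}
            flagged[ip] = {"at": ts, "connects": len(q),
                           "distinct_guids": len(guids)}
    return flagged


def constructed_events():
    """Constructed sample data, not taken from any real server log."""
    events = []
    # Flood: one source, a connect every 2 s, a different GUID each time.
    for i in range(30):
        events.append((1000 + 2 * i, "203.0.113.7", f"{i:032X}"))
    # Two players behind one NAT address, four connects over ten minutes.
    for i, t in enumerate((1000, 1200, 1450, 1600)):
        events.append((t, "198.51.100.20", ("A" if i % 2 else "B") * 32))
    # One player reconnecting three times within a minute, same GUID.
    for t in (1300, 1320, 1340):
        events.append((t, "192.0.2.55", "C" * 32))
    return events


if __name__ == "__main__":
    for ip, info in find_flooders(constructed_events()).items():
        print(f"drop {ip}: {info}")
```

With the threshold lowered to 2 the reconnecting player is flagged as well, so the GUID count is worth checking before an address is dropped automatically.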
Author: | HumppaLakki [ 09.20.11 ] |
Post subject: | Re: some spect sht on tdm - FLOAD DETECTED |
btw. Seen the same spec connecting spam tonight on two other servers. |
Author: | Ana [ 09.20.11 ] |
Post subject: | Re: some spect sht on tdm - FLOAD DETECTED |
what i noticed on q3 is that when such flooder reconnects all the time it's usually the same slot number. so i once did !kick 7 for like 10 minutes til he gave up, since then i couldn't do ip-ban. but be careful.. |
All times are UTC + 1 hour |