
some spect sht on tdm - FLOAD DETECTED
http://www.dswp.de/old/installation-updates-bugs/some-spect-sht-on-tdm-fload-detected-t4011.html

Author:  MadaFakir [ 09.19.11 ]
Post subject:  some spect sht on tdm - FLOAD DETECTED

i was playing on tdm when spect attack began
check it if u can

Author:  SKracht [ 09.19.11 ]
Post subject:  Re: some spect sht on tdm

yea i c it, someone's flooding with fake clients.


Attack started 11:42 with client ID 339356 (Nick: 1CI4vbIAK) and lasted until 12:01 with client ID 339501 (Nick: IVuhosI1OTT), so 146 bots were connected.
http://www.dswp.de/echelon/clients.php? ... 30.178.187

http://whois.domaintools.com/99.130.178.187
-> http://whois.arin.net/rest/net/NET-99-128-0-0-1
http://www.robtex.com/ip/99.130.178.187.html

i banned one client but that doesn't help, all different GUIDs, but always one IP (lol?), and looks like AT&T dialup from Indianapolis

how does no iptables rule prevent so many connections from one src?

edit:
so i had nothing better to do than troll around a bit. that machine wasn't running ssh, win service, socks etc. but... 80.

so let's have a look at this, i guess most likely compromised, machine:

Author:  JRandomNoob [ 09.19.11 ]
Post subject:  Re: some spect sht on tdm

Ain’t it just lovely (UrT forum):

Server Connection Flooder
Admins: a new tool spotted

Author:  SKracht [ 09.19.11 ]
Post subject:  Re: some spect sht on tdm

Hm yea I think it doesn't make much traffic but it occupies all slots and i had to join the server by console.

as seen on screenshot...

i googled for something like that, flood tools for urt or q3 server, but found nothing useful, thx for those links.
this can be easily fixed *imho* but what's the sense of that flooding? why should someone take that effort just to -fill- servers?
Or does it make more traffic than i can imagine?
i dont get the point of this -_-

i didn't do a complete scan of that machine, just checked a handful of ports, maybe someone gets a deeper nmap inspection on it. i'm pretty sure it's a zombie.

Author:  SKracht [ 09.20.11 ]
Post subject:  Re: some spect sht on tdm - FLOAD DETECTED

Seems like he is going on, started @ 3:02 tonight and continues since, he is not connecting masses but only a few bots.
new ip ranges:

99.66.79.19
99.70.42.87
99.62.107.38
99.130.207.77
99.130.205.129

looks like he found some really badly managed piece of hardware over there.

alphahusky maybe was able to get the real guy, connecting from 84.109.92.101

Author:  wurst [ 09.20.11 ]
Post subject:  Re: some spect sht on tdm - FLOAD DETECTED

Hm AFAIK there's no fix for this DoS attack in the Q3 engine.
The exploit was found (as so often) by Luigi Auriemma, see here:
http://aluigi.altervista.org/poc.htm
He doesn't release proofs of concept for software where there's no fix.
if someone (who knows C) wanna have it for testing:
send me a PM or ask Luigi for help, he's a friendly guy.
BTW. before u go fixing day+night, maybe check the IoQ3 Dev to find friends...

what's left atm: 99.130.192.0/20 as a new firewall rule, his subnet seems to change from time to time.

What's possible from my POV:
Auto-firewall these connections. We have always
- multiple clients
- connecting rapidly
- from the same IP
- ping is 999
- there's no GUID (sure)
It's the smaller solution than installing this additional bot, plus it should work better...

####EDIT####
just read Kracht's IP list.
--> corrected to 99.0.0.0/8
we europeans are pinky pussies, that's the fucking problem. right? good bye texas. say hello to mister bush.
:D

Author:  SKracht [ 09.20.11 ]
Post subject:  Re: some spect sht on tdm - FLOAD DETECTED

yep, x connections in x time from 1 ip -> drop. should do it

thx for Luigi link
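The rule wurst sketches above and SKracht condenses to "x connections in x time from 1 ip -> drop", written out as a sliding-window detector. This is an added example, not code from the thread or from the dswp.de admins; the connect records are constructed for the demo and do not follow a real ioquake3 log format, and the threshold, window and port are assumed defaults.

```python
"""Sliding-window detector for connect floods from a single source IP.

Constructed sample records mimic what the thread describes: many clients,
rapid connects, one source IP, ping 999, empty GUID.  Format is made up
for this example: (timestamp, source ip, guid, ping).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_CONNECTS = [
    ("11:42:00", "99.130.178.187", "", 999),
    ("11:42:02", "99.130.178.187", "", 999),
    ("11:42:03", "99.130.178.187", "", 999),
    ("11:42:05", "99.130.178.187", "", 999),
    ("11:42:07", "99.130.178.187", "", 999),
    ("11:42:09", "99.130.178.187", "", 999),
    # constructed legitimate player (TEST-NET address, fake GUID)
    ("11:43:10", "192.0.2.10", "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6", 48),
    ("11:50:00", "192.0.2.10", "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6", 52),
]


def parse_ts(s):
    return datetime.strptime(s, "%H:%M:%S")


def flood_sources(records, max_connects=5, window_seconds=60):
    """Return {ip: peak count} for IPs with more than max_connects connects
    inside any window_seconds span.  A per-IP deque holds connect times and
    evicts the old ones as the window slides, so memory stays bounded even
    during a long flood."""
    windows = defaultdict(deque)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ts, ip, _guid, _ping in sorted(records, key=lambda r: r[0]):
        t = parse_ts(ts)
        q = windows[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_connects:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def suspicious_client(guid, ping):
    """Per-client heuristic from the thread: no GUID and a ping of 999."""
    return guid == "" and ping >= 999


def drop_rule(ip, port=27960):
    """iptables rule dropping the offender's UDP game traffic (assumed default Q3 port)."""
    return f"iptables -A INPUT -p udp --dport {port} -s {ip} -j DROP"
```

Run `flood_sources(SAMPLE_CONNECTS)` to get the offending IPs, then feed each through `drop_rule` to produce the firewall lines; with the sample data only 99.130.178.187 is flagged.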

Author:  HumppaLakki [ 09.20.11 ]
Post subject:  Re: some spect sht on tdm - FLOAD DETECTED

btw. Seen the same spec connecting spam tonight on two other servers.

Author:  Ana [ 09.20.11 ]
Post subject:  Re: some spect sht on tdm - FLOAD DETECTED

what i noticed on q3 is that when such a flooder reconnects all the time it's usually the same slot number. so i once did !kick 7 for like 10 minutes til he gave up, since then i couldn't do ip-ban. but be careful..
