ASSIST, AMERICA'S ARMY COMMUNITY

Author Topic: DDoS and the facts about it  (Read 41370 times)

Offline [SWISS]Merlin

DDoS and the facts about it
« on: Friday, June 03, 2016, 15:07:09 PM »
fact #1:

server admins, check out the following file, located at your system/pb folder of aa2:

pbpower.dat

this entry will be appended to this file, you will be surprised:

[06.03.2016 18:00:22] 100 7695df6c0524a57e511e2f720f56db46 "?"

the value of 100 will give to this GUID high power on your server (which you maybe don't want)!! If you try to delete this, it will be appended again by assist.


and another surprise! guess who is in line with this GUID (Global User ID)?
we check now:

Code:
aa250logs\Logs\Server30.log:05/02/16 21:49:26 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #8) 201.29.60.184:53314 Possessed
aa250logs\Logs\Server30.log:05/02/16 22:04:39 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #4) 201.29.60.184:64031 Possessed
aa250logs\Logs\Server30.log:05/02/16 22:39:43 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #5) 201.29.60.184:54918 Possessed
aa250logs\Logs\Server30.log:05/21/16 03:21:17 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #2) 187.78.164.96:55316 Possessed
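An added audit helper, not code from Assist or PunkBuster: it parses pbpower.dat in the line shape quoted above (assumed to be `[stamp] power guid "name"` on every line), counts how many times each GUID was appended, and cross-references the GUID with the AssistSM "Player GUID Computed" lines in the server logs to show which player names and IPs were seen using it. The sample input is constructed from this post's entries plus one made-up low-power GUID and one made-up repeat of the power-100 line.

```python
import re
from collections import defaultdict

# Constructed sample input. The first pbpower.dat line and the two server-log
# lines are the ones quoted in this thread; the second pbpower.dat entry (a
# repeat append) and the power-10 GUID are made up to show repeats and filtering.
PBPOWER_DAT = """\
[06.03.2016 18:00:22] 100 7695df6c0524a57e511e2f720f56db46 "?"
[06.04.2016 09:12:01] 100 7695df6c0524a57e511e2f720f56db46 "?"
[06.04.2016 09:12:01] 10 0123456789abcdef0123456789abcdef "?"
"""

SERVER_LOG = """\
aa250logs\\Logs\\Server30.log:05/02/16 21:49:26 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #8) 201.29.60.184:53314 Possessed
aa250logs\\Logs\\Server30.log:05/21/16 03:21:17 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #2) 187.78.164.96:55316 Possessed
"""

# pbpower.dat line as quoted in the thread: [MM.DD.YYYY HH:MM:SS] power guid "name"
POWER_RE = re.compile(
    r'^\[(?P<stamp>[^\]]+)\]\s+(?P<power>\d+)\s+(?P<guid>[0-9a-f]{32})\s+"(?P<name>[^"]*)"\s*$'
)
# AssistSM line; searched (not matched) so grep's "file:" prefix does not matter.
GUID_RE = re.compile(
    r'Player GUID Computed (?P<guid>[0-9a-f]{32})\([^)]*\) \(slot #\d+\) '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<name>\S.*?)\s*$'
)


def parse_pbpower(text):
    """Map guid -> {"power": highest power granted, "entries": number of lines}."""
    grants = {}
    for line in text.splitlines():
        m = POWER_RE.match(line)
        if not m:
            continue
        g = grants.setdefault(m["guid"], {"power": 0, "entries": 0})
        g["power"] = max(g["power"], int(m["power"]))
        g["entries"] += 1
    return grants


def parse_sightings(text):
    """Map guid -> {"names": set, "ips": set} from AssistSM 'GUID Computed' lines."""
    seen = defaultdict(lambda: {"names": set(), "ips": set()})
    for line in text.splitlines():
        m = GUID_RE.search(line)
        if m:
            seen[m["guid"]]["names"].add(m["name"])
            seen[m["guid"]]["ips"].add(m["ip"])
    return seen


def audit_pbpower(pbpower_text, server_log_text, threshold=100):
    """Report every GUID granted power >= threshold, with who was seen using it."""
    grants = parse_pbpower(pbpower_text)
    seen = parse_sightings(server_log_text)
    findings = []
    for guid, g in grants.items():
        if g["power"] < threshold:
            continue
        s = seen.get(guid, {"names": set(), "ips": set()})
        findings.append({
            "guid": guid, "power": g["power"], "entries": g["entries"],
            "names": sorted(s["names"]), "ips": sorted(s["ips"]),
        })
    # Highest power first so the most privileged grants top the report.
    return sorted(findings, key=lambda f: (-f["power"], f["guid"]))


if __name__ == "__main__":
    for f in audit_pbpower(PBPOWER_DAT, SERVER_LOG):
        print(f"{f['guid']} power={f['power']} appended {f['entries']}x "
              f"names={f['names']} ips={f['ips']}")
```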

Offline [SWISS]Merlin

Re: DDoS and the facts about it
« Reply #1 on: Friday, June 03, 2016, 15:07:40 PM »
fact #2:

because of this fact, Possessed will be able to join every server with this extra power and without any of you knowing.
and I don't want this on my private servers, so I did ban this GUID; Possessed will not be able to join my servers again.

5 days later, I had the first DDoS attack on my internet IP, aimed at port 8080, which is my Apache server's port, used to add some information to my clan page.
so the guy doing this attack does know my clan page and - especially - that my port 8080 is used for it, which is not normal (the normal http port is 80, not 8080).
so the proof is done: the attacker did know my clan page and more - the usage of the special port 8080 :)
« Last Edit: Friday, June 03, 2016, 15:11:47 PM by [SWISS]Merlin »

Offline [SWISS]Merlin

Re: DDoS and the facts about it
« Reply #2 on: Friday, June 03, 2016, 15:08:25 PM »
fact #3:

using a local botnet is much cheaper than using a big one, working with computers located all over the world.
the following extract of my router logfile shows this:
Code:
Date Time Source Port Target Type Action IP Location

02.06.2016 20:34:47 191.22.145.76 11256 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.164.61.48 22765 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.153.233.208 13013 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 191.50.131.29 58317 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.41.38.220 34340 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.75.189.181 32913 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 191.88.179.46 56253 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 191.23.31.159 24530 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.168.85.128 57035 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 179.141.255.122 5283 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.233.32.56 21893 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Japan
02.06.2016 20:34:47 179.55.60.239 24615 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.182.107.232 25673 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.212.139.126 50328 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.29.246.181 36160 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.93.29.116 15848 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 179.96.148.253 37840 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.164.8.87 17908 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 179.253.198.231 54719 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.57.26.104 21420 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.209.228.181 3216 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 179.122.198.187 58627 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.217.16.223 786 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.94.55.176 47195 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 179.129.118.226 10919 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.197.49.208 22846 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.230.45.116 26206 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.173.23.55 26431 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.192.246.243 4652 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.122.133.134 46124 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.130.102.199 31634 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.90.32.236 27 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.182.54.75 6475 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.104.66.6 32630 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.69.19.39 3270 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.229.46.216 12745 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.230.31.154 4102 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 179.15.60.114 30438 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.84.136.150 27849 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 179.212.25.176 38225 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.60.136.95 15975 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.114.226.146 36411 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.68.68.176 50488 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.127.202.85 35969 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.136.147.227 1971 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.102.221.254 8107 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.10.180.207 53979 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.59.40.2 29224 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.141.14.246 56847 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.157.213.83 10573 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.223.185.72 2671 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.87.28.67 44763 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Bolivia
02.06.2016 20:34:48 179.58.117.62 51689 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.117.2.220 3593 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.119.158.20 9154 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.134.50.115 36094 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.229.133.28 27148 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.238.103.51 29667 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Ireland
02.06.2016 20:34:48 191.182.239.204 35494 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.106.139.155 24260 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.35.194.247 64275 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.94.23.29 63218 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.118.222.163 2919 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.27.96.206 11391 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.22.146.17 19425 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.11.91.82 33318 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.60.192.203 20561 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 179.86.104.34 39607 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 179.218.127.28 42472 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.199.255.166 25818 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 179.32.196.75 59188 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.4.192.93 12852 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.76.33.138 55070 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.165.175.142 43483 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.95.208.113 65522 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.248.129.183 39598 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.106.168.110 34871 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.43.30.162 8050 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.85.215.114 9905 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 191.72.34.179 22186 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.94.68.134 10479 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.66.64.165 50720 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.115.105.166 25374 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 191.187.3.157 59211 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.211.201.42 32162 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.80.174.196 60143 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 179.206.37.107 25701 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.34.31.78 45483 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.84.30.220 35974 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 179.183.10.219 54594 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.14.217.246 34220 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.198.54.4 65223 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.196.86.68 32617 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.142.41.22 14115 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.59.10.158 39024 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.104.203.72 30956 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.83.189.236 31847 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 191.179.65.11 9546 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.48.136.52 6813 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.248.106.69 54866 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.168.196.152 1114 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.111.71.124 31493 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 179.226.109.5 24284 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.74.70.174 49179 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.239.130.202 56528 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Japan
02.06.2016 20:34:48 191.86.199.141 13259 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.225.110.213 39624 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.65.2.8 35147 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.183.141.66 18078 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.239.207.214 20752 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.183.155.44 56682 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.86.33.76 30015 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.67.57.227 16239 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:48 191.197.71.252 19314 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 179.9.182.88 19953 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:49 191.117.3.197 27190 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:49 191.223.2.49 39992 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:49 179.98.174.186 23343 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil

Offline [SWISS]Merlin

Re: DDoS and the facts about it
« Reply #3 on: Friday, June 03, 2016, 15:09:13 PM »
fact #4:

this attack is done by a method called a smurf attack. my router had 100'000 requests to handle within 60 minutes. it did it, but it went laggy for sure.
so all players did leave the nomad servers because of that. as a result, you can have a look at the end of my router log after stopping the attack:

Code:

02.06.2016 21:40 191.36.176.138:44560  192.168.1.61:8080          [type=Flood-Detection(4026531840)] TCP-Flood Action: Drop Packet
02.06.2016 21:40 179.4.87.187:13288    192.168.1.61:8080          [type=Flood-Detection(4026531840)] TCP-Flood Action: Drop Packet
02.06.2016 21:40 191.203.201.27:57443  192.168.1.61:8080          [type=Flood-Detection(4026531840)] TCP-Flood Action: Drop Packet
02.06.2016 21:40 191.82.98.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 179.182.157.255        92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 191.6.100.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 191.223.54.255        92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet

you can easily see that my router could catch the end of the attack with these entries (see also above, no entries there after the real attack):

Code:
02.06.2016 21:40 191.82.98.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 179.182.157.255        92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 191.6.100.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 191.223.54.255        92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet

this means that the attacker system had IP addresses of:

191.82.98.255
179.182.157.255
191.6.100.255
191.223.54.255

this means that the attacking servers are located at - funny but true - Brazil.
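An added parser, not the router's own tooling, for the three line shapes in the router logs of fact #3 and fact #4 above: it counts Flood-Detection drops per time bucket and per country and separates the icmp-smurf entries. In a smurf attack the .255 sources are the directed-broadcast addresses of the networks whose hosts reflect the ICMP replies onto the target, so the code reports them as reflectors rather than as the originating host; the .255 check is a /24 heuristic. The sample is constructed from a handful of the entries quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: a few of the router entries quoted in this thread, in the
# three shapes the router emitted (flood with country, TCP-Flood, icmp-smurf).
SAMPLE_LOG = """\
02.06.2016 20:34:47 191.22.145.76 11256 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:47 191.153.233.208 13013 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 20:34:47 191.233.32.56 21893 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Japan
02.06.2016 20:34:48 191.230.45.116 26206 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Brazil
02.06.2016 20:34:48 191.84.136.150 27849 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Argentina
02.06.2016 20:34:48 191.114.226.146 36411 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Chile
02.06.2016 20:34:48 179.15.60.114 30438 192.168.1.61:8080 [type=Flood-Detection(4026531840)] Drop Packet Colombia
02.06.2016 21:40 191.36.176.138:44560  192.168.1.61:8080          [type=Flood-Detection(4026531840)] TCP-Flood Action: Drop Packet
02.06.2016 21:40 191.82.98.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 179.182.157.255        92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
02.06.2016 21:41 191.6.100.255          92.107.22.140              [type=ICMP-Decoder(4043309086)] icmp-smurf Action: Drop Packet
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Source port appears either as "src:port" or as a separate column; seconds are optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    rf"(?P<src>{IP})(?::(?P<sport>\d+)|\s+(?P<sport2>\d+))?\s+"
    rf"(?P<dst>{IP})(?::(?P<dport>\d+))?\s+"
    r"\[type=(?P<kind>[\w-]+)\((?P<code>\d+)\)\]\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one router log line; return None for lines in an unknown shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if "Action:" in rest:
        # "TCP-Flood Action: Drop Packet" / "icmp-smurf Action: Drop Packet"
        label, action = (s.strip() for s in rest.split("Action:", 1))
        country = None
    else:
        # "Drop Packet Brazil": two-word action followed by the GeoIP country
        parts = rest.split(" ", 2)
        label, action = None, " ".join(parts[:2])
        country = parts[2] if len(parts) > 2 else None
    return {
        "when": f"{m['date']} {m['time']}", "src": m["src"], "dst": m["dst"],
        "sport": m["sport"] or m["sport2"], "dport": m["dport"],
        "kind": m["kind"], "label": label, "action": action, "country": country,
    }


def is_directed_broadcast(addr):
    """Heuristic for /24 networks: the all-ones host address used as a reflector."""
    return addr.endswith(".255")


def summarize(text):
    """Aggregate the flood and smurf evidence found in a router log."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    flood = [e for e in events if e["kind"] == "Flood-Detection"]
    smurf = [e for e in events if e["label"] == "icmp-smurf"]
    per_bucket = Counter(e["when"] for e in flood)
    peak = max(per_bucket.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "flood_packets": len(flood),
        "peak_bucket": peak,
        "distinct_sources": len({e["src"] for e in flood}),
        "countries": Counter(e["country"] for e in flood if e["country"]),
        "smurf_packets": len(smurf),
        # .255 sources are the reflecting networks' broadcast addresses, not the originator.
        "smurf_reflectors": sorted({e["src"] for e in smurf if is_directed_broadcast(e["src"])}),
        "smurf_targets": sorted({e["dst"] for e in smurf}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```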

Offline [SWISS]Merlin

Re: DDoS and the facts about it
« Reply #4 on: Friday, June 03, 2016, 15:10:14 PM »
fact #5:

because it's only a game, I don't really care. I did ask - listen Possessed - my "specialists" at work. and I was really surprised, because they offered me - oh yeah, I forgot to say what kind of specialists they are. they are our cyber crime specialists, btw, at one of the biggest financial institutes of Switzerland - to contact their friends at the Swiss Government working for Melanie (this is the Swiss part of the NSA in the States) to analyse my router/firewall logs in a very deep way. I do stay back with this, but if you try it again, I would like to see what happened there; it will be a kind of test for me what they can do.

Offline ronski

Re: DDoS and the facts about it
« Reply #5 on: Friday, June 03, 2016, 15:34:58 PM »
> fact #2:
>
> ... my port 8080 using it, which is not normal (the normal http port is 80, not 8080).
> so the proof is done: the attacker did know my clan page and more - the usage of the special port 8080 :)

I don't know much about ports but I've used more 8080 than 80 so I guess it's not that rare after all?

Interesting thread, let's see what will follow. Hopefully everything will get cleared!

Offline Placid-

Re: DDoS and the facts about it
« Reply #6 on: Friday, June 03, 2016, 15:40:54 PM »
I'm not an IT guy, but I still don't see a connection, other than that he is from Brazil. Is his IP in that list?
And what does a GUID with 100 mean? Does that mean he is admin on every server?

Offline Koden

Re: DDoS and the facts about it
« Reply #7 on: Friday, June 03, 2016, 15:42:13 PM »
> I don't know much about ports but I've used more 8080 than 80 so I guess it's not that rare after all?
>
> Interesting thread, let's see what will follow. Hopefully everything will get cleared!

It isn't really important; being the port typically used for http, you can usually try and see if the server answers from that specific port.

Offline Koden

Re: DDoS and the facts about it
« Reply #8 on: Friday, June 03, 2016, 15:52:07 PM »
It's kind of funny you started with "fact #1", about pbpower, something that hasn't anything to do with the topic (it doesn't relate to the DDoS in any way), although I don't really agree with the practice either.

Offline ronski

Re: DDoS and the facts about it
« Reply #9 on: Friday, June 03, 2016, 15:52:24 PM »
> I'm not an IT guy, but I still don't see a connection, other than that he is from Brazil. Is his IP in that list?
> And what does a GUID with 100 mean? Does that mean he is admin on every server?

I think it's the highest PBPower value you can have, which makes you a kind of invisible player admin.

> fact #1:
>
> server admins, check out the following file, located at your system/pb folder of aa2:
>
> pbpower.dat
>
> this entry will be appended to this file, you will be surprised:
>
> [06.03.2016 18:00:22] 100 7695df6c0524a57e511e2f720f56db46 "?"
>
> the value of 100 will give to this GUID high power on your server (which you maybe don't want)!! If you try to delete this, it will be appended again by assist.
>
> and another surprise! guess who is in line with this GUID (Global User ID)?
> we check now:
>
> Code:
> aa250logs\Logs\Server30.log:05/02/16 21:49:26 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #8) 201.29.60.184:53314 Possessed
> aa250logs\Logs\Server30.log:05/02/16 22:04:39 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #4) 201.29.60.184:64031 Possessed
> aa250logs\Logs\Server30.log:05/02/16 22:39:43 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #5) 201.29.60.184:54918 Possessed
> aa250logs\Logs\Server30.log:05/21/16 03:21:17 Log: 25AssistSM: Player GUID Computed 7695df6c0524a57e511e2f720f56db46(-) (slot #2) 187.78.164.96:55316 Possessed

I can verify this: I found the very same file on both IGC and BIG servers with 78 rows of the same command, giving PB power to the same GUID. I don't know to whom it belongs, but I'm sure Merlin has it right over there.

I'm curious as well why on earth this PB Power thing was done, my guess is it's connected to the drama we had when Pit got booted, guess Possessed wanted to make sure if he sees him online he can deal with him straight away?  :?

Also, like Placid said, nothing there seems to be connected to any person, so maybe these are two different cases: PB Power-gate and DDoS attacks.

Offline =IGC=-=W!CK!D

Re: DDoS and the facts about it
« Reply #10 on: Friday, June 03, 2016, 16:00:00 PM »
> I think it's the highest PBPower value you can have, which makes you a kind of invisible player admin.
>
> I can verify this: I found the very same file on both IGC and BIG servers with 78 rows of the same command, giving PB power to the same GUID. I don't know to whom it belongs, but I'm sure Merlin has it right over there.
>
> I'm curious as well why on earth this PB Power thing was done, my guess is it's connected to the drama we had when Pit got booted, guess Possessed wanted to make sure if he sees him online he can deal with him straight away?  :?

which is wrong, he shouldn't have power on any servers

Offline ronski

Re: DDoS and the facts about it
« Reply #11 on: Friday, June 03, 2016, 16:00:55 PM »
> fact #2:
>
> because of this fact, Possessed will be able to join every server with this extra power and without any of you knowing.
> and I don't want this on my private servers, so I did ban this GUID; Possessed will not be able to join my servers again.
>
> 5 days later, I had the first DDoS attack on my internet IP, aimed at port 8080, which is my Apache server's port, used to add some information to my clan page.
> so the guy doing this attack does know my clan page and - especially - that my port 8080 is used for it, which is not normal (the normal http port is 80, not 8080).
> so the proof is done: the attacker did know my clan page and more - the usage of the special port 8080 :)

Did your violation log catch any other banned users trying to join besides me? I mean, you're speaking in this post of Possessed and DDoS attacks as well, kind of connecting them together; did he even know he was banned?

Offline Placid-

Re: DDoS and the facts about it
« Reply #12 on: Friday, June 03, 2016, 16:02:37 PM »
> I can verify this: I found the very same file on both IGC and BIG servers with 78 rows of the same command, giving PB power to the same GUID. I don't know to whom it belongs, but I'm sure Merlin has it right over there.

Is there a command for this, like a code you need to type, or is this Assist related? But, like you and Koden pointed out, it still doesn't mean anything. Besides that, if he doesn't abuse it, I don't care anyway, since he is admin of the game.

Offline ronski

Re: DDoS and the facts about it
« Reply #13 on: Friday, June 03, 2016, 16:03:03 PM »
> which is wrong, he shouldn't have power on any servers

True, unless the Assist Admin badge gives those admin privileges already - which would be totally fine with me; the most important thing is shared knowledge about their rights.

Offline Robert

Re: DDoS and the facts about it
« Reply #14 on: Friday, June 03, 2016, 16:03:52 PM »
Interesting topic :)