
ASSIST, AMERICA'S ARMY COMMUNITY - RELIVE THE GLORY DAYS OF AMERICA'S ARMY 2.5

Author Topic: Ddos and no End  (Read 2339 times)


Offline Meterweise

Ddos and no End
« on: Wednesday, April 24, 2013, 03:21:52 AM »
Looks like some kids are having fun attacking servers. Our Server 2 got closed for a short time because it became too much :-)
My hoster sent me a DoS report to see who they are.

If you look at which IP appears most often and do a whois, you see where they come from and which provider. You can also look at the account history and check whether this IP is possibly linked to a player. You can send an abuse mail to the provider. But the only thing you can do against it now is to take the server down for a day and restart. Or close all ports and open only those needed by PunkBuster and AA25 :lock:

I list the IPs here because it is proof; it contains the IPs of the idiots. But just the most listed ones, I say again!



Offline [SWISS]Merlin

Re: Ddos and no End
« Reply #1 on: Wednesday, April 24, 2013, 08:20:14 AM »
If you close all ports, they can very easily do a port scan and attack the open ports.
So leave it like it is and wait; it will end for sure.
But your provider can put in a filter to stop that IP - but normally with a DDoS it is not the attacking one.
Good luck

Offline BiG_SerGiO

Re: Ddos and no End
« Reply #2 on: Wednesday, April 24, 2013, 12:33:52 PM »
Searched for like 20 of those IPs and no match.
"Three things can not hide for long: the Moon, the Sun and the Truth"?
Hmm?


Offline 82nd_DXO_COL=Shad

Re: Ddos and no End
« Reply #3 on: Wednesday, April 24, 2013, 13:04:50 PM »
The incoming IPs won't matter, as they are zombie-infected PCs being commanded to bombard your AA. The person doing it won't be connected to your PC unless they're stupid. Usually they have a DoS program that commands a DDoS army, like LOIC or some such.
« Last Edit: Wednesday, April 24, 2013, 13:07:18 PM by 82nd_DXO_COL=Shad »

Offline Meterweise

Re: Ddos and no End
« Reply #4 on: Thursday, April 25, 2013, 03:17:42 AM »
I also did some account checks, but no match :-(
It ended after the server was down for half a day. It was down on purpose. Well, maybe they use a botnet or maybe they don't and they are stupid. One thing is sure: they will lose the lust to do this, and we will never lose the lust to play America's Army 2.5 :-) :up:

Offline Rob_LD

Re: Ddos and no End
« Reply #5 on: Thursday, April 25, 2013, 05:53:58 AM »
Well, let me get into this a little.

First obvious thing:
The requests are coming from port 53.
So it is likely DNS related.

Second obvious thing:
A lot of IPs are repeating over and over again.
I would recommend limiting the connections per unit of time from one IP.

It would be nice to have some packet captures during an ongoing attack.
Without them it will be difficult to find proper solutions.
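An added example, not code from the thread: a small Python script that parses lines in the layout of the hoster's DoS report quoted above and computes the two things Rob_LD points at, the share (and average size) of packets whose source port is 53 and which source IPs repeat, with each source's peak packets per second, the number a per-IP rate limit would key on. The sample lines are constructed with RFC 5737 documentation addresses, not copied from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report's layout; RFC 5737 documentation addresses, not the thread's IPs.
SAMPLE_REPORT = """\
2013.04.19 22:50:45 UDP: 192.0.2.10:53 -> 198.51.100.7:2370 flags:  size: 1076
2013.04.19 22:50:45 UDP: 192.0.2.10:53 -> 198.51.100.7:25709 flags:  size: 1076
2013.04.19 22:50:45 UDP: 192.0.2.11:53 -> 198.51.100.7:19190 flags:  size: 1522
2013.04.19 22:50:46 UDP: 192.0.2.11:53 -> 198.51.100.7:17521 flags:  size: 1522
2013.04.19 22:50:46 UDP: 192.0.2.12:63200 -> 198.51.100.7:10403 flags:  size: 241
2013.04.19 22:50:46 UDP: 192.0.2.10:53 -> 198.51.100.7:945 flags:  size: 1076
2013.04.19 22:50:46 UDP: 192.0.2.13:3659 -> 198.51.100.7:10000 flags:  size: 72
not a report line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags:\s*(?P<flags>\S*)\s*size: (?P<size>\d+)$"
)

def parse_report(text):
    """Return one dict per well-formed report line; anything else is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            for k in ("sport", "dport", "size"):
                p[k] = int(p[k])
            packets.append(p)
    return packets

def summarize(text):
    """Aggregate the report: DNS-source share, heaviest sources, peak pps per source."""
    packets = parse_report(text)
    from_53 = [p for p in packets if p["sport"] == 53]
    per_src_second = defaultdict(Counter)   # src -> {timestamp: packet count}
    bytes_by_src = Counter()
    for p in packets:
        per_src_second[p["src"]][p["ts"]] += 1
        bytes_by_src[p["src"]] += p["size"]
    return {
        "packets": len(packets),
        "from_port_53": len(from_53),
        # many large answers arriving from port 53 is the fingerprint of DNS reflection
        "avg_size_from_53": sum(p["size"] for p in from_53) / len(from_53) if from_53 else 0.0,
        "top_sources_by_bytes": bytes_by_src.most_common(3),
        "peak_pps_by_src": {s: max(c.values()) for s, c in per_src_second.items()},
    }
```

Feed it the real report text and the sources it ranks are the ones to quote in an abuse mail; the peak pps figures give a starting value for a per-source rate limit.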

Offline Rob_LD

Re: Ddos and no End
« Reply #6 on: Thursday, April 25, 2013, 17:56:39 PM »
I have been thinking about this case for hours now.
It does not make a lot of sense to me.

Are you sure that your server downtime is caused by requests to AA 2.5?

I just compared your log to my server packet captures and can't see any commonalities.

The weirdest thing is, like I said before, the DNS source port.
As an immediate action I would recommend dropping all packets from source port 53.
(If your server is only used as a game server.)

A NIDS like "Snort" can do this pretty easily.

But there may be some other leak at your server as well.

Offline 82nd_DXO_COL=Shad

Re: Ddos and no End
« Reply #7 on: Wednesday, May 15, 2013, 11:52:30 AM »
Your event was DNS (port 53). If YOUR server is not running a name server, you need to contact your provider to harden their DNS server against attacks. If you are running Linux and run BIND, turn off recursion.
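An added illustration of the hardening step Shad describes, not configuration from the thread: the `options` block of a BIND 9 `named.conf`, first as an open resolver and then as a non-recursive server with response rate limiting (the `rate-limit` block is the RRL feature of newer BIND 9 releases; the numbers are illustrative).

```conf
// Weak: answers recursive queries for anyone, so the host can be used as an
// amplifier against whichever address is forged into a query's source.
options {
    recursion yes;
    allow-query { any; };
};

// Hardened: no recursion at all (a game host has no need to resolve names for
// others), no answers from the cache, and response rate limiting so a burst
// of identical answers towards one client address is throttled.
options {
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

After `rndc reload`, confirm from an outside host that a recursive lookup is refused; if the box does not need to serve DNS at all, not running named and filtering UDP/53 at the provider is the simpler fix.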

Offline Rob_LD

Re: Ddos and no End
« Reply #8 on: Wednesday, May 15, 2013, 15:16:06 PM »
That's what I'm talking about.
