Atomix Sro

Mykha* · 02/18/2012, 08:13

Thanks but it's not a hole issue. it's a botnet ddos'ing the box connection. on port 80.

(

Bartolini89 · 02/18/2012, 12:35

Just one question when we can expect server will be open ?

kevin_owner · 02/18/2012, 13:03

Quote:

Originally Posted by Dr.Abdelfattah

use plesk panel (got a small module protect u from that)
or just buy a webhost (for ur server website) and make ur database engine works with remote
Now open ur db engine port to ur webhost IP only and enjoy !

seriously you think that solves it?

Mokho said that they ddos port 80 if you close it or move it to another server they'll ddos that server or they just start ddosing the gatewayserver

and there is no small fix for a ddos there is NO fix for a ddos you can only prevent small ones with some hardware ddos protection. What you can do is buy more servers to host your stuffs but even that wouldn't solve the problem.

The best option is to report the ip's of the botnet to the police or some other company thinggy which investigates this kinda stuff.

Edit: <sarcasm> Sorry I talked to you Dr.Abdelfattah since I don't know all the stuff in your sig..... what are you better than everyone?</sarcasm>

Dr.Abdelfattah · 02/18/2012, 13:11

Quote:

Originally Posted by kevin_owner

seriously you think that solves it?

Mokho said that they ddos port 80 if you close it or move it to another server they'll ddos that server or they just start ddosing the gatewayserver

and there is no small fix for a ddos there is NO fix for a ddos you can only prevent small ones with some hardware ddos protection. What you can do is buy more servers to host your stuffs but even that wouldn't solve the problem.

The best option is to report the ip's of the botnet to the police or some other company thinggy which investigates this kinda stuff.

First u can't ddos on gateway or even agent

2nd host ur website on webhost solved that problem as (The hoster) protect the host webserver (i think u got my point)

kevin_owner · 02/18/2012, 14:02

... you can ddos those ports it doesn't matter which port you use as long a port is open you can spam it and get the server down....

For websites port 80 is the way to go but for a server like this there are plenty of ports you can use to ddos.

I mean check wikipedia only and you see the various attacks which you can call a ddos so if you make the botnet connect like a lot of times to the gateway or agent it'll get so many connections and crash or lots and lots of lagg. Also if you make all those single connections send a MASSIVE amount of small packets it'll be too busy to handle the packets from the real client.

result huge lagg / server down.

Dr.Abdelfattah · 02/18/2012, 14:42

Quote:

Originally Posted by kevin_owner

... you can ddos those ports it doesn't matter which port you use as long a port is open you can spam it and get the server down....

For websites port 80 is the way to go but for a server like this there are plenty of ports you can use to ddos.

I mean check wikipedia only and you see the various attacks which you can call a ddos so if you make the botnet connect like a lot of times to the gateway or agent it'll get so many connections and crash or lots and lots of lagg. Also if you make all those single connections send a MASSIVE amount of small packets it'll be too busy to handle the packets from the real client.

result huge lagg / server down.

look
let's talk about agent and gateway ports only
@webserv let's say it's out of game machine server
- Gateway contain it's security module which don't accept or even overflaw of any connection on it's port even from client, also if we say each ip needs 5 secound to re-connect to gateway (= can't ddos)
- Agent : we could say it in few wards {Don't accept connections don't accepted from gateway} and don't see and unknown packet {can't overflaw} at last can't ddos

summary :
You could say u can't crash/lag or made highLoad on server machine from gateway or agent ports
so all ur DDos attacks on those ports are nothing and cause nothing .

If you need to talk about webserv, Just 2 causes may let anyone could ddos on ur website
First ur web script u use
Secound ur webserver
3rd you web security (Most of panels like plesk and so provide the enough security for that {just small modules with it})
also there's many tools could help in blocking botnet (kinds_)
I can't give my point on webserv as it's too big and also maybe my skills isn't complete with it
But at last if he use his server just for hosting server files only and open 2 ports only like gateway and agent ports , and close all UDP ports , the server will works fine .

kevin_owner · 02/18/2012, 14:56

Look Abdelfattah I get your point I do but the fact is that the ddos'er CONNECTS with the gateway or agentserver port.

You don't even need to send valid info you can just send empty packets and even if the gateway and agent disconnect you they would be WAY to busy to refuse all those connections.

See it isn't magic the whole refuse connection.

A client connects to let's say the gateway so connection made then the gateway checks if the user is allowed to connect if he isn't allowed it disconnects the client.

If you want to know if this is true just start up the silkroad launcher to a random server you'll notice that it directly shows you the launcher since it connected to the server. Then you inject a packet or and you'll notice that the gateway closes the connection. Once you try to reconnect the launcher will be shown the same way as the previous startup (so it connects) but then you get a connection closed.

So you CAN ddos the gateway and agent since you just make them very busy to refuse all the connections.

I could go into much more detail with a lot more examples and I will if you still think if I'm wrong but I think you get my point.

Also tools to blcok botnets are useless they'll only work for small botnets to refuse connections cause it works the same way as the gateway or agent server server. If you aren't allowed to connect they close the connection.

Oke last thing I haven't even mentioned this but these "protection methods" are SOFTWARE based which means that they go trough your server. They take up cpu time and other resources so eventually it'll be too much for the server.

The hardware ddos protection is created for a reason since it's highly optimized and is able to refuse connections a lot faster *it also has software in it but you get my point*. The server files have to refuse the connection trough all the network layers of windows which makes them a lot slower to refuse connections.

Mykha* · 02/18/2012, 15:00

all my respect to you Dr.Abdelfattah, But srsly you got to stop talking about anything "DDOS" related.. i am not saying that you dunno **** nah you are good at some stuff but when it comes to this point you should read more.. BTW most of those servers that goes off due to attacks are being hit on 15779..

)
Thanks. -Mykha

Kevin. please do add me on skype:Mykha-
Heard alot about you from kellogz :P

Dr.Abdelfattah · 02/18/2012, 15:21

Quote:

Originally Posted by kevin_owner

Look Abdelfattah I get your point I do but the fact is that the ddos'er CONNECTS with the gateway or agentserver port.

You don't even need to send valid info you can just send empty packets and even if the gateway and agent disconnect you they would be WAY to busy to refuse all those connections.

See it isn't magic the whole refuse connection.

A client connects to let's say the gateway so connection made then the gateway checks if the user is allowed to connect if he isn't allowed it disconnects the client.

If you want to know if this is true just start up the silkroad launcher to a random server you'll notice that it directly shows you the launcher since it connected to the server. Then you inject a packet or and you'll notice that the gateway closes the connection. Once you try to reconnect the launcher will be shown the same way as the previous startup (so it connects) but then you get a connection closed.

So you CAN ddos the gateway and agent since you just make them very busy to refuse all the connections.

I could go into much more detail with a lot more examples and I will if you still think if I'm wrong but I think you get my point.

Also tools to blcok botnets are useless they'll only work for small botnets to refuse connections cause it works the same way as the gateway or agent server server. If you aren't allowed to connect they close the connection.

Oke last thing I haven't even mentioned this but these "protection methods" are SOFTWARE based which means that they go trough your server. They take up cpu time and other resources so eventually it'll be too much for the server.

The hardware ddos protection is created for a reason since it's highly optimized and is able to refuse connections a lot faster *it also has software in it but you get my point*. The server files have to refuse the connection trough all the network layers of windows which makes them a lot slower to refuse connections.

I got your Point kevin and also you aren't wrong
But I will just let u see the right way
I won't say try to ddos on gateway port, but let me tell u something more, let me say every 1 gateway could handel 1500 connection at the same time (i mean same time = same click)
that's oky tell now, let's say the Botnets are flooding on gateway port , u will see gateway write notice IP x.x.x.x try to exploit
IP blocked for a time as the type of packet it send
for example the Botnets are coming from proxies, so they are connected from many IPsss
gateway could handel as i say before 1500 connection at the same time, If we say 1500 IP of botnets are connecting, now gateway won't be able to allow any more connection But will block all of those for a time, then u will have more than slot if more botnets with different ips, gateway will do same work again, the only effect that maybe some of users will try 2 or 3 times to connect to the game (that's if the attack is really toooooooooooooooo high as they could send botnets from more than 1500 IPs and that's impossible or possible but isn't easy)
What about the blank or unknown packets which send to gateway, will do the same as botnets, but don't forgot u can't made overflaw or even lag on gateway..
All ways u could say DDos on this module is impossible (possible but cause nothing)
Look joymax or yahoo for sure before they coded gateway or even the rest modules think about this point as where going to make a very big game, Online users 100K ++
So they were need no way for any kind of attacks on those modules,
The reason that they run more than gateway cuz every gateway could handel 1500 and the users are more than that ........
well and also i think they made something i have no information about it that don't take any effect with botnets or blank packets , so u could say send 435345 times from 435345 IPs can't make any effect with gateway or even the slots of gateway
Or If i'm wrong so i could make gateway takes overflaw with small stupid packet .

kevin_owner · 02/18/2012, 15:32

Quote:

Originally Posted by Dr.Abdelfattah

I got your Point kevin and also you aren't wrong
But I will just let u see the right way
I won't say try to ddos on gateway port, but let me tell u something more, let me say every 1 gateway could handel 1500 connection at the same time (i mean same time = same click)
that's oky tell now, let's say the Botnets are flooding on gateway port , u will see gateway write notice IP x.x.x.x try to exploit
IP blocked for a time as the type of packet it send
for example the Botnets are coming from proxies, so they are connected from many IPsss
gateway could handel as i say before 1500 connection at the same time, If we say 1500 IP of botnets are connecting, now gateway won't be able to allow any more connection But will block all of those for a time, then u will have more than slot if more botnets with different ips, gateway will do same work again, the only effect that maybe some of users will try 2 or 3 times to connect to the game (that's if the attack is really toooooooooooooooo high as they could send botnets from more than 1500 IPs and that's impossible or possible but isn't easy)
What about the blank or unknown packets which send to gateway, will do the same as botnets, but don't forgot u can't made overflaw or even lag on gateway..
All ways u could say DDos on this module is impossible (possible but cause nothing)
Look joymax or yahoo for sure before they coded gateway or even the rest modules think about this point as where going to make a very big game, Online users 100K ++
So they were need no way for any kind of attacks on those modules,
The reason that they run more than gateway cuz every gateway could handel 1500 and the users are more than that ........
well and also i think they made something i have no information about it that don't take any effect with botnets or blank packets , so u could say send 435345 times from 435345 IPs can't make any effect with gateway or even the slots of gateway
Or If i'm wrong so i could make gateway takes overflaw with small stupid packet .

Sorry but you couldn't be even more wrong.

I'll try to explain it one more time.

Alright well you have a botnet which exists out of 1000 unique pc's which is well not that big. but this doesn't equal to 1000 connections. I mean one pc could easily connect 1000 times to the gateway port which means a million connection to the same gateway.

So the gateway would have to refuse refuse refuse refuse all these connections ALL the time which takes A LOT of cpu time. and if they are also going to send a small packet and i'm not talking about the overflow thing but even if it protects for the overflow it needs to be CHECKED. which takes CPU time.

So no matter WHAT do you or block it'll take cpu which makes your server slower.

Btw one pc can have 65k connections at the same time to same server since that is the limit of internal ports ( or you need to ues a workarround) so a lot of connections

But do you understand the part of the refusing takes cpu even if it is blocked? This part makes the server go very slow if you ddos it.

Dr.Abdelfattah · 02/18/2012, 15:46

Quote:

Originally Posted by kevin_owner

Sorry but you couldn't be even more wrong.

I'll try to explain it one more time.

Alright well you have a botnet which exists out of 1000 unique pc's which is well not that big. but this doesn't equal to 1000 connections. I mean one pc could easily connect 1000 times to the gateway port which means a million connection to the same gateway.

So the gateway would have to refuse refuse refuse refuse all these connections ALL the time which takes A LOT of cpu time. and if they are also going to send a small packet and i'm not talking about the overflow thing but even if it protects for the overflow it needs to be CHECKED. which takes CPU time.

So no matter WHAT do you or block it'll take cpu which makes your server slower.

Btw one pc can have 65k connections at the same time to same server since that is the limit of internal ports ( or you need to ues a workarround) so a lot of connections

But do you understand the part of the refusing takes cpu even if it is blocked? This part makes the server go very slow if you ddos it.

I will move with u point by point
But let me first say that when i mention that gateway handle max 1500 connections, i don't mention by it the hole port (also u could change the max connections to a Port)
oky let's go to next , Over 1500 connection for example 1501 will see port is closed (gateway is not working anymore{what's happen so where could be high load on CPU?})
It's not closed but it closed it self and to close isn't need to take a time,
let's say gateway is the module which control it's port so it control the hole 15779 port (i think u got why i say that)
let's go to the point of gateway refuce
before that u know now there isn't any high will may cause on CPU usage
For example I send 24234234 times from an IP to gateway
gateway will just see 1500 of them, then gateway will found that all for example are wrong packets, It will block that IP for a time and nothing will more will happen (gateway will write fatal ip x.x.x.x try to exploit)
the same for anything else
I wasn't wrong, But i'm sure what i'm saying , else let me give u gateway IP and port and made ur best with attack or botnets etc etc etc and if the server or CPU just got high load for moment so i will go delete

After all maybe i couldn't explain my point well .

kevin_owner · 02/18/2012, 15:50

Quote:

Originally Posted by Dr.Abdelfattah

I will move with u point by point
But let me first say that when i mention that gateway handle max 1500 connections, i don't mention by it the hole port (also u could change the max connections to a Port)
oky let's go to next , Over 1500 connection for example 1501 will see port is closed (gateway is not working anymore{what's happen so where could be high load on CPU?})
It's not closed but it closed it self and to close isn't need to take a time,
let's say gateway is the module which control it's port so it control the hole 15779 port (i think u got why i say that)
let's go to the point of gateway refuce
before that u know now there isn't any high will may cause on CPU usage
For example I send 24234234 times from an IP to gateway
gateway will just see 1500 of them, then gateway will found that all for example are wrong packets, It will block that IP for a time and nothing will more will happen (gateway will write fatal ip x.x.x.x try to exploit)
the same for anything else
I wasn't wrong, But i'm sure what i'm saying , else let me give u gateway IP and port and made ur best with attack or botnets etc etc etc and if the server or CPU just got high load for bet so i will go delete
After all maybe i couldn't explain my point well .

Alright I think I got what you're saying not sure so I'll summerize it.

You say that if the Gateway server and Agent server reaches a certain amount of connections it closes the connection socket?

If that is true that would definitly solve the ddos problem BUT if you have a lot of users connecting it would make the server slow since opening/closing a socket is relatively slow.

But I will check it out right now by starting the gatewayserver with it's default stuff non patched ect and create a small client which connects 2k times and post the result if it closes the connection or not.

EDIT: I have been thinking about this thing but if the gateway or agent closes the port that would mean that no legal user could connect so a single person would be able to take down a server by creating 2k connections. Result server would close the port it opens the port again once the connections are refused but if you just keep connecting the server will be busy with closing the socket and refuse all the connections from my ip and reopen the socket and start accepting and then you're the way arround with the client connecting 2k times and server closing ect.

Dr.Abdelfattah · 02/18/2012, 16:01

Quote:

Originally Posted by kevin_owner

Alright I think I got what you're saying not sure so I'll summerize it.

You say that if the Gateway server and Agent server reaches a certain amount of connections it closes the connection socket?

If that is true that would definitly solve the ddos problem BUT if you have a lot of users connecting it would make the server slow since opening/closing a socket is relatively slow.

But I will check it out right now by starting the gatewayserver with it's default stuff non patched ect and create a small client which connects 2k times and post the result if it closes the connection or not.

Ya that's what i mean and also waiting ur test result

(but don't forgot all that done in moment not more)

Quote:

BUT if you have a lot of users connecting it would make the server slow since opening/closing a socket is relatively slow.

ya but as all of that happen in moment so maybe users will connected in 1~3 seconds , as u see at isro sometimes the clients take some seconds to view Start and so on .
But anyway u will see the x.x.x.x ip try to exploit and will be blocked for a time .

kevin_owner · 02/18/2012, 16:04

Quote:

Originally Posted by Dr.Abdelfattah

ya but as all of that happen in moment so maybe users will connected in 1~3 seconds , as u see at isro sometimes the clients take some seconds to view Start and so on .
But anyway u will see the x.x.x.x ip try to exploit and will be blocked for a time .

The block is inside the gateway so the client needs to CONNECT first which is the same way everone connects then it can close the connect but this still counts as a connection so the 1500 will get full pretty quickly. Just an infinite loop and some async connecting from one pc and you could get the server down but one pc is easily blockable in the firewall but a botnet is just too much.

Dr.Abdelfattah · 02/18/2012, 16:05

Quote:

Originally Posted by kevin_owner

EDIT: I have been thinking about this thing but if the gateway or agent closes the port that would mean that no legal user could connect so a single person would be able to take down a server by creating 2k connections. Result server would close the port it opens the port again once the connections are refused but if you just keep connecting the server will be busy with closing the socket and refuse all the connections from my ip and reopen the socket and start accepting and then you're the way arround with the client connecting 2k times and server closing ect.

Keep in ur head 3 thing
- IP blocking
- max connection on gateway 1500
- game client wait 10 seconds for gateway replays if no replay it will show u server is offline or visit www for more info and so on

Hey i think i find a good explain for that :

U send me 20K packets or or from an IP
I accept 1.5k of them and close port as it's maximum allowed
I found all of those are un-known packets
I block ur IP for a time and re-open my port again with 0/1500 slots
and i will do the same every time .

clear now?

Edit : the process which i explained happen in moment ..

and client could wait to 10 seconds for gateway replay ...