Atomix Sro

kevin_owner · 02/18/2012, 16:38

Quote:

Originally Posted by Dr.Abdelfattah

Keep in ur head 3 thing
- IP blocking
- max connection on gateway 1500
- game client wait 10 seconds tell gateway replays if no replay it will show u server is offline or visit www for more info and so on

Hey i think i find a good explain for that :

U send me 20K packets or or from an IP
I accept 1.5k of them and close port as it's maximum allowed
I found all of those are un-known packets
I block ur IP for a time and re-open my port again with 0/1500 slots
and i will do the same every time .

clear now?

Alright well it's not entirely clear for me what you ment but I did a small test like a botnet could do.

I made a small program which looped 55k times to create 55k connections. It was all async so the loop was done in no time and all the requests were running. Result gatewayserver choked big time.

I'm not using the game client so I don't have to wait 10 seconds for something btw I assume you're talking about the sro_client 10 seconds waiting thinggy cause that isn't cause of the server letting you wait but the client loading about 300 mb of data.

Anyway here is a screenshot of the gateway:

See the amount of SockTcpCount and SessionCount and ClassLinkCount. It didn't even get to 55k cause I ran out of memory.

That little bump in the graph is the amount of established connections. During the test it went pretty high like 5k but it also lost the connections pretty fast but these are probably the "verified" connections so which have passed the handshake but still my 51k + connections were connected and none of them was disconnected.

Once I closed the gateway all the connections were aborted.

I have to say the gateway is doing a pretty good job with the cpu since that one isn't that high but I only connected 51k times and sended nothing. But the RAM usage was really REALLY high it went from 200 mb to 2.5 gb + and then I ran out of ram which made everything lagg like hell.

So the socket doesn't get closed after an x amount of connections is stays open and therefore you can ddos the gateway

EDIT: and since I have a feeling you're going to talk about the firewall or something else blocking these connections it's a ddos so it can't handle that many connections to refuse. The only fix would be like you said closing the port but it doesn't so you can ddos the gateway.

Dr.Abdelfattah · 02/18/2012, 16:48

Quote:

Originally Posted by kevin_owner

Alright well it's not entirely clear for me what you ment but I did a small test like a botnet could do.

I made a small program which looped 55k times to create 55k connections. It was all async so the loop was done in no time and all the requests were running. Result gatewayserver choked big time.

I'm not using the game client so I don't have to wait 10 seconds for something btw I assume you're talking about the sro_client 10 seconds waiting thinggy cause that isn't cause of the server letting you wait but the client loading about 300 mb of data.

Anyway here is a screenshot of the gateway:

See the amount of SockTcpCount and SessionCount and ClassLinkCount. It didn't even get to 55k cause I ran out of memory.

That little bump in the graph is the amount of established connections. During the test it went pretty high like 5k but it also lost the connections pretty fast but these are probably the "verified" connections so which have passed the handshake but still my 51k + connections were connected and none of them was disconnected.

Once I closed the gateway all the connections were aborted.

I have to say the gateway is doing a pretty good job with the cpu since that one isn't that high but I only connected 51k times and sended nothing. But the RAM usage was really REALLY high it went from 200 mb to 2.5 gb + and then I ran out of ram which made everything lagg like hell.

So the socket doesn't get closed after an x amount of connections is stays open and therefore you can ddos the gateway

EDIT: and since I have a feeling you're going to talk about the firewall or something else blocking these connections it's a ddos so it can't handle that many connections to refuse. The only fix would be like you said closing the port but it doesn't so you can ddos the gateway.

Look at ur Screen, AcceptCount (200)
I was wrong in some of my information but i was giving examples,
But as u see the smallest prove that gateway got it's own security module ..

Edit : also check ur CPU usage at the time u send packets .
But the packets u send seems to gateway not dangers ..

kevin_owner · 02/18/2012, 16:54

Quote:

Originally Posted by Dr.Abdelfattah

Look at ur Screen, AcceptCount (200)
I was wrong in some of my information but i was giving examples,
But as u see the smallest prove that gateway got it's own security module ..

Yes it prevents to connections from going futher into the gateway to request the server list and stuff like that but that's not the point of this all since a ddos only wants to get the gateway down which is easy since the connections are still alive. and 51k connections take ALOT of memory so with a botnet you easily kill the gateway.

So to get things clear the connections are alive but only not trough the security of the gateway which is the handshake probably so that's why the connection established stuff is 0.

Dr.Abdelfattah · 02/18/2012, 16:58

Quote:

Originally Posted by kevin_owner

Yes it prevents to connections from going futher into the gateway to request the server list and stuff like that but that's not the point of this all since a ddos only wants to get the gateway down which is easy since the connections are still alive. and 51k connections take ALOT of memory so with a botnet you easily kill the gateway.

So to get things clear the connections are alive but only not trough the security of the gateway which is the handshake probably so that's why the connection established stuff is 0.

Just try to make auto loop to ur script which send those packets (so will keep sends packets tell u close ur script) and give me screenshot of gateway .

kevin_owner · 02/18/2012, 17:18

Quote:

Originally Posted by Dr.Abdelfattah

Just try to make auto loop to ur script which send those packets (so will keep sends packets tell u close ur script) and give me screenshot of gateway .

Why would I want to do that? A botnet isn't working that way so there is no point of testing it.

Besides I would have to use the silkroadsecurityapi which is kinda tricky so that would take some time.

But the point is that the gateway floods with too many connections == ddos.

Dr.Abdelfattah · 02/18/2012, 17:26

Quote:

Originally Posted by kevin_owner

Why would I want to do that? A botnet isn't working that way so there is no point of testing it.

Besides I would have to use the silkroadsecurityapi which is kinda tricky so that would take some time.

But the point is that the gateway floods with too many connections == ddos.

the gateway just reads the packets which send on it's port but accept 200 only (so just allow 200 to take effect with it {CPU usage same})
and send 55K for onetime isn't flood, if u need to check if the gateway is able to ddos on it or will block ur ip u need to make ur flood script auto loop every moment and so ..
As i tell u before gateway just see those packets u send un-degrus packets, as u know it's like the packets which check if port is opened or not {cuz of send 1 time only}

kevin_owner · 02/18/2012, 17:36

Quote:

Originally Posted by Dr.Abdelfattah

the gateway just reads the packets which send on it's port but accept 200 only (so just allow 200 to take effect with it {CPU usage same})
and send 55K for onetime isn't flood, if u need to check if the gateway is able to ddos on it or will block ur ip u need to make ur flood script auto loop every moment and so ..
As i tell u before gateway just see those packets u send un-degrus packets, as u know it's like the packets which check if port is opened or not {cuz of send 1 time only}

Yes but in this case only the connection is spam enough. I'm not sending 55k packets one time i'm creating 55k CONNECTIONS.

So the gateway has 55k connections running and if a botnet creates this many connections it'll screw up the gateway.

Also the 55k connections made the gateway use like 2.3 gb RAM extra than normal so if you have a botnet you wouldn't get a problem with the CPU or bandwidth but with the RAM

and since I made the connections async you can keep spamming new connections if the gateway decides to close them.

In my test I just loop 55k times but I could also add stuff like connect when a connection is closed so you keep those 55k open all the time and if they can't connect they'll just keep on trying.

So result is the gateway gets to many connections from the botnet and probably needs to a restart to clean the memory what are all those clients doing? well they simply reconnect flooding the ram again.

Btw this the same way REAL clients connect so if the gateway can't handle the amount of connections anymore due lack of ram like I had it won't accept them so real users can't connect either.

Dr.Abdelfattah · 02/18/2012, 17:41

Quote:

Originally Posted by kevin_owner

Yes but in this case only the connection is spam enough. I'm not sending 55k packets one time i'm creating 55k CONNECTIONS.

So the gateway has 55k connections running and if a botnet creates this many connections it'll screw up the gateway.

Also the 55k connections made the gateway use like 2.3 gb RAM extra than normal so if you have a botnet you wouldn't get a problem with the CPU or bandwidth but with the RAM

and since I made the connections async you can keep spamming new connections if the gateway decides to close them.

In my test I just loop 55k times but I could also add stuff like connect when a connection is closed so you keep those 55k open all the time and if they can't connect they'll just keep on trying.

So result is the gateway gets to many connections from the botnet and probably needs to a restart to clean the memory what are all those clients doing? well they simply reconnect flooding the ram again.

Btw this the same way REAL clients connect so if the gateway can't handle the amount of connections anymore due lack of ram like I had it won't accept them so real users can't connect either.

You are completely right but just need from u to made connection (flood) on this ip ns1.elitexmen.com:15779 cuz i need to show u something ..

Mykha* · 02/18/2012, 17:58

Atomix is now up. We are really sorry for the down time. -Mykha

kevin_owner · 02/18/2012, 18:05

Quote:

Originally Posted by Dr.Abdelfattah

You are completely right but just need from u to made connection (flood) on this ip ns1.elitexmen.com:15779 cuz i need to show u something ..

I'm not gonna flood with my own ip I could send you the program with source if you want so you can check it by yourself. Also is that server yours cause you should definitly not try to spam another server.

Owh and what do you want to show me?

Dr.Abdelfattah · 02/18/2012, 18:10

Quote:

Originally Posted by kevin_owner

I'm not gonna flood with my own ip I could send you the program with source if you want so you can check it by yourself. Also is that server yours cause you should definitly not try to spam another server.

Owh and what do you want to show me?

\\
yes server is mine and also it's oky send me ur program
after i test i will show u, cuz i'm sure of something but needs a test first ..

kevin_owner · 02/18/2012, 18:15

Clean your private message stuff i'm not gonna post this stuff right here^^

Dr.Abdelfattah · 02/18/2012, 18:16

ah sorry

, oky u could send right now