Author Topic: DDoS Attacks.  (Read 16888 times)

Sir

« on: April 28, 2013, 09:32:52 am »
Hello guys,

As some of you might know, we have a vicious bastard among us who likes to use VPS/Dedicated servers to DDoS CCT2 Cup Matches.
These attacks are no joke and are quite big in size, even going over 1GBps of constant traffic.
I've decided to trace all the IPs that were logged at the same time. Consistent IPs that are returning with every DDoS attack.

This is in no way an exposure of a player and/or personal info; these IPs are all public IPs from VPS/Dedicated servers located in datacenters. These IPs are not connected to players.

Most of the attacks are hosted by ServInt and Axarnet.
The reason I'm posting this is because you can easily look up the IP-Ranges from these hosters, if you have a nice host you can ask them to simply filter these IP Ranges before they reach your server port.
If you're assuming that your IPTables will fend off the attack, you are wrong. The point of this DDoS is to saturate your port speed. You will of course prevent the data from coming in, but there's no space left for actual game-data.
------------------

Spain - Madrid.
ISP: Axarnet Comunicaciones SL
Organization: Level 3 Communications

----------------------------------------

United States - Washington

ISP: ServInt
Organization: ServInt

----------------------------------------

ISP: Lunar Pages
Organization: Lunar Pages

64.50.162.16
----------------------------------------

ISP: Las Vegas NV Datacenter
Organization: Las Vegas NV Datacenter

64.235.56.90
----------------------------------------

ISP: Latisys-Denver, LLC
Organization: Latisys-Denver, LLC

64.119.186.36
----------------------------------------

ISP: Peer 1 Network
Organization: ServerBeach / Peer 1 Network

64.34.199.8
64.34.186.12
----------------------------------------

ISP: ThePlanet.com Internet Services
Organization: myostrich.com

64.5.62.82
----------------------------------------

ISP: Hurricane Electric
Organization: Houston Internet Servers

64.71.162.170

----------------------------------------

France - Paris
ISP: Ikoula Net SAS
Organization: Dedicated Server

80.93.89.137
----------------------------------------

Canada - Ottawa / United States - Washington.
ISP: ServInt
Organization: Gridasoft / 3 Media Web Solutions

64.64.4.206
64.64.26.114
----------------------------------------

Reminder: these are consistent IPs; they show up during every DDoS attack.
« Last Edit: April 30, 2013, 07:19:16 am by Sir »
Group Owner of :| SirPlease
Config Dev :| Zonemod 1.8
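
Added example, not part of the original post: one way to derive the "consistent IPs" described above from per-attack logs and group them into ranges a host can filter upstream. The flow records, the baseline set and the function names are assumptions made for this sketch, and the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses, not the IPs from
# the post): (attack window, source IP) pairs pulled from flow/packet logs.
SAMPLE_FLOWS = [
    ("match-1", "192.0.2.10"), ("match-1", "192.0.2.77"),
    ("match-1", "198.51.100.5"), ("match-1", "203.0.113.9"),
    ("match-1", "203.0.113.40"),
    ("match-2", "192.0.2.10"), ("match-2", "192.0.2.77"),
    ("match-2", "198.51.100.5"), ("match-2", "203.0.113.40"),
    ("match-3", "192.0.2.10"), ("match-3", "192.0.2.77"),
    ("match-3", "198.51.100.5"), ("match-3", "203.0.113.40"),
]
# Constructed baseline: sources also seen during normal, attack-free play.
KNOWN_PLAYERS = {"203.0.113.40"}

def consistent_sources(flows, baseline=()):
    """Source IPs present in every attack window and absent from the baseline."""
    windows, seen_in = set(), defaultdict(set)
    for window, ip in flows:
        windows.add(window)
        seen_in[ipaddress.ip_address(ip)].add(window)
    known = {ipaddress.ip_address(ip) for ip in baseline}
    return sorted(ip for ip, w in seen_in.items()
                  if w == windows and ip not in known)

def to_filter_ranges(ips, prefix=24, min_hosts=2):
    """Widen to the covering /prefix only when several offenders share it."""
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    nets = []
    for net, members in by_net.items():
        if len(members) >= min_hosts:
            nets.append(net)                      # whole range for the host
        else:
            nets.extend(ipaddress.ip_network(str(m)) for m in members)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    sources = consistent_sources(SAMPLE_FLOWS, KNOWN_PLAYERS)
    print(to_filter_ranges(sources))
```

Without the baseline, a regular player who was present in every attacked match would end up in the filter list as well.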

nikeon

« Reply #1 on: April 28, 2013, 09:44:27 am »
Well, it's a shame and shows how little pride you have to have to DDoS tournament games in a game that is almost dead.

But beyond this, it's funny how much time this little kid puts into attacking the tournament. I guess your real life is full of joy :].

Anyways, I'd like to wish you a nice traffic accident in the near future and hope all server owners in CCT2.# take this seriously and team up against this kid.

For further information, just throw us a message on Steam.

3yebex

« Reply #2 on: April 28, 2013, 01:12:15 pm »
Wow that is a lot of IP addresses. Someone really is going all out to DDOS (Yes, DDOS, not DOS now, lmost hilarious thing!ol.) the tournament. It's unfortunate that this keeps occurring, and wish the best of luck to the CCT admins (and other server owners) to avoid these DDOS attacks.

colors

« Reply #3 on: April 28, 2013, 01:20:52 pm »
Kid is super mad that he's too shitty to play comp. I mean, xbye plays, how bad must this kid be?

3yebex

« Reply #4 on: April 28, 2013, 01:22:38 pm »
> Kid is super mad that he's too shitty to play comp. I mean, xbye plays, how bad must this kid be?
Colours is worse than me and Kobra though!

Sir

« Reply #5 on: April 29, 2013, 08:36:20 am »
Just a small update: the Spanish provider Axarnet has replied to my tickets, has checked the IPs and their outgoing netflow, has confirmed outgoing attacks and will take action accordingly. They said they'd keep me up to date on the matter, so hopefully we'll have full confirmation soon.

Still waiting for a follow-up on ServInt's ticket.


3yebex

« Reply #6 on: April 29, 2013, 10:06:37 am »
Last night I think one of our scrims fell victim to a DOS attack, but not through normal means. A player with only 1 previous name (Mad EU kid is mad) had joined the server, who is a friend of someone who was trolling with some guy named ssssh (Ohzy?) and after he joined the server, the server timed out for a good 5 seconds and pretty much kicked us back to lobby. It's as if he crashed the server from the inside? Maybe a series of console commands or a SourceMod exploit?

Sir

« Reply #7 on: April 29, 2013, 10:22:17 am »
> Last night I think one of our scrims fell victim to a DOS attack, but not through normal means. A player with only 1 previous name (Mad EU kid is mad) had joined the server, who is a friend of someone who was trolling with some guy named ssssh (Ohzy?) and after he joined the server, the server timed out for a good 5 seconds and pretty much kicked us back to lobby. It's as if he crashed the server from the inside? Maybe a series of console commands or a SourceMod exploit?

The ssshh guy is one of the attackers, yes.
I'd post the attackers publicly, but I can't due to not wishing to break the rules myself.

The reason it kicked you back to lobby is because the server crashed after the attack; it couldn't handle it.

fig newtons

« Reply #8 on: April 29, 2013, 12:08:47 pm »
On topic:

I strongly recommend that everyone who controls a l4d2 server should contact epilimic about having their server added to the LTD l4d2 logger.

He has found a plugin that stores login information to a MySQL backend and I built some queries that identify account sharing / smurfing / sockpuppets at the click of a button. But it can only search what we have in the logs. The more servers we have writing to the MySQL database, the easier it will be to sniff out the identities of DoSers, returning cheaters, etc.

Unlike the method I had been using in the past that relied on server logs, this is lightning fast and does not require that you disclose your FTP login or password to us. All you have to do is run a plugin and your server will be secured.

« Last Edit: April 29, 2013, 12:17:03 pm by fig newtons »
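
Added example, not the LTD logger's own code or queries: a sketch of how login records can link accounts that share an IP, then merge those links transitively into clusters. The table layout, column names and sample rows are assumptions (the post does not describe the plugin's schema), and SQLite stands in for MySQL so the block runs offline.

```python
import sqlite3

# Constructed sample rows; (steam_id, name, ip) is an assumed layout.
SAMPLE_LOGINS = [
    ("STEAM_1:0:1001", "alpha", "192.0.2.10"),
    ("STEAM_1:0:1001", "alpha", "192.0.2.10"),      # repeat login
    ("STEAM_1:0:1002", "beta", "192.0.2.10"),       # shares an IP with alpha
    ("STEAM_1:0:1002", "beta", "198.51.100.7"),
    ("STEAM_1:1:1003", "gamma", "198.51.100.7"),    # shares an IP with beta
    ("STEAM_1:0:2001", "regular", "203.0.113.5"),   # never shares an IP
    ("STEAM_1:0:2001", "regular", "203.0.113.6"),
]

def load(rows):
    """Create an in-memory table holding the login records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (steam_id TEXT, name TEXT, ip TEXT)")
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return db

def linked_pairs(db):
    """Pairs of distinct accounts that logged in from the same IP."""
    return db.execute(
        "SELECT DISTINCT a.steam_id, b.steam_id FROM logins a "
        "JOIN logins b ON a.ip = b.ip AND a.steam_id < b.steam_id "
        "ORDER BY 1, 2").fetchall()

def clusters(db):
    """Merge linked pairs transitively (union-find) into account clusters."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for a, b in linked_pairs(db):
        parent[find(a)] = find(b)
    groups = {}
    for acct in parent:
        groups.setdefault(find(acct), set()).add(acct)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(clusters(load(SAMPLE_LOGINS)))
```

A shared IP is only a lead: households, LAN centres and carrier NAT put unrelated players behind one address, so a cluster needs review before anyone is banned.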

Luckylock

« Reply #9 on: April 29, 2013, 02:19:53 pm »
It's really nice to see y'all make efforts to fight off the annoying ddos kids, it's appreciated!

marr

« Reply #10 on: April 29, 2013, 07:10:21 pm »
> On topic:
>
> I strongly recommend that everyone who controls a l4d2 server should contact epilimic about having their server added to the LTD l4d2 logger.
>
> He has found a plugin that stores login information to a MySQL backend and I built some queries that identify account sharing / smurfing / sockpuppets at the click of a button. But it can only search what we have in the logs. The more servers we have writing to the MySQL database, the easier it will be to sniff out the identities of DoSers, returning cheaters, etc.
>
> Unlike the method I had been using in the past that relied on server logs, this is lightning fast and does not require that you disclose your FTP login or password to us. All you have to do is run a plugin and your server will be secured.



Just want to clarify none of the owners of LTD have been talked with about this including myself. This could be a possibility, but it might cause some challenges for us to work around or may not be possible. So this will not be happening until I speak with Fig since he never asked me about this. Also need to check on other things.

Visor

« Reply #11 on: April 30, 2013, 02:04:17 pm »
$10 says you aren't anywhere near a controlling position of the L4D3 scene in any continent when it happens.

Thing is, he does what he wants, 'cause he's able to and we are letting him do that. He abuses his place and power in this community and people like me get banned for no reason. Only thing Visor wants is more and more control so he can do whatever he wants.

Sir

« Reply #12 on: April 30, 2013, 02:35:24 pm »
Yup, just as I thought. It's a rented botnet.

3yebex

« Reply #13 on: April 30, 2013, 04:26:15 pm »
People pay to ddos a tourny on a small community game, the hell is this world coming to
It's actually pretty cheap to buy a premade botnet. A small community where the competitive scene is hosted outside of official companies' servers is also a pretty good target if you ask me. A bigger community would have more resources, more voices to contact officials, etc. I don't think anyone in their right mind would target a bigger community/official companies' servers. Could be wrong though!

epilimic

« Reply #14 on: May 04, 2013, 12:12:34 am »
Just want to let everybody know that we have the green light to add in more servers to the database. I've got a few set up so far and am quite eager to get more on board!

Either send me a PM on here or contact me on Steam and I'll get you all set up. As fig said, you'll be doing the community as a whole a huge favor by connecting with us in a centralized location.

http://steamcommunity.com/id/epilf
what what, in the mutt

 

A dedicated community website for competitive L4D and L4D2, run by the community, for the community. L4DNation supports all continents of play and focuses on bringing together the community as a whole to a central hub of information.