Author Topic: PSA: Several servers are being DDoS attacked by a botnet. (Read 34445 times)

-Paint- · August 31, 2017, 04:53:48 AM

So adding a password to the server would change nothing?

Ad Bot · Advertisement

TheBlackParrot · August 31, 2017, 05:01:06 AM

Quote from: -Paint- on August 31, 2017, 04:53:48 AM

So adding a password to the server would change nothing?

yes

CRITAWAKETS · August 31, 2017, 08:14:39 AM

Quote from: -Paint- on August 31, 2017, 04:53:48 AM

So adding a password to the server would change nothing?

Considering that hellspy's RP servers which are almost all of the time passworded never got hit, i can assume passwording your server could help.

Then again it might actually be a fanatic member of the servers and that passwording your server wont do anything.

Metario · August 31, 2017, 09:17:19 AM

Quote from: CRITAWAKETS on August 31, 2017, 08:14:39 AM

Considering that hellspy's RP servers which are almost all of the time passworded never got hit, i can assume passwording your server could help.

Then again it might actually be a fanatic member of the servers and that passwording your server wont do anything.

call me crazy but I don't think a fanatic member of your server can generate 1.5 gbps of traffic

Dannu · August 31, 2017, 09:22:40 AM

Quote from: Metario on August 31, 2017, 09:17:19 AM

call me crazy but I don't think a fanatic member of your server can generate 1.5 gbps of traffic

There are botnets for hire out there, which you are obviously aware of.

Scout31 · August 31, 2017, 10:34:53 AM

Quote from: TheBlackParrot on August 31, 2017, 04:08:58 AM

viso's getting hit again, i'm not being hit yet

I think we should correlate attack times and position on server list when they happen. I’m thinking (from nature of traffic logs) that there’s only one attack at any given time and it’s on a top server, persisting until it crashes or disappears from the server list.

Kyuande · August 31, 2017, 10:37:38 AM

Quote from: TheBlackParrot on August 31, 2017, 04:08:58 AM

viso's getting hit again, i'm not being hit yet

I'm not sure if it was a hit, I did not get any emails or anything about the attack during that time, the CPU was very high and it was at a constant percentage for some reason (25% - blockland never hits it that high on the VPS, max is usually 20% when it starts up) when I checked it a few minutes ago but nothing was coming out of trace other than a loop - but that can't be the problem.

TheBlackParrot · August 31, 2017, 11:27:36 AM

Quote from: Kyuande on August 31, 2017, 10:37:38 AM

I'm not sure if it was a hit, I did not get any emails or anything about the attack during that time, the CPU was very high and it was at a constant percentage for some reason (25% - blockland never hits it that high on the VPS, max is usually 20% when it starts up) when I checked it a few minutes ago but nothing was coming out of trace other than a loop - but that can't be the problem.

this was at 3:07AM central, not a few minutes ago lol

Kyuande · August 31, 2017, 12:44:26 PM

No I am saying I checked the vps usuage a few minutes ago during that post and it still did not change the cpu usuage of the server

Scout31 · August 31, 2017, 03:00:01 PM

Quote from: Scout31 on August 31, 2017, 02:58:30 PM

The first DDoS protected server is currently experiencing a DDoS attack with no drop in latency. 90k packets per second, 409.99 Mbps. Attack would need to be 24x as large to impact the server.

All attack traffic is originating from port 111. Sample traffic below:

Code: [Select]

2017-08-31 18:51:06 UTC IP 14.102.147.147:111 > 104.207.133.58:28000 UDP, length 4554780, packets 8192
2017-08-31 18:51:06 UTC IP 45.125.247.197:111 > 104.207.133.58:28000 UDP, length 4554780, packets 8192
2017-08-31 18:51:06 UTC IP 37.48.125.223:111 > 104.207.133.58:28000 UDP, length 4554780, packets 8192
2017-08-31 18:51:06 UTC IP 58.141.87.16:111 > 104.207.133.58:28000 UDP, length 4227100, packets 8192
2017-08-31 18:51:06 UTC IP 58.251.132.25:111 > 104.207.133.58:28000 UDP, length 5537820, packets 8192
2017-08-31 18:51:07 UTC IP 45.46.76.13:111 > 104.207.133.58:28000 UDP, length 4390940, packets 8192
2017-08-31 18:51:07 UTC IP 14.42.40.251:111 > 104.207.133.58:28000 UDP, length 4227100, packets 8192

Figure · August 31, 2017, 03:49:45 PM

*cue witch hunt*

Scout31 · August 31, 2017, 03:50:39 PM

Trying to find who's doing it will be a waste of time. There's likely zero evidence other than a confession that would be useful.

Marios · August 31, 2017, 09:53:46 PM

False confessions exist. God knows who would falsely confess to DDoSing us, but god also knew who would hire a botnet to attack us. Are keys more expensive than a DDoS attack?

Rolfey95 · August 31, 2017, 09:58:32 PM

Quote from: Scout31 on August 31, 2017, 03:50:39 PM

Trying to find who's doing it will be a waste of time.

I find it ironic that the BLID daprogs website is down.
And yes looking up BLID 111 shows 2 people, one who hasn't been online in 2 years (dimper) and the other one appariently has never been on (None).
¯\_(ツ)_/¯

Guess we just wait.

Scout31 · August 31, 2017, 10:00:18 PM

Really don't think this belongs in the drama section. This isn't a set of personal attacks, it's targeted at Blockland as a whole. Visibility of GD would help communicate the issue.

Quote from: Rolfey95 on August 31, 2017, 09:58:32 PM

I find it ironic that the BLID daprogs website is down.
And yes looking up BLID 111 shows 2 people, one who hasn't been online in 2 years (dimper) and the other one appariently has never been on (None).
¯\_(ツ)_/¯

Guess we just wait.

Port 111, not BLID 111.