Servers down?

Status
Thread Closed: Not open for further replies.
So, somebody didn't even bother to reboot his router to save $59,99? Seems unlikely. You have to have some basic networking intelligence to do this, there is no LOIC ED edition :)

The only thing you'd need the game client for is to get the address of the matchmaking server, from there you just point bad packets at it and hope for the best. That still doesn't take any more skill than a skiddie would come up with. 99% of DDoS attacks are entry level crap, successful ones that actually deny access to a service for a long period of time are usually politically or financially motivated and conducted by people with the appropriate skills and (most importantly) resources.
That said this easily could have been an accident by someone trying to hack their outgoing network data in such a way that caused problems on Frontier's end. I don't think they managed to actually brute-force the servers offline, but then we only have Ed's post to go on.
 
So, somebody didn't even bother to reboot his router to save $59,99? Seems unlikely. You have to have some basic networking intelligence to do this, there is no LOIC ED edition :)

ISP will have all the sessions logged, change of IP address won't do squat to protect you.

If he originated the attack from his own connection he's an idiot, though loner DOS attacks from your own connection almost never generate enough traffic to affect anything, with the exception of the rare people with access to 1G or 10G links.

My guess is one of the many online DDoS "services" though, bragging about it on-line and got pinged.
 
ISP will have all the sessions logged, change of IP address won't do squat to protect you.
And they will go ahead and share it with a stranger AKA FDev in a matter of days? Yeah, right. There are many ways to hide your IP and, more importantly, you cannot really DOS a corporate server from your home connection unless you are going against some poorly written application logic, meaning you have to authenticate.

- - - Updated - - -

The only thing you'd need the game client for is to get the address of the matchmaking server, from there you just point bad packets at it and hope for the best. That still doesn't take any more skill than a skiddie would come up with. 99% of DDoS attacks are entry level crap, successful ones that actually deny access to a service for a long period of time are usually politically or financially motivated and conducted by people with the appropriate skills and (most importantly) resources.
You at least need to understand what an IP is, meaning you'll know you don't want yours to show up in the logs. And the matchmaking server is UDP, meaning you can really do it with a spoofed IP, you know, the one you can find in your verbose network log under the logs folder :) :) :) .
 
Sounds like Dym is more than usually sympathetic to the plight of the hacker. Investigate him too! *points finger*
You are wrong cmdr, I'm not sympathetic to any form of hacking, but to innocent until proven guilty ;) I know that the Amazon guys are pros, but even for them it's not possible to prove that after a weekend, or do you think they got the tracking IPs from the internet provider over the weekend? Anyway, let's just hope they caught the right one.
 
The only thing you'd need the game client for is to get the address of the matchmaking server, from there you just point bad packets at it and hope for the best. That still doesn't take any more skill than a skiddie would come up with. 99% of DDoS attacks are entry level crap, successful ones that actually deny access to a service for a long period of time are usually politically or financially motivated and conducted by people with the appropriate skills and (most importantly) resources.
That said this easily could have been an accident by someone trying to hack their outgoing network data in such a way that caused problems on Frontier's end. I don't think they managed to actually brute-force the servers offline, but then we only have Ed's post to go on.

Could possibly be malformed packets, they can cause all sorts of unexpected host behaviours. That also implies at least some skill on the part of the attacker, because any decent firewall or IPS will be catching the vast majority of malformed packet attacks available to script kiddies. And given they did track down and identify this clown, I really doubt any level of skill was involved.

The simplest explanation is usually correct, DDoS.
 
My WAG is that it was someone tinkering with hacking tools, unwittingly sent malformed packets that tickled a bug in the ED server networking stack.

Edit to clarify: malformed in this case meaning malformed at the application level, not the networking level. They were likely still well formed UDP packets (hence why they'd get through AWS or similar), but with a malformed application payload.
 
And they will go ahead and share it with a stranger AKA FDev in a matter of days? Yeah, right. There are many ways to hide your IP and, more importantly, you cannot really DOS a corporate server from your home connection unless you are going against some poorly written application logic, meaning you have to authenticate.

No, they will share with hypersecurity institutions which handle DDoS attacks and large hacks. ISPs are really interested in taking such idiots down ASAP.
 
No, they will share with hypersecurity institutions which handle DDoS attacks and large hacks. ISPs are really interested in taking such idiots down ASAP.

Caller: "Hello, I'm Peter from ReallySeriousBusiness. We have an ongoing DDoS attack from IP 193.258.258.23 and I'd like you to give me the name of the subscriber."
ISP: "Oh, ok, wait a moment, ... here you are: ..."

Plot of HyperCSI Aldebaran
 
And they will go ahead and share it with a stranger AKA FDev in a matter of days? Yeah, right. There are many ways to hide your IP and, more importantly, you cannot really DOS a corporate server from your home connection unless you are going against some poorly written application logic, meaning you have to authenticate.

- - - Updated - - -


You at least need to understand what an IP is, meaning you'll know you don't want yours to show up in the logs. And the matchmaking server is UDP, meaning you can really do it with a spoofed IP, you know, the one you can find in your verbose network log under the logs folder :) :) :) .

An IPv4 address is a 32 bit unique network identifier defined in RFC 791. I've been a network engineer for 18 years, I live SYN/ACKs.
(Though to be honest for the first five, I worked with telecoms transmission networks, ATM, Frame Relay and good ol' serial TDM.)

Spoofed traffic can only be used to flood traffic one way, it can't be used for anything else. If you're spoofing your source address, there is no way to route the return traffic to the originating host. Regardless, spoofed IP traffic is actually pretty uncommon now, unless the ISP is incompetent, they should be dropping all outgoing unidentifiable source addresses at the customer aggregation routers.

ISPs are usually more than happy to comply with abuse requests, and the UK has some pretty draconian laws regarding Internet attacks. Since they identified the guy at all, I'm guessing he was based in the UK. Or shooting his mouth off on-line and got pinged.
 
Spoofed traffic can only be used to flood traffic one way, it can't be used for anything else. If you're spoofing your source address, there is no way to route the return traffic to the originating host. Regardless, spoofed IP traffic is actually pretty uncommon now, unless the ISP is incompetent, they should be dropping all outgoing unidentifiable source addresses at the customer aggregation routers.
Exactly, and to do a 2-way over UDP you would have to authenticate, it should just drop everything else as garbage. And I would agree with the rest of your statement if I didn't do a network sniff on my home network recently, after opening some UDP ports, only to discover a lot of total garbage coming through with non-existent source IPs. The port configuration was for ED btw, I noticed better instancing when you open a port and add it to the config file.
 
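The two points made in the thread above, that a "malformed" datagram can be a perfectly valid UDP packet with a bad application payload, and that a UDP service should authenticate every message and drop everything else as garbage, can be shown with a small receive-side validator. The code below is an added example written for this thread, not Frontier's code, and the wire format (magic, version, message type, session id, payload length, payload, 16-byte HMAC tag) is entirely constructed; the session key table is likewise a stand-in for keys a server would issue after a client logs in. The naive parser shows how trusting the declared length turns a short datagram into a crash, while the strict parser rejects the same inputs with a reason and never raises.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed wire format for a hypothetical UDP matchmaking message (not Frontier's):
#   magic(4) | version(1) | msg_type(1) | session_id(4) | payload_len(2) | payload | tag(16)
MAGIC = b"MMX1"
VERSION = 1
HEADER = struct.Struct("!4sBBIH")
TAG_LEN = 16            # truncated HMAC-SHA256 over header + payload
MAX_PAYLOAD = 512       # largest payload the hypothetical protocol allows

# Constructed session table: a real server would fill this after the client authenticates.
SESSION_KEYS = {7: b"constructed-session-key-for-id-7"}


def build_datagram(session_id: int, msg_type: int, payload: bytes, key: bytes) -> bytes:
    """Client side: frame a payload and append its authentication tag."""
    body = HEADER.pack(MAGIC, VERSION, msg_type, session_id, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def naive_parse(data: bytes) -> bytes:
    """Trusts the header blindly: a truncated datagram raises struct.error here,
    which is the kind of bug a stray malformed payload can tickle."""
    _, _, _, _, plen = HEADER.unpack_from(data, 0)
    return data[HEADER.size:HEADER.size + plen]


def parse_datagram(data: bytes) -> Tuple[Optional[dict], str]:
    """Server side: check every field before using it and return (None, reason)
    for anything unexpected instead of raising. Unauthenticated input is garbage."""
    if len(data) < HEADER.size + TAG_LEN:
        return None, "truncated header"
    magic, version, msg_type, session_id, plen = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        return None, "bad magic"
    if version != VERSION:
        return None, "unsupported version"
    if plen > MAX_PAYLOAD:
        return None, "declared length too large"
    if len(data) != HEADER.size + plen + TAG_LEN:
        return None, "length mismatch"
    key = SESSION_KEYS.get(session_id)
    if key is None:
        return None, "unknown session"          # no authenticated session: drop
    body, tag = data[:HEADER.size + plen], data[HEADER.size + plen:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None, "bad auth tag"             # forged or tampered message
    return {"session": session_id, "type": msg_type, "payload": body[HEADER.size:]}, "ok"


def demo() -> dict:
    """Run the strict parser over constructed good and bad datagrams; return the verdicts."""
    key = SESSION_KEYS[7]
    good = build_datagram(7, 2, b"hello", key)
    tampered = good[:HEADER.size] + b"jello" + good[HEADER.size + 5:]
    oversize = HEADER.pack(MAGIC, VERSION, 2, 7, 1000) + b"\x00" * TAG_LEN
    return {
        "good": parse_datagram(good)[1],
        "truncated": parse_datagram(good[:10])[1],
        "tampered": parse_datagram(tampered)[1],
        "oversize": parse_datagram(oversize)[1],
        "unknown_session": parse_datagram(build_datagram(99, 2, b"hi", key))[1],
        "extra_bytes": parse_datagram(good + b"x")[1],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The length check against the declared `payload_len` happens before any slicing, the session lookup happens before the HMAC so an unknown session costs no crypto work, and `hmac.compare_digest` avoids a timing side channel on the tag comparison.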
Well if indeed it was a DDoS attack. I now realise the reason we had no updates and I humbly apologise for my comments.
Still unnerving though that one clown can take down a game.

No need to worry, not quite as black and white as that. Nothing to worry about at all.
 
Caller: "Hello, I'm Peter from ReallySeriousBusiness. We have an ongoing DDoS attack from IP 193.258.258.23 and I'd like you to give me the name of the subscriber."
ISP: "Oh, ok, wait a moment, ... here you are: ..."

Plot of HyperCSI Aldebaran

It doesn't happen like on TV. It does happen fast enough though.
 
For some reason, this sprung to mind :D


This one comes to my mind:

[image: anglo-eu-translation-guide2-1.jpg]
 
Exactly, and to do a 2-way over UDP you would have to authenticate, it should just drop everything else as garbage. And I would agree with the rest of your statement if I didn't do a network sniff on my home network recently, after opening some UDP ports, only to discover a lot of total garbage coming through with non-existent source IPs. The port configuration was for ED btw, I noticed better instancing when you open a port and add it to the config file.

Upstream providers won't even peer with you if you're not filtering on outbound these days, and they double that up by dropping any traffic not from your ASN's IP prefixes. Most of the junk spoofed traffic comes from third world countries and is pretty harmless if not being used as part of a DoS, which is pretty much all you can do with spoofed traffic.

Also I read back your posts so I actually understand what you're saying, I completely missed the context - sorry for that.

It could absolutely be a targeted attack from a compromised account, which would imply some skill - come through a service like Tor, more likely from a compromised host though, especially if it was easy to trace. Though a lone moron with access to a Gig link can do a surprising amount of mischief when targeting a single server.
 
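The filtering the network engineer describes in this and the earlier post (drop outgoing packets with source addresses that don't belong to the customer port at the aggregation router, and drop anything not from the ASN's own prefixes at the peering edge) is the BCP38 / strict-uRPF idea, and it is easy to show in a few lines. The code below is an added example for this thread, not anything from Frontier or any real ISP; the interface names, prefixes (all from the RFC 5737 documentation ranges) and sample packets are constructed. It generalises slightly beyond the posts: the same per-interface check is applied at both the access layer and the border, and the dropped records keep the ingress interface, which is what lets an abuse desk map a spoofed flood back to a subscriber line even though the source address is worthless.

```python
import ipaddress
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]      # (ingress interface, source IP, destination IP)
PrefixMap = Dict[str, list]        # interface -> prefixes legitimately sourced behind it


def net(s: str):
    return ipaddress.ip_network(s)


# Constructed addressing plan for a hypothetical ISP (not any real operator's numbering).
ACCESS_PORTS: PrefixMap = {
    "ge-0/0/1": [net("198.51.100.0/26")],     # subscriber A's assignment
    "ge-0/0/2": [net("198.51.100.64/26")],    # subscriber B's assignment
}
BORDER_UPLINKS: PrefixMap = {
    "xe-1/0/0": [net("203.0.113.0/25")],      # downstream customer AS and the prefix it announces
}


def strict_source_filter(packets: List[Packet], allowed: PrefixMap):
    """Forward a packet only if its source lies in a prefix assigned to the interface it
    arrived on (BCP38 / strict uRPF). Unknown interfaces and unparsable addresses are
    dropped. Each drop record keeps the interface so the abuse desk can identify the
    originating line without trusting the (possibly spoofed) source address."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            dropped.append({"iface": iface, "src": src, "dst": dst, "reason": "unparsable source"})
            continue
        if any(addr in p for p in allowed.get(iface, [])):
            forwarded.append((iface, src, dst))
        else:
            dropped.append({"iface": iface, "src": src, "dst": dst,
                            "reason": "source not assigned to interface"})
    return forwarded, dropped


# Constructed traffic seen at the customer aggregation router.
ACCESS_SAMPLE: List[Packet] = [
    ("ge-0/0/1", "198.51.100.10", "192.0.2.50"),    # legitimate
    ("ge-0/0/1", "198.51.100.70", "192.0.2.50"),    # neighbour's address used as source
    ("ge-0/0/2", "198.51.100.100", "192.0.2.50"),   # legitimate
    ("ge-0/0/2", "10.0.0.5", "192.0.2.50"),         # private source leaking out
    ("ge-0/0/2", "192.0.2.9", "192.0.2.50"),        # spoofed outside source
    ("ge-0/0/3", "198.51.100.200", "192.0.2.50"),   # port with no assignment configured
]
# Constructed traffic arriving from a downstream AS at the border router.
BORDER_SAMPLE: List[Packet] = [
    ("xe-1/0/0", "203.0.113.17", "192.0.2.50"),     # inside the announced prefix
    ("xe-1/0/0", "203.0.113.200", "192.0.2.50"),    # outside it (203.0.113.128/25 not announced)
    ("xe-1/0/0", "not-an-ip", "192.0.2.50"),        # garbage
]


def demo() -> dict:
    """Apply the filter at both layers and summarise what was forwarded and dropped."""
    fwd_a, drop_a = strict_source_filter(ACCESS_SAMPLE, ACCESS_PORTS)
    fwd_b, drop_b = strict_source_filter(BORDER_SAMPLE, BORDER_UPLINKS)
    return {
        "access_forwarded": len(fwd_a),
        "access_dropped": len(drop_a),
        "access_drop_ports": sorted({d["iface"] for d in drop_a}),
        "border_forwarded": len(fwd_b),
        "border_dropped": len(drop_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because `ipaddress` networks of one family never contain addresses of the other, the same map works unchanged if IPv6 prefixes are added per interface; the "unparsable source" branch is there so a garbage string from a test harness or a mis-decoded header fails closed rather than crashing the filter.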
It doesn't happen like on TV. It does happen fast enough though.

It never happens quickly, it usually involves me getting out of bed at 3am, nothing happens quickly at 3am. :D

This only works for idiots though, to track back to any attacker of skill is a long slow process, and involves law enforcement and a lot of warrants. Usually it's not the techs that catch these guys, but plain old fashioned police work.
 
Thanks for your patience everyone, we understand that a number of you experienced intermittent service over the weekend. The outages were caused by an automated attack on our game server which affected a small number of our servers, but the online team worked over the weekend to ensure that our servers remained online. We have also managed to track down the source and the player responsible who has now been banned from the game.

Service should now be restored to normal - thanks to everyone who reported problems to us during this period.



No need to worry, not quite as black and white as that. Nothing to worry about at all.


A player?

An employee?

A random?


It seems soon to have a suspect, though maybe your team are "ace" or Amazon are amazing or... The guy who did it is old school and left his name and contact details...


Have you offered him a job?
 
It never happens quickly, it usually involves me getting out of bed at 3am, nothing happens quickly at 3am. :D

This only works for idiots though, to track back to any attacker of skill is a long slow process, and involves law enforcement and a lot of warrants. Usually it's not the techs that catch these guys, but plain old fashioned police work.

In my own experience, it's usually the employers which notice first. A backup cluster going wild at odd times, weird spikes in the throughput, printers being commanded to spam, usually by recently let-go associates or security teams having a laugh.
 