huannan5300 Posted April 16, 2020

Staff, come in and have a look. It's a fatal mistake

Hello, I'm a Chinese player. In our servers in China, a very terrible thing happened, which led to a 50% reduction in the number of servers killed in seven days in China. This situation lasted for about a month. The reason is that someone used the vulnerability of seven days to attack the server, resulting in the server dropping off the line. This is the difference between the attack form and the traditional attack. Check the firewall. No DDoS attacks were found. He did it for the seven day kill game. A way to attack! I hope you can pay attention to it and solve it.

Output log: https://pastebin.com/2k8et0av

Boidster Posted April 16, 2020

That server had a lot of mods running. Were vanilla servers affected? Was EAC enabled or disabled?

huannan5300 Posted April 16, 2020 (Author)

> That server had a lot of mods running. Were vanilla servers affected? Was EAC enabled or disabled?

When EAC is enabled, it is not only my server that is attacked, but also the server of the whole Chinese players, including those without mod. When EAC is opened, the output log is the same as mine.

mr.devolver Posted April 16, 2020

This is sad. Wasn't Easy Anti-Cheat (EAC) supposed to stop all kinds of cheaters and hackers?

huannan5300 Posted April 17, 2020 (Author)

> This is sad. Wasn't Easy Anti-Cheat (EAC) supposed to stop all kinds of cheaters and hackers?

If it can be prevented, it will not be so serious. The form of his attack does not need to enter the server.

Dethar Posted April 17, 2020

This has been a major issue in other games that have official servers. I mainly see this for Conan, which is the only other forums I read, but mainly for any new update news. So I have read MANY posts where players say official servers are rekt with DDoS attacks and hackers, and unplayable. From what I understand a lot of this is coming from China. But what do I know, I only play multiplayer on my PC or friends. I assume Funcom is a bigger studio, and if they can't do anything about it I don't think TFP will be able to either.

huannan5300 Posted April 17, 2020 (Author)

> This has been a major issue in other games that have official servers. I mainly see this for Conan, which is the only other forums I read, but mainly for any new update news. So I have read MANY posts where players say official servers are rekt with DDoS attacks and hackers, and unplayable. From what I understand a lot of this is coming from China. But what do I know, I only play multiplayer on my PC or friends. I assume Funcom is a bigger studio, and if they can't do anything about it I don't think TFP will be able to either.

His attack mode can ignore the defense of the server itself. At present, only the official can solve the attack mode against the server.

pApA^LeGBa Posted April 17, 2020

> This is sad. Wasn't Easy Anti-Cheat (EAC) supposed to stop all kinds of cheaters and hackers?

EAC is as effective as a sign that says "Please don't enter" on an unlocked door.

meganoth Posted April 17, 2020

EAC has nothing to do with this attack because the attacker does not log in at all, he just gives a nonsensical username and password which needs to be checked by the server. Each such login attempt starts a few threads on the server and that gets expensive if >100 such attempts arrive in just a few seconds.

TFP could make sure that the server handles and accepts only, say, 8 simultaneous login attempts and ignores further attempts until these have been handled. Also they could check that only 8 are allowed from the same IP address every 10 minutes.

It would still be possible for an attacker with a botnet to prevent logins, but whoever is already logged in could play without the server machine breaking down.

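The throttling meganoth describes above, sketched as an added example (this is not code from the thread or from the game server). `LoginGate` and its method names are hypothetical, the addresses are documentation ranges, and the two flood scenarios are constructed; the limits of 8 simultaneous checks and 8 attempts per address per 10 minutes are the figures from the post.

```python
import collections

MAX_IN_FLIGHT = 8      # simultaneous credential checks (figure from the post)
MAX_PER_IP = 8         # attempts per address per window (figure from the post)
WINDOW_SECONDS = 600   # 10 minutes

class LoginGate:
    """Hypothetical gate consulted before any thread or password check starts."""

    def __init__(self):
        self.in_flight = 0
        self.recent = collections.defaultdict(collections.deque)  # ip -> times

    def try_admit(self, ip, now):
        """Return 'ok', 'ip-limit' or 'busy'; only 'ok' may start a check."""
        stamps = self.recent[ip]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()          # forget attempts older than the window
        if len(stamps) >= MAX_PER_IP:
            return "ip-limit"         # cheap reject, nothing is spawned
        if self.in_flight >= MAX_IN_FLIGHT:
            return "busy"             # global cap reached: drop, do not queue
        stamps.append(now)
        self.in_flight += 1
        return "ok"

    def release(self):
        """Call when a credential check finishes, whatever its outcome."""
        self.in_flight = max(0, self.in_flight - 1)

def single_source_flood():
    """Constructed case: 150 attempts from one address within 3 seconds."""
    gate = LoginGate()
    seen = collections.Counter(
        gate.try_admit("203.0.113.7", now=i * 0.02) for i in range(150))
    for _ in range(seen["ok"]):
        gate.release()                # the 8 admitted checks fail and finish
    player = gate.try_admit("198.51.100.20", now=4.0)
    same_ip_later = gate.try_admit("203.0.113.7", now=300.0)
    return seen, player, same_ip_later

def botnet_flood():
    """Constructed case: 100 distinct addresses, no check has finished yet."""
    gate = LoginGate()
    return collections.Counter(
        gate.try_admit(f"10.0.{i}.1", now=1.0) for i in range(100))

if __name__ == "__main__":
    print(single_source_flood())
    print(botnet_flood())
```

The second scenario shows the limit the post concedes: with many source addresses the global cap still holds server load down, but new logins are refused while it is saturated. A long-running version would also need to evict idle addresses from `recent`.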
Fox Posted April 17, 2020

I just noticed this is a duplicate topic and this one being in the wrong section.

meganoth Posted April 17, 2020

> I just noticed this is a duplicate topic and this one being in the wrong section.

Good point. Moving it to General support.

huannan5300 Posted April 18, 2020 (Author)

> EAC has nothing to do with this attack because the attacker does not log in at all, he just gives a nonsensical username and password which needs to be checked by the server. Each such login attempt starts a few threads on the server and that gets expensive if >100 such attempts arrive in just a few seconds. TFP could make sure that the server handles and accepts only, say, 8 simultaneous login attempts and ignores further attempts until these have been handled. Also they could check that only 8 are allowed from the same IP address every 10 minutes. It would still be possible for an attacker with a botnet to prevent logins, but whoever is already logged in could play without the server machine breaking down.

Please tell me how TFP is set. Can you explain in detail that our server has been hit to crash and has been crashing. Help, thank you.

huannan5300 Posted April 18, 2020 (Author)

At present, there are IP attacks from foreign countries, including Russia, the United States, Japan, Canada, etc.

meganoth Posted April 18, 2020

I am only a moderator (which means that I for example intervene if someone misbehaves on the forum or someone needs help with the forum). Apart from that I am a normal forum user and player with no internal knowledge about TFP.

I can tell you just from experience (as a programmer and forum reader), that any help you can get from TFP is probably (!?) months away. And may only fix the problem halfway. There is no universal fix for DDoS, even giant companies like Sony cannot prevent a DDoS and need to hire specialists like Akamai to fight a DDoS with a lot of manpower and manual intervention.

If someone hires a botnet to stop your server, all you can do is wait until the attacker doesn't want to pay anymore for the botnet. (A whitelist might help, see below.) But your logfile shows that at least your attacker did not use a botnet but a single PC for the attack. This means he doesn't have any expenses and could continue indefinitely. But you can more easily defend against it yourself:

So if someone uses his and his friends' PCs to stop your server, you can try to filter out their IPs or IP ranges on the server (a blacklist). You need to do this on the level of the operating system. The filter list would be daily changing as most of them get a new IP address every day and you don't want to filter some ranges completely (since also allowed players use the same big providers as the attackers). But you need knowledge how to do such filtering for your operating system and some scripts to help you do the filtering fast and efficient. If you operate the server 24 hours a day, you need scripts to automatically detect a DDOS attempt and filter such IPs.

Or even better maybe you can make a whitelist of people allowed to connect. A possible method would be that you require players to send you an email with their current IP before they start playing. You would have a script that automatically extracts the IP from emails of valid email senders and allows these IPs. Instead of daily changing IPs you now have fixed email addresses that you allow to connect to your server.

These are just ideas that might work in your situation. I don't have such scripts ready. And besides having a good knowledge of network protocols I have not been in the actual situation of having to prevent such attacks. But I'm confident a whitelist would work well to prevent the attack that happened in your logfile. A whitelist might even help against a botnet as long as the botnet isn't just drowning out the traffic completely, which needs a bigger more expensive botnet.

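One way the automatic detection step from the post above could look, as an added example rather than a script from the thread. The log line format, the threshold of 20 rejections in 10 seconds and all function names are assumptions made for illustration (the game's real log format is not shown on this page). Blocks apply to single addresses only and expire after 24 hours, matching the points about daily-changing IPs and not filtering whole ranges; pushing the result into the operating system's packet filter is left to the operator's own tooling.

```python
import re
from datetime import datetime, timedelta

# Constructed line format for this example, not the game's real log format.
LINE = re.compile(r"^(\S+) login-rejected ip=(\d{1,3}(?:\.\d{1,3}){3})$")
THRESHOLD = 20                   # rejected logins from one address ... (assumed)
WINDOW = timedelta(seconds=10)   # ... within this span (assumed)
BLOCK_TTL = timedelta(hours=24)  # blocks expire because addresses change daily

def update_blocklist(lines, blocklist, allowlist=frozenset()):
    """Block single addresses (never ranges) that reach THRESHOLD in WINDOW.
    blocklist maps ip -> expiry time and is updated in place."""
    recent = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # unrelated or malformed line
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in allowlist:
            continue                      # known players are never blocked
        stamps = recent.setdefault(ip, [])
        stamps.append(when)
        while when - stamps[0] > WINDOW:
            stamps.pop(0)                 # keep only the last WINDOW of events
        if len(stamps) >= THRESHOLD:
            blocklist[ip] = when + BLOCK_TTL
    return blocklist

def active_blocks(blocklist, now):
    """Drop expired entries and return the addresses to filter right now."""
    for ip in [ip for ip, until in blocklist.items() if until <= now]:
        del blocklist[ip]
    return sorted(blocklist)

def sample_log():
    """Constructed input: a flood, a player mistyping twice, an allowed host."""
    t0 = datetime(2020, 4, 16, 12, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i // 5)} login-rejected ip=203.0.113.7" for i in range(40)]
    lines += [f"{stamp(s)} login-rejected ip=198.51.100.20" for s in (3, 90)]
    lines += [f"{stamp(1)} login-rejected ip=192.0.2.10" for _ in range(30)]
    lines.append("INF some unrelated server message")
    return lines

if __name__ == "__main__":
    blocks = update_blocklist(sample_log(), {}, allowlist={"192.0.2.10"})
    print(active_blocks(blocks, datetime(2020, 4, 16, 13, 0, 0)))
```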
Jugginator Posted April 20, 2020

I don't know about how your ISPs work in China, but I know some ISPs here can help mitigate the issue. What Meganoth said is 100% true, there's not much you can do but get your ISP / you block IPs, or you change to a whitelisted server. Configuring the server to only accept, say, 1 authentication attempt per like 5 minutes, it still has to reject the connections -- you're only barely lowering the load. If it's your own dedicated server/machine, perhaps look into installing an IPS (software works too, don't need a dedicated box).

And as Meganoth is, I've only dealt with DDOS attacks in simulation, not in reality; but, that network security course section is about a week's worth of typing with scripts/instruction prevention systems and all of that, therefore I'd suggest you do some Googling there (it's possible) lol.

Archived
This topic is now archived and is closed to further replies.