Thread: HUGE New Flood Attack
-
09-08-2007, 17:11 #1
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- USA
- Posts
- 5
HUGE New Flood Attack
OK, before you start asking, here is the answer: the latest version of TS2 is being used, version number 2.0.23.19.
This morning, we started getting a flood attack. OK, nothing new. TSAFD working great....
Here's the problem. The person is changing IP addresses with each new login, happening every second. TSAFD can't keep up with it.
We have shut the server down for 30 min. It still comes right back when I start things back up. The user is using IDs that start with the number 1, and persistently goes to different numbers. So I can't really ban a nick, or part of a nick.
Any suggestions?
-
09-08-2007, 17:13 #2
-= TeamSpeak Fanatic =-
- Join Date
- Jul 2006
- Posts
- 1,573
Look up the IP, for example 85.24.87.56
Then you can range-ban the IP: Add new IP: 85.24.*.* and click on add.
-
09-08-2007, 17:23 #3
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- USA
- Posts
- 5
The IPs are too random, with no pattern, always beginning with something different.
I think we are going to have to try and change the port. Then if the person follows, it means it's a personal attack.
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.81.82.71, Nick: 116, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.152.88.140, Nick: 117, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.50.173, Nick: 118, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.155.44.145, Nick: 119, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.109.41.107, Nick: 120, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.42.28, Nick: 121, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.81.215.119, Nick: 122, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.154.98.195, Nick: 123, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 141.157.208.9, Nick: 124, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.177.50, Nick: 125, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 87.69.78.250, Nick: 126, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.229.81.75, Nick: 127, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 77.124.19.238, Nick: 128, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 87.69.106.17, Nick: 129, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.153.109.217, Nick: 130, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.178.29.22, Nick: 131, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.228.253.152, Nick: 132, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.178.137.159, Nick: 133, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 89.139.46.148, Nick: 134, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 87.69.28.161, Nick: 135, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.154.241.173, Nick: 136, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.154.171.59, Nick: 137, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 212.179.253.105, Nick: 138, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.229.3.50, Nick: 139, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.230.106.68, Nick: 140, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.228.171.55, Nick: 141, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 81.5.4.214, Nick: 142, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 89.139.214.108, Nick: 143, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.178.4.244, Nick: 144, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.154.12.88, Nick: 145, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 221.18.155.98, Nick: 146, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.166.183.213, Nick: 147, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 89.139.4.140, Nick: 148, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.155.21.247, Nick: 149, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 77.124.19.17, Nick: 150, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 83.130.52.76, Nick: 151, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.230.153.202, Nick: 152, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 80.230.24.111, Nick: 153, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.155.24.176, Nick: 154, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 79.179.114.132, Nick: 155, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.81.87.76, Nick: 156, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.94.145.164, Nick: 157, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.178.159, Nick: 158, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.110.217.39, Nick: 159, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 87.69.48.206, Nick: 160, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.95.117.94, Nick: 161, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 217.132.202.141, Nick: 162, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 217.132.104.166, Nick: 163, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.154.224.241, Nick: 164, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 79.179.10.76, Nick: 165, Version: 2.0.32.60]
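Detection logic for the pattern visible in the log excerpt above, added here as an example and not part of the original post: it groups `client connected` lines per second and flags windows in which every login comes from a new IP and the numeric nicks count upward. The sample embeds seven lines from the excerpt plus one constructed ordinary login; `flood_windows` and `min_logins` are names chosen for this example.

```python
import re
from collections import defaultdict

# Layout of the "client connected" lines quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+),ALL,Info,AccessLog,\s*SID: (?P<sid>\d+) client connected "
    r"\[IP: (?P<ip>[\d.]+), Nick: (?P<nick>[^,\]]*), Version: (?P<ver>[\d.]+)\]"
)

# Seven lines copied from the post plus one constructed ordinary login (last line).
SAMPLE = """\
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.81.82.71, Nick: 116, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.152.88.140, Nick: 117, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.50.173, Nick: 118, Version: 2.0.32.60]
09-08-07 06:30:14,ALL,Info,AccessLog, SID: 1 client connected [IP: 88.155.44.145, Nick: 119, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 82.81.87.76, Nick: 156, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.94.145.164, Nick: 157, Version: 2.0.32.60]
09-08-07 06:30:15,ALL,Info,AccessLog, SID: 1 client connected [IP: 84.108.178.159, Nick: 158, Version: 2.0.32.60]
09-08-07 06:31:02,ALL,Info,AccessLog, SID: 1 client connected [IP: 192.0.2.10, Nick: ExampleUser, Version: 2.0.32.60]
"""

def parse(text):
    """Return (timestamp, sid, ip, nick, version) tuples for every matching line."""
    return [m.group("ts", "sid", "ip", "nick", "ver")
            for m in map(LINE_RE.match, text.splitlines()) if m]

def flood_windows(events, min_logins=3):
    """Flag one-second windows where every login has a new IP and the nicks count upward."""
    by_second = defaultdict(list)
    for ts, sid, ip, nick, ver in events:
        by_second[(sid, ts)].append((ip, nick, ver))
    flagged = []
    for (sid, ts), rows in sorted(by_second.items()):
        nicks = [int(n) for _, n, _ in rows if n.isdigit()]
        counting = len(nicks) == len(rows) and all(b == a + 1 for a, b in zip(nicks, nicks[1:]))
        if len(rows) >= min_logins and len({ip for ip, _, _ in rows}) == len(rows) and counting:
            flagged.append({
                "sid": sid, "second": ts, "logins": len(rows),
                # Distinct /16 prefixes: how many "a.b.*.*" bans this one second would need.
                "prefixes": sorted({".".join(ip.split(".")[:2]) for ip, _, _ in rows}),
                "versions": sorted({ver for _, _, ver in rows}),
            })
    return flagged

if __name__ == "__main__":
    for window in flood_windows(parse(SAMPLE)):
        print(window)
```

The `prefixes` field shows why per-range bans lag behind: each flagged second already spans several unrelated /16 blocks.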
-
09-08-2007, 17:24 #4
-= Undercover TeamSpeak Fanatic =-
- Join Date
- Jan 2007
- Location
- LA
- Posts
- 4,700
What are the IPs? If they only have the last two octets different, go to the ISP for those IPs and contact the abuse team and you can stop it there. Banning IP ranges could also be banning other people that go on your server.
-
09-08-2007, 17:27 #5
-= TeamSpeak Fanatic =-
- Join Date
- Jul 2006
- Posts
- 1,573
Damn that's hard...
Put a password on your server until they stop...
-
09-08-2007, 17:32 #6
-= Undercover TeamSpeak Fanatic =-
- Join Date
- Jan 2007
- Location
- LA
- Posts
- 4,700
They are all IPs from Israel, so there is not a big chance that the people that go on that server will have such an IP. If you want, I can give you the ranges to block them.
-
09-08-2007, 17:37 #7
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- USA
- Posts
- 5
Yes, if you do have the range, that would be appreciated.
-
09-08-2007, 17:56 #8
-= Undercover TeamSpeak Fanatic =-
- Join Date
- Jan 2007
- Location
- LA
- Posts
- 4,700
Do you have a firewall? This is too many for TS to handle, plus some span over the second octet in ranges.
Israel
77.124.0.0 to 77.127.255.255
79.176.0.0 to 79.183.255.255
80.178.0.0 to 80.179.255.255
80.230.0.0 to 80.230.255.255
81.5.0.0 to 81.5.63.255
82.80.0.0 to 82.81.255.255
82.166.0.0 to 82.166.255.255
83.130.0.0 to 83.130.255.255
84.94.0.0 to 84.95.255.255
84.108.0.0 to 84.111.255.255
84.228.0.0 to 84.229.255.255
87.68.0.0 to 87.71.255.255
88.152.0.0 to 88.155.255.255
89.138.0.0 to 89.139.255.255
212.179.0.0 to 212.179.255.255
217.132.0.0 to 217.132.255.255
JAPAN
221.16.0.0 to 221.31.255.255 (make sure not someone you want on before banning.)
USA
141.152.0.0 to 141.159.255.255 (make sure not someone you want on before banning.)
-
09-08-2007, 18:52 #9
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- USA
- Posts
- 5
Thanks, yeah, got it all plugged into apf, and now the guy is on a French IP
90.16.120.71
I don't get this
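An added example, not part of the original posts: it converts "start to end" ranges in the form posted earlier in the thread into CIDR blocks and reports which observed source addresses they leave uncovered. The sample copies four ranges and four log addresses from the thread plus the address reported just above; `to_cidr` and `uncovered` are names chosen for this example.

```python
import ipaddress

# Four of the ranges posted earlier in the thread, in their original layout
# (country headings and the trailing remark are kept to show they are tolerated).
RANGES = """\
Israel
81.5.0.0 to 81.5.63.255
82.80.0.0 to 82.81.255.255
84.108.0.0 to 84.111.255.255
JAPAN
221.16.0.0 to 221.31.255.255 (make sure not someone you want on before banning.)
"""

# Source addresses taken from the log excerpt, plus the one reported after the block.
OBSERVED = ["82.81.82.71", "84.108.50.173", "81.5.4.214", "221.18.155.98", "90.16.120.71"]

def to_cidr(ranges_text):
    """Turn 'a.b.c.d to e.f.g.h' lines into the smallest equivalent list of CIDR networks."""
    nets = []
    for line in ranges_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "to":
            first = ipaddress.ip_address(parts[0])
            last = ipaddress.ip_address(parts[2])
            nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks so the deny list stays short.
    return list(ipaddress.collapse_addresses(nets))

def uncovered(ips, nets):
    """Return the addresses that none of the networks contain."""
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]

if __name__ == "__main__":
    blocks = to_cidr(RANGES)
    print("deny list:", ", ".join(str(n) for n in blocks))
    print("not covered:", uncovered(OBSERVED, blocks))
```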
-
09-08-2007, 20:03 #10
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- USA
- Posts
- 5
Well, we ended up changing the server ports... hoping he doesn't catch on and come back. But now we have a lot of users to chase down and get back.
In the 2 years I've used TS as a server I have never had this much of an attack on me, nor heard of one happening elsewhere. Sounds like someone has a new TS flood script that changes IPs with each login.
-
09-08-2007, 21:04 #11
-= Undercover TeamSpeak Fanatic =-
- Join Date
- Jan 2007
- Location
- LA
- Posts
- 4,700
Like maxi said, you can keep the same port, just put a password on it. Registered users are not required to know the server password, just the login information for their account. Makes it a little harder to get new users, but you will remain safe.
-
10-08-2007, 00:45 #12
-= TeamSpeak Fanatic =-
- Join Date
- Dec 2004
- Location
- RF
- Posts
- 1,693
"Put a password on the `default' channel," he means.
But aside from that, you'd better contact your ISP and ask them what they can do to stop such a flood. Surely they have many more ideas on what should be done in that case.
-
26-08-2007, 17:09 #13
-= TeamSpeak User =-
- Join Date
- Aug 2007
- Location
- United States
- Posts
- 5
I noticed that the same IPs were in an attack on me recently. I had 3 different attacks; one actually took over the server and changed its name and everything. I had the older version of the server during that attack, and now have the newer one. They have tried again. I now have a password on the server, and only people who need to know will get it, and it has helped in keeping the offenders out, so far.
Also, is there an exploit that they used to gain access to the older version?
Because the names used had the SA CA R on them and not in the parentheses as they would with the normal connection. Just curious.
Vulcan