- 10-21
- 07:03 gnu-sense has joined (~gnu-sense@c-98-223-179-205.hsd1.in.comcast.net)
- 07:03 delusional: this is getting silly
- 07:04 delusional: tell me again why we can't just ban his ass, i mean, the attack has to be coming from somewhere
- 08:13 blast007: it's coming from the Internet
- 08:13 blast007: better ban it all
- 08:14 blast007: unplug the server from the network! solved!
- 08:14 delusional: what, he's got a botnet?
- 08:16 blast007: proxiese
- 08:16 blast007: proxies*
- 08:16 delusional: can't we ban the proxies?
- 08:16 blast007: there's tens of thousands of them, so, no
- 08:17 delusional: well, if we did ban the ones he's using right now, we'd at least get a temporary reprieve?
- 08:17 blast007: last time I tried adding a huge list of proxies to my firewall I made my server very unhappy
- 08:17 blast007: yeah, for a few minutes until he refreshes the proxy page and gets 10 more
- 08:18 blast007: sounds like you think it's not easy to get a list of several hundred proxies...
- 08:18 delusional: why can't we detect them quicker?
- 08:18 blast007: and then there's also Tor (which is actually easy to block) and VPNs
- 08:19 delusional: why can't we detect, and ban them quicker?
- 08:19 blast007: or I should say that Tor is easy to block completely, but a bit more challenging if you only want to block Tor exit nodes that have an exit policy that allows them to talk to your ports that are under attack
- 08:20 blast007: how would you detect a proxy?
- 08:20 delusional: by detecting the attack
- 08:20 delusional: i know... that's what we're trying to do
- 08:21 blast007: so really then detecting the proxy is irrelevant - you just want to detect the attack and react to that
- 08:21 blast007: I'd imagine it's possible to write a Snort ruleset for the attack
- 08:21 delusional: so... when he joins, we never get the full IP?
- 08:21 blast007: but I've never used Snort before
- 08:21 blast007: what?
- 08:22 delusional: we see the multiple attempts to join.. or whatever it is he's doing... don't we get the IP address from that?
- 08:27 blast007: of course
- 08:27 blast007 has changed mode: -o blast007
- 08:28 delusional: why are we having such a problem detecting that?
- 08:28 blast007: because nobody has tried to detect it?
- 08:30 delusional: I don't know, but it seems to me it should be relatively simple to get the address, and move it over to the firewall banlist. Why are we having such a problem getting the address?
- 08:33 delusional: I'm getting really fucking pissed off.
- 08:35 delusional: I guess if he knows his way around with proxies, he can continue to run rings around us forever.
- 09:57 blast007: again, I don't think anyone is trying to do that yet
- 15:32 blast007: also, if you do get flooded with connections and you firewall them out, the connections will still remain there for a LONG time, though that may depend on how you firewall them.
- 15:54 blast007: I've used a tool called killcx before to forcefully kill connections
- 15:56 blast007: I had ended up using a command like this:
- 15:56 blast007: netstat -nut | grep '186.150.130.118' | awk '{ print $5 }' | xargs -l1 -t -I {} ./killcx {} 2>&1 | less
- 15:56 blast007: where 186.150.130.118 was the attacker IP address
- 15:58 blast007: might actually want to replace the order of that awk and the grep though just to be safe..
- 15:59 blast007: netstat -nut | awk '{ print $5 }' | grep '186.150.130.118' | xargs -l1 -t -I {} ./killcx {} 2>&1 | less
- 15:59 blast007: of course, you'd want to do that *after* you firewall, and only if the connections hang around
- 16:00 blast007: I used that when DR had flooded my server with connections, and I wanted to see if I could fix it without simply restarting bzfs
- 16:00 blast007: http://killcx.sourceforge.net/
- 16:01 blast007: needs a few perl modules as well, and needs to be run as root (I think)
- 18:28 delusional: it's makin me sick
- 19:56 You have joined the channel
- 19:56 delusional has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
- 19:56 Topic: BZFlag Anti-Cheater Task Force
- 19:56 blast007 set the topic at: Oct 15, 2014, 7:38 PM
- 19:56 Mode: +Cnpst
- 19:56 Created at: Oct 15, 2014, 1:29 PM
- 10-20
- 03:46 Flash: On my machine, I can join/quit/join ... I wonder what is different
- 03:46 Flash: unfortunately, I am completely out of time for tonight
- 08:13 gnu-sense has joined (~gnu-sense@c-98-223-179-205.hsd1.in.comcast.net)
- 08:49 delusional: I'm having no problems right now
- 08:55 delusional: i could join rejoin at will, until a second player got there
- 08:56 delusional: and you can just wail away on the enter key, trying to connect, easy way to recreate the hack
- 10:32 You have joined the channel
- 10:32 delusion_ has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
- 10:50 You have joined the channel
- 10:50 delusional has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
- 11:11 You have joined the channel
- 11:11 delusion_ has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
- 11:11 delusional has left IRC (Read error: Connection reset by peer)
- 14:25 delusion_: Help Me Obi-Flash-Kenobi, you're my only hope.
- 17:08 Flash: ok, that should fix it
- 17:08 Flash: I even think I understand why :)
- 17:08 Flash: but all the cheater limiting is gone
- 17:09 Flash: allejo should be able to add it back in, if he is so inclined
- 17:29 allejo: wait, so are we back at square 1? lol
- 17:45 Flash: sort of
- 17:45 Flash: I took out most all of what I did, mostly because it was never supposed to be committed like that
- 17:46 Flash: However, the first thing I did (eliminate random memory read) broke it (init time of last action to 0)
- 17:46 Flash: This last change correctly fixes the problem noted in the first change
- 17:47 Flash: https://github.com/BZFlag-Dev/bzflag-import-3/commit/2ac2df538edc28969fcf69703cf91238fbacf33b
- 17:47 Flash: put the bzfs change back in if you like
- 17:48 Flash: it should be better now
- 18:01 allejo: so reimplement that patch with the current trunk?
- 18:01 Flash: yes, just the bzfs file
- 18:14 allejo: makes changes to bzfs.cxx
- 18:15 Flash: crosses fingers
- 18:16 allejo: compiles and i can rejoin freely :D
- 18:16 allejo: i think
- 18:16 allejo: delusion was saying he could rejoin freely until more people joined
- 18:18 Flash: it was actually until 10 mins after the first join
- 18:19 Flash: I see libcommon.a as part of the build.
- 18:19 allejo: oh
- 18:19 Flash: wrong window
- 18:21 apeman has joined (~vtw15@132.181.52.166)
- 18:30 Flash: no more than 3 joined so far, but seems better
- 18:36 Flash: had up to 5; saw some jitter issues
- 18:36 Flash: no lag to speak of
- 19:29 delusion_: i don't have a working client
- 19:43 Flash: still tough. Are you seeing any denied?
- 20:03 apeman: yes, clients are definitely being denied
- 21:52 gnu-sense has left IRC (Quit: gnu-sense)
- 23:30 Flash: it occurs to me that rather than close the bad sockets, we should hold them open.
- 23:43 delusion_: he can't come back?
- 23:48 Flash: well, if we close the socket, it's an immediate indication to his script to open a new one. but if we keep it open, he can keep sending data until his TCP buffer fills up
- 23:48 Flash: we just wouldn't read it