
Untitled

a guest
Oct 25th, 2014
  1. 10-21
  2.  
  3.  
  4. 07:03 gnu-sense has joined (~gnu-sense@c-98-223-179-205.hsd1.in.comcast.net)
  5. 07:03 delusional: this is getting silly
  6. 07:04 delusional: tell me again why we can't just ban his ass, i mean, the attack has to be coming from somewhere
  7. 08:13 blast007: it's coming from the Internet
  8. 08:13 blast007: better ban it all
  9. 08:14 blast007: unplug the server from the network! solved!
  10. 08:14 delusional: what, he's got a botnet?
  11. 08:16 blast007: proxiese
  12. 08:16 blast007: proxies*
  13. 08:16 delusional: can't we ban the proxies?
  14. 08:16 blast007: there's tens of thousands of them, so, no
  15. 08:17 delusional: well, if we did ban the ones he's using right now, we'd at least get a temporary reprieve?
  16. 08:17 blast007: last time I tried adding a huge list of proxies to my firewall I made my server very unhappy
  17. 08:17 blast007: yeah, for a few minutes until he refreshes the proxy page and gets 10 more
  18. 08:18 blast007: sounds like you think it's not easy to get a list of several hundred proxies...
  19. 08:18 delusional: why can't we detect them quicker?
  20. 08:18 blast007: and then there's also Tor (which is actually easy to block) and VPNs
  21. 08:19 delusional: why can't we detect, and ban them quicker?
  22. 08:19 blast007: or I should say that Tor is easy to block completely, but a bit more challenging if you only want to block Tor exit nodes that have an exit policy that allows them to talk to your ports that are under attack
  23. 08:20 blast007: how would you detect a proxy?
  24. 08:20 delusional: by detecting the attack
  25. 08:20 delusional: i know... that's what we're trying to do
  26. 08:21 blast007: so really then the detecting the proxy is irrelevant - you just want to detect the attack and react to that
  27. 08:21 blast007: I'd imagine it's possible to write a Snort ruleset for the attack
  28. 08:21 delusional: so... when he joins, we never get the full IP?
  29. 08:21 blast007: but I've never used Snort before
  30. 08:21 blast007: what?
  31. 08:22 delusional: we see the multiple attempts to join.. or whatever it is he's doing... don't we get the IP address from that?
  32. 08:27 blast007: of course
  33. 08:27 blast007 has changed mode: -o blast007
  34. 08:28 delusional: why are we having such a problem detecting that?
  35. 08:28 blast007: because nobody has tried to detect it?
  36. 08:30 delusional: I don't know, but it seems to me it should be relatively simple to get the address, and move it over to the firewall banlist. Why are we having such a problem getting the address?
  37. 08:33 delusional: I'm getting really fucking pissed off.
  38. 08:35 delusional: I guess if he knows his way around with proxies, he can continue to run rings around us forever.
  39. 09:57 blast007: again, I don't think anyone is trying to do that yet
  40. 15:32 blast007: also, if you do get flooded with connections and you firewall them out, the connections will still remain there for a LONG time, though that may depend on how you firewall them.
  41. 15:54 blast007: I've used a tool called killcx before to forcefully kill connections
  42. 15:56 blast007: I had ended up using a command like this:
  43. 15:56 blast007: netstat -nut | grep '186.150.130.118' | awk '{ print $5 }' | xargs -l1 -t -I {} ./killcx {} 2>&1 | less
  44. 15:56 blast007: where 186.150.130.118 was the attacker IP address
  45. 15:58 blast007: might actually want to replace the order of that awk and the grep though just to be safe..
  46. 15:59 blast007: netstat -nut | awk '{ print $5 }' | grep '186.150.130.118' | xargs -l1 -t -I {} ./killcx {} 2>&1 | less
  47. 15:59 blast007: of course, you'd want to do that *after* you firewall, and only if the connections hang around
  48. 16:00 blast007: I used that when DR had flooded my server with connections, and I wanted to see if I could fix it without simply restarting bzfs
  49. 16:00 blast007: http://killcx.sourceforge.net/
  50. 16:01 blast007: needs a few perl modules as well, and needs to be run as root (I think)
  51. 18:28 delusional: it's makin me sick
  52. 19:56 You have joined the channel
  53. 19:56 delusional has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
  54. 19:56 Topic: BZFlag Anti-Cheater Task Force
  55. 19:56 blast007 set the topic at: Oct 15, 2014, 7:38 PM
  56. 19:56 Mode: +Cnpst
  57. 19:56 Created at: Oct 15, 2014, 1:29 PM
  58.  
  59.  
  60.  
  61.  
  62. 10-20
  63.  
  64. 03:46 Flash: On my machine, I can join/quit/join ... I wonder what is different
  65. 03:46 Flash: unfortunately, I am completely out of time for tonight
  66. 08:13 gnu-sense has joined (~gnu-sense@c-98-223-179-205.hsd1.in.comcast.net)
  67. 08:49 delusional: I'm having no problems right now
  68. 08:55 delusional: i could join rejoin at will, until a second player got there
  69. 08:56 delusional: and you can just wail away on the enter key, trying to connect, easy way to recreate the hack
  70. 10:32 You have joined the channel
  71. 10:32 delusion_ has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
  72. 10:32 Topic: BZFlag Anti-Cheater Task Force
  73. 10:32 blast007 set the topic at: Oct 15, 2014, 7:38 PM
  74. 10:32 Mode: +Cnpst
  75. 10:32 Created at: Oct 15, 2014, 1:29 PM
  76. 10:50 You have joined the channel
  77. 10:50 delusional has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
  78. 10:50 Topic: BZFlag Anti-Cheater Task Force
  79. 10:50 blast007 set the topic at: Oct 15, 2014, 7:38 PM
  80. 10:50 Mode: +Cnpst
  81. 10:50 Created at: Oct 15, 2014, 1:29 PM
  82. 11:11 You have joined the channel
  83. 11:11 delusion_ has joined (~delusiona@pool-173-71-173-74.pitbpa.fios.verizon.net)
  84. 11:11 Topic: BZFlag Anti-Cheater Task Force
  85. 11:11 blast007 set the topic at: Oct 15, 2014, 7:38 PM
  86. 11:11 delusional has left IRC (Read error: Connection reset by peer)
  87. 11:11 Mode: +Cnpst
  88. 11:11 Created at: Oct 15, 2014, 1:29 PM
  89. 14:25 delusion_: Help Me Obi-Flash-Kenobi, you're my only hope.
  90. 17:08 Flash: ok, that should fix it
  91. 17:08 Flash: I even think I understand why :)
  92. 17:08 Flash: but all the cheater limiting is gone
  93. 17:09 Flash: allejo should be able to add it back in, if he is so inclined
  94. 17:29 allejo: wait, so are we back at square 1? lol
  95. 17:45 Flash: sort of
  96. 17:45 Flash: I took out most all of what I did, mostly because it was never supposed to be committed like that
  97. 17:46 Flash: However, the first thing I did (eliminate random memory read) broke it (init time of last action to 0)
  98. 17:46 Flash: This last change correctly fixes the problem noted in the first change
  99. 17:47 Flash: https://github.com/BZFlag-Dev/bzflag-import-3/commit/2ac2df538edc28969fcf69703cf91238fbacf33b
  100. 17:47 Flash: put the bzfs change back in if you like
  101. 17:48 Flash: it should be better now
  102. 18:01 allejo: so reimplement that patch with the current trunk?
  103. 18:01 Flash: yes, just the bzfs file
  104. 18:14 allejo: makes changes to bzfs.cxx
  105. 18:15 Flash: crosses fingers
  106. 18:16 allejo: compiles and i can rejoin freely :D
  107. 18:16 allejo: i think
  108. 18:16 allejo: delusion was saying he could rejoin freely until more people joined
  109. 18:18 Flash: it was actually until 10 mins after the first join
  110. 18:19 Flash: I see libcommon.a as part of the build.
  111. 18:19 allejo: oh
  112. 18:19 Flash: wrong window
  113. 18:21 apeman has joined (~vtw15@132.181.52.166)
  114. 18:30 Flash: no more than 3 joined so far, but seems better
  115. 18:36 Flash: had up to 5; saw some jitter issues
  116. 18:36 Flash: no lag to speak of
  117. 19:29 delusion_: i don't have a working client
  118. 19:43 Flash: still tough. Are you seeing any denied?
  119. 20:03 apeman: yes, clients are definitely being denied
  120. 21:52 gnu-sense has left IRC (Quit: gnu-sense)
  121. 23:30 Flash: it occurs to me that rather than close the bad sockets, we should hold them open.
  122. 23:43 delusion_: he can't come back?
  123. 23:48 Flash: well, if we close the socket, it's an immediate indication to his script to open a new one. but if we keep it open, he can keep sending data until his TCP buffer fills up
  124. 23:48 Flash: we just wouldn't read it