Project 1999

  #1  
07-19-2013, 11:28 AM
azxten
Fire Giant

Join Date: May 2010
Posts: 757

I'd be interested to see a packet capture as well or hear something from staff.

Considering the amount of trouble this has caused I imagine this is something more custom built which mimics legitimate traffic. Login server login attempts or something like that.

Then I would guess there is a firewall rule which watches for X packets per Y time to the server which is considered abnormal and blacklists the IP for some period of time.

So, every time there is a lag spike it's when the attack starts from a new collection of IPs which must be allowed access for a period of time to determine if they are malicious or not.

This is all just a rough guess but hopefully it provides some insight into how these things work for those who are curious.
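
The rule guessed at in the post above (more than X packets per Y time from one IP leads to a temporary blacklist, with a spike each time a fresh set of IPs appears) can be sketched as follows. This is an added example, not part of the original post and not the server's actual firewall; the thresholds, addresses and traffic rates are constructed assumptions.

```python
from collections import defaultdict, deque

class RateBlacklist:
    """Per-source rule: more than max_packets within `window` seconds
    blacklists the source for `ban` seconds (values are assumptions)."""
    def __init__(self, max_packets, window, ban):
        self.max_packets, self.window, self.ban = max_packets, window, ban
        self.seen = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned_until = {}           # ip -> time at which the ban expires

    def allow(self, ip, now):
        if self.banned_until.get(ip, 0) > now:
            return False                 # dropped before reaching the server
        q = self.seen[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget packets older than the window
        q.append(now)
        if len(q) > self.max_packets:
            self.banned_until[ip] = now + self.ban
            q.clear()
            return False
        return True

def simulate(flt, waves, rate, duration):
    """waves maps a start second to the IPs that begin sending then, each at
    `rate` packets/s. Returns packets reaching the server in each second."""
    reached, active = [], []
    for sec in range(duration):
        active = active + waves.get(sec, [])
        count = 0
        for i in range(rate):
            now = sec + i / rate
            count += sum(flt.allow(ip, now) for ip in active)
        reached.append(count)
    return reached

def demo():
    # Constructed scenario: three sources start at t=0, three new ones at t=5.
    waves = {0: ["198.51.100.%d" % i for i in range(3)],
             5: ["203.0.113.%d" % i for i in range(3)]}
    flt = RateBlacklist(max_packets=20, window=1.0, ban=60)
    return simulate(flt, waves, rate=50, duration=10)

if __name__ == "__main__":
    print(demo())
```

Each new wave gets its first 20 packets per source through before the threshold trips, which is the detection window the post describes; a client sending below the threshold is never blacklisted.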
  #2  
07-19-2013, 12:07 PM
rickjames
Large Bat

Join Date: Jul 2013
Posts: 11

There are two potential effects:

A) There is a socket connection and the server is requested to perform some sort of task (i.e. login). This taxes the server's process resources.

B) It's mostly dropped trash traffic (ICMP flood etc.) and overwhelms network equipment.

Scenario B is usually mitigated by over-provisioning bandwidth. Scenario A is much more difficult to respond to unless a solution is developed to trust connection sources and therefore drop packets before they reach the server.

Regardless, to fix the problem by throwing money at it is unlikely to be very efficient or effective.

Now one potential theory I had (I'm a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, I would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability.
  #3  
07-19-2013, 01:10 PM
MaximiusM
Banned

Join Date: Feb 2013
Posts: 52

Quote:
Originally Posted by rickjames
Now one potential theory I had (I'm a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, I would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability.

You've essentially come to the same conclusion as me, fellow internet receptionist. PM'ing with details.
  #4  
07-19-2013, 05:48 PM
August
Fire Giant

Join Date: Sep 2010
Posts: 703

If I can help in any way let me know. I have a background in cryptography and filter analysis and have been in software for 7 years.

More importantly, if you need to find out how to do something, I can find that out almost assuredly. I'm not an expert in cyber security, however.
  #5  
07-19-2013, 05:47 PM
Pringles
Planar Protector

Join Date: Nov 2010
Posts: 1,982

Quote:
Originally Posted by rickjames
Now one potential theory I had (I'm a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, I would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability.

Except that would stand out like a sore thumb as the cause and Rogean would have already resolved it.