Reality Check

[Goshdern_VZ]

If someone is DoS'ing the Login Server (I have been working in the IT world for a decade and this appears like a classic Smurf attack), this is for you.

I am 35 years old, I lost my job as the Internet Sales Manager for a GM dealership back in November. I am now a stay at home dad. After the kids go to sleep and my wife stops complaining about having to be the breadwinner now I just want to log on and play EQ and remember how much fun I had years ago.

Please stop, I am one of hundreds if not thousands during the course of each week lately that are dissapointed when we try to log on.

I am hoping you too can remember the "good ol times".

Think of the rest of us I beg you.

[Aergad]

the software needs to be fixed and hew hardware gotten, and it probably is a classic type of an attack probably one that should have been plugged up years ago but this is what happens when no real development is done on software for years at a time for whatever reason vulnerabilities that shouldnt be a problem are a problem

[man101]

as nice as that would be of whoever is doing it i highly doubt we will ever see that happen it was a good nice gesture to post that but i doubt they care

[kashaph]

I have a Cisco and Checkpoint firewall at home. Either of these would and are capable of negating these attacks when properly configured. There are some attacks, however, that need to be stopped at the server level, which usually simply requires updates to the software in order to remove the vulnerability. I would not mind lending some assistance if I were given the required details and access in order to investigate this issue.

note: I am not the be all, end all of knowledge, but I do spend quite a bit of time reading, learning, and of course doing this at work.

[ryder911]

Quote:

Originally Posted by kashaph

I have a Cisco and Checkpoint firewall at home. Either of these would and are capable of negating these attacks when properly configured. There are some attacks, however, that need to be stopped at the server level, which usually simply requires updates to the software in order to remove the vulnerability. I would not mind lending some assistance if I were given the required details and access in order to investigate this issue.

note: I am not the be all, end all of knowledge, but I do spend quite a bit of time reading, learning, and of course doing this at work.

I'm pretty sure its not a simple dos attack or a packet attack doing this... I think its something with their server that they launch that crashes it and they do this delibaterly, I could be wrong. I think if it was just a simple firewall issue they would've set that up already.

[Mysaphar]

I'm glad I listened to my wife and put potential donation money into a re-upping my live subscription. This stuff is getting pretty ridiculous.

[Goshdern_VZ]

revised....

[shalll]

i am seriously thinking about going to live as well, as i understand it there will be a new progression server that will stop at luclin

[KingMort]

Goshdern_VZ....

I totally feel you man... Though I do not play on any Eqemu server not even my own... I have worked very hard on my server for many many years (7 years this June) ...

Thats 12% of my life... and this is my life... I quit my job to do this full time though I live in a mold infested crap apartment... I am dedicated to my work..

This has had a huge impact on me as well... As it has to probably every server op involved in this project..

When this is over, I promise you... Everything will be vindicated... Doodman and KLS have worked hard to get this stuff working right spending very long hours...

This community will thrive no matter what, and you can take that to the bank..

King Mortenson
www.raidaddicts.org

[varsas]

i dont get it ... is something serious happening?

first i see people posteing about the ls server just being down, nothing new but now this?

soooo ya is something bad going on like a hacker messing things up or what???

[WillowyLady]

Makes me think a little.

If the LS is indeed receiving DoS attacks, surely the culprit(s) can be traced and reported to thier ISP. However, I think they would be savvy enough to hide behind proxy server(s), even then is it not possible to trace to that server and Identfy the owner and report the attacks?

I don't know if the outfits the run these anon proxy servers can be held to account for the traffic that passes through, especailly if that traffic is malicious in intent.

Is this just some random numptie(s), or someone who has an axe to grind, are these recent occurances, or have we had a history of such attacks.

There is no real accounting for some peoples defective mind states that they would derive some perverse pleasure by depriving other a little pleasure with themselves or thier friends.

Just hope an end is put to the nonsence.

[Aergad]

just block the ips from the server iptables and the problem is solved cant attack what they cant connect to that will give them time to actually fix the code

[AndMetal]

Quote:

Originally Posted by WillowyLady

If the LS is indeed receiving DoS attacks, surely the culprit(s) can be traced and reported to thier ISP. However, I think they would be savvy enough to hide behind proxy server(s), even then is it not possible to trace to that server and Identfy the owner and report the attacks?

I would say possible, but not probable. Until computer users stop running viruses (see Zombie Computer), you can report issues to ISPs and they will usually inform the user of the issue (sometimes disconnecting their service until they can prove they have the virus removed), but with all of the anonymous proxies out there, that all depends on the willingness of the proxy owner to help.

Quote:

Originally Posted by Aergad

just block the ips from the server iptables and the problem is solved cant attack what they cant connect to that will give them time to actually fix the code

The problem with just blocking the IPs @ the firewall is they start coming from another IP (mostly proxies, but not all of them). Doodman was trying to force 500-series errors to trick the bots into giving up, although I'm not really sure what became of that (I stopped following the IRC logs about a week or so ago).

The issue is the web server was being DoS'd, not the login server (out of 10,000 connections available, ~9,000 of those were from a single IP). That was causing the issues with the main page, forums, etc from being accessed. However, this wasn't really affecting the login server.

The issue with the login server was a buffer overflow exploit (my money's on the user count). Doodman addressed this in the post in the News section, including that a fix has been put in for the issue:

Quote:

Originally Posted by Doodman

The loginserver was running pretty well for a long time, until someone in the community found a buffer overrun bug in the loginserver and decided to exploit the fact that they could make it crash. It wasn't a random crash. It was crashing in the same spot, from the same user, sending the same information. I hastily implemented a fix to prevent the attack, which ended up fixing the issue but introducing the "incorrect password" issue that was seen for a day or so. That is also now fixed. The login server has been up (except for a restart by me) w/o crash for day in a half. Which, sadly, considering the past few weeks is quite a bit.

The bottom line is, yes, there are more than likely enhancements that can be made to the existing login server source, but if a more powerful server was in place, it would have been much more likely for it to shrug off the DoS attack, which was the main problem. That's still going to be the biggest bottleneck, not an issue in the software that has already been patched.

[coreyoli]

Logged in, was having fun.. got hung up zoning and now can't get back in.. Thinking my zoning problem was related to the problem that is also causing the login problem...

I wish Live would implement an old world server.. :(