Anyone know what's going on exactly? A solution to these attacks?

[NvrGnaStp]

So lately damn near every server has been attacked. From personal experience we have stopped it temporarily by changing the ports the server uses and blocking inbound connections through certain ports using the firewall, but this has only proven to be a temporary, couple hour fix. Has anyone come up with a permanent solution? It sounds like even Gamigo was attacked earlier, with a 2 hour downtime, and ragezone has been offline twice in the past 48 hours. When we first stopped the attack I think we upset the attacker because moments later we ran into a DoS attack, recognized by commview and took it out within minutes. Now consider the low population of the server, we are really not a threat to anyone so I assume it is the same person. Anyone else have more information to help us sort this out?

[MentaL]

[SeanLiT]

If it's some dood going around dosing servers there's nothing much you can do other than purchase protection. I don't really understand what is really going on but is he attacking in on ports to make a service crash or something? I quickly read another thread about it...

[NvrGnaStp]

It's not a dos attack... It's some sort of attack on the port of either the login, or the world manager service which causes the world manager service to crash, and the firewall doesn't help.

[munozvo5]

Matthew 24:14: And this gospel of the kingdom will be preached in the whole world as a testimony to all nations, and then the end will come.

[Manova]

From what you're describing, it sounds like packet manipulation. I could be wrong though. :)

[hannesa]

It is a Invalides packet which is sent to the World Manager and this brings to the crash.
The solution is pretty simple, although perhaps only temporarily until the aggressor program be rewritten.

But I think this attack is very fair in contrast to those which paralyze the whole server.

I'm sorry for this broken english but im very tired right now and used google translate

[Delius]

From what I've viewed from starring at TCPView the attacker is under a Tor Proxy that seems to be on a very specific timer of roughly 45 minutes. It seems to make a quick 0.5 connection sending a total of 5 bytes/packets, w/e and then kills the connection. Next 45 minutes round it seems to be under a new proxy name. It seems if you keep all services offline but the manager server it doesn't get attacked, but as soon as the "login" service is turned on the attacks begin?

Hope this gives enough information for someone to think of something.

[Ashers]

There are dark clouds approaching.

[Kalachu]

From what I've viewed from starring at TCPView the attacker is under a Tor Proxy that seems to be on a very specific timer of roughly 45 minutes. It seems to make a quick 0.5 connection sending a total of 5 bytes/packets, w/e and then kills the connection. Next 45 minutes round it seems to be under a new proxy name. It seems if you keep all services offline but the manager server it doesn't get attacked, but as soon as the "login" service is turned on the attacks begin?

Hope this gives enough information for someone to think of something.

look up blocking tor hope that helps then if they use a vpn :) block that as well there's other methods but try that.

[Delius]

look up blocking tor hope that helps then if they use a vpn :) block that as well there's other methods but try that.

Okay thanks! I'll give that a go, however will blocking Tor just cause the attacking address appear as a normal old IP?

[NextIdea]

From what I've viewed from starring at TCPView the attacker is under a Tor Proxy that seems to be on a very specific timer of roughly 45 minutes. It seems to make a quick 0.5 connection sending a total of 5 bytes/packets, w/e and then kills the connection. Next 45 minutes round it seems to be under a new proxy name. It seems if you keep all services offline but the manager server it doesn't get attacked, but as soon as the "login" service is turned on the attacks begin?

Hope this gives enough information for someone to think of something.

The 5 bytes is probably sent by the login service as all Fiesta services send that data when whoever connects.
That isn't enough to determine are other services running and it just is to test ports to find the Manager.


It would help if someone could capture the packets before the Manager service crash.

[ChubbyCrab]

That's the problem with pservers that run with precompiled services and no sourcecode available.
You can code a "port-guard" to prevent package manipulation attacks like this. It's a service all incoming connections will be passed trough. All other ports can be closed this way. The service then forwards the packages internal to the corresponding fiesta-services.
To prevent the attacks, it have to check for the manipulated package and stops it before the World_manager tries to process it.
So it is a kind of "try & catch"-error service/guard, of course it would be much easier with sourcecode =/

Problem with this solution is the performance, becaue the service have to handle ALOT of packages per second, so maybe a good coded multi-threading service would be needed OR you have to run 5 or more instances of the guard, like you can do with the ZoneServers at the moment.

[Delius]

This is the Fiesta community. Dat most likely ain't gonna happen.

It would help if someone could capture the packets before the Manager service crash.

I will try my best. But it will be hard as the connection doesn't show up for much more than a second; unless ofc someone can recommend a better program?

Either way I think it will just have to result in waiting it out and hoping that this no life dude/girl finds a nice boy/girl to "pass time" with rather than taking down Pservers
The "Its Gamigo!" has already begun :c

[Wicious]

This is the Fiesta community. Dat ain't gonna happen.

Not with that attitude.

[NextIdea]

I will try my best. But it will be hard as the connection doesn't show up for much more than a second; unless ofc someone can recommend a better program?

FiestaShark was created to capture all Fiesta related packets.