barelymissed
Dec 08, 2011 6:10 PM
Posts: 1
After a ton of research, I have concluded that attackers seem to be using GameTracker to get IPs of game servers and then using them to send spoofed RCON or status packets to servers to attack others.
I run a CoD4 server. I have found that many games, including CS:S and some CoD series servers, can be "exploited" to packet flood. I was noticing a ton of extra bandwidth on my server, so I looked at the server support section on a popular forum and noticed other administrators were seeing tons of bandwidth usage, something that was definitely indicating something wrong. I was not being directly targeted personally; it seems the whole crowd is feeling repercussions. I looked into router logs and saw the attack. It is only 200kbps, and mind you, I have a ton of bandwidth so it is not knocking me offline; however, for most of the attacking IPs, once googled, the first result is here at GameTracker. Servers are receiving forced getstatus or other RCON commands, and the server is responding to what it thinks is a legitimate command; however, it does not realize that it is being flooded with the command a million times in order for it to be used to attack the spoofed IP, in this case, the victim. I don't know how active these forums are, but hopefully we can figure out how to stop this attack. I just want others to know that they aren't the only ones, and I want this attack to stop as I can't host because of it.
Tom
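
The flood described in the post above works because the server answers every getstatus it receives, whatever source address the packet claims. As an added illustration (not posted by anyone in this thread and not code from GameTracker or any game), a per-source token bucket caps how many status replies one claimed address can draw and records which addresses are being hammered; the packet prefix, the class and function names, and the sample addresses are assumptions or constructed.

```python
from collections import defaultdict

# Assumption: Quake 3-derived engines (CoD4 among them) mark connectionless
# queries with four 0xFF bytes followed by the command name.
OOB_PREFIX = b"\xff\xff\xff\xff"
QUERY_COMMANDS = (b"getstatus", b"getinfo")


class QueryLimiter:
    """Token bucket per claimed source IP for unauthenticated status queries."""
    def __init__(self, burst=10, refill_per_sec=1.0):
        self.burst = burst
        self.refill = refill_per_sec
        self.buckets = {}                 # ip -> (tokens, time last seen)
        self.dropped = defaultdict(int)   # ip -> queries left unanswered

    @staticmethod
    def is_query(payload):
        body = payload[len(OOB_PREFIX):]
        return payload.startswith(OOB_PREFIX) and body.startswith(QUERY_COMMANDS)

    def allow(self, src_ip, payload, now):
        """Return True if the server should answer this packet."""
        if not self.is_query(payload):
            return True                   # other traffic is not judged here
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.refill)
        answer = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if answer else tokens, now)
        if not answer:
            self.dropped[src_ip] += 1
        return answer

    def likely_spoofed(self, min_dropped=100):
        """Addresses whose query volume suggests they are a spoofed victim."""
        return sorted(ip for ip, n in self.dropped.items() if n >= min_dropped)


def replay(packets, limiter):
    """Feed (timestamp, src_ip, payload) records through the limiter."""
    answered = defaultdict(int)
    for ts, ip, payload in sorted(packets):
        answered[ip] += limiter.allow(ip, payload, ts)
    return dict(answered)


# Constructed sample: a 1000-query one-second flood and a browser polling every 30 s.
FLOOD = [(i / 1000, "198.51.100.7", OOB_PREFIX + b"getstatus") for i in range(1000)]
BROWSER = [(t, "203.0.113.20", OOB_PREFIX + b"getinfo xyz") for t in (0.0, 30.0, 60.0)]
```

With these settings the flooded address receives 10 replies instead of 1000, while the slow poller is answered every time.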

xscotch
Dec 18, 2011 10:45 PM
Posts: 2
Yes, many BR servers are offline right now because of DDoS attacks.

idtoaster
Mar 02, 2012 11:15 PM
Posts: 4
I am having the same issue on a mohaa sp server. Is there a remedy?

burn
Mar 02, 2012 11:36 PM
Posts: 10924
Contact your game server provider and request that they invest in decent DDoS protection so it will occur less frequently and be easier to defend against.

mdknght2
May 03, 2013 12:57 PM
Posts: 2
Typical response: blame the ISP and try to sell your own service, instead of trying to help solve the issue.

burn
May 03, 2013 5:53 PM
Posts: 10924
mdknght2 wrote:
If you have any suggestions, you are welcome to post them. The only real solution GT could implement would be to universally hide all IP addresses, but that does not address the underlying issue, and users want to be able to connect and find servers. Giving more attention to the core of the issue is where the solution lies, which is done by the systems administrators on the users' end.

mdknght2
May 04, 2013 2:47 PM
Posts: 2
Having the ISP do a null route only places a bandaid on a gash and doesn't solve the issue at hand.
Perhaps aliasing the IP. Most people that use GameTracker just click join or already have them bookmarked, so knowing the IP is kinda moot. Maybe sending out notices to popular gameserver companies offering to assist in any way. Maybe making server rank a feature you have to have an account to see. This would make it harder for an anonymous person to harvest which servers to hit, and would also give a way to track huge amounts of rank queries, possibly alerting to a possible harvest of info. In my opinion you guys have a great service here, but it is also up to you to do whatever you can to maintain the security of the users of this service. I know you don't have to as per the TOS, but if you don't then you lose users, as the current googled fix to this problem is to quit using GameTracker and change IPs. I would be glad to offer suggestions as I think of them to help solve this problem, as it will not stop until the attacker can no longer use GameTracker to pick his targets.

burn
May 04, 2013 3:51 PM
Posts: 10924
mdknight2 wrote:
Well my point was that "hiding" or "aliasing" the IP does not actually solve any issue. The server is still just as vulnerable as it was before, it is just publicly posted at one less place and that one place is severely handicapped in providing their service effectively. If the server is join-able, the IP can be determined... and can be determined easily. GameTracker would lose both players and server owners by blocking the IP address from showing. It would also make it much more difficult for users to use the site, especially if they do not install GT Lite. This would similarly go with forcing people to log in to access it, which spammers can get around. The real point is that people manage and join their servers differently. I'd be interested in seeing your research regarding how people use GameTracker (second sentence) - since GT does not publish usage information like that, I am rather interested in finding who exactly is making these claims to you.
mdknight2 wrote:
mdknight2 wrote:
Yes, true. The simple solution to lessen the chance of a DDoS attack is to not post IP addresses at all online. However, I do not believe most server owners would like this as they would lose a lot of players. Companies like GameServers.com do implement custom measures to prevent abuse further than DDoS-like attacks. For instance, I believe in the COD series they "patched" an exploit in the engine (quake engine?) by preventing the characteristic request to the server by blocking it in the firewall. However, in the end it is up to each provider as to how much security they provide their users. This is not up to GameTracker and GameTracker does not provide any security service for hosting. GameTracker is focused on server tracking.
Last edited by: burn May 04, 2013 9:57 PM

blyte
May 19, 2013 1:05 PM
Posts: 30
To help with any attempts on the rcon_password server, try this.
Put it in your server.cfg, not the multiplayer.cfg:

```
// Set the rcon_password
rcon_password "YOUR_PASSWORD"

// RCON Protection (5 10 5 30 defaults)
sv_rcon_banpenalty 5
sv_rcon_maxfailures 10
sv_rcon_minfailures 5
sv_rcon_minfailuretime 30
```
Last edited by: blyte Sep 12, 2013 10:14 AM