barryblack • PM
May 18, 2012 2:40 PM
Posts: 7
I'm interested in knowing if you guys keep a log of who and when people add a server to your website.

The reason why I'm asking is that I am not interested in having my server advertised or added on your website for many reasons, but none that I will go into right here and now. The server in question that I am wondering about is the same IP as the machine I am posting from: 83.227.76.250

One of our servers has been added, which is our COD 4 server which runs on default port (83.227.76.250:28960). Server name is "^5=BC=^0|^1HC ^3SND^0|^5FF=ON ^0(b3) ^5www.banditcompany.com ^0| ^3Recruiting"

We have removed the server now but we are very interested in knowing WHO added it to your website. We only want the IP or IPs involved, nothing more. I might add that we've deleted the record by registering it and then deleting it. But we'd like to know an IP record if any.

If you have questions or need more elaboration, feel free to ask.

Regards, BarryBlack
Last edited by: burn May 18, 2012 3:13 PM

burn • PM
May 18, 2012 3:12 PM
Posts: 10924
Hi,

As you can imagine, private user information cannot be given out for privacy reasons. You can only find what you can normally find out from the website.

I would recommend blocking 108.61.78.* from scanning your server. That should prevent your server from being added by blocking the scanners. Please note that this, of course, does not prevent anyone from scanning your server. There are a number of other tracking websites that people can add your server to if they would like to view the stats.

I would also recommend putting a password on your server. That way you can prevent unwanted users from joining your server.

barryblack • PM
May 18, 2012 8:02 PM
Posts: 7
burn wrote:
Yes of course, privacy... it's a bad excuse when I only ask for an IP but fair enough. Privacy rights are privacy rights and you do need to keep those.

burn wrote:
A more specific IP would be nice since blocking 255 IPs is out of the question. Other websites do not concern me, only yours. Read below for reasons.

burn wrote:
It has nothing to do with not wanting "unwanted" users to join the server. The reason why I myself do not want my server added to your website is because www.gametracker.com is being used by large botnets to attack large server centers. Call of duty games and quake games run on quake protocols which has an exploit which allows clever hackers/botnets to use those servers to attack other servers hosted in server centers. DDOS is one thing, but this is a redirect DDOS attack which is quite clever really.

To explain... they are scanning your website for potential servers to use as attackers and scanning for source engine servers to attack (which also has a weakness). This is the first stage. Once they have enough IPs of servers, they start distributing them throughout the botnet and start spamming these servers with the command "get status". For a quake based server, this means it's supposed to answer "yes, I am a call of duty 4 server, I have 4 people playing, this is their ping and their names" and a whole lot of other info. Now, remember I said redirect DDOS or rather DRDOS.

[quote]
Reflected / Spoofed attack

A distributed reflected denial of service attack (DRDoS) involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.

ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing many hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.

Many services can be exploited to act as reflectors, some harder to block than others.[15] DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier.
[/quote]

This is a brief explanation you can find on Wikipedia. My point here being is that whether you'll want to admit it or acknowledge it or even want to believe it, is that your site is being used by a VERY large botnet to attack servers around the world. We are talking about thousands of servers with massive bandwidth that are being used to attack others. Now it needs to be pointed out that your website (among others) is just an info site for potential victims they can use.

Before you ask any stupid and obvious questions if we've made sure the host computer we use is not infected and really a botnet machine. No ... we've re-installed that machine many times now. We've changed our IP address. And for a brief few days, our servers are DRDOS free. Until ... wait for it ... it pops up on your website. Then the DRDOS begins. It's taken us about 5 months to manage to track this down and fully understand exactly how this happens.

To point out more facts from our side. We have a second COD4 server + 1 CODwaw server, neither of them are added to gametracker and neither of them are being used to attack with. They have on the other hand been added earlier, and were then used for a DRDOS attack.

By our research, professional game server hosters are not being used in this manner because they have fancy hardware routers that are specifically built to handle and detect DDOS and DRDOS and such and block such requests. So what you're looking at is normal home owner hosters like ourselves that cannot afford hardware routers which block these attacks or afford software in the 200 - 400 dollar range which does the same.

To have it said, yes I understand that WE are the attackers here. But we are being used. And the source for IPs to abuse comes from your website and others. For some magical reason, our servers keep being added to gametracker without any of us doing it. Hence the reason for the request for an IP or IPs. We've told all our members not to add our server because they've been informed of the reasons for this. So by our account it's either regulars on the server, bots or some other form of means that is adding it.

I'm not here to flame you, by all means you should be proud of your website and the progress and growth of the website. Kudos to you all. But these are the facts I'm sad to say.

While we've already gotten an answer on the whole privacy issue so I won't press the issue. But I have to ask you to search to see if any of these hostnames/domain names are saved and being automatically added somehow.

ts.banditcompany.com
ts3.banditcompany.com
mw2.banditcompany.com
mw.banditcompany.com
cod.banditcompany.com

Or basically anything related to *.banditcompany.com. Because if it is, please remove it.

I have to say tho, that I've enjoyed using your banners and such in the past when I didn't know about this kind of abuse. And I would still love to use your website so I could use the banners. But because of the magnitude of the attacks and not to mention how much bandwidth we are using on these attacks (between 3-10 megabyte a second). We cannot allow ourselves to be abused and used in this manner hurting other server owners and not to mention being part of taking down large service centers.

I know this is a whole lot to chew on, and if it's something that was unknown to you before, then I guess it's a blow to the face which is easily dismissed on grounds that there's very little proof to it. You have the right to do that, you're of course proud of what you do and the service you give. And you should be proud! Again, none of this is to flame you. We and tons of others are very fond of your services. But this has got to stop somehow.

The idea of blocking gametracker from scanning our servers actually never occurred to me and my fellow geek administrators. But I'll say it again that specific IPs would be appreciated.

It's very late here, so I'll stop writing as of now. Hit me back, and I'll answer any questions you might have.

Regards, BarryBlack

burn • PM
May 18, 2012 8:35 PM
Posts: 10924
Hi,

I believe the main scanners are just:

108.61.78.147
108.61.78.148
108.61.78.149
108.61.78.150

Hope this helps.
Last edited by: burn May 18, 2012 10:27 PM

barryblack • PM
May 19, 2012 2:05 PM
Posts: 7
Thank you very much for your help.

I hope one day these lowlife botnet people will stop abusing and exploiting these things so I can use your server banners again.

Regards, BarryBlack

maul • PM
May 21, 2012 11:53 AM
Posts: 983
Hi BarryBlack,

Your feedback on this topic is much appreciated. Yes, attacks like these ruin gaming experiences for many. I'm sorry to hear that you are being succumbed to these attacks. As you have mentioned, this type of attack typically happens to Quake-protocol based games.

As a side note - the GameServers.com team works to prevent these types of attacks on their servers, should you ever decide to go with a managed hosting solution.

Although it is unlikely that we will see further patches for COD4, CODWAW - urging the developers to patch these types of exploits is always a good idea. This particular issue would be best patched in the game server itself.

Best regards.

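As an added illustration of the server-side fix suggested in the post above (not part of the original thread, and not code from GameTracker or any game server): a per-source token bucket that caps how many status queries a server answers, so a flood of requests carrying one forged source address produces only a handful of replies toward that address. The thresholds, the 203.0.113.9 flooded address and the packet timings are constructed assumptions; 108.61.78.147 is the scanner address given earlier in the thread.

```python
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"  # marker for Quake 3 connectionless packets


def is_status_query(payload: bytes) -> bool:
    """True for an out-of-band status query such as b'\\xff\\xff\\xff\\xffgetstatus'."""
    return payload.startswith(OOB_PREFIX) and payload[4:].lstrip().lower().startswith(b"getstatus")


class StatusRateLimiter:
    """Token bucket per source address: `burst` replies at once, then `refill_per_sec`."""

    def __init__(self, burst: int = 5, refill_per_sec: float = 1.0):
        self.burst = float(burst)          # assumed threshold, tune per server
        self.refill = refill_per_sec       # assumed threshold, tune per server
        self.buckets = {}                  # src_ip -> (tokens, last_seen_timestamp)

    def allow(self, src_ip: str, now: float) -> bool:
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.refill)
        allowed = tokens >= 1.0
        self.buckets[src_ip] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def filter_status_queries(packets, limiter):
    """packets: iterable of (timestamp, src_ip, payload). Returns (answered, dropped) per source."""
    answered, dropped = defaultdict(int), defaultdict(int)
    for ts, src, payload in packets:
        if not is_status_query(payload):
            continue  # other traffic is outside this sketch
        (answered if limiter.allow(src, ts) else dropped)[src] += 1
    return dict(answered), dict(dropped)


def sample_traffic():
    """Constructed input: one flooded (forged) source and one tracker polling once a minute."""
    query = OOB_PREFIX + b"getstatus"
    flood = [(i * 0.005, "203.0.113.9", query) for i in range(200)]
    tracker = [(t, "108.61.78.147", query) for t in (0.0, 60.0, 120.0)]
    return sorted(flood + tracker)


if __name__ == "__main__":
    answered, dropped = filter_status_queries(sample_traffic(), StatusRateLimiter())
    print("answered:", answered)
    print("dropped: ", dropped)
```

Because the forged packets all carry the victim's address, keying the bucket on source address limits what the victim receives while a tracker polling once a minute is unaffected.
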
barryblack • PM
Sep 17, 2013 12:35 PM
Posts: 7
Sorry to open up an old topic, but this is the most related topic to my question.

Regarding your scanners, do you have more IPs now than those noted here in this topic?

barryblack • PM
Sep 17, 2013 12:44 PM
Posts: 7
Never mind, found this and I think this will solve my problems with your services.

http://pastebin.com/AbJAajja

burn • PM
Sep 17, 2013 7:43 PM
Posts: 10924
FYI that is the same message as what you receive when GT is unable to scan your server. You can also find the IPs in http://www.gametracker.com/forums/forum.php?site=1&thread=42545