|*KoG*| King of Gores - general

ᶰ°Konͧsti 2021-06-04 05:00:48Z

send server

Ketama

Me is boting too

what kind of grammar is that

@Moderator

3

@picasso

there is a guy who is blocking and cant be banned

12:53

aip gores

Kebab

is it not possible to have anti ddos on servers ?

13:54

I can donate for it

Nicky Larson

I can donate for it

This too expensive

How much

~10k / month for our current network

ouch

13:57

and what about one server per regions ?

Thats not possible

Avolicious

~10k / month for our current network

huh

13:57

That doesn't make sense

Yes it does

13:58

Anti DDoS is very expensive

is it specific to game servers ? because anti ddos for web servers is not that expensive

As this game is based upon UDP you even have more trouble

13:58

Because HTTP based upon TCP

1

13:58

Teeworlds uses UDP

Ok I see thanks

13:59

then rewrite teeworlds with http and polling

13:59

pls

13:59

jk

One of the main problems which will be solved after ddnet 15.5 is the HTTP Master server

Will it improve the issues we have with ddos?

I guess, yes

14:00

because you dont leak your IP to all servers in the server list (edited)

but it's easy to get the ip with wireshark or whatever right

14:00

anyway

No

14:00

Right now if you refresh your server browser, you send requests to all servers in the list

14:00

This will leak your ip to servers itself

14:01

Due to its nature in UDP you can spoof ip addresses

14:01

Currently ddos against our servers comes from spoofed player ip addresses

14:01

HTTP(s) master will solve the problem of "leaking" your ip to servers before connection

If I understand correctly this means you can be sure of the ip of the person who accesses the list of servers

As I've written, if you refresh the server list, you send your ip to all servers within this list

14:03

There are some "honeypots" hosted by ddos kiddies, to catch those ip addresses

So the way they ddod

14:03

ddos

We do have anti-ddos external firewalls

is by refreshing the server list ?

No

14:04

You just expose your ip to them after server list refresh

14:04

& they will use your IP which is allowed to join our servers, because our external firewall got your ip covered

14:04

They just fake UDP pakets & change the src ip address within this header

Avolicious

As I've written, if you refresh the server list, you send your ip to all servers within this list

100% malicious the idea of this XD

No, you have to ping the servers

14:05

So everything is fine actually

I get that they can spoof IPs because of UDP that's clear thanks, I just don't get how it will improve with the new client

14:05

All you need is the server ip to ddos right

14:05

even if it makes it harder to get it

No

it's still somewhat easy to have it

We do have external firewalls

14:06

Our external firewalls is configured to allow only connected clients

Right

Yeah, but if you refresh your server browser you ping honeypots & they get your ip

14:07

then they can spam us with your ip address & our external firewall thinks its you

1

And in the udp packet you don't have access to the real ip ? like in the lower OSI layers

https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure

User Datagram Protocol

In computer networking, the User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data ...

So IP is not part of the packet

GG @Nicky Larson, you just advanced to level 6 !

Its part of the payload

14:08

It is in the packet

That's crazy

14:10

like as in bad

14:10

you could spoof any ip

Yes you could

14:10

Welcome to the internet

And how do they fix this issue with TCP ? Using protocols like https ?

https://github.com/ddnet/ddnet/blob/master/src/engine/server/server.cpp#L2064-L2116

ddnet/ddnet

DDraceNetwork, a cooperative racing mod of Teeworlds - ddnet/ddnet

Tyrone 2 2021-06-04 14:11:35Z

No, TCP would not be an option

I know I'm just curious

woo level 2

GG @Tyrone, you just advanced to level 1 !

How to prevent this issue for websites etc

HTTP is based upon TCP

14:12

Its easier to detect attacks

Banner is back

How? because you have those ack things?

No teeworlds protocol does have ack implemented

14:13

but its udp based

Yeah

14:14

Thanks networking master (edited)

But 15.5 implemented HTTP master

14:14

so your ip wont be "leaked" after server list refresh

And it's not possible to imagine a private key sent in every udp packet

14:15

to authentify the packets

WTF

14:15

This would kill nearly everything

14:15

100% CPU usage on client & server

14:15

xdddd

14:15

But dont send private keys

14:15

only public keys

Not sure, plenty of games encrypt their data

14:15

even real time games

14:16

yes whatever

14:16

you got my point

Yeah but encryption is adding complexity & more usage

14:16

You have to decrypt & encrypt all packages

At least it would be a viable solution, could be worth a try

Not its not worth it

HTTP(s) master is worth it

14:17

Because only the servers you connect to, get your ip address

14:17

it does not add complexity

Ah I think I got it

14:18

honeypots dont work anymore because you dont connect to it

14:18

only ping them

You dont even ping them

14:18

HTTP(s) master gives you all details about all servers

Ahhh

14:18

like a proxy

you can ping them afaik, but you have to enable it

14:18

No

they are calling the honeypots server

Every server sends heartbeats to master server

1

I see

https://master1.ddnet.tw/ddnet/15/servers.json

These ddos kids really invested some time jesus

3

14:19

seting up these honeypot sv

14:19

for such a shitty small game

its easy

14:19

not even 10 minutes

Yeah if you know the codebase etc

14:20

but it gets some time to get to know it

Well, 30 minutes & you're in the game

14:20

Without codebase knowledge

I'm afraid of these low level codes

14:22

c c++

14:22

networking

14:22

^^

2+2=4

7

-1 thats three quick mafs

Let me know if the master server update thingy is not enough I would be willing to invest a bit of time to at least do some research for udp encryption I'm sure there are plenty of solutions out there which shouldn't make the cpu cost skyrocket

You can open an issue on ddnet github

14:31

But you have to add fallback support for vanilla teeworlds

to connect to vanilla servers ? I guess in this case it would use the current mecanism

Yep

14:32

And 0.7 support

14:32

So have fun xd

I never touched teeworlds code

14:38

I don't even know what 0.7 changes