Teeworlds
discord.gg/teeworlds / development
For discussions around the development of the official Teeworlds
Between 2020-07-30 00:00:00Z and 2020-07-31 00:00:00Z
Avatar
Network engineer here. IP spoofing is highly unlikely if the hacker is not your provider, hasn't hacked your router, or isn't part of a very large hacker group that dares to spoof BGP. Because to spoof an IP address you need to be on the same broadcast domain or hack a router participating in transporting IP packets from your home to the place where the TW server is hosted. The only router which is not a part of ISP infrastructure is yours. (edited)
07:00
At least IP spoofing on the network layer of the internet (which is the IP protocol). But I dunno about vulnerabilities of the TW network protocol itself. (edited)
07:06
So every time I hear about IP spoofing on the internet I cry. It's mostly architecturally impossible (refer to OSI model layers 2 and 3 and read how the ARP spoofing attack works and its limitations). (edited)
07:08
So it must be vulnerabilities in the TW protocol, the TW server code, or the linux box itself is hacked and is mangling packets before giving them to TW. (edited)
07:09
Please don't use the term "IP spoofing" where this could be at most "game protocol hacking". (edited)
07:10
On second thought, there is some NAT attack. So if your TW server is behind a NAT it could be exploited to spoof. But I don't think anyone will use NAT on a server. (edited)
Avatar
u are wrong
07:15
spoofed ddos attacks happen often on tw
07:16
they find providers that don't properly check the source address that outbound packets claim to be from
07:16
@Deleted User it's fairly obvious when they set the source ip to player ips that they've sniffed from the browser, or server ips that they want to try to take down with a reflection attack, or anything else that's clearly spoofed
07:20
https://www.caida.org/projects/spoofer/ see this link for more info
Avatar
I've worked in a large ISP. Yes, you can spoof packets originating from a hacked ISP, but they will be rejected by the ingress rules of other ISPs while transporting them, because IP ranges are bound to ASNs and every ISP has its list of ASNs (usually one). (edited)
Avatar
it's not a 'hacked' isp
07:21
and i know that there are often limitations on what ranges can be spoofed from where but
07:21
i've been hosting a tw server for a couple years and i've seen all kinds of weird spoofed attacks
Avatar
Yes, the last one. I think you can compromise an ISP in Uruguay, for example. But spoofed packets originating from it with the source IP address of some USA ASN will not be accepted on the network outside Uruguay.
Avatar
well that would explain why the traffic is heavier in some ranges than others
07:22
but whatever rules apply between isps still allow the attackers to use literally millions of different addresses
07:23
from (guessing by the bandwidth) only one server/provider
07:24
also i'm not exactly sure what u mean by nat attack but the attacks are usually spoofed udp packets
Avatar
There is a way to spoof a packet if the receiver is behind a NAT and the NAT is not configured very strictly and only checks the destination port, not the source IP.
Avatar
i thought the ability to spoof depended on the provider that it's coming from + by the time the packets have reached the destination it's too late to tell if they are spoofed
Avatar
Yes, I am just thinking about another possibility. If a server is on a home computer and is behind a router which has NAT, there is another possibility to spoof.
07:28
"So every time I hear about IP spoofing on the internet I cry. It's mostly architecturally impossible", hah well sorry for you but yeah it does exist
07:28
😄
Avatar
someone was making this type of traffic a day or so ago
07:28
huge range of addresses
Avatar
And why do you think this is not a common DDoS but that IP spoofing is involved? (edited)
07:29
cuz we know how vali does his attacks
Avatar
i've seen attacks come from my old ips before lol
07:29
they knew my old ip so the packets were coming from that address
Avatar
I think all those IPs are just legal IPs of infected machines which are part of a botnet.
07:30
i also saw attacks coming from the ip of bombay server, on both my servers as well as ddnet
Avatar
they knew my old ip so the packets were coming from that address
wow
Avatar
because they were spoofing it
Avatar
cuz we know how vali does his attacks
How? Can I read about it?
07:31
I've got xush's spoofing programs that do use a list of bogons as source IP
07:31
i also saw attacks coming from the ip of bombay server, on both my servers as well as ddnet
But they could just buy a VPS instance on the hoster you've been hosted on and receive this IP?
Avatar
he just finds server providers that haven't been set up properly to prevent spoofing
07:31
and no i don't think it works like that
Avatar
@Deleted User what are bogons there?
07:31
"invalid" IP ranges
Avatar
they have a dedicated server
07:32
don't think anyone else can use their address
Avatar
or IPs not allocated by an ISP
07:32
10.0.0.0/8 is a bogon for example
Avatar
@Deleted User i'm right that if i see attacks coming from the bombay server address it's obviously spoofed?
Avatar
(but impossible to transmit over the internet)
Avatar
since ur not flooding my server with ur server i assume lmao
Avatar
@noby well, you could tell @Deleted User how we received info responses from a lot of valve servers
07:32
10.0.0.0/8 is not a bogon. It is a grey/private address network that should be dropped on any internet backbone router.
Avatar
@Deleted User 10.0.0.0/8 is a bogon
Avatar
they were also using valve servers like counterstrike to do reflection attacks
07:33
send inforequests to those servers with the source ip set to bombay's
07:33
all the counterstrike servers send bigger replies to bombay
Avatar
In IP networking, a private network is a network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments...
07:33
Have you been blacklisted in error? Learn more here. What Is a Bogon, and Why
07:33
I'll let you read that
07:33
It's a private network. That's all.
07:34
read the link
07:34
😄
Avatar
the point is that if u see packets coming from addresses starting with 10.xx it's fake but
Avatar
Anyone can use those addresses. But they will be discarded at the exit of the private area and will not be retransmitted to the internet backbone.
Avatar
not as relevant since the attacks i usually see on tw don't use this source address
07:34
yea
07:34
probably can't
07:35
Ah ok, it seems that we're talking about the same thing
07:35
What Is a Bogon, and Why Should I Filter It? A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
07:35
so there is nothing to argue about
Avatar
We've just called them what they are, private network spaces
07:35
I just never heard the term bogon
07:36
and every router has a rule denying routing from/to it
07:36
especially border routers
07:36
+, a long time ago we made a list of potential spoofed packets, and all those packets were suddenly matching that list
07:36
Look, if your server is not hosted at a third world hoster he will 100% have a deny rule for private networks.
07:36
But internet backbone routers also will have that.
Avatar
but u don't know by the time a packet reaches ur server whether it came from a host like that or not
Avatar
You've never seen a 10.0.0.0/8 IP in your log. Have you? (edited)
07:37
no, private addresses will never pass over the internet
Avatar
no, there's a fair amount of networks that exist that aren't set up correctly, enough to allow this type of thing to happen
07:37
and no i haven't seen a 10.xx ip
07:37
but i have seen obviously spoofed ips
Avatar
@Deleted User right. That's what I am talking about. (edited)
07:38
yes, but bogons are not private subnets only
07:38
You mean unallocated IPs?
07:38
Does IPv4 even have them btw?
07:38
I thought there were no unallocated IPv4 addresses left.
Avatar
for example
07:38
07:39
either @Deleted User was attacking me (lmao)
07:39
or this was a spoofed attack
07:39
which it clearly was
Avatar
yes or maybe u've done it yourself FeelsGoodMan feelsamazingman
07:39
lmao
Avatar
This ASN Information tool displays information about an IP address's Autonomous System Number (ASN) such as IP owner, registration.
Avatar
it is not a bogon network address, it belongs to an ASN (edited)
Avatar
i know, bogons are not too relevant to this
07:39
imo
Avatar
149.202.19.227 = bombay.reitw.fr, but we're telling you that spoofing does exist
Avatar
it's just not allocated to the person who's actually sending the traffic
07:39
because ye
07:40
that address is only allocated to rei's server
07:40
and i have root there and i trust he's not the one sending this traffic
Avatar
+
07:41
let me show you something @Deleted User 😄
Avatar
nor is it compromised since we'd see on the network monitor that it's sending a high amount of shit
07:41
and then look into it
Avatar
this was an abuse report that I've received, someone reported my IP for VSE flooding
07:42
Maybe a hacker has a VPS on the same subnet and has been able to spoof ip via plain old arp spoofing?
Avatar
i don't think any ovh vpses can spoof
Avatar
the main issue is, my virtual servers are not behind any NAT, + I've got only a single program running on that "8404" port, and it's a teeworlds server, not any valve client
07:43
i don't think any ovh vpses can spoof
You're right. Maybe VPS cannot spoof.
(edited)
Avatar
i'm fairly sure that the attacker just uses one server that's behind a network that's so poorly set up that it allows him to spoof a very wide range of the internet
07:43
not all addresses like u said, he can't do 10.0.0.0/8, but still
07:43
oh i meant nothing from ovh can
Avatar
I think that he is fairly limited to what he can use as source IP.
Avatar
but he isn't lol
07:44
look at the image i posted
07:44
the volume of this attack would be way higher if it was actually this many separate compromised devices
Avatar
Why don't you think that there are TWO types of attack? Most are DDoS w/o spoofing and the one spoofing rei's server IP is from a spoofer? (edited)
Avatar
because the type of attack in general is the same lol
07:45
same types of packets, same range of volume
Avatar
@Deleted User You may know that I've got some old experience in that domain (from some years ago)
Avatar
he just sometimes changes the source addresses or the type of tw packet he's spoofing
Avatar
And we weren't using any kind of botnets :D, everything was spoofed
Avatar
sometimes uses random addresses and whatever gets thru gets thru, sometimes player ips, sometimes specific server/player ips, etc
07:46
and since there are really very few people doing attacks on teeworlds in 2020 it seems like a reasonable conclusion that such similar attacks are done in the same way
07:46
by the same person* lol
07:47
also if it was a true ddos with a botnet the bandwidth would be wayyyyyy higher
Avatar
Hm.... so you're telling me that those packets are presumably originating from one machine?
07:47
can be 1, 2, x
07:47
almost definitely 1
Avatar
Also that maybe 90-99% of spoofed IP ranges are filtered somewhere and only 1-10% of the traffic reaches your machine?
07:47
depends on how many spoofed servers they have :v
Avatar
otherwise why would he never be able to produce more than 1gbit at a time
07:47
with multiple machines/botnet that should be ez
Avatar
With DDoS he could have just bought attack time with a price based on capacity.
07:49
Too bad it's ovh. Their support is the worst.
07:49
Haven't you considered moving for example to DO?
07:49
i used to have do
Avatar
They could have stricter policies on ingress traffic?
Avatar
i moved to ovh because it doesn't nullroute
07:49
and has some built-in ddos protection
Avatar
Also they could be more willing to investigate abuse.
07:49
i used to host on digitalocean
Avatar
Ah okay.
Avatar
there was no built-in ddos protection
07:50
once there started being attacks over a few gbit/s they just nullrouted
07:50
so we moved to ovh
07:50
but these big attacks were not the same person
07:50
just some kid with a paid stresser
Avatar
But what is the impact? Is it high CPU on the tw process which has to filter invalid packets?
07:51
Or real spoofing/drop of connections.
Avatar
it depends on the type of packets they're sending
07:51
usually it's inforequest flood which
Avatar
Yeah, but what are problems now?
Avatar
yeah consumes cpu by trying to assemble and send replies to tens/hundreds of thousands of inforequests per second
07:51
or by whatever it does to try to filter it
Avatar
That's interesting. I would like to theorise how the server could mitigate that.
07:52
But later.
07:52
just rework that shitty protocol & you're done
Avatar
u tell me xd
07:52
well that's the ultimate fix
Avatar
Thanks for the info. It seems that the internet is a far worse configured place than where I've worked.
Avatar
if they make it so that all the connectionless shit like inforequests and master registration and initial connection use tcp
07:53
and then everything from there normal udp once verified
07:53
that would be the biggest fix
07:53
and yeah take a look at the caida website i've linked
Avatar
@Deleted User probably cuz where you've worked is a company and their network is private, FeelsGoodMan
Avatar
u'll probably find that the providers ranked high on spoofing ability are literally random ones u've never heard of
Avatar
@Deleted User I've worked in a large backbone ISP
07:54
There were tons of internet traffic policies and security measures (edited)
07:54
all was safe and tidy
07:54
That's why I initially thought this type of attack wasn't possible
Avatar
would be nice if it wasn't possible
Avatar
Because if every router on the internet, or at least on the backbone, were configured strictly, this wouldn't be possible
Avatar
But it seems that there are providers which are accepted into the backbone but who do almost no traffic filtering at all
07:55
TIL
07:55
yes some of them are quite bad
07:56
:v)
Avatar
also, years ago, we had a host that didn't care about spoofed traffic, you could even talk to them about it in support
Avatar
they would be like "hey my friend"
07:56
yes
Avatar
but you have to look at countries like russia, & close to that
Avatar
i had always assumed that these providers didn't even know that it's a thing
Avatar
no, my friend with whom I was working on that even asked the host for an amp list
07:57
the host gave it
Avatar
amp list?
Avatar
yes, for a specific method (don't remember which), but let's just take memcache as an example. An amp list is just a worldwide scan to check which servers are vulnerable to memcached amp attacks (so no security, and the memcache server is publicly open). Once you've done that, you just spoof the target IP in the source IP field (before that you add data to the memcache server, a single variable that would return a big amount of data), and you send a request with that spoofed packet to all memcached servers from that amp list
08:01
lmao
08:01
wow
08:01
sketchy af 😂
Avatar
memcached attacks were cool, that was one of the biggest attacks in recent years
Avatar
heard about it i guess
Avatar
well I just found a good link from cf
08:02
don't remember but one of the biggest attacks with that protocol reached more than 1Tb/s
Avatar
lol crazy
08:03
yea another example of obvious ip spoofing abuse
Avatar
yes, this requires spoofing the source IP address
08:06
Did that infamous rewriting of the netcode from 0.6 to 0.7 help anything?
08:07
I've heard that the netcode is neater now but haven't compared.
08:08
well a little bit, the only issue is that some people decided to suddenly add the 0.6 protocol again
08:10
Wow, a bilingual tw server!
08:10
That would be a pain to support.
08:10
yes with some juicy vulnerabilities
Avatar
i have a .6 server but i added the support code so that 0.7 can join
08:12
credit to timakro or whoever did the work for unique server since that's where 95%+ of it came from
Avatar
but you have to look at countries like russia, & close to that
i had always assumed that these providers didnt even know that its a thing
but... I am from Russia )
08:53
We have 2-3 backbone providers that give traffic to all lower level ISPs. Even if some of them misconfigured something, those major backbone ISPs should fix that (by filtering wrong traffic). I've worked in one of them, policies are really strict there. As I've said, there were literally tons of access control rules updated every day. Maybe Russia is a third-world country, but ISPs there are not. At least big ones. (edited)
08:56
But whatever. Can anybody tell me if there is any way to tell whether a .map file is in 0.6 or 0.7 format? Or is there even such a thing as a version of a map file? I've checked the headers but they are the same. (edited)
08:56
Also I have found no utility that can print info on a .map file.
Avatar
i think it has less to do with the country and more to do with the isp itself like
09:09
a large provider with many thousands of customers probably has its shit together and doesn't allow spoofing
09:10
tiny providers that don't have many customers seem less likely to have fixed things like this
09:12
@Deleted User and i don't know much about mapping but i do know that some 0.6 maps will work with 0.7 without any changes at all, which makes me think it is the same underlying format, and i'm not sure what the other changes on top of this are
09:12
so probably no way to instantly tell which version a map is designed for (?)
Avatar
Thanks. I thought the same about compatibility
Avatar
that's a long conversation there. in 0.6 we had a lot of fun with spoofed ips, especially of admins, who then executed commands that they never typed in :D, one of many examples, I guess. (edited)
Avatar
non-ddnet-based server?
Avatar
yeah. I bet ddnet based servers might have had that at some point as well, tho I never hosted one, so I cannot tell.
Avatar
at some point maybe
09:46
but i think the version i've used isn't vulnerable to it
09:46
at least the rcon thing
Avatar
we are far from that time
09:46
it's been fixed long ago
Avatar
@Deleted User I have a 0.7 mod and support 0.6 clients. But I forced it to only allow ddnet based clients, because they have tokens. If a ddnet based client like baumalein joins, it even can't move on the server because it's sending wrong playerflags and 0.7 is clamping them, that's why aimline doesn't work as a playerflag anymore in 0.7
Avatar
Found by lgtm.com, mentioned by @jxsl13 :) tempfile.mktemp is deprecated since Python 2.3 and considered weak (https://cwe.mitre.org/data/definitions/377.html). Change is untested: sadly I could not get all dependencies building (https://github.com/planetbeing/libdmg-hfsplus/issues/14) and thus could not test this branch of code. If one has the binaries for hfsplus please test this.
Avatar
Thanks. By any chance, do you know a possible reason why a 0.7 client might parse correctly but silently fail to apply tune parameters received from 0.7 if they are not sent from the admin console?
10:23
I want to implement a freeze effect like in FNG, but still ground_control_speed received from the server doesn't have any effect on the client. I've double-checked the received value.
10:24
baumalein doesn't send any different playerflags compared to normal ddnet
10:24
u must detect it by version number or the way it sends inputs when the bots are on
Avatar
@jxsl13 still, some processes could be done differently through tcp which will be easier to filter
11:19
fstd, gie3, tken, etc... all of that could be done over tcp, and ingame data over udp
Avatar
In theory only the snapshot and the input snap need to be udp
Avatar
well once the client has opened his tcp session, everything could just be udp behind
Avatar
Today one could just use quic with the datagram extension
Avatar
but yah, just as an example a gie3 flood over udp just results in massive code execution, data generation & outgoing bandwidth
11:23
over tcp it would require the three way hs before, and s-a packets are so small
11:23
+ a lot of attacks like syn flooding are already filtered by some hosts like ovh
Avatar
@fokkonaut #2669 was about the connection to the 0.7 master, right? With your code I'm always getting warnings about the 0.6 master not responding, but a few seconds later it is registered again. It happens without anyone joining the server. For the 0.7 master everything is working. Tried with gcc 9.3, 120 clients, high bandwidth, ... No matter what I try to break it, everything is still fine
Avatar
masters have some issues recently
11:35
yesterday also
11:39
@redix cuz sadly vali's team is back
Avatar
Hmm okay
Avatar
Is the 0.6 master still having issues today? It still gives me [register6]: WARNING: Master server is not responding, switching master but registers again immediately
Avatar
Would be nice to be able to select an area or the whole map and provide two indices to search and replace all occurrences of these tiles. Can come in super handy when gametiles or mapres change.
Avatar
@redix You can check the current master server status at https://status.tw/status/. Master 3 is up and fine
A service for displaying and analyzing the status and statistics of Teeworlds servers and players
Avatar
okay thanks 🙂 then it's really an issue with the code
Avatar
I didn't say it's perfect. There is always room for improvements. It just currently kind of works.
Exported 273 message(s)