Teeworlds - development

Teeworlds

discord.gg/teeworlds / development

For discussions around the development of the official Teeworlds

Between 2020-07-30 00:00:00Z and 2020-07-31 00:00:00Z

Network engineer there. IP spoofing is highly unlikely if hacker is not your provider, hacked your router or being part of a very large hacker group that dares to spoof BGP. Cause to spoof IP address you need to be on the same broadcast domain or hack a router participating transporting of IP packets from your home to the place where TW server is hosted. The only router which is not a part of ISP infrastructure is yours. (edited)

07:00

At least IP spoofing on the network layer of the internet (which is IP protocol). But I dunno about vulnerabilities of TW network protocol itself. (edited)

07:06

So every time I hear about IP spoofing on the internet I cry. Its mostly architecturally impossible (refer to OSI model layers 2 and 3 and read how ARP spoofing attack works and its limitations). (edited)

07:08

So it must be vulnerabilities in TW protocol, TW server code or linux box itself is hacked and is mangling packets before giving them to a TW. (edited)

07:09

Please don't use term "IP spoofing" where this could be at most a "game protocol hacking". (edited)

07:10

On the other thought there is some NAT attack. So if your TW server is behind a NAT it could be exploited to spoof. But I don't think anyone will use NAT on server. (edited)

u are wrong

07:15

spoofed ddos attacks happen often on tw

07:16

they find providers that dont properly check the source address that outbound packets claim to be from

07:16

@Deleted User its fairly obvious when they set the source ip to playerips that theyve sniffed from browser, or server ips that they want to try to take down with reflection attack, or anything else thats clearly spoofed

07:20

https://www.caida.org/projects/spoofer/ see this link for more info

I've worked in a large ISP. Yes, you can spoof packets originating from a hacked ISP, but they will be rejected with ingress rules of other ISPs whilte transporting it cause IP ranges are bound to ASNs and every ISP have its list of ASNs (usually one). (edited)

its not a 'hacked' isp

07:21

and i know that there are often limitations on what ranges can be spoofed from where but

07:21

ive been hosting a tw server for a couple years and ive seen all kinds of weird spoofed attacks

Yes, the last one. I think you can compromise an ISP in Uruguay for example. But spoofed packets originating from it having source IP address of some USA ASN will not be accepted on the network outside the Uruguay.

well that would explain why the traffic is heavier in some ranges than others

07:22

but whatever rules apply between isps still allow the attackers to use literally millions of different addresses

07:23

from (guessing by the bandwidth) only one server/provider

07:24

also im not exactly sure what u mean by nat attack but the attacks are usually spoofed udp packets

There is a way to spoof a packet if receiver is behind a NAT and NAT is not configured very strictly and only checks destination port not the source IP.

i thought the ability to spoof depended on the provider that its coming from + by the time the packets have reached the destination its too late to tell if they are spoofed

Yes, I am just thinking about other opportunity. If a server is on home computer and is behind a router which has NAT there is another possibility to spoof.

07:28

"So every time I hear about IP spoofing on the internet I cry. Its mostly architecturally impossible", hah well sorry for you but yaah it does exist

07:28

someone was making this type of traffic a day or so ago

Image attachment

07:28

huge range of addresses

And why do you think this is not a common DDoS but an IP spoofing is involved? (edited)

07:29

cuz we know how vali does his attacks

ive seen attacks come from my old ips before lol

07:29

they knew my old ip so the packets were coming from that address

I think all those IPs are just legal IPS of infected machines which have are part of botnet.

no lol

07:30

i also saw attacks coming from the ip of bombay server, on both my servers as well as ddnet

they knew my old ip so the packets were coming from that address

wow

because they were spoofing it

cuz we know how vali does his attacks

How? Can I read about it?

07:31

I've got xush's spoofing programs that does use a list of bogons as source IP

07:31

i also saw attacks coming from the ip of bombay server, on both my servers as well as ddnet

But they could just buy VPS instance on hoster you've been hosted and receive this IP?

he just finds server providers that havent been setup properly to prevent spoofing

07:31

and no i dont think it works like that

@Deleted User what are bogons there?

07:31

"invalid" IP ranges

they have a dedicated server

07:32

dont think anyone else can use their address

or not alloced IPs by ISP

07:32

10.0.0.0/8 is a bogon for example

@Deleted User im right that if i see atacks coming from the bombay server address its obviously spoofed?

(but impossible to transmit over the internet)

since ur not flooding my server with ur server i assume lmao

@noby well, you could tell to @Deleted User how we received infos responses of a lot of valve servers

07:32

10.0.0.0/8 is not a bogon. It is a grey/private address network that should be dropped on any internet backbone router.

o yah

@Deleted User 10.0.0.0/8 is a bogon

they were also using valve servers like counterstrike to do reflection attacks

07:33

send inforequests to those servers with the source ip set to bombays

07:33

all the counterstrike servers send bigger replies to bombay

@Deleted User no https://en.wikipedia.org/wiki/Private_network

Private network

In IP networking, a private network is a network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments...

07:33

https://team-cymru.com/community-services/bogon-reference/

The Bogon Reference

Have you been blacklisted in error? Learn more here. What Is a Bogon, and Why

07:33

I let you read that

07:33

Image attachment

07:33

Its a private network. That's all.

07:34

read the link

07:34

the point is that if u see packets coming from addresses starting with 10.xx its fake but

Anyone ca use those addresses. But they will be discarded at the exit of private area and will not be retranslated to the internet backbone.

not as relevant since the attacks i usually see on tw dont use this source address

07:34

yea

07:34

probably cant

Image attachment

07:35

Ah ok, it seems that we're talking about the same thing

07:35

What Is a Bogon, and Why Should I Filter It? A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

07:35

so there is nothing to argue at

right

We've just called them as they are, private network spaces

07:35

I just never heard term bogon

07:36

and every router has a rule denying routing from/to at

07:36

especially border routers

07:36

+, a long time ago we've made a list of potential spoofed packets, and all those packets were matching suddently to that list

07:36

Look, if your server is hosted not in a third world hoster he will 100% have deny rule from private servers.

07:36

https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

07:36

But internet backbone routers also will have that.

but u dont know by the time a packet reaches ur server whether it came from a host like that or not

You'd never seen a 10.0.0.0/8 IP in your log. Have you? (edited)

07:37

no, private addresses will never pass over the internet

no, theres a fair amount of networks that exist that arent setup correctly enough to allow this type of thing to happen

07:37

and no havent seen 10.xx ip

07:37

but have seen obviously spoofed ip

@Deleted User right. That's I am talking about. (edited)

07:38

yes, but bogons are not private subnets only

07:38

You mean unallocated IPs?

07:38

Does IPv4 even has them btw?

07:38

I thought no unallocated IPv4 addresses left.

for example

07:38

Embedded image

07:39

either @Deleted User was attacking me (lmao)

07:39

or this was a spoofed attack

07:39

which it clearly was

yes or maybe u've done it yourself FeelsGoodMan

FeelsGoodMan

feelsamazingman

u

07:39

lmao

@noby but it is allocated https://www.ultratools.com/tools/asnInfoResult?domainName=149.202.19.227

ASN Lookup Tool | UltraTools

This ASN Information tool displays information about an IP address's Autonomous System Number (ASN) such as IP owner, registration.

yeah

it is not a bogon network address, it belongs to ASN (edited)

i know, bogons not too relevant to this

07:39

imo

149.202.19.227 = bombay.reitw.fr, but we're telling you that spoofing does exist

its just not allocated to the person whos actually sending the traffic

07:39

because ye

07:40

that address is only allocated to reis server

07:40

and i have root there and i trust hes not the one sending this traffic

1

+

07:41

let me show you something @Deleted User

nor is it compromised since we'd see on the network monitor that its sending a high amount of shit

07:41

and then look into it

Image attachment

lol

this was an abuse report that I've received, someone reported my IP for VSE flooding

07:42

Maybe a hacker has VPS on the same subnet and been able too spoof ip via plain old arp spoofing?

i dont think any ovh vpses can spoof

the main issue is, my virtual servers are not behind any NAT, + I've got only a single program running on that "8404" port, and it's a teeworlds server, not any valve client

07:43

i dont think any ovh vpses can spoof

You're right. Maybe VPS cannot spoof. (edited)

im fairly sure that the attacker just uses one server thats behind a network thats so poorly setup that it allows him to spoof a very wide range of the internet

07:43

not all addresses like u said, he cant do 10.0.0.0/8, but still

07:43

oh i meant nothing from ovh can

I think that he is fairly limited to what he can use as source IP.

but he isnt lol

07:44

look at the image i posted

07:44

Embedded image

07:44

the volume of this attack would be way higher if it was actually this many separate compromised devices

Why don't you think that there are TWO types of attack? Most are DDoS w/o spoofing and the one spoofing a rais server IP is from a spoofer? (edited)

because the type of attack in general is the same lol

07:45

same types of packets, same range of volume

@Deleted User You may know that I've got some old experiences in that domain (from some years ago)

he just sometimes changes the source addresses or the type of tw packet hes spoofing

And we weren't using any kind of botnets :D, everything was spoofed

sometimes uses random address and whatever gets thru gets thru, sometimes playerips, sometimes specific server/player ips, etc

07:46

and since there are really very few people doing attacks on teeworlds in 2020 it seems like a reasonable conclusion that such similar attacks are done in the same way

07:46

by the same person* lol

07:47

also if it was a true ddos with a botnet the bandwidth would be wayyyyyy higher

Hm.... so you're telling that those packets are originating presumably from one machine?

07:47

can be 1, 2, x

yes

07:47

almost definitely 1

Also that maybe 90-99% spoofed IP ranges are filtered somewhere and only 1-10% of traffic goes to your machine?

07:47

depends of how many spoofed servers they have :v

otherwise why would he never be able to produce more than 1gbit at a time

07:47

with multiple machines/botnet that should be ez

With DDoS he could just bought attack time with price based on capacity.

07:49

Too bad it's ovh. Their support is the worst.

07:49

Haven't you considered to move for example to DO?

lmao

07:49

i used to have do

They could have stricter policies on ingress traffic?

i moved to ovh because it doesnt nullroute

07:49

and has some builtin ddos protection

Also they could be more willing to investigate on abuse.

no xd

07:49

i used to host on digitalocean

Ah okay.

there was no builtin ddos protection

07:50

once there started being attacks over a few gbit/s they jsut nullrouted

07:50

so we moved to ovh

07:50

but these big attacks were not the same person

07:50

just some kid with a paid stresser

But what is impact? Is it hight CPU on tw process which have to filter invalid packets?

07:51

Or real spoofing/drop of connections.

it depends on the type of packets theyre sending

07:51

usually its inforequest flood which

Yeah, but what are problems now?

yeah consumes cpu by trying to assemble and send replies to tens/hundreds of thousands of inforequests per second

07:51

or by whatever it does to try to filter it

That's interesting. I would like to theoretise how server could mitigate that.

07:52

But later.

07:52

just rework that shitty protocol & you're done

u tell me xd

07:52

well thats the ultimate fi

07:52

x

Thanks for the info. Seems that internet is far worse configured place than it was where I've worked.

if they make it so that all the connectionless shit like inforequests and master registration and initial connection use tcp

07:53

and then everything from there normal udp once verified

07:53

that would be the biggest fix

07:53

and yeah take a look at the caida website ive linked

@Deleted User probably cuz where you've worked is a company and their network is private, FeelsGoodMan

FeelsGoodMan

ull probably find that the providers ranked high on spoofing ability are literaly random ones uve never heard of

@Deleted User I've worked in a large backbone ISP

07:54

There were tons of internet traffic policies and security measurements (edited)

07:54

all was safe and tidy

07:54

That's why I've thought initially this type of attack isn't possible

would be nice if it wasnt possible

Cause if every router on the internet or at least on backbone would be configured strictly this wouldn't be possible

right

But it seems that there are providers which are accepted to backbone but who do almost no traffic filtering at all

07:55

TIL

07:55

yes some of them are quite bad

07:56

:v)

lol

also, years ago, we had a host that didn't care of spoofed trafic, you could even talk to them about it in the support

rly

they would be like "hey my friend"

07:56

yes

ahhah

but you have to look at countries like russia, & close to that

i had always assumed that these providers didnt even know that its a thing

no, my friend with who I was working on that, even asked for an amp list to the host

07:57

the host gave it

amp list?

yes, for a specific method (don't remember which), but let's just take memcache as an example, amp list is just a worldwide scan to check which server is vulnerable to memcached amp attacks (so no security, and the memcache server is publicly open). once you've done that, you just spoof the target IP in the source IP field, (before that you add a data to the memcache server, a single variable that would return a big amount of data), and you send a request with that spoofed packet to all memcached servers from that amp list

ahhhh

08:01

lmao

08:01

wow

08:01

sketchy af

memcached attacks was cool, that was one of the biggest attacks in recent years

heard about it i guess

well I just found out a good link from cf

08:02

https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/

08:02

don't remember but one of the biggest attacks with that protocol reached more than 1Tb/s

lol crazy

08:03

yea another example of obvious ip spoofing abuse

yes, this requires to spoof source IP address

08:06

Was that infamous rewriting of netcode from 0.6 to 0.7 helped anything?

08:07

I've heard that netcode is more neat now but haven't compared.

08:08

well a little bit, the only issue is that some people decided to suddently add 0.6 protocol again

08:10

Wow, a bilingua tw server!

08:10

That would be a pain to support.

08:10

yes with some juicy vulnerabilities

i have a .6 server but i added the support code so that 0.7 can join

08:12

credit to timakro or whoever did the work for unique server since thats where 95%+ of it came from

but you have to look at countries like russia, & close to that

i had always assumed that these providers didnt even know that its a thing

but... I am from Russia )

08:53

We have 2-3 backbone providers that give traffic to all lower level ISPs. Even if some of them misconfigured smth, those major backbone ISP should fix that (by filtering wrong traffic). I've worked in one of them, policies are really strict there. As I've had said there were literally tons of access control rules updating every day. Maybe Russia is a third-world country, but ISPs there are not. At least big ones. (edited)

08:56

But whatever. Can anybody tell me is there any way to tell if a .map file is in 0.6 or 0.7 format? Or is there even such a thing as version of a map file? I've checked headers but they are the same. (edited)

08:56

Also I have found no utility that can print info on a .map file.

i think it has less to do with the country and more to do with the isp itself like

09:09

a large provider with many thousands of customers probably has its shit together and doesnt allow spoofing

09:10

tiny providers that dont have many customers seem less likely to have fixed things like this

09:12

@Deleted User and i dont know much about mapping but i do know that some 0.6 maps will work with 0.7 without any changes atall, which makes me think it is the same underlying format, and im not sure what the other changes on top of this are

09:12

so probably no way to instantly tell which version a map is designed for (?)

Thanks. I've thought the same on compatibility

that's a long conversation there. in 0.6 we had a lot of fun with spoofed ips, especially of admins, which then executed commands that they never typed in :D, one of many examples, I guess. (edited)

non-ddnet-based server?

yeah. I bet ddnet based server might have had that at some point as well, tho never hosted one, so cannot tell.

at some point maybe

09:46

but i think the version ive used isnt vulnerable to it

09:46

at least the rcon thing

we are far from that time

09:46

it's been fixed long ago

ah

@Deleted User I have a 0.7 mod and support 0.6 clients. But I forced it to only allow ddnet based clients, because they have tokens. If a ddnet based client like baumalein joins, it even cant move on the server because its sending wrong playerflags and 0.7 is clamping them, thats why aimline doesnt work as a playerflag anymore in 0.7

[teeworlds/teeworlds] Pull request opened: #2677 Remove insecure tempfile.mktemp

Found by lgtm.com mentioned by @jxsl13 :) tempfile.mktemp is deprecated since Python 2.3 and considered weak https://cwe.mitre.org/data/definitions/377.html change is untested Sadly I could not get all dependencies building (https://github.com/planetbeing/libdmg-hfsplus/issues/14) and thus could not test this branch of code. If one has the binaries for hfsplus please test this.

Thanks. By the chance don't you know possible reason why 0.7 client might parse correctly but silently fail to apply tune parameters received from 0.7if they are sent not from admin console?

10:23

I want to implement a freeze effect like in FNG, but still ground_control_speed received from a server don't have any effect on the client. I've doublechecked the received value.

uh

10:24

baumalein doesnt send any different playerflags compared to normal ddnet

10:24

u must detect it by version number or the way it sends inputs when the bots are on

@jxsl13 still, some processes could be done differently through tcp which will be easier to filter

11:19

fstd, gie3, tken, etc... all of that could be done over tcp, and ingame data over udp

In theory only the snapshot and the input snap need to be udp

well once the client has opened his tcp session, everything could be just udp behind

Today one could just use quic with datagram extension

but yah, just as an example gie3 flood over udp just result as a massive code execution, data generation & outgoing bandwidth

11:23

over tcp it would require the three way hs before, and s-a packets are so small

11:23

+ a lot of attacks like syn flooding are already filtered by some hosts like ovh

@fokkonaut #2669 was about the connection to the 0.7 master, right? With your code I'm always getting warnings about the 0.6 master not responding, but a few seconds later it is registered again. It happens without anyone joining the server. For the 0.7 master everything is working. Tried with gcc 9.3, 120 clients, high bandwidth, ... No matter what I try to break it, everything is still fine

masters have some issues recently

11:35

yesterday also

11:39

@redix cuz sadly vali's team is back

Hmm okay

mh

Is the 0.6 master still having issues today? It still gives me [register6]: WARNING: Master server is not responding, switching master but registers again immediately

[teeworlds/teeworlds] Issue opened: #2678 [Editor2] Feature: search and replace by index

Would be nice to be able to select an area or the whole map and provide two indices to search and replace all occurrences of these tiles. Can come in super handy when gametiles or mapres change.

@redix You can check the current master server status at https://status.tw/status/. Master 3 is up and fine

Status - status.tw

A service for displaying and analyzing the status and statistics of Teeworlds servers and players

okay thanks

than it's really an issue with the code

I didn't say it's perfect. there is always room for improvments. It's just currently kind of works.

Exported 273 message(s)