Fennec.ws network traffic
Hi
Does anyone know why arma2oaserver.exe wants to continuously send data to 208.53.128.27, i.e. fennec.ws? The data usage sits at about 88k/sec.
That is, when I start the server and Resource Monitor, tick server.exe, and watch the network traffic, I can see packets going to various addresses, but this one stands out as a bandwidth hog.
just looks sus...
Thanks....
.kju [PvPscene]
Jun 10 2011, 12:11
Did you do an AV/malware check? Maybe your server got infected.
Got the same thing here, just a couple of hours ago. Killed a2oa since it's not being used atm anyway.
Dwarden
Jun 10 2011, 17:11
from where you obtained the arma2oaserver.exe (just for sure) ?
using any "3rd" party tools from unknown sources ?
> Did you do an AV/malware check? Maybe your server got infected.
We did a full virus scan and found nothing; the server is newly built and has only been running for 5 days in a new data centre.
> from where you obtained the arma2oaserver.exe (just for sure) ?
> using any "3rd" party tools from unknown sources ?
All arma files obtained from sprocket. Fire Daemon and Rcon. We first suspected Rcon and shut it down but the problem persisted. As Gonk said, it's coming from or directed at the arma2oaserver.exe.
We IP-blocked it and don't have any further issues, but still, doing a Google search and traceroute on it finds some very shady info.
Does FDC Servers or DirectNIC have some kind of relationship or are owned by etc your ISP?
Scanning the arma2oaserver.exe finds nothing.... using Security essentials and Nortons. still looking...
I was using the Linux server from the sticky with the rest of the required content downloaded via Steam (using a VM). A friend of mine was toying with mission editing and had access to the machine but he hasn't logged in for a month. According to ntop it was sending stuff over port 21.
Dwarden
Jun 11 2011, 13:32
port 21 is FTP ...
I have also noticed more and more IPs having only outbound network traffic from arma2oaserver.exe. They usually sit at about 50-70 k/sec, with no one connected to the game server. IPs like 109.169.x.x, 89.238.x.x, 216.246.x.x. Is there a security hole in this exe that ppl are exploiting?
Nicholas
Jul 14 2011, 02:58
Where are you renting your server from? Or are you running the server on your PC?
We have our own server located at a data centre (co-location). We are only running one instance of arma2oaserver.exe. Just curious whether other server admins are seeing this kind of activity.
.kju [PvPscene]
Jul 14 2011, 05:12
Could this be related?
> XML parsing error: empty attribute name
http://dev-heaven.net/issues/21289
Either a mission (a picture or html file) or the server exe infected by the malware as it looks like.
I wasn't able to get to the source though.
I see similar behavior but connecting to chi.xfactorservers.com (88.198.6.24). No one on the server and the UDP traffic is from the arma2oaserver.exe. I disabled Battleye just to check, but the traffic still appears.
Confirmed the MD5 hash is correct, so don't think malware or a virus is at play.
I then added a firewall rule to block that IP address then restarted the arma2oaserver.exe. It tried to connect to the same address, but couldn't and eventually got to 0 bytes being sent. Then I restarted arma2oaserver.exe again and this time it connected to 66.150.214.8 (dallas-vetrilo.nfoservers.com). I repeated the same, blocking that IP and then restarted. So far it hasn't reconnected to anything with that high packet count.
Both xfactorservers.com and nfoservers.com are game server hosting companies, but can't see a reason why arma2oaserver.exe starts immediately sending 25k+ traffic continually to it ... with no traffic back that I can see.
Yep, those two are also on the block list. Saw them a couple of days ago. There must be a way to see what is being sent.
.kju [PvPscene]
Jul 14 2011, 09:32
Where are your servers located?
.kju [PvPscene]
Jul 14 2011, 14:05
Cheers
Could you describe briefly how you do check the outgoing traffic,
so that others can check too that we get more data here. Thanks!
Most basic way to check network traffic within windows is to start Task Manager:
'Performance' Tab. At the bottom click 'Resource Monitor'.
Then 'Network' Tab
> Most basic way to check network traffic within windows is to start Task Manager:
> 'Performance' Tab. At the bottom click 'Resource Monitor'.
> Then 'Network' Tab
yep... then select arma2oaserver.exe to filter....
> There must be a way to see what is being sent.
Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped even after I removed the rules.
> Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped even after I removed the rules.
rgr.. let us know what you find... I am plugging holes left and right...
174.x.x.x popped up today sucking 100k/sec. Will have a closer look on the weekend...
I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server.
It's now really up to BIS to explain to us why the server is doing this as I really don't think it's a hack of any kind. I suspect it's related to the Gamespy support.
> I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server.
> It's now really up to BIS to explain to us why the server is doing this as I really don't think it's a hack of any kind. I suspect it's related to the Gamespy support.
Have you tried the beta server yet? This non-stop pinging response is eating into our data limit.
Under beta 82901, the behaviour is still present and even "worse" (because I don't know whether the behaviour is as-expected for some purpose). I now see 2 different UDP sessions, one runs at almost 70kbps and the other at 53kbps. Both are sending packets with the server details. My money is on the theory that this is Gamespy traffic and those IP addresses are providing server browser services for Gamespy.
Dwarden
Jul 20 2011, 08:48
on 66.150.214.8 is some ventrilo server but i assume that's coincidence
please try run this
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
scan the system, tell us if comes out clean (reveals TDL-3 and TDL-4 rootkits)
then scan the system with http://public.avast.com/~gmerek/aswMBR.exe
which may reveal some more
Rexxenexx
Jul 20 2011, 22:07
There are comps connected to the dedicated server tasking arma2server.exe "active connections". Nobody is connected except myself, which I can see in the active connections plus master server connections. But these tasking connections seem like random servers used to try and DoS my dedicated server. It may be something legit but I've never seen it before. Ideas?
EDIT: Here's one.
UDP IN
source 174.88.65.129:27005
destination x.x.x.x:2302
Bytes In 87.5KB{421 B/s}
Bytes Out Blah it went away but it was about 1.4MB already
I think it has something to do with people when they disconnect. One JUST joined...then disconnected.
EDIT: Another one.
UDP IN
source 124.197.26.174:27005
destination x.x.x.x:2302
Bytes In 4.4MB{4.0 KB/s}
Bytes Out 76.7MB{69.5 KB/s}
TDSKiller reports no problems. AswMBR comes back with no issues.
Dwarden, are you sure the server exe doesn't have some built-in function to advertise itself?
Are we the only two with this issue? Still not sure if it is GameSpy or a ping bot doing the rounds. Both programs found nothing...
example.. this one 124.197.26.174 traces to china somewhere.. stops responding at a gateway...
So far it has been from Denmark, America, Africa, China and the UK... Popular game.
You are not the only one experiencing the issue. See the following thread where it's being discussed.
http://forums.bistudio.com/showthread.php?t=120552
I just saw someone create a new thread reporting the issue. I posted for them to come to this thread to keep the discussion in one place. I suspect that most server admins just aren't looking at their network usage as closely. Until you reported seeing the behavior, I never bothered to look either.
Rexxenexx
Jul 21 2011, 00:10
That would be me thx Focher. My Thread (http://forums.bistudio.com/showthread.php?t=122567) I have the same prob. Both Normal exe and Beta exe after a couple min will get tasked externally. It's going on right now. I can tell because my router is blinking and I'm the only one on the Ded server via LAN.
> I just saw someone create a new thread reporting the issue. I posted for them to come to this thread to keep the discussion in one place. I suspect that most server admins just aren't looking at their network usage as closely. Until you reported seeing the behavior, I never bothered to look either.
Might be right... the thieves in Australia charge for data usage... hence the Mr Scrooge attitude.
MJK-Ranger
Jul 21 2011, 00:36
Well, you are not alone... I have a test server online with a password. But I do see my server send a lot of UDP traffic to 72.241.243.204 and some other IPs on remote port UDP 27005 and UDP 80
I found this info from site: http://pastebin.com/7Y64x0vQ
I don't know what kind of list that is, but that IP shows up in that list.
Player McLovin'! connected from 72.241.243.204:27005 <---- funny shit..
IP: 72.241.243.204 for 10 min, my server sent 40 500 254 Bytes Out, Protocol UDP and Remote Port UDP 27005 and 36 000 Packets
IP: 98.200.194.27 for 10 min, my server sent 18 043 392 Bytes Out, Protocol UDP and Remote Port UDP 80 and 16 584 Packets
IP: 24.2.33.74 (NoXiousNet.com) for 10 min, my server sent 38 844 864 Bytes Out, Protocol UDP and Remote Port UDP 27005 and 35 703 Packets
IP: 67.8.172.255 for 10 min, my server sent 39 153 360 Bytes Out, Protocol UDP and Remote Port UDP 80 and 37 720 Packets
BUT.... I think this is quite normal since the server is public. It's not only GameSpy that is collecting info from your server, there are a lot of other sites out there that are doing the same, GameTracker, etc etc, and all the other people that are in the multiplayer browser in the game, six updates etc etc :)
And this happens even if I set my server as Private: reportingIP="127.0.0.1"
IP: 67.8.172.255 for 10 min, my server sent 41 691 270 Bytes Out, Protocol UDP and Remote Port UDP 80 and 40 720 Packets
IP: 24.2.33.74 (NoXiousNet.com) stopped after 4 min, my server sent 14 152 092 Bytes Out, Protocol UDP and Remote Port UDP 27005 and 13 634 Packets
And port UDP 27005 is mostly used by master servers.
It really does not look like malicious traffic. It just looks very "chatty". The server is constantly sending the Arma server details (hostname, version, map name, player info, mod list, etc). The server then gets back exactly the same details every time. The "client" IP can change at launch of the server (then remains constant). It's UDP with a source port of 27005 (in both directions).
00 11 0a 5b 5e 9f 00 04 ed a2 23 5f 08 00 45 00
00 26 00 01 00 00 77 11 48 99 18 02 21 4a 3b a7
86 3a 69 7d 08 fe 00 12 ee 88 fe fd 00 48 4c 53
57 ff 00 00 00 00 00 00 00 00 00 00
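The frame posted above, decoded field by field. This is an added example, not part of the original thread; the function and key names are this example's own, and it assumes the dump is a complete Ethernet II frame without the trailing FCS.

```python
import struct
from ipaddress import IPv4Address

# The 60-byte frame exactly as posted in the thread.
FRAME_HEX = """
00 11 0a 5b 5e 9f 00 04 ed a2 23 5f 08 00 45 00
00 26 00 01 00 00 77 11 48 99 18 02 21 4a 3b a7
86 3a 69 7d 08 fe 00 12 ee 88 fe fd 00 48 4c 53
57 ff 00 00 00 00 00 00 00 00 00 00
"""


def load_frame() -> bytes:
    """Turn the posted hex dump into raw bytes."""
    return bytes.fromhex("".join(FRAME_HEX.split()))


def ipv4_checksum_ok(header: bytes) -> bool:
    """A valid IPv4 header sums (one's complement, 16-bit words) to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_udp_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP and return the fields a responder needs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    (total_len,) = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    if total_len < ihl + 8 or total_len > len(ip):
        raise ValueError("IPv4 total length does not fit the frame")

    # total_len marks the end of the datagram; anything after it is
    # Ethernet padding added to reach the 60-byte minimum frame size.
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")

    return {
        "src": f"{IPv4Address(ip[12:16])}:{sport}",
        "dst": f"{IPv4Address(ip[16:20])}:{dport}",
        "ttl": ttl,
        "ip_checksum_ok": ipv4_checksum_ok(ip[:ihl]),
        "payload": udp[8:udp_len],
        "padding": len(ip) - total_len,
    }


def printable(data: bytes) -> str:
    """Render bytes the way a hex viewer's ASCII column does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    pkt = parse_udp_frame(load_frame())
    for key, value in pkt.items():
        shown = value.hex(" ") if isinstance(value, bytes) else value
        print(f"{key:15} {shown}")
    print(f"{'ascii':15} {printable(pkt['payload'])}")
```

The decoded source, 24.2.33.74:27005, is one of the addresses MJK-Ranger listed, and the frame is an inbound 10-byte datagram addressed to port 2302, followed by 8 bytes of Ethernet padding.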
Rexxenexx
Jul 21 2011, 03:55
I live in Los Angeles CA USA. 27005 is the port they use here too.
You think it's just a website/gamespy like deal poorly programmed to update stats?
I disabled my servers port forwards on the router now it's just pinging the hell out of the router but not getting through to the server. My setup is:
Verizon Fios Router > Personal Router (used as hardware firewall + DHCP + WiFi) > GB Hub
Ded Server > Hub
My game computer > Hub
Works good beside this.
---------- Post added at 08:34 PM ---------- Previous post was at 07:15 PM ----------
Opened it back up and used the server's software firewall to block UDP In source ports 27005, 40000, and 30000. Recording a lot of hits on all those ports from the same IP addy 68.68.28.150
---------- Post added at 08:55 PM ---------- Previous post was at 08:34 PM ----------
Tried the Verizon Fios router to block and it's working. I think it is a DoS attack. Not a good one.
.kju [PvPscene]
Jul 21 2011, 04:59
Did you try to disable reporting to gamespy?
http://community.bistudio.com/wiki/server.cfg
reportingIP="<>";
I disabled the Gamespy reporting and didn't see a change. However, I noticed something new. When using Resource Monitor, those UDP sessions are shown as running under arma2oaserver.exe. However, the sessions are not shown in TCPview or CurrPorts.
While running Wireshark, I see the UDP traffic. I shut down arma2oaserver.exe and the traffic continues. So I reboot the machine and, without ever opening arma2oaserver.exe, I run Wireshark. I see all of the suspicious traffic.
It appears that what we see in Resource Monitor as sessions under arma2oaserver.exe is inaccurate for whatever reason. Resource Monitor shows the traffic as arma2oaserver.exe related but in fact, the traffic might have nothing to do with arma2oaserver.exe. It's talking on port 2302, though.
TDSkill didn't see anything, so I am currently running some other rootkit detection programs to see if they detect anything.
According to the traffic, I see a string of "HLSW" in the packet (which is only 10 bytes long, and always the same). A lookup of HLSW is that it's a game server browser and statistics software, which includes support for Arma 2. It could be that HLSW "learns" a server's IP address when arma2oaserver is running, and just keeps "talking" to the IP even when it doesn't get a reply.
MJK-Ranger
Jul 21 2011, 11:12
> I disabled the Gamespy reporting and didn't see a change. However, I noticed something new. When using Resource Monitor, those UDP sessions are shown as running under arma2oaserver.exe. However, the sessions are not shown in TCPview or CurrPorts.
> While running Wireshark, I see the UDP traffic. I shut down arma2oaserver.exe and the traffic continues. So I reboot the machine and, without ever opening arma2oaserver.exe, I run Wireshark. I see all of the suspicious traffic.
> It appears that what we see in Resource Monitor as sessions under arma2oaserver.exe is inaccurate for whatever reason. Resource Monitor shows the traffic as arma2oaserver.exe related but in fact, the traffic might have nothing to do with arma2oaserver.exe. It's talking on port 2302, though.
> TDSkill didn't see anything, so I am currently running some other rootkit detection programs to see if they detect anything.
> According to the traffic, I see a string of "HLSW" in the packet (which is only 10 bytes long, and always the same). A lookup of HLSW is that it's a game server browser and statistics software, which includes support for Arma 2. It could be that HLSW "learns" a server's IP address when arma2oaserver is running, and just keeps "talking" to the IP even when it doesn't get a reply.
Hi.
Yeah, the traffic is still there even if you shut down your arma 2 server. I tested this. I shut down my arma 2 test server, and my router still indicated traffic to my arma 2 test server. So I turned off my arma 2 server computer, and then the traffic stopped :)
Something to try:
Remove all your arma 2 server ports from your router/firewall/port forward.
Then change your "server.cfg" and remove reportingIP=xxxxxxxxx or just remove the line and add this one reportingIP="<>";
This will run your server Private, it's supposed to mean that your server will not be online/public. No one can see it.
Before you start your arma 2 server, change your arma 2 port to something else. Don't use the same port as you have.
Now see if you still get traffic out from the arma2oaserver.exe.
Theoretically, you should NOT have any traffic out now, since your server is private and on a new port.
EDIT:
I did this test and I can report, there is no more traffic out :)
Status says: UDP Listen port 2802, 2804 and 2805. Port 2802 is my arma test server port, and ports 2804 and 2805 are default.
I didn't open those ports in my router/firewall.
This means there is no buggy buggy exe file :)
http://img109.imageshack.us/img109/3175/armaport.png
So all the traffic out is because gamespy and other sites are collecting info on your arma 2 server session.
Dwarden
Jul 22 2011, 12:23
it's most likely some query service or users keeping running some monitoring tools ...
if you consider it too disruptive or bandwidth demanding you can always try ban that on firewall
Rexxenexx
Jul 22 2011, 20:36
It stopped the next morning after I blocked it on the Verizon Fios router. I blocked the IP addys (3) and the incoming ports (3). Just as a test I Disabled the block to see if their computer would slow down the pings, but the router auto-blocked them due to "UDP Flooding." Lol. So I just Enabled the blocks and all is good.
Rexxenexx
Jul 25 2011, 00:40
Looks like they're at it again this afternoon.
DELETED
That's after blocking IPs and ports on the Fios router.
Here is an area in the log that actually blocks.
DELETED
EDIT: n/m I had "Connection States" ON. Here is a better log:
Jul 24 18:15:55 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:55 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:54 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:54 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:53 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:53 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:52 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:52 2011 Firewall Info Rate Limit 138 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:51 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:51 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:50 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:50 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:49 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:49 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:48 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:48 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:47 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:47 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:46 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:46 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:45 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:45 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:44 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:44 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:43 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:43 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:42 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:42 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:41 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:41 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:40 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:40 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:39 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:39 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:38 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:38 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:37 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:37 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:36 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:36 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:35 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:35 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:34 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:34 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:33 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:33 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:32 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:32 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:31 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:31 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:30 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:30 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:29 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:29 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:28 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:28 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:27 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:27 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:26 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:26 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:25 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:25 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:24 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:24 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:23 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:23 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:22 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:21 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:21 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:20 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:20 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:20 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:20 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:18 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:18 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:17 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:17 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:16 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:16 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:15 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:15 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:14 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:14 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:13 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:13 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:12 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:12 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:11 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:11 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:10 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:10 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:09 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:09 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:09 2011 Outbound Traffic Accepted Traffic - Default policy TCP [Router/DHCP]:53377->74.125.53.188:5228 on eth1
Jul 24 18:15:09 2011 Outbound Traffic Accepted Traffic - Wireless Broadband Router initiated traffic UDP [VerizonFiosRouter]:1024->68.238.64.12:53 on eth1
Jul 24 18:15:08 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:08 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:07 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:07 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:06 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:06 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:05 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:05 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:04 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:04 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:03 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:03 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:02 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:02 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:01 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:01 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:00 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:00 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:59 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:59 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:58 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:58 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:57 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:57 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:56 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:56 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:55 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:55 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:54 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:54 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:53 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:53 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:52 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:52 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:51 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:51 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:50 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:50 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:49 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:49 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:48 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:48 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:47 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:47 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:46 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:46 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:45 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:45 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:44 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:44 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:43 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:43 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:42 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:42 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:41 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 67.201.15.235:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:14:41 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:40 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:40 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:39 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:39 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:39 2011 Outbound Traffic Accepted Traffic - Default policy TCP [Router/DHCP]:50198->81.0.236.117:2323 on eth1
Jul 24 18:14:38 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:38 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:37 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:37 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:36 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:36 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:35 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:35 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:34 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:34 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:33 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:33 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:32 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:32 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:31 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:31 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:30 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:30 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:29 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:29 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:28 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:28 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:27 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:27 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:26 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:26 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:25 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:25 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:24 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:24 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:23 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:23 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
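A router log like the one above shows only one "Blocked" entry per second, with the rest folded into the "Rate Limit ... suppressed" lines, so the real packet rate is easy to underestimate. The following is an added example, not code from any poster in this thread: it parses this log format and estimates the blocked-packet rate, assuming each suppressed message corresponds to one more blocked packet in that second. The sample lines are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
TS_FORMAT = "%b %d %H:%M:%S %Y"

# "Inbound Traffic Blocked - <rule>: UDP src:sport->[host]:dport on ethN"
BLOCK_RE = re.compile(
    r"^" + TS + r" Inbound Traffic Blocked - .*?: "
    r"(?P<proto>UDP|TCP) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"\[[^\]]+\]:(?P<dport>\d+) on (?P<iface>\S+)$"
)
# "Firewall Info Rate Limit N messages of type [T] <rule> suppressed in S second(s)"
SUPPRESSED_RE = re.compile(
    r"^" + TS + r" Firewall Info Rate Limit (?P<n>\d+) messages of type "
    r"\[\d+\] .* suppressed in \d+ second\(s\)$"
)

# Constructed sample in the router's format (newest entry first).
SAMPLE = """\
Jul 24 18:15:03 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 198.51.100.7:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:03 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:02 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 203.0.113.9:27015->[Router/DHCP]:2302 on eth1
Jul 24 18:15:02 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:02 2011 Outbound Traffic Accepted Traffic - Default policy TCP [Router/DHCP]:50198->192.0.2.10:2323 on eth1
Jul 24 18:15:01 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 198.51.100.7:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:01 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:15:00 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 198.51.100.7:111->[Router/DHCP]:2302 on eth1
Jul 24 18:15:00 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
"""


def summarize(lines):
    """Aggregate blocked inbound traffic, counting suppressed log messages too."""
    by_source = Counter()          # logged blocks per source IP
    by_flow = Counter()            # logged blocks per (proto, src, sport, dport)
    per_second = defaultdict(int)  # logged + suppressed, keyed by timestamp
    logged = suppressed = other = 0

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            by_source[m["src"]] += 1
            by_flow[(m["proto"], m["src"], int(m["sport"]), int(m["dport"]))] += 1
            per_second[ts] += 1
            logged += 1
            continue
        m = SUPPRESSED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            per_second[ts] += int(m["n"])
            suppressed += int(m["n"])
            continue
        other += 1  # accepted/outbound entries and anything unrecognised

    if per_second:
        # Inclusive window between the first and last second with activity.
        window = int((max(per_second) - min(per_second)).total_seconds()) + 1
    else:
        window = 0
    total = logged + suppressed
    return {
        "logged_blocks": logged,
        "suppressed": suppressed,
        "estimated_packets": total,
        "window_seconds": window,
        "estimated_pps": total / window if window else 0.0,
        # Suppressed messages carry no source, so these shares are a sample only.
        "by_source": by_source.most_common(),
        "by_flow": by_flow.most_common(),
        "other_lines": other,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE.splitlines())
    print(f"{s['estimated_packets']} blocked packets in {s['window_seconds']}s "
          f"(~{s['estimated_pps']:.1f}/s), {s['logged_blocks']} actually logged")
    for src, n in s["by_source"]:
        print(f"  {src}: {n} logged blocks")
```

Because the suppressed entries do not name a source, the per-source counts show which senders appear in the log, not their exact share of the traffic.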
MJK-Ranger
Jul 25 2011, 20:27
Looks like they're at it again this afternoon.
DELETED
That's after blocking IPs and Ports on the FiosRouter.
Here is an area in the log that actually blocks.
DELETED
EDIT: n/m I had "Connection States" ON. Here is a better log:
Jul 24 18:14:37 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:36 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:36 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:35 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:35 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:34 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:34 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:33 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:33 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:32 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:32 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:31 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:31 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:30 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:30 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:29 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:29 2011 Firewall Info Rate Limit 142 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:28 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:28 2011 Firewall Info Rate Limit 139 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:27 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:27 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:26 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:26 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:25 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:25 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:24 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:24 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:23 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:23 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 141 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Jul 24 18:14:22 2011 Inbound Traffic Blocked - Advanced Filter Rule /fw/policy/0/chain/fw_eth1_in/rule/0: UDP 217.23.6.19:111->[Router/DHCP]:2302 on eth1
Jul 24 18:14:22 2011 Firewall Info Rate Limit 140 messages of type [44] Advanced Filter Rule suppressed in 1 second(s)
Hi.
It's more likely as I and Dwarden said:
it's most likely some query service or users keeping running some monitoring tools ...
After I set my server to private and removed my open ports, the traffic stopped after a couple of days.
These are query services or game monitoring from sites that keep your server info posted somewhere, and there are other tools around here that are doing the same.
Sickboy
Jul 26 2011, 10:30
I've got about 2 Mbit upload going out of my server nearly all times of the day, spread over multiple connections.
One of them even downloads with 100 kbyte/sec.
This isn't normal monitoring tool traffic - e.g. if I monitor from my client, I see like 100 bytes/sec with some peaks, and a lot of silence.
Why would anyone be downloading 100 kbyte/sec from an empty server??
Must be a software bug or malicious intent.
---------- Post added at 11:49 ---------- Previous post was at 11:42 ----------
Now it's even 6-7 mbit/sec, someone's downloading with ~700 KB/sec from my empty server, some with 70 KB/sec, and some with much lower. Is this for real? :)
Mind you, if this continues, it moves 63 GB / day!
---------- Post added at 12:19 ---------- Previous post was at 11:49 ----------
I've done some analysis with WireShark, and it's indeed gamespy network traffic.
The issue seems to be that several hosts seem to bombard the server with gamespy info requests, multiple times per second.
So instead of checking periodically, every x seconds, some hosts seem to do it 100's of times / second.
The packet sent by them contains the string: HLSW, I'll be checking that tool to see what's up.
---------- Post added at 12:30 ---------- Previous post was at 12:19 ----------
I've tried the HLSW tool and when I monitor my server, I fetch about 2 - 4 KB/sec data, and a lot less frequent than what the other hosts are doing.
Thinking it might be up to a specific version of the software, or specific settings.
Analysis continues..
The hosts generating the high traffic request the gamespy info 100's of times / second; http://i55.tinypic.com/124a26s.png
Kochleffel
Jul 26 2011, 11:01
we got the same on DAO,
banned out some ips but there come new ones.
Same for us. I've suspended our "persistent DS" arma2oaserver.exe process now to save bandwidth and cpu. I'll resume it when I know we go there to play.
Dwarden
Jul 26 2011, 12:56
i have HLSW myself both public and upcoming build and it's never going over 5kB/s on server (depending of amount info on server)
so this is definitely very strange
Sickboy
Jul 26 2011, 13:18
Ticketed @<hidden> http://dev-heaven.net/issues/22808
[KH]Jman
Jul 26 2011, 15:21
Yes the kellys Heroes server is seeing the same incoming traffic from the same ip's (83.222.230.122 for example) on our empty server.
It's pulled 8.8GB's in the last 4 hours.
Sickboy
Jul 26 2011, 15:50
Updated the ticket with more ips and info http://dev-heaven.net/issues/22808
GossamerSolid
Jul 26 2011, 19:37
Yeah this is actually a pretty big issue. According to my box provider, we've used 1TB of traffic this month compared to 448.64GB from last month.
To summarize: the servers are flooded with incoming packets which look like a Gamespy query. They respond by sending back their complete details. Can you confirm my understanding of the problem is correct?
What I miss: What does the incoming packet look like? What kind of query is it?
Sickboy
Jul 27 2011, 06:59
To summarize: the servers are flooded with incoming packets which look like a Gamespy query. They respond by sending back their complete details. Can you confirm my understanding of the problem is correct?
What I miss: What does the incoming packet look like? What kind of query is it?
That's correct.
The requests also come from multiple hosts so the flooding is multiplied by multiple hosts.
The request looks like:
0000 00 1e 8c 0a b7 41 00 50 7f cd 02 b0 08 00 45 00 .....A.P ......E.
0010 00 26 00 01 00 00 79 11 14 c4 53 de e6 7a c0 a8 .&....y. ..S..z..
0020 32 01 1e 61 09 34 00 12 07 9a fe fd 00 48 4c 53 2..a.4.. .....HLS
0030 57 ff 00 00 00 00 00 00 00 00 00 00 W....... ....
Screenshot @<hidden> http://dev-heaven.net/attachments/13246/wireshark_filtered_icmp.png
FYI, a BE Server update will be released shortly that firewalls your server against these excessive requests.
---------- Post added at 09:54 ---------- Previous post was at 09:44 ----------
The request looks like:
Screenshot @<hidden> http://dev-heaven.net/attachments/13246/wireshark_filtered_icmp.png
Correction: The actual UDP packet payload (data) looks like:
0000 fe fd 00 48 4c 53 57 ff 00 00 ...HLSW...
Sickboy
Jul 27 2011, 08:51
Nice, I guess that gives us some options for now - hopefully BIS implements something for it as well - seeing not everyone runs BattlEye.
My guess is that the arma servers are being used as DOS flood amplifiers. The addresses you see in the from fields are the targets/victims of this.
The big idea is to have the victim receive loads more data than the attacker is able to send, by using other hosts as amplifiers. It also hides the true identity of the attacker to all but his ISP. Basically, the attackers would be sending these ~100byte packets with a false "from" header. If the "to" header host responds to the false from (victim) with a packet significantly bigger than the original packet...
Rate limit the responses arma2 servers give to requests to a certain IP (else they'll just cycle ports and be back in business) (might use small burst value to compensate for NATed clients) and the problem will go away.
My guess is that the arma servers are being used as DOS flood amplifiers. The addresses you see in the from fields are the targets/victims of this.
The big idea is to have the victim receive loads more data than the attacker is able to send, by using other hosts as amplifiers. It also hides the true identity of the attacker to all but his ISP. Basically, the attackers would be sending these ~100byte packets with a false "from" header. If the "to" header host responds to the false from (victim) with a packet significantly bigger than the original packet...
I have the same thought, but this might just be an attack against the game servers themselves (simply causing excessive bandwidth usage). All those machines supposedly sending these requests might not even exist. Maybe this is the work of some ArmA hacker that found a new way to annoy server admins.
Dwarden
Jul 28 2011, 10:58
I came to the same assumption that the game servers themselves aren't the victims but are abused for DDOS against other servers on the internet ...
Of course, overall the victims are both the DDOS targets and the abused servers, as it eats bw and increases CPU usage due to the I/O increase
but this might just be an attack against the game servers themselves
Implausible.
Exhibit 1) If they are not spoofing their source address, they would be DOSing themselves, particularly from hitting so many servers in parallel. If so, it would stop rather quickly, and wouldn't change source often; we can therefore assume they are spoofing.
Exhibit 2) If they really wanted to hit arma servers rather than the return address, they would* spoof it such that each packet came from a random IP each time. That would make it practically impossible to block outside of a handshake like tcp, (low-size initial reply) or making the gamespy master the only redistribution point for that info - it probably does not do that for several reasons.
It would also have made it far harder to detect what exactly was going on with all that traffic in the first place, and the causes would have remained unexplained (but "annoying") for far longer.
* I'm assuming that they wouldn't be so dumb as to be unable to figure that out. They are, after all, smart enough to create the attack software, or at least set it up, in the first place.
Exhibit 3) There's far more motive to do a proper DOS against a third party than to cause some minor load against arma servers. To then believe (if you really do) this is really directed at us, not recognizing we're actually quite insignificant, is egocentric. That said, to bring it up as a mere possibility is appropriate.
I call it minor because the network isn't the bottleneck for arma servers. At least those that aren't home-hosted will likely have connections good enough to withstand the extra traffic without problems. Until caps are reached.
Exhibit 4) If we assume the source addresses are the target, this would merely be the latest in a loooooooooong tradition of dos amplification. Inflating the meaning of an event ("Blowing things out of proportion") rarely gets you closer to the truth.
Potential exhibit 5) Guessing from dwarden's signature, and the packet content (HLSW), this seems to use a protocol not specific to arma. Are other games being hit as well? (Have they rate limited it already?)
If we assume the others aren't already doing rate limiting, are other types of servers using the same protocol also affected? If yes, that'll immediately kill the theory of this hitting us specifically.
[targets] might not even exist
Then we're still hitting the network connections up to the network on which that address belongs. There's very few unicast ipv4 addresses that aren't routed somewhere. And we also cannot say with any certainty it doesn't exist; even if it would respond to pings in the first place, it may be unreachable because of the ongoing DOS.
Also, that there was a ventrilo server running on one of the targets gives a few hints to the type of person perpetrating this.
Killswitch
Jul 28 2011, 12:51
Potential exhibit 5) Guessing from dwarden's signature, and the packet content (HLSW), this seems to use a protocol not specific to arma. Are other games being hit as well?
Yes, there have been similar exploits performed using other game servers. Reference: for example (http://seclists.org/bugtraq/2003/Jan/178)
Possible solution: Make use of the new "v3" challenge-response variant of the GameSpy query protocol?
MJK-Ranger
Jul 28 2011, 14:48
FYI, a BE Server update will be released shortly that firewalls your server against these excessive requests.
Good news $able :)
Exhibit 1) If they are not spoofing their source address, they would be DOSing themselves, particularly from hitting so many servers in parallel. If so, it would stop rather quickly, and wouldn't change source often; we can therefore assume they are spoofing.
I tend to think the same.
Exhibit 2) If they really wanted to hit arma servers rather than the return address, they would* spoof it such that each packet came from a random IP each time. That would make it practically impossible to block outside of a handshake like tcp, (low-size initial reply) or making the gamespy master the only redistribution point for that info - it probably does not do that for several reasons.
Maybe they just want to confuse and cause innocent hosts to be accused? No one knows why they are doing this, I just know that hackers always loved to annoy this community (and especially server admins). I am merely pointing out a possibility.
Exhibit 3) There's far more motive to do a proper DOS against a third party than to cause some minor load against arma servers. To then believe (if you really do) this is really directed at us, not recognizing we're actually quite insignificant, is egocentric. That said, to bring it up as a mere possibility is appropriate.
Again, I am simply pointing out another possibility. It has nothing to do with being egocentric.
Potential exhibit 5) Guessing from dwarden's signature, and the packet content (HLSW), this seems to use a protocol not specific to arma. Are other games being hit as well? (Have they rate limited it already?)
If we assume the others aren't already doing rate limiting, are other types of servers using the same protocol also affected? If yes, that'll immediately kill the theory of this hitting us specifically.
It's the GameSpy query protocol.
Then we're still hitting the network connections up to the network on which that address belongs. There's very few unicast ipv4 addresses that aren't routed somewhere. And we also cannot say with any certainty it doesn't exist; even if it would respond to pings in the first place, it may be unreachable because of the ongoing DOS.
I was referring to those machines actually sending these requests, which is not the case if IP spoofing is used.
---------- Post added at 17:25 ---------- Previous post was at 16:51 ----------
FYI, a BE Server update will be released shortly that firewalls your server against these excessive requests.
Released now.
Sickboy
Jul 28 2011, 15:54
FYI, a BE Server update will be released shortly that firewalls your server against these excessive requests.
Released now.
Thanks $able!
---------- Post added at 17:54 ---------- Previous post was at 17:29 ----------
The new BE (v119) seems to block genuine gamespy requests that request the player info.
So the server info request seems to work (0xFF, 0x00, 0x00) but player packet fails (0x00, 0xFF, 0x00). I have not tested the full info packet (0xFF, 0xFF, 0xFF).
I'm using Six Updater; fetching server info happens by two requests: first the server info request, and then immediately following, the separate player request.
The new BE (v119) seems to block genuine gamespy requests that request the player info.
So the server info request seems to work (0xFF, 0x00, 0x00) but player packet fails (0x00, 0xFF, 0x00). I have not tested the full info packet (0xFF, 0xFF, 0xFF).
I'm using Six Updater; fetching server info happens by two requests: first the server info request, and then immediately following, the separate player request.
Right now the BE Server allows one query packet (per IP) every 0.5 seconds. I will change the implementation to fix your problem.
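The per-IP limit discussed in the posts above, as an added example (not BattlEye's or BIS's code): a token bucket keyed on the source IP only, showing why a strict one-packet-per-0.5-s limit drops the second of two back-to-back queries, while a burst of 2 lets the pair through and still caps a flood. The class, its parameters and the 192.0.2.x addresses are constructed for illustration.

```ruby
# Per-source-IP token bucket for query replies (hypothetical helper).
# Times are integer milliseconds and token counts are Rationals, so the
# arithmetic is exact and the results are repeatable.
class QueryLimiter
  def initialize(rate_per_sec:, burst:)
    @rate    = rate_per_sec       # tokens added per second
    @burst   = Rational(burst)    # bucket capacity
    @buckets = {}                 # ip => [tokens, last_seen_ms]
  end

  # The source port is accepted but deliberately not part of the key:
  # a sender that cycles ports still draws from the same bucket.
  def allow?(src_ip, _src_port, now_ms)
    tokens, last = @buckets.fetch(src_ip) { [@burst, now_ms] }
    elapsed = [now_ms - last, 0].max
    tokens  = [@burst, tokens + Rational(elapsed * @rate, 1000)].min
    allowed = tokens >= 1
    tokens -= 1 if allowed
    @buckets[src_ip] = [tokens, now_ms]
    allowed
  end

  # Forget sources whose bucket would be full again by now, so spoofed
  # source addresses cannot grow the table without bound.
  # Returns the number of sources still tracked.
  def prune(now_ms)
    @buckets.delete_if do |_ip, (tokens, last)|
      tokens + Rational((now_ms - last) * @rate, 1000) >= @burst
    end
    @buckets.size
  end
end

# Server-info query followed 10 ms later by the player-info query,
# the two-request pattern described for Six Updater above.
def query_pair_ok?(limiter, src_ip)
  first  = limiter.allow?(src_ip, 2303, 0)
  second = limiter.allow?(src_ip, 2303, 10)
  first && second
end

# How many of `count` requests, one every `gap_ms` and each from a new
# source port, would get a reply.
def replies_under_flood(limiter, src_ip, count:, gap_ms:)
  (0...count).count { |i| limiter.allow?(src_ip, 1024 + i, i * gap_ms) }
end

if __FILE__ == $0
  strict = QueryLimiter.new(rate_per_sec: 2, burst: 1)  # one packet per 0.5 s
  bursty = QueryLimiter.new(rate_per_sec: 2, burst: 2)  # same rate, burst of 2
  puts "strict limit, query pair answered: #{query_pair_ok?(strict, '192.0.2.10')}"
  puts "burst of 2,   query pair answered: #{query_pair_ok?(bursty, '192.0.2.10')}"
  flood = replies_under_flood(QueryLimiter.new(rate_per_sec: 2, burst: 2),
                              "192.0.2.66", count: 1000, gap_ms: 10)
  puts "replies to 1000 requests in 10 s from one IP: #{flood}"
end
```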
Sickboy
Jul 28 2011, 16:24
Thanks! Perhaps it would be nice to be able to configure these limits, if it wouldn't involve a lot of work :)
Sickboy
Jul 28 2011, 19:23
It looks like the changes for gamespy requests are working $able, I've yet to come across the excessive bandwidth usage (fingers crossed).
Thanks again!
Looking back at our server traffic stats, it would seem that this thing began on our server somewhere around after the first week / middle of June. Up until June our server was outputting somewhere around 100gb / month, but in June the end result was 385gb, whereas in July it is already at 595gb! No more running arma servers without someone actually playing there....
Sickboy
Jul 29 2011, 08:24
No more running arma servers without someone actually playing there....
There's an updated BE that mitigates the problem, as well as changes made to the gamespy master to prevent the issues;
http://dev-heaven.net/issues/22808#note-55
Dwarden
Jul 29 2011, 08:43
we enabled the security feature on Gamespy protocol, all queries now need validate ...
also BE will be updated soon to support both data and player info query
I will change the implementation to fix your problem.
Fixed now.
nomad_man
Jul 29 2011, 16:10
Sable,
Linux servers are now having issues responding to game tracker.
A while ago I also wrote a tool for our admin that queries the server for stats too.
The packet looks like following:
pack("c*",0xFE,0xFD,0x00,0x04,0x05,0x06,0x07,0xFF,0xFF,0xFF);
The server no longer responds to that packet. As well as packets sent by GameTracker.
Sickboy
Jul 29 2011, 16:23
Fixed now.
Thanks! Will confirm later tonight once SU v3 support is up.
@<hidden>:
Probably nothing to do with BattlEye but with the new GameSpy v3 protocol activated by BIS: http://dev-heaven.net/issues/22808#note-55
The v3 should become active after restarting the server since today.
You'll need to send a challenge request, and include the proper response in the info query packet.
GameQ has support for it for instance:
https://github.com/Austinb/GameQ/blob/v2/gameq/protocols/gamespy3.php
https://github.com/Austinb/GameQ/blob/v2/gameq/protocols/bf2.php
In essence, it comes down to:
base_packet = "\xFE\xFD\x00"
challenge_packet = "\xFE\xFD\x09"
random_id = "\x10\x20\x30\x40"
info_packet = "\xFF\xFF\xFF\x01"
1. Send the challenge request packet (challenge_request_packet = challenge_packet + random_id)
2. Receive response, parse the response: only take the numbers after 0@<hidden> Do some bitwise shifting:
challenge_response_packet = sprintf("%c%c%c%c", challenge_response >> 24, challenge_response >> 16, challenge_response >> 8, challenge_response >> 0)
3. Send the info request packet with the new calculated challenge response.
full_packet = base_packet + random_id + challenge_response_packet + info_packet
Determining if the server requires a challenge response:
If the response to the challenge request contains at the end: 0@<hidden> then it does not require the challenge response.
Note for non-php users, e.g. Ruby:
Negative numbers need to be converted first; php does this automatically, ruby does not:
# Map any integer into the 0..255 range that "%c" can format as one byte
def handle_chr(number)
  number = ((number % 256)+256) if number < 0
  number = number % 256 if number > 255
  number
end
challenge_response = sprintf("%c%c%c%c", handle_chr(str >> 24), handle_chr(str >> 16), handle_chr(str >> 8), handle_chr(str >> 0))
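The three steps from the post above, as an added offline example in Ruby (not Six Updater's or GameQ's code): it builds the challenge request, checks the echoed request ID, and packs the challenge into the info request. The reply layout used here (0x09, the 4-byte request ID, the challenge as an ASCII decimal number, NUL) is an assumption based on the GameSpy v3 query protocol as commonly documented, not on this page; the function names and sample bytes are constructed.

```ruby
require "securerandom"

CHALLENGE_HEADER = "\xFE\xFD\x09".b      # challenge_packet in the post
QUERY_HEADER     = "\xFE\xFD\x00".b      # base_packet in the post
INFO_FLAGS       = "\xFF\xFF\xFF\x01".b  # info_packet in the post

# Four random bytes; the server echoes them, which lets the client
# reject replies it did not ask for.
def new_request_id
  SecureRandom.random_bytes(4)
end

# Step 1: challenge request = challenge header + request ID.
def challenge_request(request_id)
  raise ArgumentError, "request id must be 4 bytes" unless request_id.bytesize == 4
  CHALLENGE_HEADER + request_id.b
end

# Step 2: validate the reply and return the challenge as an Integer.
# Assumed layout: 0x09 | request id (4 bytes) | ASCII decimal number | NUL
def parse_challenge_reply(reply, request_id)
  reply = reply.b
  raise ArgumentError, "reply too short" if reply.bytesize < 6
  raise ArgumentError, "not a challenge reply" unless reply.getbyte(0) == 0x09
  raise ArgumentError, "request id mismatch" unless reply.byteslice(1, 4) == request_id.b
  digits = reply.byteslice(5, reply.bytesize - 5).split("\x00".b, 2).first.to_s
  raise ArgumentError, "challenge is not a decimal number" unless digits.match?(/\A-?\d+\z/)
  digits.to_i
end

# The challenge as 4 big-endian bytes. Masking to 32 bits handles the
# negative values that the handle_chr helper in the post works around.
def challenge_bytes(challenge)
  [challenge & 0xFFFFFFFF].pack("N")
end

# Step 3: info request = base header + request ID + challenge + flags.
def info_request(request_id, challenge)
  QUERY_HEADER + request_id.b + challenge_bytes(challenge) + INFO_FLAGS
end

if __FILE__ == $0
  id    = "\x10\x20\x30\x40".b                         # request ID from the post
  reply = "\x09\x10\x20\x30\x40".b + "-1234567\x00"    # constructed sample reply
  challenge = parse_challenge_reply(reply, id)
  puts challenge_request(id).unpack1("H*")
  puts info_request(id, challenge).unpack1("H*")
end
```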
nomad_man
Jul 29 2011, 16:25
What is the latest version of BE server?
Also, i can not change the exchange the GameTracker queries :). It seems a lot of popular servers are having the same issue.
Sickboy
Jul 29 2011, 16:32
See my updated post.
Latest BE seems to be v1.120 currently.
nomad_man
Jul 29 2011, 16:34
Yeah, i saw the response.
Okay, then we are good in terms of BE version. However I'm concerned that none of our servers are listed on GameTracker as populated. :(
10:35:45 BattlEye Server: Initialized (v1.120)
Sickboy
Jul 29 2011, 16:35
Perhaps notify the gametracker staff about ArmA 2 / OA change to v3.
nomad_man
Jul 29 2011, 16:36
Well, what seems odd is that some servers are ok while others are not. Which doesn't make much sense.
Sickboy
Jul 29 2011, 16:38
Well, what seems odd is that some servers are ok while others are not. Which doesn't make much sense.
It does in relation to:
The v3 should become active after restarting the server since today.
zyklone
Jul 29 2011, 16:39
Let's just say some heads up would have been appreciated.
nomad_man
Jul 29 2011, 16:40
Sorry, should have paid more attention :)
Dwarden
Jul 29 2011, 16:48
so just once again for sure! :)
to enable the flooding protection on Your server
1. restart server
2. use BattlEye
both steps combined give best results
zyklone
Jul 29 2011, 17:30
[snip]
base_packet ="\xFE\xFD\x00\x10\x20\x30\x40"
info_packet = "\xFF\xFF\xFF\x01"
full_packet = base_packet + challenge_packet + info_packet
The base_packet is actually just: "\xfe\xfd\x00"
The 4 bytes after that is a request ID which should be 4 random bytes. These bytes will then be sent after the header in all further packets. Verifying these bytes protects the client against spoofed replies.
Sickboy
Jul 29 2011, 18:49
Cheers, updated the post.
zyklone
Jul 29 2011, 19:01
It appears servers which have not been restarted are not replying at all to challenge response packets.
Is anyone else seeing this?
I'm missing something like 500 servers on http://arma2.swec.se/server/list
Sickboy
Jul 29 2011, 19:14
The challenge response I'm getting on servers that are still on old, contains 0@<hidden> at the end, which I'm using to determine that the server doesn't need one.
zyklone
Jul 29 2011, 19:31
The challenge response I'm getting on servers that are still on old, contains 0@<hidden> at the end, which I'm using to determine that the server doesn't need one.
Thanks. That was fairly obvious when pointed out. :)
Rexxenexx
Jul 29 2011, 19:54
Thx guys for moving on this. I'll update BE.
Spyder001
Jul 29 2011, 20:36
http://www.gametracker.com/games/arma/forum.php?post=241891
We are currently on "reporting ip" setting as "localhost". It was the only method to "enable the flooding protection". Even commenting the line in cfg wouldn't help. Will see with the new BE, yesterday version 119 was no go.
What a shame with GT.
We are currently on "reporting ip" setting as "localhost". It was the only method to "enable the flooding protection". Even commenting the line in cfg wouldn't help. Will see with the new BE, yesterday version 119 was no go.
What a shame with GT.
Keep in mind that the GameSpy and BE fix cannot prevent these excessive requests from reaching your host. Only a firewall in front of your server can achieve that.
.kju [PvPscene]
Jul 30 2011, 04:54
To disable the GameSpy reporting you need to add a faulty string like:
reportingIP="<>";
Sickboy
Jul 30 2011, 11:41
Keep in mind that the GameSpy and BE fix cannot prevent these excessive requests from reaching your host. Only a firewall in front of your server can achieve that.
The requests will hopefully subside once the tools or people wielding them figure out it is now useless :)
In any case the excessive requests are but a fraction of the data that was generated before :)
I can confirm the fixes for BE are working too - I can successfully query server-info first and then player-info, thanks!
nomad_man
Jul 31 2011, 01:04
In essence, it comes down to:
base_packet = "\xFE\xFD\x00"
challenge_packet = "\xFE\xFD\x09"
random_id = "\x10\x20\x30\x40"
info_packet = "\xFF\xFF\xFF\x01"
If you want to have death stats in the info packet change the info request
from info_packet = "\xFF\xFF\xFF\x01" to info_packet = "\xFF\xFF\xFF\xFF"
PS: thanks for the help, everyone.
PPS: the random_id is actually a timestamp, but for server querying it does not matter.
glad to see this is being addressed... good work..
Sickboy
Jul 31 2011, 09:27
If you want to have death stats in the info packet change the info request
from info_packet = "\xFF\xFF\xFF\x01" to info_packet = "\xFF\xFF\xFF\xFF"
Not sure what the difference is, it seems to give the same information that you receive already from player info, but in a different format:
Instead of: PlayerName - Team - Score - Deaths per player
You get: First all PlayerNames, then all Teams, then all Scores, then all Deaths.
Also it seems it doesn't matter if you send "\xFF\xFF\xFF\x01" or "\xFF\xFF\xFF\xFF". Both will send the player info in the "First all playernames, then all teams", etc format. While leaving out the last byte, or replacing it with e.g \x00, it will list players in the normal format.
Personally, I actually send \xFF\x00\x00 first to get only the server-info, and then I send \x00\xFF\x00 to get the player-info separately.
Because the packets only support up to 1400 bytes, servers with lots of players / mods etc don't fit everything in 1 packet.
(I have been unable to figure out how to receive multiple packets for the same info query; if anyone knows I'm all ears :)).
---------- Post added at 11:27 ---------- Previous post was at 10:52 ----------
Actually, if you include the 4th character in the info packet (\x01, or \xFF), you will also receive a "Splitnum" value, if it is \x00, there are more packets. If it's something else it seems to mark the end of available packets.
zyklone
Jul 31 2011, 09:59
Actually, if you include the 4th character in the info packet (\x01, or \xFF), you will also receive a "Splitnum" value, if it is \x00, there are more packets. If it's something else it seems to mark the end of available packets.
The byte following the 'splitnum\0' can be parsed like this:
flag = s.get_byte.unpack("C")[0]
index = flag & 127
final = flag & 0x80 > 0
index is the packet's index in the series; it's possible to receive packets out of order, so reassembly in the correct order is required to query some servers.
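The flag parsing from the post above, extended into an added Ruby example (not zyklone's or Six Updater's code) that puts out-of-order packets back in sequence and refuses an incomplete series. The sample packet layout (a 0x00 byte and the 4-byte request ID in front of 'splitnum\0', with the part's data directly after the flag byte) is constructed for illustration, and gluing entries that straddle two packets is left out.

```ruby
SPLIT_KEY = "splitnum\x00".b

# Decode the byte that follows 'splitnum\0': the low 7 bits are the
# packet's index in the series, the high bit marks the final packet.
# Returns nil when the marker or the flag byte is missing.
def split_info(packet)
  data = packet.b
  pos  = data.index(SPLIT_KEY)
  return nil if pos.nil?
  flag_at = pos + SPLIT_KEY.bytesize
  flag    = data.getbyte(flag_at)
  return nil if flag.nil?
  { index: flag & 0x7F,
    final: (flag & 0x80) != 0,
    rest:  data.byteslice(flag_at + 1, data.bytesize - flag_at - 1) }
end

# Return the parts in index order, or nil when the series cannot be
# trusted: a packet without the marker, no final packet seen, a gap
# in the indexes, or an index beyond the final one.
def ordered_parts(packets)
  parts      = {}
  last_index = nil
  packets.each do |packet|
    info = split_info(packet)
    return nil if info.nil?
    parts[info[:index]] ||= info[:rest]   # keep the first copy of a duplicate
    last_index = info[:index] if info[:final]
  end
  return nil if last_index.nil?
  return nil if parts.keys.any? { |i| i > last_index }
  return nil unless (0..last_index).all? { |i| parts.key?(i) }
  (0..last_index).map { |i| parts[i] }
end

# Constructed sample packet: 0x00, request ID, 'splitnum\0', flag, data.
def sample_packet(flag, body)
  "\x00\x10\x20\x30\x40".b + SPLIT_KEY + flag.chr + body.b
end

if __FILE__ == $0
  first  = sample_packet(0x00, "AAA")
  middle = sample_packet(0x01, "BBB")
  last   = sample_packet(0x82, "CCC")   # index 2 with the final bit set
  p ordered_parts([last, first, middle])
  p ordered_parts([first, last])        # index 1 never arrived
end
```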
In any case the excessive requests are but a fraction of the data that was generated before :)
I can confirm the fixes for BE are working too
That is what I can also confirm, the 120 version keeps the server stable and the requests if any they have no impact
The BE "fix" is as good as it can get. There's nothing you can really do to stop the inbound UDP packet. At most, you can block it at your firewall but the ISP / provider is still going to see that as inbound traffic. If you are on a quota, it will hit your quota.
However, the inbound UDP packets are quite small - only 60 bytes in length. It was the outbound response that was causing most of the traffic. This is now shut off with BE.
Thanks to gonk for first seeing and reporting the problem, and thanks to $able for providing a quick fix.
The problems are gone with and without BE due to BIS activating the enhanced gamespy protocol for the arma servers, which require a challenge/response.
http://dev-heaven.net/issues/22808
---------- Post added at 08:21 ---------- Previous post was at 08:20 ----------
The byte following the 'splitnum\0' can be parsed like this:
flag = s.get_byte.unpack("C")[0]
index = flag & 127
final = flag & 0x80 > 0
index is the packet's index in the series; it's possible to receive packets out of order, so reassembly in the correct order is required to query some servers.
Thanks! Only thing left is gluing the packets properly together, it seems for player info the first entry of the next packet might have to overwrite the last entry of the previous packet completely as it might be incomplete.
The problems are gone with and without BE due to BIS activating the enhanced gamespy protocol for the arma servers, which requires a challenge/response.
Well, sorta. Whoever or whatever is initiating the UDP packets appears to have a cache of the IP addresses of servers that it "knows". So while armaserver.exe itself no longer reacts to the incoming UDP packets, in many cases the packets will continue to come into the server at the network stack. If you run Wireshark and have experienced these packets, it's very likely that you will still see the inbound UDP packets (60 bytes long) but without the reply from armaserver.exe.
I suspect this will drop off over time, but the updates to BE and the use of v3 of the Gamespy protocol do not fully stop the traffic...just the majority of it. As we've seen, each inbound UDP packet of 60 bytes was causing outbound traffic of 1-2KB so the exponential effect was pretty significant. The fixes have removed the outbound part, but can do nothing about the inbound.
That's what I was saying and have been saying past pages.
The inbound traffic is negligible - so that's why I call the problems gone, and the inbound traffic will probably subside in time.
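Why a challenge/response step removes the outbound amplification discussed above, as an added Ruby sketch that is not BIS, GameSpy or BattlEye code and not from any poster in this thread. It is an in-memory model with no sockets; the `Responder` class, the "answer anyone in full" legacy mode, the payload size and the addresses are constructed assumptions, and only the request bytes are taken from the query code posted in the thread.

```ruby
require "securerandom"

# Toy model, constructed for illustration; not BIS, GameSpy or BattlEye code.
# INFO stands in for the 1-2 KB status reply mentioned in the thread.
INFO = ("hostname\0Example Server\0" * 60).b     # 1440 constructed bytes

class Responder
  def initialize(require_challenge:)
    @require_challenge = require_challenge
    @issued = {}                                  # source address => challenge
  end

  # Returns the bytes that would be sent to src, the *claimed* source address.
  def handle(src, packet)
    return INFO unless @require_challenge         # assumed legacy behaviour
    case packet.getbyte(2)
    when 0x09                                     # challenge request
      @issued[src] = 1 + SecureRandom.random_number(2**31 - 1)
      "\x09".b + packet.byteslice(3, 4).to_s + @issued[src].to_s + "\0"
    when 0x00                                     # info request
      echoed = packet.byteslice(7, 4).to_s.unpack1("N")
      (echoed && @issued.delete(src) == echoed) ? INFO : "".b
    else
      "".b
    end
  end
end

# A real client sees the challenge reply, so it can echo it back as 4 bytes.
def legit_query(responder, src)
  sid = "\x58\xEF\xD0\xC8".b
  reply = responder.handle(src, "\xFE\xFD\x09".b + sid)
  challenge = reply.byteslice(5, 16).to_i         # ASCII decimal up to the NUL
  responder.handle(src, "\xFE\xFD\x00".b + sid + [challenge].pack("N") +
                        "\xFF\xFF\xFF\x01".b)
end

# Reply bytes per request byte when the source address is forged: the reply
# goes to the victim, so the sender never learns the challenge and must guess.
def reflection_ratio(responder, victim)
  sid = "\x58\xEF\xD0\xC8".b
  requests = ["\xFE\xFD\x09".b + sid,
              "\xFE\xFD\x00".b + sid + [0].pack("N") + "\xFF\xFF\xFF\x01".b]
  sent = requests.sum(&:bytesize)
  requests.sum { |r| responder.handle(victim, r).bytesize }.to_f / sent
end
```

In this model the legacy responder returns over a hundred bytes per request byte to the forged address, while the challenge-gated one returns less than one; the small inbound requests still arrive either way.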
Hi Sickboy... is there any chance that you will update your Advanced GameSpy Server Query Script (http://www.armaholic.com/page.php?id=243), please..
:rolleyes:
Hi Sickboy... is there any chance that you will update your Advanced GameSpy Server Query Script (http://www.armaholic.com/page.php?id=243), please..
:rolleyes:
Hi i'm afraid not, kinda abandoned php quite a while ago :) Anyone's free to modify it (if they really wanted to ;))
I could recommend to check http://gameq.sourceforge.net/ (make sure to select the gamespy v3 protocol),
or any of the other php-based solutions that are floating around :)
Or get an image etc @ www.gametracker.com
eddieck
Aug 14 2011, 22:49
Sickboy, do you have any Ruby code for the new queries? This is what I have:
sock.send("\xFE\xFD\x09\x58\xEF\xD0\xC8", 0, server_ip, port)
challenge = sock.recv(64).gsub(/[^0-9\-]/, "").to_i
sock.send("\xFE\xFD\x00\x58\xEF\xD0\xC8#{x(challenge >> 24)}" +
"#{x(challenge >> 16)}#{x(challenge >> 8)}" +
"#{x(challenge >> 0)}\xFF\xFF\xFF\x01", 0, server_ip, port)
response = sock.recv(512)
A challenge packet is received, but after sending back the final request there is no response. (x is the handle_chr function you posted.)
Some debug output:
The challenge is: 77381309
Challenge info: 4 1180 302270 77381309 (24 / 16 / 8 / 0, and the spaces are only there in the debug output)
(This is for a script to fix the yellow server browser issue with the Linux server. The idea is to accept the original requests, but use iptables string matching to drop the response. The script uses libpcap to find that request, and makes its own query to the server, fixes the hash, and forwards it. The firewall rule isn't in place right now, so that's definitely not the issue. I'll also be releasing this as soon as it's working.)
Sickboy
Aug 15 2011, 07:17
Ah a fellow Rubyist eh :) Ahoy!
This is what I use; https://github.com/sickboy/six-updater-gui/blob/develop/SixUpdaterGui/Applications/six/query/gamespy.rb#L215
But the UDPSocket/Client I'm using isn't the one from Ruby but from .NET, so you'll have to switch that.
The problem in your implementation seems to be that you're returning the challenge response as numbers, while you should convert it to string (I'm using sprintf).
Btw Max Packet size is 1400 not 512, and you can receive up to 7 of them, splitnum tells you which ID this packet has and if it's the last packet.
And interesting use case - kudos to you :)
---------- Post added at 09:17 ---------- Previous post was at 09:03 ----------
BTW, there's a bug currently in Arma gamespy implementation, if a single server info field value cannot fit in a single packet, http://dev-heaven.net/issues/23389
(The ticket also contains 2 links to some example packet output, the linked pastie also includes my response incl challenge).
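Parsing the splitnum byte and reassembling packets that arrive out of order, as described in the posts above, shown as an added Ruby example that is not Sickboy's gamespy.rb or any poster's code. It assumes everything after the flag byte is payload; `sample_packet`, `parse_split` and `Reassembler` are hypothetical names and the sample packets are constructed.

```ruby
MAX_PACKETS = 7      # from the thread: up to 7 packets per response
MAX_SIZE    = 1400   # from the thread: maximum packet size in bytes
MARKER      = "splitnum\0".b

# Constructed sample packet (layout assumed): type byte, 4-byte id, marker,
# flag byte, then payload.
def sample_packet(index, final, payload)
  flag = index | (final ? 0x80 : 0)
  "\x00\x58\xEF\xD0\xC8".b + MARKER + [flag].pack("C") + payload.b
end

# Returns [index, final, payload], or nil when the packet is unusable.
def parse_split(packet)
  packet = packet.b
  pos = packet.index(MARKER)
  return nil if pos.nil? || packet.bytesize > MAX_SIZE
  flag = packet.getbyte(pos + MARKER.bytesize)
  return nil if flag.nil?
  index = flag & 127                 # low 7 bits: position in the series
  final = (flag & 0x80) > 0          # high bit: last packet of the series
  return nil if index >= MAX_PACKETS
  [index, final, packet.byteslice(pos + MARKER.bytesize + 1, packet.bytesize)]
end

# Accepts packets in any arrival order; add returns the joined payload once
# every index from 0 to the final one has been seen, otherwise nil.
class Reassembler
  def initialize
    @parts = {}
    @last = nil
  end

  def add(packet)
    index, final, payload = parse_split(packet)
    return nil if index.nil?
    @parts[index] ||= payload        # a duplicate does not replace the first copy
    @last = index if final
    return nil unless @last && (0..@last).all? { |i| @parts.key?(i) }
    (0..@last).map { |i| @parts[i] }.join
  end
end
```

Rejecting oversized packets and out-of-range indexes before storing anything keeps a malformed or hostile reply from growing the buffer beyond the limits stated in the thread.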
Hi all,
I only came across this thread last night and found it a very interesting read (especially the part about ACE being a botnet - naughty ACE team!!!).
Anyway, after reading the full thread I am a little confused as to what the solution is for my server...
1. I have been keeping it up to date with the latest betas (for OA).
2. I have not rebooted it for a few weeks (actually a lot of a few weeks).
Does the latest beta also install the latest BattlEye?
Should I re-boot the server? It is in use 24 hours so I have to pick a good time to re-boot.
Is there anything I need to add to the server.cfg for Arma2OAServer?
I got a traffic alert from the datacentre a few weeks ago, but this was at the same time as I released a new app to the server (it also has to work for its keep) so I can't be sure if I fell foul of this exploit or not.
Apologies if the answer is already posted, but there is a lot of info in this thread and it's hard to see where the diagnosis ends and the solution starts!! All good stuff though.
Sickboy
Aug 15 2011, 07:47
Hey Jedra,
BIS has activated the improved gamespy protocol a couple of weeks ago, if you haven't rebooted your server since then, please do, so the new protocol is activated.
BE afaik updates automatically at server start or mission start.
Having both will protect you best.
Hey Jedra,
BIS has activated the improved gamespy protocol a couple of weeks ago, if you haven't rebooted your server since then, please do, so the new protocol is activated.
BE afaik updates automatically at server start or mission start.
Having both will protect you best.
Cheers, thanks for the response. Some of the corporations I have slaved myself to in the past would have killed for this kind of collective diagnosis!
eddieck
Aug 15 2011, 18:22
Ah a fellow Rubyist eh :) Ahoy!
This is what I use; https://github.com/sickboy/six-updater-gui/blob/develop/SixUpdaterGui/Applications/six/query/gamespy.rb#L215
But the UDPSocket/Client I'm using isn't the one from Ruby but from .NET, so you'll have to switch that.
The problem in your implementation seems to be that you're returning the challenge response as numbers, while you should convert it to string (I'm using sprintf).
Btw Max Packet size is 1400 not 512, and you can receive up to 7 of them, splitnum tells you which ID this packet has and if it's the last packet.
And interesting use case - kudos to you :)
---------- Post added at 09:17 ---------- Previous post was at 09:03 ----------
BTW, there's a bug currently in Arma gamespy implementation, if a single server info field value cannot fit in a single packet, http://dev-heaven.net/issues/23389
(The ticket also contains 2 links to some example packet output, the linked pastie also includes my response incl challenge).
Thanks!
I'm only forwarding on the "browser info" packet - the one that provides the server name, mod details, number of players, and status/mission. The player names and other data are sent in a different packet, I believe. I've only seen the browser info use one packet, at least with the default BAF/PMC mods.
I don't expect anyone with very long mod fields to be using this (chances are that with so many mods, they'd have a private server for friends/members and wouldn't care about the yellow browser anyway), so I'm just going to assume one packet only to avoid the added complexity. If it does become an issue, that can always be changed later.
And of course, I'll post the finished version in the Linux server thread. I already have the work-in-progress version posted there.
---------- Post added at 11:22 ---------- Previous post was at 10:30 ----------
Sickboy, I got the queries working. Thanks!
What I'm trying to do now: the packet I'm sending seems to be the full info packet. I can't seem to figure out how to get the server browser info query - the one that only provides the server name, version, mods, platform, and the hash. This is the packet I'm looking for:
0000 00 57 8d 65 d6 5b 54 65 61 6d 44 65 61 64 6c 79 .W.e.[TeamDeadly
0010 2e 63 6f 6d 5d 20 5a 61 72 67 61 62 61 64 20 4c .com] Zargabad L
0020 69 66 65 20 32 00 00 36 00 34 35 00 5a 61 72 67 ife 2..6.45.Zarg
0030 61 62 61 64 00 54 65 61 6d 00 5a 61 72 67 61 62 abad.Team.Zargab
0040 61 64 20 4c 69 66 65 20 49 49 20 28 47 61 6e 67 ad Life II (Gang
0050 20 57 61 72 46 61 72 65 29 00 31 35 00 30 00 30 WarFare).15.0.0
0060 00 32 30 30 35 00 31 35 39 00 31 35 39 00 41 72 .2005.159.159.Ar
0070 6d 61 20 32 3a 20 4f 70 65 72 61 74 69 6f 6e 20 ma 2: Operation
0080 41 72 72 6f 77 68 65 61 64 3b 41 72 6d 61 20 32 Arrowhead;Arma 2
0090 3a 20 42 72 69 74 69 73 68 20 41 72 6d 65 64 20 : British Armed
00a0 46 6f 72 63 65 73 20 28 4c 69 74 65 29 3b 41 72 Forces (Lite);Ar
00b0 6d 61 20 32 3a 20 50 72 69 76 61 74 65 20 4d 69 ma 2: Private Mi
00c0 6c 69 74 61 72 79 20 43 6f 6d 70 61 6e 79 20 28 litary Company (
00d0 4c 69 74 65 29 00 30 00 37 00 31 00 6c 69 6e 75 Lite).0.7.1.linu
00e0 78 00 36 35 35 34 35 00 00 31 00 31 00 6a 73 72 x.65545..1.1.jsr
00f0 73 66 61 3b 62 69 00 31 00 50 4d 43 20 76 2e 20 sfa;bi.1.PMC v.
0100 31 2e 30 31 3b 42 41 46 20 76 2e 20 31 2e 30 32 1.01;BAF v. 1.02
0110 3b 64 61 33 39 61 33 65 65 35 65 36 62 34 62 30 ;da39a3ee5e6b4b0
0120 64 33 32 35 35 62 66 65 66 39 35 36 30 31 38 39 d3255bfef9560189
0130 30 61 66 64 38 30 37 30 39 00 0afd80709.
To get that, here's what the game sent:
0000 fe fd 00 57 8d 65 d6 42 2d f7 77 19 01 04 08 0a ...W.e.B-.w.....
0010 05 06 6f 10 13 64 65 66 67 68 69 6a 6b 6c 6d 1f ..o..defghijklm.
0020 6e 70 72 71 73 00 00 nprqs..
I assumed the last 4 bytes (0x71730000) to be what I need, but that's not working.
The random ID seems to be 0x188D65D6, and the last 3 bytes of that seem to be present in both packets. Not sure where the 0x18 went though.
Sickboy
Aug 16 2011, 06:10
Try to use this as the query part of the packet you send;
0xFF, 0x00, 0x00, 0x00 (notice the last byte not being 0x01)
or leave out that 4th byte:
0xFF, 0x00, 0x00
But hmm, the game seems to send and receive some specific/special format, e.g the returned packet is lacking field names... the above probably wouldn't make that happen.
eddieck
Aug 16 2011, 16:56
Try to use this as the query part of the packet you send;
0xFF, 0x00, 0x00, 0x00 (notice the last byte not being 0x01)
or leave out that 4th byte:
0xFF, 0x00, 0x00
But hmm, the game seems to send and receive some specific/special format, e.g the returned packet is lacking field names... the above probably wouldn't make that happen.
Thanks - that's much closer, but still not the exact same. Probably the closest I'll get at least using the "public" protocol.
The game definitely seems to be using another format - the response to the challenge seems to be much longer as well.
Either way, I think I've got enough info from the response to parse it and create my own response that's similar to the original. That's probably the best way to go at this point.
eddieck
Aug 16 2011, 21:06
Found it:
\x19\x01\x04\x08\x0a\x05\x06\x6f\x10\x13\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x1f\x6e\x70\x72\x71\x73\x00\x00
This returns the proper output without the field names. No clue why it's so long - but it works.
(Now I'm trying to figure out PacketFu - doesn't seem to be sending the packet properly, with the source port.)