Patch the game to prevent DDOS exploit please!

[PreedSwe]

As it stands, currently ArmA server can be attacked by a DDOS attack using spoofed IP's to make the gameserver in turn send replies to the spoofed IP.
This has happened to our server lately and I have had to nullroute several subnets and send apologizing emails to host providers after receiving abuse emails from them.

Make the game handshake by having the client send a request, server replies ok, but please send back this cookie, client replies with cookie and server establishes session..

/ Preed

[=WFL= Sgt Bilko]

Not sure I understand how this will prevent the attacker from spamming initial requests and the server forwarding the spam by replying "OK" to the spoofed IP (with or without "cookie")?

Don't get me wrong, I look forward to a working generic solution, since this problem is rampaging in many other games as well.

[PreedSwe]

Well, it prevents amplification.. But I guess maybe you could also throw in a time based block on traffic from that IP for a period of time.. Like 30 seconds, if the spoofed IP doesn't reply back like the gameserver expects..
Another way could be to have a control connection on TCP.. And not respond to any traffic from an ip that doesnt have a corresponding TCP connection.. But this will take a bit more work to implement.

[Andrews]

Hey Preed,

I too have experienced this. Would be interested in finding a solution.

[Leopardi]

"organized" attacks aren't the real problem, but simply thousands of people trying to get on DayZ servers by spamming enter which causes servers to die.

[Sickboy]

Are you guys referring to GameSpy query, or actual game traffic? Because re GameSpy they switched to the protocol revision with handshake some months ago?
Perhaps good idea to make a private ticket on the Community Issue Tracker with some more details, perhaps logs etc.

[Dwarden]

provide proof of concept , to my email (obviously obvious my nickname on forum at bistudio.com)

[BasileyOne]

1. Heavily tune firewall. switch from FW-grimmick lick conntrack stuff to something more serious. like zorp or so. in especially-hostile environment, turn on and tune convener-attacking feats.
[sometimes]it would be surprising to attacker 2 see message shortly before being offended too. not recommended "in general".
2. deploy/update/configure full-scale IPS/IDS, such as Snort, Suricata and etc.
3. purchase hardware IPS/Firewall thingy. partially offload/shrug-off ~40% of stuff.
4. ENFORCE DEP/NX full-time[Windows users can use something like "bcdedit.exe/set nx AlwaysOn" with administrator privilege/rights, for reference].
5. put tiny/LW EWS IDS-stuff, alike PSAD on server and heavily tune it on-topic too.

[Imago]

Well, it prevents amplification.. But I guess maybe you could also throw in a time based block on traffic from that IP for a period of time.. Like 30 seconds, if the spoofed IP doesn't reply back like the gameserver expects..
Another way could be to have a control connection on TCP.. And not respond to any traffic from an ip that doesnt have a corresponding TCP connection.. But this will take a bit more work to implement.

Hi Preed. The Life Mission servers have always been targets of multi source packet flood attack as you say DDOS exploit (lol)

Here is what I did:

Make your server appear down to Novatech0, no matter where he is trying to "see your server" from. He'll think he has won and the attack will cease.

Also order him a pizza? *nod to da. / AAA*

For obvious reasons I will not disclose any technical details here. Catch me creeping on these TS3 servers for now 72.20.13.74, ts3.arma2life.com:9988 or ts3.lifeprojectrpg.com if you'd like more infos.

[SnR]

Or send your infos to Dwarden. Thanks.