DDoS and now something new again?
-
@Nuggets One could damage their connection, thus disconnecting from FAF and chat, and then only reconnect to FAF.
-
@Nuggets said in DDoS and now something new again?:
This is kind of a massive issue. The attacker(s) can find out everyone's IP without being in the game itself and without connecting to the lobby (as I had restrictions enabled).
If I didn't know better, I would say it's the live replay, where you can watch as an observer with a delay of a few minutes.
When you read about people's experiences, it's usually during these 3-5 minutes that there are in-game problems.
Are the IPs transmitted when connecting to a live replay, or can someone intercept them?
This particular problem doesn't seem to exist in matchmaking (at least one person has written about this).
I don't play matchmaking (ladder) myself, only global. So custom games.
In other words, what is displayed as a live replay. Perhaps the live replay should be disabled on a trial basis.
-
@Sturmgewehr Matchmaker games are present in live replays.
-
@Kilatamoro said in DDoS and now something new again?:
@Sturmgewehr I am pretty sure matchmaker games are also in live replays. Why wouldn't they be?
The attacker must be getting the IPs from somewhere during ongoing games.
If it's from the chat system, he could attack all IPs at once. But it happens a few minutes after a game has started.
So he must know when a game has started, and he could find that out via the live replays (how else?).
Perhaps matchmaking (ladder) games are not attacked because there are too few players/too little effect, because there are few players in a match and it's not worth it? Who knows, there must be some motivation behind it.
At least I can say that custom games with +10 players are very often attacked. If they are attacks. No one is commenting on the situation.
-
@Sturmgewehr People say he attacks games with specific players, like streamers.
-
Our IRC should not expose IPs. The live-replay server surely does not expose IPs.
However, if you are in a custom lobby and someone connects to you, then you expose your IP for the direct p2p connection.
-
@Brutus5000, did you know that no RU streamer can stream FAF, because they have been DDoSing since February non-stop? As soon as they start a game, they literally follow at least me, Putin and Robogear even at night. And if I played without a stream, everything was OK. But now they have started DDoSing everyone, so why not make the same adapter as in GAF, that hides your IP? I'm sure that they DDoSed FAF to try to lure players to their server.
-
This problem has been going on for more than two years, what's the problem with making a new connector so as not to show the IP? Is there really any doubt that this is a DDoS or is there hope that it will somehow stop on its own? I assure you, FAF will be killed if nothing is done now. These DDoSers will do this endlessly.
-
The ice adapter can do that in theory. This is called using a relay server. We used to run our own but they get killed by DDoS too. Now we are running the relay servers at a 3rd party provider but they are very expensive, so we cannot allow everybody to use it just to hide their IPs.
We tried a cheaper provider but it doesn't work with the current ice adapter. So we're trying to rewrite it, but it doesn't work reliably beyond 1v1.
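
The relay-only idea from the post above, as an added example that is not part of the original post and is not FAF ice adapter code: it assumes the standard SDP `candidate:` syntax, keeps only `typ relay` candidates, and blanks the related address as RFC 8839 allows. The function names and the sample candidates are constructed for illustration.

```python
import ipaddress

# Constructed sample candidates (RFC 5737 documentation addresses, not real players).
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2130706431 192.168.1.20 50000 typ host",
    "candidate:2 1 udp 1694498815 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000",
    "candidate:3 1 udp 16777215 198.51.100.10 61000 typ relay raddr 203.0.113.7 rport 50000",
]

def parse_candidate(line):
    """Split one 'candidate:' attribute into its fixed fields plus extensions."""
    fields = line.strip().split(":", 1)[-1].split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError(f"not an ICE candidate: {line!r}")
    keys = ("foundation", "component", "transport", "priority", "address", "port")
    cand = dict(zip(keys, fields[:6]))
    cand["type"] = fields[7]
    cand["ext"] = dict(zip(fields[8::2], fields[9::2]))  # e.g. raddr/rport
    return cand

def relay_only(lines):
    """Keep relay candidates only and blank their related address (RFC 8839)."""
    kept = []
    for line in lines:
        c = parse_candidate(line)
        if c["type"] != "relay":
            continue  # host/srflx/prflx candidates carry the player's own address
        ext = dict(c["ext"])
        if "raddr" in ext:
            # A relay candidate's raddr is the client's mapped address: scrub it.
            v6 = ipaddress.ip_address(c["address"]).version == 6
            ext["raddr"], ext["rport"] = ("::" if v6 else "0.0.0.0"), "9"
        parts = [c[k] for k in ("foundation", "component", "transport",
                                "priority", "address", "port")]
        parts += ["typ", "relay"] + [x for kv in ext.items() for x in kv]
        kept.append("candidate:" + " ".join(parts))
    return kept

def exposed_addresses(lines):
    """Every non-placeholder address a remote peer could read from these candidates."""
    seen = set()
    for line in lines:
        c = parse_candidate(line)
        for addr in (c["address"], c["ext"].get("raddr")):
            if addr and not ipaddress.ip_address(addr).is_unspecified:
                seen.add(addr)
    return seen

if __name__ == "__main__":
    print(exposed_addresses(SAMPLE_CANDIDATES))
    print(relay_only(SAMPLE_CANDIDATES))
```

Filtering alone is not enough: an unscrubbed relay candidate still carries the player's public address in `raddr`, which is why the example rewrites it.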
-
@Brutus5000 said in DDoS and now something new again?:
The ice adapter can do that in theory. This is called using a relay server. We used to run our own but they get killed by DDoS too. Now we are running the relay servers at a 3rd party provider but they are very expensive, so we cannot allow everybody to use it just to hide their IPs.
We tried a cheaper provider but it doesn't work with the current ice adapter. So we're trying to rewrite it, but it doesn't work reliably beyond 1v1.
I'm sure you have statistics for everything.
How much would it cost to force all game sessions to run via relay servers and prevent player-to-player connections from being established? How much would need to be collected each month to cover the costs?
https://www.patreon.com/faf
Since IPs are not transmitted via the chat system or the live replay (which is once again a Hetzner server 167.235.217.62), only the custom lobbies would be affected anyway, because in matchmaking, the attacker would first have to manage to get into the randomly assembled match in order to obtain the IPs.
If he can't access the IPs anywhere else via a security vulnerability... It doesn't have to be forever, a test for a few weeks is enough to see how the situation is in terms of connection quality/disconnections (force all game sessions to run via relay servers).
-
The statistics of our provider are broken because our library doesn't correctly terminate connections, so we just don't know.
Assuming currently only 5% of connections run through a relay, upscaling this to 100% would increase traffic to 20x, so we'd go from ~100GB to 2TB. Since prices go down the more bandwidth you use with our current provider we'd be at 499$ per month (you can look up the pricing here https://xirsys.com/pricing)
-
The only solution for now is to friend all players you'd want to play with and host for friends only or host with password.
-
@Ctrl-K Or matchmaker, and get suspicious of who you play with, as if your local connection drops, they may be responsible. And the less players, the safer it is.
-
@Ctrl-K said in DDoS and now something new again?:
The only solution for now is to friend all players you'd want to play with and host for friends only or host with password.
I don't think that's the solution actually. I'm enforcing rating so others can't join; Rezy hosts for friends only. It still happens.
Although I'm not 100% sure if it happens to Rezy's lobbies..
-
It is unclear to me whether these sudden disconnects are related to background DDoS activity, or specifically targeted attacks, or unexpected bugs in FAF, or connection issues on the user's side, or a combination of all of 'em.
I can offer to look into targeted DDoS cases, but to do so, I need specific logs and timestamps when it occurred.
To be clear: I will not be able to solve the issue, but perhaps together we can find a strategy, or can narrow it down.
Hopefully, the core issue will be resolved in the future - until then, if you have time to spare and want someone to look over your case, please create a moderation ticket in Discord and ping me.
-
@magge said in DDoS and now something new again?:
but to do so, I need specific logs and timestamps when it occurred.
How can we provide it? Is there a need to enable specific log settings in the client?
-
The FAF-related logs would include the game log, IRC log, and ICE log with the exact timestamps when the issue occurred.
Additional helpful logs would be from network diagnostic tools, network/router and/or firewall logs. These are more user/system/environment-specific and need to be handled individually in the ticket itself.
All these (additional) logs may probably be beyond the scope of the average user to know about, but I will try to keep the instructions as simple as possible to help find this information.
-
There are many log options in the client that are disabled by default. For a guideline one would not only need to specify where to find them, but also which bars to enable to begin with. Should the log be DEBUG or TRACE? I don't see an IRC log option here, am I missing anything?

-
Who are the people who have access to players' IPs?
xirsys.com
...
...
-
I got DDoS'd the first and only time when I clicked on this guy's link. Ever since my internet recovered I seem to be the laggy one in games. I think he was farming our IPs as soon as we open his randomly generated cat girl links. The DDoS happened exactly after the game finished. Replay: #25421055
- How can I see who the host of this game was?
- How can I see past DM conversation with him in FAF? That's where the link is that he sent me, after which I got DDoS'd and never recovered fully to have smooth games again.


