MantisBT - Zandronum
View Issue Details
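ID: 0000680
Project: Zandronum
Category: [All Projects] Bug
View Status: public
Date Submitted: 2012-02-19 15:59
Last Update: 2018-09-30 22:38
Reporter: AlexMax
Assigned To: Torr Samaho
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 98d
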
0000680: Connection DDoS Mitigation
It seems that Skulltag 98d is vulnerable to a DDoS where someone connects and repeatedly passes bad version information. I think that temporarily banning IPs that make X bad connection attempts in Y amount of time would be a good idea. It should be a short ban, but the 'start time' of the ban should automatically update for as long as the flood from that IP is going on.
No tags attached.
Issue History
2012-02-19 15:59 | AlexMax | New Issue
2012-02-19 15:59 | AlexMax | Note Added: 0002645
2012-02-19 16:49 | Konar6 | Note Added: 0002646
2012-02-19 19:54 | Dusk | Note Added: 0002647
2012-02-19 19:55 | Dusk | Note Edited: 0002647
2012-02-19 19:59 | Dusk | Note Edited: 0002647
2012-02-19 23:32 | Torr Samaho | Note Added: 0002648
2012-02-19 23:33 | Torr Samaho | Assigned To: => Torr Samaho
2012-02-19 23:33 | Torr Samaho | Status: new => feedback
2012-02-19 23:33 | Dusk | Note Added: 0002649
2012-02-19 23:34 | Dusk | Note Edited: 0002649
2012-02-19 23:59 | Torr Samaho | Note Added: 0002650
2012-06-09 13:22 | Torr Samaho | Category: General => Bug
2015-09-01 21:00 | Dusk | Note Added: 0013377
2015-09-01 21:00 | Dusk | Status: feedback => resolved
2015-09-01 21:00 | Dusk | Resolution: open => fixed
2015-09-01 21:00 | Dusk | Note Edited: 0013377
2018-09-30 22:38 | Blzut3 | Status: resolved => closed

Notes
(0002645)
AlexMax   
2012-02-19 15:59   
Here is the original topic where someone reported this issue:

http://www.skulltag.com/forum/viewtopic.php?f=172&t=30906
(0002646)
Konar6   
2012-02-19 16:49   
Note that this attack is immune from server bans. The connection is still processed and logged, which sends the server to a lagging hell and makes the logs tens of megabytes big within seconds.
Possible solution - ban and ignore the offending IP completely. Have the server check whether the client is banned prior to further communicating with it. Currently it checks other stuff before that. Also don't log those "X bad connection attempts in Y amount of time".
(0002647)
Dusk   
2012-02-19 19:54   
(edited on: 2012-02-19 19:59)
I whipped up a throttle system to mitigate too quickly reconnecting clients as an afternoon challenge of sorts :P . If a client connects twice every sv_throttlethreshold seconds, they get ignored for 10 seconds.

https://bitbucket.org/CrimsonDusk/notebola/changeset/12cdaab115bb

Not sure how well it works in practice or if there's a better way to implement this, I can only test this on my local machine and that's not really good enough, other than that it technically works. If I reconnect too quickly to my server I do get throttled but does it help under a real DDOS?

(0002648)
Torr Samaho   
2012-02-19 23:32   
I don't think that this kind of throttling is better than Skulltag's existing anti-flood mechanism. So I extended the existing mechanism to take care of this by ignoring any further net packet from an IP of a client that was disconnected due to an error for 10 seconds: https://bitbucket.org/Torr_Samaho/skulltag/changeset/977a8d543834
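
An added example, not code from Skulltag or from either changeset linked in this ticket: it combines the points raised above, checking the ignore list before any parsing or logging, ignoring an address after X bad attempts in Y seconds, and restarting the ignore period while the flood continues. All names are hypothetical, X = 3 and Y = 5 s are assumed values, and the 10 second period is the one mentioned in the notes.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical names; an illustration, not Skulltag's code.
class ConnectionFloodGuard {
public:
    ConnectionFloodGuard(int maxBad, int64_t windowSec, int64_t ignoreSec)
        : maxBad_(maxBad), windowSec_(windowSec), ignoreSec_(ignoreSec) {}

    // Call first for every packet, before any parsing or logging.
    // Returns true if the packet must be dropped silently.
    bool shouldIgnore(const std::string &ip, int64_t now) {
        auto it = peers_.find(ip);
        if (it == peers_.end() || now >= it->second.ignoreUntil) return false;
        it->second.ignoreUntil = now + ignoreSec_;  // flood continues: restart the ban
        return true;
    }

    // Call when a connection attempt is rejected, e.g. for bad version information.
    void onBadAttempt(const std::string &ip, int64_t now) {
        Peer &p = peers_[ip];
        if (now - p.windowStart >= windowSec_) { p.windowStart = now; p.badCount = 0; }
        if (++p.badCount >= maxBad_) { p.ignoreUntil = now + ignoreSec_; p.badCount = 0; }
    }

private:
    struct Peer { int64_t windowStart = 0, ignoreUntil = 0; int badCount = 0; };
    int maxBad_;
    int64_t windowSec_, ignoreSec_;
    std::unordered_map<std::string, Peer> peers_;
};

// Constructed scenario: one address sends a bad handshake at each time (seconds).
// Returns how many of them the server actually parsed and logged.
int processedCount(const std::vector<int64_t> &times) {
    ConnectionFloodGuard guard(3, 5, 10);  // X = 3 bad attempts, Y = 5 s, 10 s ban
    const std::string ip = "203.0.113.7";  // documentation address, constructed
    int processed = 0;
    for (int64_t t : times) {
        if (guard.shouldIgnore(ip, t)) continue;  // no parse, no log line
        ++processed;
        guard.onBadAttempt(ip, t);
    }
    return processed;
}

int main() {
    std::cout << processedCount({0, 1, 2, 3, 4, 5, 6, 7, 8}) << "\n";
}
```

A production version would also expire old entries so the table cannot grow without bound.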
(0002649)
Dusk   
2012-02-19 23:33   
(edited on: 2012-02-19 23:34)
Ah damn. How come I never thought of that...? Oh well... still good practice. :)

(0002650)
Torr Samaho   
2012-02-19 23:59   
> How come I never thought of that...?

Don't worry. Considering that you've only had access to the source for one week, you're doing pretty well :).
(0013377)
Dusk   
2015-09-01 21:00   
Was addressed in Skulltag 98e but never closed for whatever reason.

Man, I look so naive in my posting in this ticket.