
AAC New DDoS on Tibia sites and extortion

roriscrave

Advanced OT User
Joined
Dec 7, 2011
Messages
1,188
Solutions
34
Reaction score
200
Recently a person contacted me and said that he can take down the sites of 95% of the otlist servers.
He took down my site and took down some other sites to prove to me that he could do it.
And he is asking for money to give a 'possible solution'.

He said he brought this DDoS from other MMORPGs (he calls it a proxy).
Even websites with Cloudflare are down; I will send some information below.

1) He attacked a server with about 800 players online and Cloudflare (https://ntoultimate.com.br/)
error on the website during the attack:
2) He attacked a server with about 1000 players online and Cloudflare (otPokemon Jogar Pokémon Online MMORPG (https://otpokemon.com/))
error on the website during the attack:
3) He tried to attack kasteria.pl and was unsuccessful.

4) The screenshot he sent me of how he attacks the site:

5) When he attacked my website, I used this command in Linux to check all connections, and oddly enough, the IP that was attacking me was 127.0.0.1 (localhost):
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Note: he took down the sites of several servers, sites on Gesior, Znote and MyAAC.
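
Added example, not from the original post or any of the posters: the same per-peer connection count as the netstat pipeline above, but done in a way that survives real traffic. The `cut -d: -f1` step strips everything after the first colon, so IPv6 and IPv4-mapped peers (`[::ffff:1.2.3.4]:port`) are mangled, and the pipeline counts every socket state, TIME_WAIT included, not just the connections that actually hold a worker. The sample `ss -Htn` output and the threshold are constructed for the demonstration.

```python
"""Count ESTABLISHED TCP connections per peer IP from `ss -Htn` output.

Added example (not code from the thread). Input is the output of
`ss -Htn` (no header, numeric, TCP): State Recv-Q Send-Q Local:Port Peer:Port.
"""
from __future__ import annotations

import ipaddress
import sys
from collections import Counter

# Constructed sample: one peer holding four connections (one of them through the
# IPv4-mapped IPv6 form), one IPv6 peer, one TIME-WAIT socket, three loopback
# connections (what a local reverse proxy in front of Apache looks like) and one
# game-server connection on port 6968.
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51235
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51236
ESTAB 0 0 [::ffff:203.0.113.10]:80 [::ffff:198.51.100.7]:51237
ESTAB 0 0 [2001:db8::10]:80 [2001:db8:abcd::77]:40001
TIME-WAIT 0 0 203.0.113.10:80 192.0.2.33:6000
ESTAB 0 0 127.0.0.1:80 127.0.0.1:45000
ESTAB 0 0 127.0.0.1:80 127.0.0.1:45001
ESTAB 0 0 127.0.0.1:80 127.0.0.1:45002
ESTAB 0 0 203.0.113.10:6968 192.0.2.55:7000
"""


def peer_ip(endpoint: str) -> str:
    """Return the IP part of an `addr:port` endpoint.

    Splitting on the LAST colon keeps IPv6 addresses intact (the netstat
    pipeline's `cut -d: -f1` does not); IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is folded back to a.b.c.d so one host is counted under one key.
    """
    host, _, _port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def established_per_peer(ss_output: str, local_port: int | None = None) -> Counter[str]:
    """Count ESTABLISHED connections per peer IP, optionally for one local port."""
    counts: Counter[str] = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # TIME-WAIT etc. hold no worker; the original pipeline counted them
        local, peer = fields[3], fields[4]
        if local_port is not None and int(local.rpartition(":")[2]) != local_port:
            continue
        counts[peer_ip(peer)] += 1
    return counts


def suspicious_peers(counts: Counter[str], threshold: int = 3) -> dict[str, int]:
    """Peers holding at least `threshold` connections.

    Loopback is left out on purpose: with a local reverse proxy in front of
    the web server every client shows up as 127.0.0.1, and the count has to
    be taken one hop further out (on the proxy) to mean anything.
    """
    return {
        ip: n
        for ip, n in counts.items()
        if n >= threshold and not ipaddress.ip_address(ip).is_loopback
    }


if __name__ == "__main__":
    # Usage: ss -Htn | python3 conncount.py   (falls back to the sample when run bare)
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    by_peer = established_per_peer(text)
    for ip, n in by_peer.most_common(10):
        print(f"{n:5d} {ip}")
    print("suspicious:", suspicious_peers(by_peer))
```

Run it as `ss -Htn | python3 conncount.py`. The `-H` flag matters: with a header line the first row would be parsed as data, which is the same mistake the `awk '{print $5}'` pipeline makes with netstat's two header lines.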
 
Sounds like they are doing a connection drain attack: using a bot fleet, open up connections (either sending data slowly or not at all) and keep them open until you drain the server, preventing any real client from being able to establish a new TCP connection.

You can't do much if your architecture is a single server, and I'm guessing Cloudflare can't do much either if your entire model is forwarding all connections to the application, because how would they know which one to block? But I'm just speculating here.
 
I don't know if it's the same person, but I have DDoS problems now.

[attached screenshot: 9ca5d81aef1ebe9aef0ff5141d3e9b5e.png]
 
Those seem to be UDP packets?
I don't know about newer versions of OpenTibia in general (well, anything after 2011...), but AFAIK you don't need UDP ports open, only TCP. Close all UDP ports...
 
That is what surprises me.

The only open ports are:
80 (Apache) and 6968 (server)
both TCP
I also don't have port 7171 open.

But I have UDP attack packets on a port that I don't have open xd
 
The only solution was to rewrite the whole site (kasteria.pl has an account maker made just for that server) to make it work as well as possible with Cloudflare.
It took 400 hours to rewrite it, so for most server hosters it's impossible to protect against that kind of attack. You also need an optimized Linux configuration, network infrastructure and really good hardware. At the time of that attack kasteria was hosted on a few dedicated servers that in total cost over 700 euro per month...
... and with all that work and money the kasteria.pl server is still not 100% protected. The only real change for kasteria is that DDoSing the website cannot affect the game server. It is also prepared to switch to a paid Cloudflare plan and become 100% protected, but it would cost an extra 1000-5000 euro per month!

> That is what surprises me.
>
> The only open ports are:
> 80 (Apache) and 6968 (server)
> both TCP
> I also don't have port 7171 open.
>
> But I have UDP attack packets on a port that I don't have open xd

In the case of the OVH datacenter, you can close ports on the anti-DDoS firewall (OVH panel -> dedicated servers -> IP (left panel) -> firewall) and that makes the packets not route to your server. It can handle gigabytes per second easily.
You can also block types of packets like UDP and GRE. Just make them not route to your server.
Closing ports on the machine is almost useless, as these packets still come to your machine and waste MB/s of your server's bandwidth.
 
Social engineer that mfucker into some website you host and get his IP; even if it's a proxy/VPN you can start a dox from there.

He should feel really 1337 with his stupid booter, probably some misconfigured Mirai shit.

Shoot me a PM and I'll help you track down that bitch and we'll fucking swat him.

Lol, I get angry at DDoS skids, sorry, but shoot me a PM and I'll do my best to track down that motherfucker.
 
Possible solution: the 5 downed sites (Znote, Gesior, MyAAC) all use Apache.
The 3 sites he failed to take down (2 Gesior and 1 Znote) all use nginx.
I believe it may be a flaw in some default Apache configuration.
I switched to nginx and so far I haven't had any problems; I will still leave the topic open for a few days before giving the final result.
 
Some random Portuguese rookie who's trying to make a living off being a scumbag and fraud. Track him down & eliminate.
 
There is one way to kill web servers using Apache. I don't think it's allowed to post a link here, but yeah, the best solution is to either use nginx or set a strict keep-alive policy.
 
I can do so if someone from the mod team approves it. I don't want to get on their bad side again after being so good for the past few years.
 
There was an exhaustion attack on old Apache versions; maybe you were using an affected version. Always remember to set up proper timeouts on your HTTP server...

Maybe this pro hacker is just running Slowloris attacks on very old Apache servers =P
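
Added example, not code from the thread, from Apache or from nginx: the "proper timeouts" the two posts above ask for, shown on plain Python sockets. A Slowloris-style client sends request headers a few bytes at a time, or stops mid-header, and never closes; a reader with no deadline keeps a worker busy for each such connection until the pool is exhausted. The hardened reader below enforces both a per-read idle timeout and an absolute deadline for the request head, which is what Apache's mod_reqtimeout (`RequestReadTimeout`) and nginx's `client_header_timeout` do in production. The client scripts and the timeout values are constructed for the demonstration.

```python
"""Reading an HTTP request head with and without a deadline.

Added example (not from the thread, Apache or nginx). `read_request_head_naive`
is the vulnerable pattern; `read_request_head` is the hardened one. `simulate`
drives either reader against a scripted client on a socketpair.
"""
import socket
import threading
import time

MAX_HEAD = 8192  # cap on the request head, so endless tiny headers cannot stall the reader


class SlowClientError(Exception):
    """The peer did not deliver a complete request head in time."""


def read_request_head_naive(conn):
    """Vulnerable reader: blocks until the blank line arrives, however long the
    client takes. One such client per worker is enough to exhaust a prefork pool."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("client closed before sending a full head")
        buf += chunk
    return buf


def read_request_head(conn, head_timeout=5.0, idle_timeout=1.0):
    """Hardened reader: an absolute deadline for the whole head plus a per-recv
    idle timeout, so neither a stalled client nor one trickling a byte at a
    time can hold the connection past `head_timeout`."""
    deadline = time.monotonic() + head_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowClientError("request head not completed within deadline")
        if len(buf) >= MAX_HEAD:
            raise SlowClientError("request head too large")
        conn.settimeout(min(idle_timeout, remaining))
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise SlowClientError("client stalled mid-header") from None
        if not chunk:
            raise ConnectionError("client closed before sending a full head")
        buf += chunk
    return buf


# Constructed client behaviours as (seconds to wait, bytes to send) steps.
FAST_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")]
SLOW_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n"), (0.4, b"Host: example\r\n"), (0.4, b"X-a: 1\r\n")]
TRICKLE_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n")] + [(0.1, b"X-%d: a\r\n" % i) for i in range(30)]


def simulate(client_script, reader, **reader_kwargs):
    """Run `reader` on one end of a socketpair while a thread plays the client
    script on the other end and then keeps the socket open (the attacker never
    closes). Returns ("ok", head) or ("dropped", reason)."""
    server, client = socket.socketpair()
    finished = threading.Event()

    def client_side():
        try:
            for delay, data in client_script:
                if finished.wait(delay):  # sleep, but stop once the reader is done
                    break
                client.sendall(data)
            finished.wait()  # hold the connection open until the reader gives up
        except OSError:
            pass
        finally:
            client.close()

    worker = threading.Thread(target=client_side, daemon=True)
    worker.start()
    try:
        return "ok", reader(server, **reader_kwargs)
    except SlowClientError as exc:
        return "dropped", str(exc)
    finally:
        finished.set()
        server.close()
        worker.join(timeout=1.0)


if __name__ == "__main__":
    for name, script in (("fast", FAST_CLIENT), ("slow", SLOW_CLIENT), ("trickle", TRICKLE_CLIENT)):
        status, detail = simulate(script, read_request_head, head_timeout=0.6, idle_timeout=0.2)
        print(f"{name:8s} -> {status}: {detail!r}")
```

The naive reader is deliberately not run against the slow clients, because it would simply never return; that is the whole point. On a real server the same limits come from configuration rather than code: Apache 2.4 ships mod_reqtimeout with `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`, nginx has `client_header_timeout` and `client_body_timeout`, and a short `KeepAliveTimeout` covers the variant where the attacker finishes one request and then holds the idle keep-alive connection.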
 
Maybe posting it will help awareness and fixing attempts.
It's dead simple: just make an infinite loop of an image from a website you want to kill.

Nothing new; DDoS is something that is resolved once you dox whoever is poking your assets and report him to the correct authorities with proof.
 
Ok, let's talk about some of the things you guys mentioned.

> 5) When he attacked my website, I used this command in Linux to check all connections, and oddly enough, the IP that was attacking me was 127.0.0.1 (localhost)

IP spoofing in DDoS attacks is quite common. It's easy to do and works without any problems as long as you use UDP. UDP, unlike TCP, doesn't require any acknowledgments and is therefore a much lighter protocol. But it also brings its disadvantages.

> You can't do much if your architecture is a single server

Well, if that's all you've got, true.

> and I'm guessing Cloudflare can't do much either if your entire model is forwarding all connections to the application, because how would they know which one to block? But I'm just speculating here.

Well, they can, but of course they also need to stay up to date.
But what you guys seem not to know about Cloudflare is that they support neither the UDP protocol nor any port or protocol besides the HTTP ports and HTTP itself, if you understand what I mean. So only the default ports like 80, 443, 8080, 8443 and HTTP itself. And that's it.
Now you can forward any other protocol and port, but that will remove a huge part of your protection, and it's going to be much easier (actually really easy if you know what you're doing) to figure out your real IP.

> Those seem to be UDP packets?
> I don't know about newer versions of OpenTibia in general (well, anything after 2011...), but AFAIK you don't need UDP ports open, only TCP. Close all UDP ports...

DDoS is generally done using UDP because of its structure and simply the way the protocol works. But yes, closing UDP ports is definitely helpful, since you don't need any UDP service running for an OT.

> That is what surprises me.
>
> The only open ports are:
> 80 (Apache) and 6968 (server)
> both TCP
> I also don't have port 7171 open.
>
> But I have UDP attack packets on a port that I don't have open xd

I hate that people only mention port 80. It's not 2007 anymore. Use protection! Use encryption! Use port 443! (as well as port 80 to redirect to port 443)

> Possible solution: the 5 downed sites (Znote, Gesior, MyAAC) all use Apache.
> The 3 sites he failed to take down (2 Gesior and 1 Znote) all use nginx.
> I believe it may be a flaw in some default Apache configuration.
> I switched to nginx and so far I haven't had any problems; I will still leave the topic open for a few days before giving the final result.

Now that is interesting.
But one of the most common mistakes in IT security is people not keeping their services and software up to date. It is way more likely that older versions of Apache had a vulnerability which has most likely been fixed by now and never existed in nginx.
Many huge attacks could have been stopped if the company had just kept their software up to date.

UPDATE YOUR SOFTWARE, GOD DAMN IT!

Oh, by the way, I forgot to mention: if you are using Cloudflare but someone knows your actual IP anyway, Cloudflare isn't going to help you.
Then you're simply an open target.
 