AAC New DDoS in Tibia's site and Extortion

roriscrave

Advanced OT User
Recently a person contacted me and said that he can take down the site of 95% of the otlist servers.
He took down my site and took down some other sites to prove to me that he could do it.
And he is asking for money to give a 'possible solution'.

He said he brought this DDoS from other MMORPGs (he calls it a proxy).
Even websites with Cloudflare are down; I will send some information below.

1) He attacked a server with +- 800 players online and cloudflare (https://ntoultimate.com.br/)
error in website during attack:
2) He attacked a server with +- 1000 players online and cloudflare (otPokemon Jogar Pokémon Online MMORPG (https://otpokemon.com/))
error in website during attack:
3) He tried to attack kasteria.pl and was unsuccessful.

4) the photo he sent me of how he attacks the site:

5) When he attacked my website, I used this command in Linux to check all connections, and oddly enough, the IP that was attacking me was 127.0.0.1 (localhost):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Obs: he took down the sites of several servers, sites in Gesior, Znote and MyAAC.
 
Also good to mention: there are companies out there scanning entire IP ranges to figure out what goes where and who it belongs to, etc., which could easily expose your origin IP address (such as Censys (https://censys.io)). But this can be easily combated if you only allow these IP ranges to access port 80/443: IP Ranges | Cloudflare (https://www.cloudflare.com/ips/)

Though be careful of what you're doing so you don't lock yourself out from SSH or something like that.
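Added example illustrating the suggestion in this post (not code from the thread or from Cloudflare): a POSIX sh script that turns a list of Cloudflare CIDRs into an nftables ruleset dropping any traffic to tcp/80,443 that does not originate from those ranges, while leaving every other port, including SSH, untouched. It assumes nftables on the origin host; the CIDRs embedded below are constructed samples, not the published list.

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset that lets
# only Cloudflare's published ranges reach tcp/80,443 on the origin. Other
# ports are untouched (chain policy stays accept), so this ruleset cannot
# lock SSH out. Ranges used here are CONSTRUCTED samples; on a real host,
# feed it the lists from https://www.cloudflare.com/ips-v4 and /ips-v6.

# Render "elements = { ... }", or nothing when the list is empty
# (nft accepts an empty set declaration, but not "elements = { }").
elems() { [ -n "$1" ] && printf 'elements = { %s }' "$1" || true; }

# Read newline-separated CIDRs on stdin, print an nft ruleset on stdout.
# Logic: drop traffic to 80/443 whose source is NOT in the Cloudflare set;
# everything else is left alone. 'counter' lets you watch how much
# direct-to-origin traffic is being refused (nft list ruleset).
gen_cf_ruleset() {
    v4=""; v6=""
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;               # skip blanks and comments
            *:*) v6="${v6}${v6:+, }${cidr}" ;;  # IPv6 CIDR
            *)   v4="${v4}${v4:+, }${cidr}" ;;  # IPv4 CIDR
        esac
    done
    cat <<EOF
table inet origin_guard {
    set cf_v4 { type ipv4_addr; flags interval; $(elems "$v4") }
    set cf_v6 { type ipv6_addr; flags interval; $(elems "$v6") }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 80, 443 } ip saddr != @cf_v4 counter drop
        tcp dport { 80, 443 } ip6 saddr != @cf_v6 counter drop
    }
}
EOF
}

# Count drop rules in a generated ruleset (sanity check before loading).
count_drop_rules() { printf '%s\n' "$1" | grep -c 'counter drop'; }

# Constructed sample standing in for the real Cloudflare list.
SAMPLE_RANGES='# constructed sample, not the published list
198.51.100.0/24
203.0.113.0/24
2001:db8:1::/48'

# Print the ruleset for review; save it to a file and load with: nft -f FILE
printf '%s\n' "$SAMPLE_RANGES" | gen_cf_ruleset
```

Re-run it whenever Cloudflare updates its published ranges, since a stale set would start dropping legitimate proxied traffic.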
 
1) He attacked a server with +- 800 players online and cloudflare (https://ntoultimate.com.br/)
error in website during attack:
2) He attacked a server with +- 1000 players online and cloudflare (otPokemon Jogar Pokémon Online MMORPG (https://otpokemon.com/))
error in website during attack:
This is not even a "good" or difficult attack. The website actually works; it just can't render the correct output due to overload. That's one of the most trivial attacks: it doesn't require any botnet, any UDP flood, any points of origin with bandwidth, and therefore Cloudflare may not even realize it's an attack - that's how simple it is.

What's happening here, according to the screenshots, is: (1) the concurrent limit of MySQL connections is hit and (2) possibly the limit of the PHP worker pool is hit (although the error would typically be 503, though they can differ).
How to do that? Take any crappy AAC (and most of them are far from the quality of any modern PHP development), find out the slowest piece of it and repeatedly call it.
How to fix it? Cache it.

5) When he attacked my website, I used this command in Linux to check all connections, and oddly enough, the IP that was attacking me was 127.0.0.1 (localhost):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That could be because either Apache is calling PHP-FPM over the loopback interface instead of a Unix socket, or PHP is calling MySQL over the loopback interface instead of a socket. These are not spoofed UDP connections, because UDP "connections" are not really shown the same way or reliably.

Now, just to test my theory, I actually looked at the website of ntoultimate.com.br. You can test its speed using e.g. Pingdom Tools (https://tools.pingdom.com/), but you're likely to get an hCaptcha from Cloudflare in the test instead of the real website, so Chrome Dev Tools will have to do.
I noticed that, excluding all the typical DNS queries, connection negotiations, SSL handshake and response transfer time, the website actually takes 1.78 seconds to generate. That's a horrible result. Over a decade ago, a 1 second complete page load (including transfer of data and rendering) was considered the maximum acceptable time. I don't even want to see what kind of "amazing" scripts they have in there, but assuming they have a default of 100 max open connections to MySQL (the default for most MySQL packages), it takes only 50 requests per second to make it lock up, theoretically.
 
Those seem to be UDP packets?
IDK about newer versions of OpenTibia in general (well, anything after 2011...), but AFAIK you don't need UDP ports open, only TCP. Close all UDP ports...

Closing the ports doesn't prevent a DDoS attack.

Closing the ports would just stop them getting in and showing in logs; the DDoS would still be in effect because the packets are still reaching your host.
 