01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:46 < Elise_> http://pastebin.com/RAG1qpyj DRDOS TOOL , DRDOS PROTOCOL TEEWORLDS, MAKE A DRDOS ATTACK USING THE MASTER SERVERS :D TOOL RELEASE BY CIDER :D
01:47 < Elise_> :D 8=======D~~~ deen i love you, i will abduct your girl too
01:48 <+devnull> outsch :D
10:59 <@EastByte> hello minus 
11:19 <+minus> oh, i can speak1
11:19 <@EastByte> yea
11:21 <+minus> so, who's running the servers now?
11:22 <+Learath2> EastByte is managing the servers iirc
11:23 <@EastByte> ddnet still has the same sponsors who are hosting servers
11:23 <@EastByte> we now have a huge team of teamleaders who are managing things
11:23 <@EastByte> I'm part of the technical staff
11:23 <+minus> a tw master is running on the GER server, i'd need an iptables rule put into place there
11:24 <@EastByte> ah, well afaik we don't have root access on ger.ddnet.tw (so only deen has)
11:24 <@EastByte> I can configure the hardware firewall of ger.ddnet.net though
11:25 <@EastByte> (deen is on a trip btw.)
11:25 <@EastByte> I'll try to contact him via skype
11:34 <+minus> i'm testing it on the master i've got root on if it works properly first
11:35 <@EastByte> okay, I have root access on GER now
11:35 <+minus> :D
11:35 <+minus> hm
11:36 <+minus> already 2 requests fell into my blocking rule
11:36 <+minus> in less than 5 minute
11:36 <@EastByte> there are a lot of grabbers
11:36 <+minus> oh
11:36 <+Learath2> huh isnt it funny that our spammer was advertising a tool to do reflection attacks ? :D
11:36 <+minus> seems like it's one that's requesting faster than 5/minute
11:37 <+minus> Learath2: i don't see how
11:37 <@EastByte> yea, afaik one grabber is requesting multiple times in two seconds or so
11:37 <+minus> why would you even do that
11:37 <@EastByte> !twp Roland
11:37 <+Nimda> Roland is currently playing blmapV5 on server : ! [BLOCKER 64p] r0x.fr S3 - Harmony-Hosting.com.
11:37 <@EastByte> ^ this is my grabber requesting once per 30 seconds
11:37 <@EastByte> minus: people do that to track other players ip addresses
11:38 <+minus> but you don't need the server list that often for that
11:38 <+Learath2> minus: surely wont work if there is a rate limit in place but it was just a basic spoofed source packet
11:38 <@EastByte> probably not
11:39 <+minus> hm, the server list is rebuilt every 5 seconds
11:40 <@EastByte> well, the attackers are probably doing a full reload master+servers each time
11:41 <@EastByte> I guess they didn't even look into the source of mastersrv
11:42 <+minus> the reflection attack tool just sends a req2, that's all
11:42 <+minus> didn't you see the code?
11:42 <+Learath2> just skimmed it really never checked which packet it sends
11:43 <+minus> anyway, the iptables rule just helps if an attacker is trying to attack a specific target using the masters
11:44 <+minus> if an attacker is just shooting requests with random source addresses at the masters i can't do as much
11:44 <+minus> i could still put a global limit in place
11:45 <+Learath2> minus: isnt sending a req2 with spoofed source address enough to get the master to send the whole server list ?
11:46 <@EastByte> sure
12:05 <+minus> EastByte: 79.133.48.200 isn't yours, is it?
12:05 <@EastByte> nope, why?
12:07 <+minus> it's spamming server list requests
12:07 <@EastByte> ah, well 84.200.208.199 is mine
12:07 <+minus> it's basically the only thing that gets caught in my filter
12:07 <+minus> ah, i've seen that ip as well
12:07 <+minus> proplay?
12:07 <@EastByte> yea :p
12:08 <@EastByte> 1 eur/month christmas vps <3
12:08 <+minus> 5€/month christmas kvm :D
12:08 <@EastByte> :p
12:08 <+minus> okay
12:09 <+minus> you got nfbpf_compile on GER, EastByte?
12:09 <@EastByte> oh you are using a bpf filter?
12:09 <+minus> for matching the req2 in the packet, yes
12:09 <+minus> iptables -I INPUT -p udp --dport 8300 -m bpf --bytecode "$(nfbpf_compile RAW 'udp[18:4]=0x72657132')" -m hashlimit --hashlimit-above 10/minute --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name twmasterreq2 -j DROP
12:10 <@EastByte> hm nfbpf_compile appears to be not on it
12:10 <@EastByte> any debian package?
12:10 <+minus> nah
12:10 <@EastByte> ...
12:10 <+minus> it's part of iptables, usually not compiled
12:10 <+minus> had to read and grep makefiles and source code to find how to build it
12:10 <+minus> iptables -I INPUT -p udp --dport 8300 -m bpf --bytecode "12,48 0 0 0,84 0 0 240,21 0 8 64,48 0 0 9,21 0 6 17,40 0 0 6,69 4 0 8191,177 0 0 0,64 0 0 18,21 0 1 1919250738,6 0 0 65535,6 0 0 0" -m hashlimit --hashlimit-above 10/minute --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name twmasterreq2 -j DROP
12:10 <@EastByte> hm just give me the bytecode
12:10 <+minus> precompiled for 64bit
12:11 <+minus> if you ever need to build it yourself: --enable-bpf-compiler with ./configure
12:11 <@EastByte> okay
12:11 <@EastByte> hm can you send the command via paste service?
12:12 <+minus> can't copy from irc? weechat/irssi?
12:12 <@EastByte> weechat, dunno how to copy properly
12:13 <+minus> http://ix.io/lJB
12:15 <@EastByte> Couldn't load match `bpf':No such file or directory
12:15 <@EastByte> hm looks like something missing
12:15 <@EastByte> stupid debian
12:17 <+minus> worked fine on a debian 8 machine
12:17 <+minus> maybe the kernel module isn't installed for your running kernel
12:19 <@EastByte> oh it's a 2.6 stable kernel
12:19 <+minus> ouch!
12:19 <@EastByte> AH wait
12:19 <+minus> isn't that a dedicated server?
12:19 <@EastByte> wrong server :p
12:20 <@EastByte> lol, same error but 3.2.0-4-amd64
12:20 <@EastByte> it's a fully virtualized server
12:21 <@EastByte> (no container like thingie I mean)
12:21 <@EastByte> iptables v1.4.14
12:22 <+minus> iptables v1.4.21
12:23 <@EastByte> sigh
12:24 <@EastByte> mind using u32 instead of bpf?
12:24 <+minus> i don't mind
12:24 <+minus> bpf was just the first thing to work, i tried u32 too
12:24 <@EastByte> I still have an example lying around which detects gie3
12:24 <+minus> heh
12:24 <@EastByte> iptables -A INPUT -i eth0 -p udp -m u32 --u32 "38=0x67696533" -j DROPGIE3
12:24 <@EastByte> or something
12:25 <+minus> i'll take a look after lunch
12:25 <@EastByte> okay :)
13:57 <+Nimda> Nostalgia by Bolox just released on Brutal at 2015-10-31 13:53
15:48 <@EastByte> minus: /twmaster
15:48 <+minus> hm?
15:49 <@EastByte> whoops wrong terminal
15:49 <+minus> hm
15:49 <@EastByte> do you have access to the twmaster user on ger?
15:49 <+minus> yes
15:50 <@EastByte> is there something requesting https://teeworlds.com ?
15:51 <@EastByte> just wondering where that traffic comes from
15:51 <+minus> yeah
15:52 <+minus> a cronjob pulling the master bans
15:52 <@EastByte> ah alright
15:53 <+minus> oh boy, someone's spamming req2s
15:53 <+minus> someone from bavaria ona telekom line
15:53 <@EastByte> low traffic on ger.ddnet.tw
16:05 <+minus> EastByte: iptables -I INPUT -p udp --dport 8300 -m u32 --u32 '0>>22&0x3C@18=0x72657132' -m hashlimit --hashlimit-above 10/minute --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name twmaster -j DROP
16:05 <+minus> EastByte: http://ix.io/lJK
16:10 <+WolfAlex> 10/min ? 
16:11 <+WolfAlex> with just 10 requests i can block a player from accessing the serverlist? :D
16:12 <@EastByte> hm 10/min is indeed a bit too low, a kid spaming the refresh button won't see any servers anymore
17:43 <+minus> oughta teach em
17:43 <+minus> also, it's got a 20/min burst
17:43 <+minus> -/min
18:10 <@EastByte> minus: what's a burst?
18:10 <+minus> how much is in the bucket in the beginning
18:11 <@EastByte> 'at the beginning' does it refill?
18:11 <+minus> 10/minute is the refill rate
18:12 <@EastByte> okay I get it now
18:13 <+minus> it's a token bucket filter
18:13 <@EastByte> new to me