Man asks for help, you lay into him, blaming him for the attacks.  Nice.

Unfortunately, so long as you have to make your IP public and it's static
your ports will remain under attack.  You could alter the server code so
that slots are not assigned until the player has authenticated, which is the
way it should be anyhow.  This can be defeated of course by the attacker
making the nodes actually perform a login - I don't know how smart they
are, they may not be capable of this level of code.

Alternately, you could canvass the userlist of known servers or your past
connection logs for valid playing IPs and whitelist them with your firewall.
This might be a decent stopgap measure while you implement your security
fix.
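The "slots are not assigned until the player has authenticated" idea above, as an added example that is not code from the Vanilla server: unauthenticated connections wait in a small, time-limited pending pool and only get a player slot once login succeeds; the pool size, slot count and timeout are assumed values.

```c
/* Added example (not Vanilla server code). Unauthenticated connections wait in a
 * small, time-limited pending pool and get a player slot only after login
 * succeeds, so idling at the login screen never occupies a slot. Sizes assumed. */
#include <stdbool.h>
#include <time.h>

#define MAX_PLAYERS   16  /* real player slots */
#define MAX_PENDING   8   /* connections still at the login screen */
#define LOGIN_TIMEOUT 30  /* seconds allowed to finish logging in */

typedef struct { bool used; int fd; time_t deadline; } pending_t;
typedef struct { bool used; int fd; } slot_t;
static pending_t pending[MAX_PENDING];
static slot_t    slots[MAX_PLAYERS];

/* Evict pending entries whose deadline has passed (a real server would also
 * close(fd) here); returns how many were evicted. */
int expire_pending(time_t now) {
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].used && now >= pending[i].deadline) { pending[i].used = false; n++; }
    return n;
}

/* New TCP connection: park it in the pending pool. Returns its index, or -1
 * to refuse it when the pool is full; player slots are never touched here. */
int accept_pending(int fd, time_t now) {
    expire_pending(now);
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].used) { pending[i] = (pending_t){ true, fd, now + LOGIN_TIMEOUT }; return i; }
    return -1;
}

/* Login succeeded for pending entry p: move it into a player slot. Returns the
 * slot index, or -1 if every slot holds an authenticated player. */
int promote_to_slot(int p) {
    if (p < 0 || p >= MAX_PENDING || !pending[p].used) return -1;
    for (int s = 0; s < MAX_PLAYERS; s++)
        if (!slots[s].used) { slots[s] = (slot_t){ true, pending[p].fd }; pending[p].used = false; return s; }
    return -1;
}

int slots_in_use(void)   { int n = 0; for (int s = 0; s < MAX_PLAYERS; s++) n += slots[s].used;   return n; }
int pending_in_use(void) { int n = 0; for (int i = 0; i < MAX_PENDING; i++) n += pending[i].used; return n; }
```

With this split, a flood of connections that never log in can at worst fill the pending pool and get refused, while the player slots stay free for anyone who completes the login.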

-----Original Message-----
From: netrek-dev-bounces at us.netrek.org
[mailto:netrek-dev-bounces at us.netrek.org] On Behalf Of John R. Dennison
Sent: Sunday, August 05, 2007 9:33 PM
To: Bill Balcerski
Cc: netrek-dev at us.netrek.org
Subject: Re: [netrek-dev] Need help with security vulnerability in Vanilla server

On Mon, Aug 06, 2007 at 12:19:37AM -0400, Bill Balcerski wrote:
> Hi all.  Over the past few months, netrek servers I run have come 
> under a distributed denial of service attack that has been pretty 
> constant and insistent.  Initially the attacks started out as mass 
> flood connects from a few IPs, but after some measures were put into 
> place to prevent that, the attacks morphed into hundreds and thousands 
> of unique IPs connecting to the server in spaced out intervals so that 
> unique IPs occupy every slot.  The slots sit at the login screen, 
> preventing players from connecting.  This sort of attack, while 
> currently only directed at me (first at sturgeon, then at my bronco 
> server when I took sturgeon off the metaserver) can be used to knock 
> any netrek server out.  With so few servers and server operators, I 
> really think this needs to be addressed.  Quozl had put some things on 
> the todo list regarding this, namely some sort of handshake between 
> client and server, but this is really out of my league to implement.
> So I am asking of the dev community, if you can contribute code to 
> deal with this security hole, please do so.

	Perhaps you shouldn't have pissed off so many people over the
	past few years by your behavior.  It is completely evident that
	this is personal; no other servers have been attacked except
	for yours.

	*shrug*.

> On another note, I am quite distressed at how much pressure is being 
> put on independent server operators to not run public servers.  First 
> pulsar, then meeper, and now warped will all be forced out of operation 
> by complaints (or criminal behavior) from a vocal few.  I think it's a 
> shame we are losing developers due to this sort of thing.  More 
> servers and server operators should be encouraged, not discouraged due 
> to fear of spreading out the playerbase.

	Umm, pulsar was shut down by its admin, there was no external
	pressure to do so by anyone else.  His server was, if memory
	serves, hanging and he didn't have time to deal with it.

	meeper was asked to stop hosting useless bot servers that
	served no purpose.  He was then asked to shut down his 
	hockey server that was tcp only and sitting on the end of 
	a slow dsl line.  It served no purpose and attracted newbies
	that were confused by the server.  meeper is not a developer
	and had to have his hand held in compiling the server and
	getting it functional.

	Please get your facts straight.




							John


--
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked
to be put through to an engineer.

"My other computer is your windows box."
                                     Ralf Hildebrandt <sxem> trying to play
sturgeon while it's under attack is apparently not fun.