Man asks for help, you lay into him, blaming him for the attacks. Nice.

Unfortunately, so long as you have to make your IP public and it's static, your ports will remain under attack. You could alter the server code so that slots are not assigned until the player has authenticated, which is the way it should be anyhow. This can be defeated of course by the attacker making the nodes actually perform a login - I don't know how smart they are, they may not be capable of this level of code.

Alternately, you could canvass the userlist of known servers or your past connection logs for valid playing IPs and whitelist them with your firewall. This might be a decent stopgap measure while you implement your security fix.

-----Original Message-----
From: netrek-dev-bounces at us.netrek.org [mailto:netrek-dev-bounces at us.netrek.org] On Behalf Of John R. Dennison
Sent: Sunday, August 05, 2007 9:33 PM
To: Bill Balcerski
Cc: netrek-dev at us.netrek.org
Subject: Re: [netrek-dev] Need help with security vulnerability in Vanilla server

On Mon, Aug 06, 2007 at 12:19:37AM -0400, Bill Balcerski wrote:
> Hi all. Over the past few months, netrek servers I run have come
> under a distributed denial of service attack that has been pretty
> constant and insistent. Initially the attacks started out as mass
> flood connects from a few IPs, but after some measures were put into
> place to prevent that, the attacks morphed into hundreds and thousands
> of unique IPs connecting to the server in spaced out intervals so that
> unique IPs occupy every slot. The slots sit at the login screen,
> preventing players from connecting. This sort of attack, while
> currently only directed at me (first at sturgeon, then at my bronco
> server when I took sturgeon off the metaserver) can be used to knock
> any netrek server out. With so few servers and server operators, I
> really think this needs to be addressed. Quozl had put some things on
> the todo list regarding this, namely some sort of handshake between
> client and server, but this is really out of my league to implement.
> So I am asking of the dev community, if you can contribute code to
> deal with this security hole, please do so.

Perhaps you shouldn't have pissed off so many people over the past few years by your behavior. It is completely evident that this is personal; no other servers have been attacked except for yours. *shrug*.

> On another note, I am quite distressed at how much pressure is being
> put on independent server operators to not run public servers. First
> pulsar, then meeper, and now warped will all be forced out of operation
> by complaints (or criminal behavior) from a vocal few. I think it's a
> shame we are losing developers due to this sort of thing. More
> servers and server operators should be encouraged, not discouraged due
> to fear of spreading out the playerbase.

Umm, pulsar was shut down by its admin, there was no external pressure to do so by anyone else. His server was, if memory serves, hanging and he didn't have time to deal with it. meeper was asked to stop hosting useless bot servers that served no purpose. He was then asked to shut down his hockey server that was tcp only and sitting on the end of a slow dsl line. It served no purpose and attracted newbies that were confused by the server. meeper is not a developer and had to have his hand held in compiling the server and getting it functional.

Please get your facts straight.

John

--
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to be put through to an engineer.

"My other computer is your windows box."
Ralf Hildebrandt

<sxem> trying to play sturgeon while it's under attack is apparently not fun.
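The first suggestion in the reply above, not handing out a player slot until the connection has authenticated, sketched as an added example; this is not code from the Vanilla server or from anyone in this thread, and SlotManager, the limits and the credential check are all assumed for illustration:

```python
import time
from collections import OrderedDict
# Added example, not Vanilla server code: a player slot is committed only after
# authentication, so connections idling at the login screen cannot hold slots.
class ManualClock:
    """Constructed clock so the scenario below runs deterministically."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

class SlotManager:
    def __init__(self, max_slots=16, max_pending=64, login_timeout=30.0,
                 clock=time.monotonic):
        self.max_slots, self.max_pending = max_slots, max_pending
        self.login_timeout, self.clock = login_timeout, clock
        self.slots = {}               # conn_id -> player name (authenticated)
        self.pending = OrderedDict()  # conn_id -> arrival time (not logged in)

    def expire_pending(self):
        """Drop connections that have sat at the login screen too long."""
        now = self.clock()
        for cid, arrived in list(self.pending.items()):
            if now - arrived >= self.login_timeout:
                del self.pending[cid]
        return len(self.pending)

    def connect(self, conn_id):
        """Accept a new connection without reserving a player slot."""
        self.expire_pending()
        if len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)   # evict the oldest idle login
        self.pending[conn_id] = self.clock()

    def authenticate(self, conn_id, name, password, check):
        """Move a pending connection into a real slot only if check() passes."""
        if conn_id not in self.pending or not check(name, password):
            return False
        if len(self.slots) >= self.max_slots:
            return False                       # server genuinely full
        del self.pending[conn_id]
        self.slots[conn_id] = name
        return True

def simulate_flood(n_idle, clock=None):
    """Constructed scenario: n_idle idle connections, then one real login."""
    mgr = SlotManager(clock=clock or ManualClock())
    for i in range(n_idle):
        mgr.connect(f"flood-{i}")
    mgr.connect("player")
    ok = mgr.authenticate("player", "bill", "pw", lambda n, p: (n, p) == ("bill", "pw"))
    return ok, len(mgr.pending)
```

As the reply notes, a pending pool does nothing against nodes that complete a real login; that residual case is what the allowlist of known playing IPs is meant to cover.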