<html>
<head>
<base href="https://bugzilla.icculus.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - DDOS with getchallenge"
href="https://bugzilla.icculus.org/show_bug.cgi?id=5954#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW --- - DDOS with getchallenge"
href="https://bugzilla.icculus.org/show_bug.cgi?id=5954">bug 5954</a>
from <span class="vcard"><a class="email" href="mailto:jawfin@gmail.com" title="jawfin@gmail.com">jawfin@gmail.com</a>
</span></b>
<pre>I notice a person is assigned to this, does this mean it's being addressed?
Either way, I've noticed a flaw in the flood protect of getchallenge.
The server was successfully lagged by one person with one IP with a repeated
packet which shows in the logs (developer 1) thusly: -
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
There was 134 on that port, then 156 on port -29022, then 192 on port -20149
etc
All told there was over 300,000 getchallenge's in less than 1 minute from IP
12.4.2.5
It could be a spoofed packet via a DDOS, but unlikely that so many bots would
all be on ISP without Ingress filtering. It may just be a spoofed packet from
one person but not that IP. Either way, it completely bypassed the flood
filter. I can't give anymore information here as the server is hosted and I
don't have remove virtual control, and its unlikely EscapedTurkey was running
wireshark for the 5 minutes this attack lasted.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
</ul>
</body>
</html>