333 networks and our servers being attacked

Post by =(V)=RocketJedi »

We have been under attack for a while and I didn't piece it together until now. 333networks needs to be removed from our master server list. I just happened to look at one of the first router bans and it points back to 333networks.

I don't know how to go about this. Should we start a potential war and call them out or keep it quiet and let them attack other servers along with ours? When these guys first started this project a few well known forum members from ut99.org were concerned that they could carry these attacks out and they were not taken seriously.

We are running out of IP ban allocations on the router and that is why I was researching some of the IPs we banned at the router. See for yourself if you are so inclined.

Google this IP which is our first router ban https://www.robtex.com/ip-lookup/52.91.114.114 nm I did it for you. If you play enough you will see it points back to https://forum.errorist.tk/ aka 333 networks. I bet mar still has the DDoS logs. Anyway, here is the router ban list.

edit:
https://ut99.org/viewtopic.php?f=12&t=5 ... works+hack

=(V)=BloodyRabbit wrote: Tue Oct 10, 2017 3:13 pm That was EPIC! I just creamed all over my panties!!!

Post by =(V)=RocketJedi »

I think the log may even be posted in our leader section.

Post by =(\/)=_\/3|\|0/\/\ »

I wouldn't stir up shit, drop em and keep an eye out if attacks continue, if they do, then drop the MOAB

Post by =(V)=RocketJedi »

Well, I messaged the guys on ut99.org to at least vindicate the poor guy who tried to warn everyone and he got denied any real attention to the matter. I also let the guy know who was trying to warn everyone that we had proof.

Post by =(V)=BloodyRabbit »

=(V)=RocketJedi wrote: Mon Apr 17, 2017 11:23 am
> We have been under attack for a while and I didn't piece it together until now. 333networks needs to be removed from our master server list. I just happened to look at one of the first router bans and it points back to 333networks.
>
> I don't know how to go about this. Should we start a potential war and call them out or keep it quiet and let them attack other servers along with ours? When these guys first started this project a few well known forum members from ut99.org were concerned that they could carry these attacks out and they were not taken seriously.
>
> We are running out of IP ban allocations on the router and that is why I was researching some of the IPs we banned at the router. See for yourself if you are so inclined.
>
> Google this IP which is our first router ban https://www.robtex.com/ip-lookup/52.91.114.114 nm I did it for you. If you play enough you will see it points back to https://forum.errorist.tk/ aka 333 networks. I bet mar still has the DDoS logs. Anyway, here is the router ban list.
>
> edit:
> https://ut99.org/viewtopic.php?f=12&t=5 ... works+hack

1) 333networks, what is that? Is this an alternative master server run by non-official UT sources? That's what I'm piecing together.

2) As for the DoS attack, I highly doubt someone would do it from a source that can be traced. However, it is still possible 333networks is behind it. But is it more likely or just as likely someone is IP spoofing 333networks because they have an issue with 333networks/admins/community for whatever reason and want to give them bad press?

3) Also, in the past while I was running a clan server someone in the community created an addon to help our server reach the top of the CTF server list. That person asked someone else to ask us to install it on our server. But I did not install the addon to the server as I was asked to do because I missed the comment. So the creator of the addon added our server IP address to his list thinking we installed it. What ended up happening was an accidental DoS attack which caused our servers to crash. -- In simple layman's terms, their computer was trying to contact our server and exchange information. Our server would not respond because it didn't recognize the incoming requests. What happened is their computer started flooding our server with requests which it could not recognize and would not respond to. This caused an accidental DoS attack.
The reason I bring that instance up is because I want to ask: is it possible someone changed 333networks programming/tried updating their master server and it caused an issue which is accidentally affecting VM and potentially other servers?

4) Is it possible there is a malfunction on either end? Such as their internet card or VM's internet card is dropping packets or not receiving them/sending them, causing something that looks like an attack because of the heightened data exchange/attempts? In my experience working with telephone systems and networks a lot of crazy wonky shit can happen.

5) If you check this link http://333networks.com/ut/63.251.20.60:7778 it reads:

> Archive: =(V)= R O C K E T - X8 - www.vulpinemission.com - RIP =(V)=VendettA
>
> You are now viewing archived information for the server that once resided on query address 63.251.20.60:7778. The server may have gone offline, or may not have been updated for a while. Some statistics are not displayed or missing from our database.
>
> Current display was last updated on Sat Apr 8 18:08:37 2017.

It appears VM has been blocking this server since April 8th. Did something happen on April 8th that could have caused the 333networks to mistakenly send a lot of data (DoS attack) to VM server? What happened that day or the days before? In my view I would investigate if it is likely the "attack" being experienced now may be caused for the reason I pointed out in my 3rd comment above. That is my hunch at the moment. But I have no idea why/how they were blocked around the date of April 8th in the first place. I'm not privy to that information ;)

What I would do is unblock them. Restart the server and be sure the block was removed and monitor the server and see if the "attack" still happens. -- I'm sure you can piece it together from there.

Keep us posted! =)
=(V)=RocketJedi wrote: Thu Feb 02, 2017 9:16 am WTF I shot this twat-a-potamus and he didn't die!
=(V)=RocketJedi wrote: Wed Jun 28, 2017 8:01 am wtf lag is that!
=(V)=RocketJedi wrote: Thu Aug 17, 2017 8:31 am I cant believe i have to waste my time on this
=(V)=RocketJedi wrote: Wed Sep 27, 2017 4:44 pm During the Cold War, the U.S. considered airdropping enormous condoms labeled "Medium" on the Soviets
=(V)=RocketJedi wrote: Thu Oct 05, 2017 8:36 am A free picture of DEEZ NUTZ
=(V)=RocketJedi wrote: Thu Dec 14, 2017 4:12 pm bahaha this is great news
=(V)=RocketJedi wrote: Sun Feb 18, 2018 6:33 pm how about we mute the entire server then all you can do is play or rage quit.
=(V)=RocketJedi wrote: Mon Mar 11, 2019 11:02 am FML im old and chics don't check me out anymore
=(V)=RocketJedi wrote: Mon Nov 20, 2017 10:49 pm BloodyRabbit is the sexiest man alive!! (Rubs nipples)

Oh RJ, the things you say. This is worth the super long sig :laugh :vmrocks

Post by =(V)=RocketJedi »

=(V)=BloodyRabbit wrote: Mon Apr 17, 2017 5:52 pm
> 1) 333networks, what is that? Is this an alternative master server run by non-official UT sources? That's what I'm piecing together.
>
> 2) As for the DoS attack, I highly doubt someone would do it from a source that can be traced. However, it is still possible 333networks is behind it. But is it more likely or just as likely someone is IP spoofing 333networks because they have an issue with 333networks/admins/community for whatever reason and want to give them bad press?
>
> 3) Also, in the past while I was running a clan server someone in the community created an addon to help our server reach the top of the CTF server list. That person asked someone else to ask us to install it on our server. But I did not install the addon to the server as I was asked to do because I missed the comment. So the creator of the addon added our server IP address to his list thinking we installed it. What ended up happening was an accidental DoS attack which caused our servers to crash. -- In simple layman's terms, their computer was trying to contact our server and exchange information. Our server would not respond because it didn't recognize the incoming requests. What happened is their computer started flooding our server with requests which it could not recognize and would not respond to. This caused an accidental DoS attack.
> The reason I bring that instance up is because I want to ask: is it possible someone changed 333networks programming/tried updating their master server and it caused an issue which is accidentally affecting VM and potentially other servers?
>
> 4) Is it possible there is a malfunction on either end? Such as their internet card or VM's internet card is dropping packets or not receiving them/sending them, causing something that looks like an attack because of the heightened data exchange/attempts? In my experience working with telephone systems and networks a lot of crazy wonky shit can happen.
>
> 5) If you check this link http://333networks.com/ut/63.251.20.60:7778 it reads:
>
> > Archive: =(V)= R O C K E T - X8 - www.vulpinemission.com - RIP =(V)=VendettA
> >
> > You are now viewing archived information for the server that once resided on query address 63.251.20.60:7778. The server may have gone offline, or may not have been updated for a while. Some statistics are not displayed or missing from our database.
> >
> > Current display was last updated on Sat Apr 8 18:08:37 2017.
>
> It appears VM has been blocking this server since April 8th. Did something happen on April 8th that could have caused the 333networks to mistakenly send a lot of data (DoS attack) to VM server? What happened that day or the days before? In my view I would investigate if it is likely the "attack" being experienced now may be caused for the reason I pointed out in my 3rd comment above. That is my hunch at the moment. But I have no idea why/how they were blocked around the date of April 8th in the first place. I'm not privy to that information ;)
>
> What I would do is unblock them. Restart the server and be sure the block was removed and monitor the server and see if the "attack" still happens. -- I'm sure you can piece it together from there.
>
> Keep us posted! =)

I forgot about IP spoofing. I was a victim of that as well and accused of hacking the hof server. Also about 5 years or more earlier accused of attacking wings when it was their own host working with a rival clan member :omg-shocked

Yes, in April sounds about right. We had a specific DDoS attack that is known to be done against the query port. After banning that address it happened again a few months later from another address belonging to the same network.

Hope I am wrong.

Post by =(V)=BloodyRabbit »

=(V)=RocketJedi wrote: Mon Apr 17, 2017 7:33 pm
> I forgot about IP spoofing. I was a victim of that as well and accused of hacking the hof server. Also about 5 years or more earlier accused of attacking wings when it was their own host working with a rival clan member :omg-shocked
>
> Yes, in April sounds about right. We had a specific DDoS attack that is known to be done against the query port. After banning that address it happened again a few months later from another address belonging to the same network.
>
> Hope I am wrong.

Omg really? haha! dude!


Is the UT query port the same port the 333networks uses for their server list? If the ports are the same it is highly likely in my view there is a communication problem between the VM server and the 333networks server causing this attack. Especially if it's coming from the same IP address 333networks uses for their server list. Especially if it's the right packet size and right protocol TCP/UDP. -- If you can capture some of the packets you're being attacked with you could even do some packet dissection to inspect what they are sending you and maybe compare it to what they should be sending you if you have some from before that are legit packets. (Just a crazy idea of mine :boff )

Again, I do not know all the details.

Post by =(V)=RocketJedi »

=(V)=BloodyRabbit wrote: Mon Apr 17, 2017 9:06 pm
> Omg really? haha! dude!
>
> Is the UT query port the same port the 333networks uses for their server list? If the ports are the same it is highly likely in my view there is a communication problem between the VM server and the 333networks server causing this attack. Especially if it's coming from the same IP address 333networks uses for their server list. Especially if it's the right packet size and right protocol TCP/UDP. -- If you can capture some of the packets you're being attacked with you could even do some packet dissection to inspect what they are sending you and maybe compare it to what they should be sending you if you have some from before that are legit packets. (Just a crazy idea of mine :boff )
>
> Again, I do not know all the details.

There are two types of queries.

The normal one should be asking for max players etc, trans no trans etc: /maxplayers /timelimit etc.
The other is proven malicious, which is what we got from 333. The query looks like /xyz2342rwdsdfs, something like that.

You sir are quite smart :) Packet inspection is the right idea. We are able to do that via the firewall and our logs output that info, that is why we are 100% sure it was a malicious attack.

Post by =(V)=BloodyRabbit »

=(V)=RocketJedi wrote: Mon Apr 17, 2017 7:33 pm
> There are two types of queries.
>
> The normal one should be asking for max players etc, trans no trans etc: /maxplayers /timelimit etc.
> The other is proven malicious, which is what we got from 333. The query looks like /xyz2342rwdsdfs, something like that.
>
> You sir are quite smart :) Packet inspection is the right idea. We are able to do that via the firewall and our logs output that info, that is why we are 100% sure it was a malicious attack.

You flatter me haha. Well damn, good job in your investigation. Still may be spoofing though. Is there any easy way to tell if the attacks come and go? Like I mean is there a constant expected flow of data from 333networks with the correct packets then every once in a while there is an attack? It's circumstantial but if there is a steady flow of correct data/communication and then on top of that random bouts of DoS attacks, to me it says someone may be spoofing their IP address attacking the server. The 3 most likely reasons I see for DoS attack spoofing are: 1) For fun shits and giggles. 2) Some gripe against VM. or 3) Some gripe against 333networks.

Also still.. there could potentially be an error with 333network programming causing this jumbled data and attack. So I would suggest tread carefully before making bold accusations.

Not to imply accusations but for investigation purposes, but the cheater Minirax who has been coming here lately showed back up around that time right? Hmm how interesting....

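Added example, not part of the thread or any poster's code: one way to run the check discussed in the last two posts, separating queries with recognised keys from unrecognised ones and showing, per source address, whether junk arrives in bursts on top of a steady normal flow. The log format, the addresses and the allowlist keys other than `maxplayers` and `timelimit` are assumptions; because UDP source addresses can be spoofed, the output describes traffic patterns, not who sent them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Keys treated as normal status queries. "maxplayers" and "timelimit" are the
# ones named in the thread; the others are assumed here. Use your server's own.
KNOWN_KEYS = {"maxplayers", "timelimit", "info", "status", "rules", "players"}

# Assumed (constructed) firewall log format: ISO time, source IP, quoted payload.
LINE_RE = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+) "(.*)"$')

# Constructed sample records; addresses come from documentation ranges.
SAMPLE_LOG = (
    [f'2024-01-01T18:0{m}:05 198.51.100.7 "/maxplayers /timelimit"' for m in range(4)]
    + [f'2024-01-01T18:02:1{i} 198.51.100.7 "/xyz2342rwdsdfs{i}"' for i in range(4)]
    + ['2024-01-01T18:00:30 198.51.100.99 "/status"',
       '2024-01-01T18:03:30 198.51.100.99 "/info"']
    + [f'2024-01-01T18:01:2{i} 203.0.113.50 "/q{i}z81kd0aavn"' for i in range(3)]
)

def classify(payload):
    """Return 'known' only if every key in the payload is on the allowlist."""
    keys = [k.strip().lower() for k in re.split(r"[\\/]", payload) if k.strip()]
    if keys and all(k in KNOWN_KEYS for k in keys):
        return "known"
    return "unknown"

def summarize(lines, burst_threshold=3):
    """Count known/unknown queries per source per minute and label the pattern."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"known": 0, "unknown": 0}))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query record
        ts, src, payload = m.groups()
        try:
            minute = datetime.fromisoformat(ts).replace(second=0)
        except ValueError:
            continue  # unparseable timestamp
        buckets[src][minute][classify(payload)] += 1

    report = {}
    for src, per_min in buckets.items():
        known_minutes = sum(1 for c in per_min.values() if c["known"])
        bursts = sorted(t for t, c in per_min.items()
                        if c["unknown"] >= burst_threshold)
        if bursts and known_minutes:
            verdict = "steady-plus-bursts"   # normal flow with junk on top
        elif bursts:
            verdict = "junk-only"            # never sends a recognised query
        else:
            verdict = "no-bursts"
        report[src] = {"verdict": verdict, "known_minutes": known_minutes,
                       "burst_minutes": [t.strftime("%H:%M") for t in bursts]}
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```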