Coders Please Read...

[reaper]

The MAC stays local to the ethernet LAN.  So the MAC address your server sees is the routers mac.  If the game uses UDP, it might have something like.. you send a packet and it processes it, and does whatever, and nothing has to be routed back to the client, so it could come from any ip.  Or even the game could accept certain ip's as trusted and you could fake those, and send UDP packets to do whatever, quake had an exploit like that  a long time ago.

[console]

The MAC stays local to the ethernet LAN.

In the context of this thread, I took "mac spoofing" to simply mean a technique for immediately leasing a different IP address.

(Because I can't think of any other applicable use of that term in this situation...)

[reaper]

ah gotcha, so if someone is grabbing new ip's by changing their mac address, something does a reverse lookup on the ip, and bans based on the who owns the ip?

I think the cable companies probably tie their modem/router mac to dhcp, so you can't change the mac on the pc, or modem anymore.  Also  if it is only a one packet attack, how does the hotmask banning initally work.  Only the IP would be in the packet, is some kind of reverse lookup or whois request done before the packet is processed?

[quadz]

ah gotcha, so if someone is grabbing new ip's by changing their mac address, something does a reverse lookup on the ip, and bans based on the who owns the ip?

Yes... quake itself doesn't support hostmask-based banning, so I added it to wallfly.

So wallfly does the reverse lookup and matches the hostname against a ban list composed of regular expressions, like:

Dial.*Seattle.*Level3.net
72-225.*rochester.res.rr.com
lsanca.dsl-w.verizon.net

etc.


Regards,

[QwazyWabbit]

Is there an advantage to that vs. just doing a block of xxx.xxx.xxx.000/24 or xxx.xxx.000.000/16? I suppose you don't end up chasing every block he appears on but grabbing whole groups like that could grab some collateral innocents, yes?

[console]

Is there an advantage to that vs. just doing a block of xxx.xxx.xxx.000/24 or xxx.xxx.000.000/16?

Numerous ISP's have insanely dynamic IPs these days.  All four octets change.  Even though technically there's some subnet mask involved, it's rarely obvious to me what it is.

Here's, for example, about one month's worth of IPs from ca.comcast.net:

24.10.12.206
24.130.118.218
24.130.126.181
24.23.253.23
24.4.23.175
24.4.37.251
24.4.92.134
24.5.135.135
24.5.164.52
24.5.213.153
24.5.227.240
24.5.4.232
24.6.96.219
24.7.17.234
24.7.173.43
67.160.238.113
67.161.50.45
67.161.51.198
67.164.40.67
67.166.146.88
67.172.177.77
67.172.186.45
67.180.169.99
67.181.176.29
67.181.176.50
67.182.181.214
67.182.39.59
67.187.172.70
67.188.116.39
69.181.110.209
69.181.128.115
69.181.228.2
71.202.135.140
71.202.176.162
71.202.177.175
71.202.220.60
76.102.176.63
76.102.197.82
76.105.7.53
76.126.87.212
76.20.71.186
98.207.251.94
98.210.102.178
98.210.188.141
98.210.189.193
98.210.38.233
98.210.92.137
98.224.89.45
98.234.116.39

There are actually a couple dozen legit players from that ISP.  But their IPs don't stick to any particular subnet... When a given player's IP changes it might go from 24.130.118.218 one day to 98.210.189.193 the next.

And it's not just comcast... seems an increasing number of ISPs are getting crazy dynamic like that... telesp.net.br, tampabay.res.rr.com, etc....

It was becoming a nightmare.  You'd have to block huge swaths of IP subnets, keeping out numerous legit players, just to try to keep one persistent bastard out.

I suppose you don't end up chasing every block he appears on but grabbing whole groups like that could grab some collateral innocents, yes?

wallfly has a way to make exceptions for legit players, once they contact us... I won't go into the details here (consider for example, a custom cvar in their autoexec.cfg...)


Regards,

quadz

[reaper]

I wonder if it sends the reverse lookup dns request and waits for a response before processing the first packet.  Because I believe some of the attacks involve only a packet or two.  Like send a udp packet containing rcon commands sourced with ip x.

[Pr0c3550r]

NOT A CODER , yet

After a quick read of this thread, this comes to mind.

Could it be several individuals using the same nic? Working together ?

Just using the KISS principal here.

Also, reading the input on a solution to this issue was an education.