38
zemaitis
59d

Fucking bruteforce, man. Was supposed to go to sleep when I got a few messages from my gameserver players that their accounts had been hacked.

Checked their logs, all of their accounts have been accessed from Russia. Told them to change their passwords and they told me their previous passwords which were easy af to guess.

Dug deeper and found hundreds of thousands of failed logins in the last few hours, all of them from different IPs.

Since I can't modify game files on the client side, the solution for now was to disable in-game registration and force player registration through the website form with captcha, where each player's login name also gets appended with a random suffix chosen by the player from a random list.

Fuck you bruteforce scriptkiddies, good luck guessing accounts now. At least I can sleep now.

Comments
  • 6
    That blows man, good work on your end.
  • 3
    fail2ban
  • 1
    fail2ban is a godsend. I run it on all my public-facing servers.
  • 1
    As always, captcha saves the day. Funny how just yesterday there were people on hews advocating against the usefulness of captcha
  • 3
    @stix appending random suffix to account name is the hero here. Random account name = useless dictionaries for bruteforcing since it increases uniqueness of account name.
  • 1
    @junon fail2ban is pretty useless when the bruteforcer switches his IP address every x connections.
  • 0
    @zemaitis That doesn't happen as often as one would think. Most floods come from a set number of IPs. Only the most malicious use a botnet.
  • 0
    @junon Couldn't I just use rotating residential proxies or something?
  • 0
    @stix Not sure what that means.
  • 0
    @junon Constantly changing IPs that are indistinguishable from home networks.
  • 1
    @stix How do you constantly change to new IPs without an insane amount of working proxies? Sounds like a bunch of broken routes and an angry ISP.
  • 1
    @zemaitis How many different IP addresses were the attacks coming from? It's not exactly easy to change your public IP on a whim, especially not "hundreds of thousands" of times. Were they hitting you with some kind of botnet?

    Even with a botnet or some other distributed attack, they usually have hundreds or even thousands of attempts coming from each IP, so fail2ban remains a viable option. It's astronomically expensive to run the kind of infrastructure you'd need to launch hundreds of thousands of attacks from unique IP addresses.
  • 0
    On some ISPs it happens on every DHCP renew. But botnet is the real solution here. You can build your own botnet with AWS EC2 nanos. It randomly adds an IP if you don't sign an elastic one. So you can just kill/autoscale them.
  • 0
    @hjk101 Dynamic IPs are rarely re-leased on every renew. DHCP servers generally associate a physical and IP address together with a TTL. While not renewing meant you keep the IP, renewing *after the TTL period* would indeed lease you a new IP.

    Nobody is using that to get around brute force obstacles though.
  • 3
    Come to think of it, you mentioned that all the connections came from Russia. If you don't have anybody who legitimately connects from Russia, you can probably get a list of Russia's public IP blocks and deny all of them.
  • 0
    @EmberQuill This is not an uncommon way to deal with this. Russia is oftentimes blocked for this reason (sorry Russians).
  • 0
    @junon That is what DHCPRELEASE is for. In Germany a lot of providers have short leases though and they rotate IPs a lot. Would not be surprised if they respect a release or use PPP that changes IP on every connect.
  • 0
    @junon Endless SSH!
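
The thread's disagreement about fail2ban comes down to what you count. As an added example (not code from the post or any commenter), this sketch counts failed logins in a sliding window both per source IP and per target account, so a spread-out attack that stays under every per-IP limit still trips the per-account one. The log format, thresholds and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<iso-timestamp> login_failed user=<name> ip=<addr>"
LINE = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")

def make_sample_log():
    """Constructed sample: 'bob' is tried once each from 40 addresses,
    one address fails 6 times against 'carol', 'alice' mistypes twice."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    events = [(t0 + timedelta(seconds=i * 10), "bob", f"198.51.100.{i + 1}") for i in range(40)]
    events += [(t0 + timedelta(seconds=i * 5), "carol", "203.0.113.9") for i in range(6)]
    events += [(t0 + timedelta(seconds=i * 60), "alice", "192.0.2.7") for i in range(2)]
    events.sort()
    return [f"{ts.isoformat()} login_failed user={u} ip={ip}" for ts, u, ip in events]

def analyse(lines, window=timedelta(minutes=10), per_ip_max=5, per_account_max=10):
    """Return (ips_over_limit, {account: distinct source IPs}) over sliding windows."""
    by_ip, by_account = defaultdict(deque), defaultdict(deque)
    bad_ips, bad_accounts = set(), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not failed-login records
        ts, user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        for key, table in ((ip, by_ip), (user, by_account)):
            q = table[key]
            q.append((ts, ip))
            while q and ts - q[0][0] > window:  # drop events older than the window
                q.popleft()
        if len(by_ip[ip]) > per_ip_max:  # the per-IP view (what an IP ban rule sees)
            bad_ips.add(ip)
        if len(by_account[user]) > per_account_max:  # the per-account view
            distinct = len({src for _, src in by_account[user]})
            bad_accounts[user] = max(bad_accounts.get(user, 0), distinct)
    return bad_ips, bad_accounts

if __name__ == "__main__":
    ips, accounts = analyse(make_sample_log())
    print("IPs over per-IP limit:", sorted(ips))
    print("Accounts over per-account limit (distinct IPs):", accounts)
```

An account that trips the per-account limit can be locked or pushed to the captcha form regardless of where the attempts come from.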