[WTF] backwards responsible for recent DoS attacks
(Jan 28 2015, 09:18 PM)M. Bison Wrote: Some members of the WT-F community are targeting our servers. A few attacks were directly linked to them.

One of the attackers, [WTF] backwards [DEV], made no effort to hide the source of the attack nor his involvement. He sent unspoofed attack traffic from his test server, 199.116.118.27, and did so immediately after connecting in-game.


Here is part of a TCPDump showing the attack traffic in question:

19:21:56.397878 IP (tos 0x28, ttl 117, id 23619, offset 0, flags [DF], proto UDP (17), length 38)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 10
       0x0000:  4528 0026 5c43 4000 7511 aff5 c774 761b  E(.&\C@.u....tv.
       0x0010:  4a5b 717b e946 6987 0012 92e5 fdff ffff  J[q{.Fi.........
       0x0020:  4c5a 5353 8302                           LZSS..
19:21:56.397881 IP (tos 0x28, ttl 117, id 23620, offset 0, flags [DF], proto UDP (17), length 34)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 6
       0x0000:  4528 0022 5c44 4000 7511 aff8 c774 761b  E(."\D@.u....tv.
       0x0010:  4a5b 717b e946 6987 000e 4888 ffff ffff  J[q{.Fi...H.....
       0x0020:  6b15                                     k.
19:21:56.397883 IP (tos 0x28, ttl 117, id 23621, offset 0, flags [DF], proto UDP (17), length 34)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 6
       0x0000:  4528 0022 5c45 4000 7511 aff7 c774 761b  E(."\E@.u....tv.
       0x0010:  4a5b 717b e946 6987 000e 4888 ffff ffff  J[q{.Fi...H.....
       0x0020:  6b15                                     k.

Accounts:
STEAM_0:0:16583896 [main acc]
STEAM_0:0:16229287 [vac'd]
STEAM_0:0:17462301 [offering DOS services]

more proof:


  1. detailed series of events
  2. suspicious pattern
  3. busted!!
  4. third alt acct found, check aliases
  5. history on his main account

This thread is very misinforming and I'm disappointed that I have to come to this forum and post a reply to straighten things out. There are thousands of people in this community that hate me and target me because of this thread. The server you claimed I launched an attack on you from (199.116.118.27) is not my server. I did not purchase the server and I do not have access to it. However, I do know who owns it; it's a customer of mine. I do not own a server of any kind or have access to one other than WTF's. The reason the server has my name in it is because I gave the guy my test srcds server I run on my computer since he liked my mods. This included the CFG folders with server.cfg and my default hostname. I have not worked on my custom mods for it since 2012. I only host the local server to develop the WTF AntiCheat software and test inside a controlled environment (my srcds on my computer, not the one posted in this topic).

After I got out of the hospital I heard the story about the kill4 community coming to our server and posting the IP address to kill4. When I was in TeamSpeak with my customer and told him the story as I saw it on my friends list, I joined it. I explained to him the situation and wanted to see what the pub was like since it had our regulars in it. 30 seconds after joining, the server started to lag and I told him in TeamSpeak and he said he knew because he launched an attack. He said he only did it for 30 minutes tho and couldn't stop it when I told him to stop because I wanted to play in the server. I did not upload any DoS mods to his server; he already has his own stuff on his server. As far as I know that was the only event, and ever since then I was blamed for it since I joined the server and he did it without even asking me about it. I told him to stop and he did after it timed out.

Shortly after, the WTF server started getting ddos'd from a spoofed attack that sends randomized legit client data to the source engine server and is able to bypass the firewall with very low bandwidth attacks. It's almost impossible to block without restricting access to legit users the majority of the time. I understand that the WL servers were getting attacked at the same time from this same attack (I saw in the shoutbox players could connect using the IP and not see it from the source query). Since both of our servers are getting attacked in the same way I don't understand why I'd be blamed for this. Why would I attack my own community server? I'm 100% positive the same person is attacking the WL community and the WTF community. I do not know if the WL community is still being attacked or if it's just us, but if it's just us then that's the reason I came here mainly. Someone from this community is targeting our servers based off of this thread and also myself. Someone doing the same attack linked it to public profiles I was borrowing and would take down every server I joined every 3 minutes with the same attack, including servers like GFL or KSF. If I was really the person behind these attacks I would have just used the steamapi and claimed I was in the WL servers so they would attack WL. But I didn't do this, because I'm not the attacker; nor do I have interest in harming the WL community. I saw this thread a week ago but ignored it and thought it was funny to be blamed for something like this. However, when people set up bots on accounts I don't even own to try to mess with and target me, then it has gone too far. You supply a lot of circumstantial evidence but it's not as clear as you think it is.

The 2 extra accounts and SDOS bot:
The SDOS bot and vac banned account are not mine; I was on the vac banned account before it was banned tho. As George points out in a picture, I did in fact make the "SDOS BOT", 4 years ago. I only programmed it as a project to mess with the steamapi. It has lots of features on it not all relating to DDoSing people; that was added later on a request from people I used to sell legit services to from the bot. The bot was originally set up to just reply using cleverbot which I released the source code to and public a few years ago. I sold this bot to a guy named YoungTriggerBot (the guy I was in TeamSpeak with and the guy that attacked the server for 30 minutes). I was on that account to set up the bot permissions for him; he decided to sell services for it and market it as a DDoS bot. It's an account he cheats on so that's why it got vac banned. I also logged into that account to monitor inside our server for a few minutes and that's why George spotted it and decided to post info about it here. I do own many accounts tho, and some are vac banned from me making projects in the past, not all cheat related but a lot are. I'm not worried about trying to hide that the account was mine because it was vacced or something, no, I don't care about that. I have many accounts and a lot are vacced like I said before. I set up the bot and that was it, I don't have access to it anymore. Young owns his own server he attacks from and it's not a spoofable server, and the attack type was an old exploit I found and tested on my own server only (years ago). This can't be the source of the attacks because I've monitored the packets from the attack on our server and they are in no way related to my exploit.

History of my account:
The three posts you linked to are all wrong. The first one was a joke in the titanclan server, I play there all the time and the server was getting ddos'd so I just typed that in chat.

The second post isn't true, he just said possible attacker without any evidence. The thing after that said multi-hack, I've never cheated on this account before. I have other accounts I can cheat on.

Third post on ESEA. Yes, I did mass player connect messages to all ESEA servers with players in the server. This didn't lag the server at all tho, it was controlled at 5 packets per second. This was another exploit I found and used on the ESEA servers to get someone that was being offensive and rude in-game banned from ESEA. I would use the ESEA username of the person and mass connect to all sessions, everyone in-game would "-Karma Player name", because they thought it was that person spamming. The target would be banned from all pugs and have extremely low karma. They can't join pugs where 2 people blocked them, and only can join pugs where 1 person blocked them if it was the last slot 9/10, at the time. That person's account never was used again.


Just because you have the resources to do things doesn't mean you are responsible. I have the resources to make any kind of hack I'd like and cheat in-games 24/7, but I don't. I have the resources to destroy servers in many many ways thru various exploits I've found, but I don't. I do it for research purposes.

"I would be surprised if backwards has more experience in SourcePawn."

I don't know SourcePawn very well, Bison. I program all my mods in C/C++ and reverse the game's asm to find everything I need without depending on a slow scripting language that limits you in many ways. I did not write the sourcemod plugins on the WTF server. Only the anti-cheat and a few other mini feature plugins.

to the attackers:
Attacking the WTF server won't affect me in any way if you are targeting me or believe I am responsible for the attacks on WL. (I don't even play in the servers.)

to Bison:
I would like to work with you to stop the attacks on both of our communities. I have written a plugin that should stop the burst attacks of any type without impacting the current players in the server. There are some setbacks but I'll discuss them with you later if you choose to work with me and WTF. I'm doing this to show that I have no interest in harming your servers and would be happy if all the attacks stopped for both of our communities.

Messages In This Thread
RE: [WTF] backwards responsible for recent DoS attacks - by backwards - Feb 09 2015, 09:56 AM