[WTF] backwards responsible for recent DoS attacks
#1
Some members of the WT-F community are targeting our servers. A few attacks were directly linked to them.

One of the attackers, [WTF] backwards [DEV], made no effort to hide the source of the attack or his involvement. He sent unspoofed attack traffic from his test server, 199.116.118.27, and did so immediately after connecting in-game.


Here is part of a TCPDump showing the attack traffic in question:

19:21:56.397878 IP (tos 0x28, ttl 117, id 23619, offset 0, flags [DF], proto UDP (17), length 38)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 10
       0x0000:  4528 0026 5c43 4000 7511 aff5 c774 761b  E(.&\C@.u....tv.
       0x0010:  4a5b 717b e946 6987 0012 92e5 fdff ffff  J[q{.Fi.........
       0x0020:  4c5a 5353 8302                           LZSS..
19:21:56.397881 IP (tos 0x28, ttl 117, id 23620, offset 0, flags [DF], proto UDP (17), length 34)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 6
       0x0000:  4528 0022 5c44 4000 7511 aff8 c774 761b  E(."\D@.u....tv.
       0x0010:  4a5b 717b e946 6987 000e 4888 ffff ffff  J[q{.Fi...H.....
       0x0020:  6b15                                     k.
19:21:56.397883 IP (tos 0x28, ttl 117, id 23621, offset 0, flags [DF], proto UDP (17), length 34)
   199.116.118.27.59718 > 74.91.113.123.27015: [udp sum ok] UDP, length 6
       0x0000:  4528 0022 5c45 4000 7511 aff7 c774 761b  E(."\E@.u....tv.
       0x0010:  4a5b 717b e946 6987 000e 4888 ffff ffff  J[q{.Fi...H.....
       0x0020:  6b15                                     k.

Accounts:
STEAM_0:0:16583896 [main acc]
STEAM_0:0:16229287 [vac'd]
STEAM_0:0:17462301 [offering DOS services]

more proof:
  1. detailed series of events
  2. suspicious pattern
  3. busted!!
  4. third alt acct found, check aliases
  5. history on his main account
Steam Wrote: 4:02 PM - George, of the jungle: was out
4:02 PM - George, of the jungle: bison, dude
4:02 PM - Brawl Bashin’ Bison: ???
4:02 PM - George, of the jungle: you're very rude towards alina
4:02 PM - George, of the jungle: how about unbanning her friend?
4:02 PM - George, of the jungle: I mean
4:02 PM - George, of the jungle: it's only gamebanana skins
4:02 PM - Brawl Bashin’ Bison: LOL
4:02 PM - George, of the jungle: ^^
4:02 PM - Brawl Bashin’ Bison: LOLOL
4:02 PM - George, of the jungle: lol
#2
pathetic..
#3
http://www.wt-f.com/forum/index.php?/top...ty-banned/
They were also blamed for ddosing the kill4 servers
IBM PALM @ 1.9MHz, 16-bit
16KB RAM
204KB storage via QIC magnetic tape
Keyboard input
#4
i will cut my hand off if they didn't ddos wL servers back in feb )
#5
(Jan 28 2015, 09:39 PM).dot ` .relaxive Wrote: i will cut my hand off if they didn't ddos wL servers back in feb )
I'm not entirely sure whether they were involved in the larger 40Gbps DDoS attacks. However, it's beginning to look like they were behind most or all of the subsequent smaller attacks we suffered around the time of relocating to Texas and Kansas. At the time, a few people even suggested as much. I guess they were right... backwards' presence on the (wL) servers is tied to dates we were attacked. It looks like he's been at this a while.
#6
They're just sad and trying to deny DDoSing us even though you have the proof right there..
#7
Heh and yet they can't man up and admit it lol
#8
They are also kicking people with the wL name tag because it's "advertising". What a bunch of hypocrites.

Edit: I've been told multiple times by a WT-F admin not to wear the wL community tag months before this, so just change the kicking to banning. Thanks for pointing that out, smartass. Give yourself a pat on the back.
#9
Why is WT-F DDoS-ing the US server? I'm from Asia and I'm kinda new to warlords. Is there any feud between the two communities?
#10
(Jan 29 2015, 08:22 AM)Terminator Wrote: Why is WT-F DDoS-ing the US server? I'm from Asia and I'm kinda new to warlords. Is there any feud between the two communities?

Back in Feb last year, wL was hit with a huge DDoS that took out most of our US servers.. 4 of our most populated servers died because of it. Shortly earlier or later (can't remember), WT-F set up a Popular Maps server and most of our regulars moved on to that server. We decided to set up Kill4 as a sub community of wL and now they're being attacked as we populate them. Bison traced it back to the said guy, not sure if he is acting on behalf of WT-F or just himself.

This is what I remember, probably missing some details.
