SA-MP Forums

Go Back   SA-MP Forums > SA-MP Server > Server Support

Reply
 
Thread Tools Display Modes
Old 27/10/2018, 07:31 PM   #1
Lorenc_
High-roller
 
Lorenc_'s Avatar
 
Join Date: Jan 2010
Location: Australia
Posts: 3,798
Reputation: 1174
Default Has anyone resolved the bot attack issue (with diff ips)?

I'm talking about these bots ... with different IPs! Flood Control will not help (just a fyi)

Code:
[19:39:19] [warning] dropping a split packet from client
[19:39:19] [join] 64LPqNvCVArqR2Kr has joined the server (36:46.255.216.151)
[19:39:19] [part] 1nSZ1Wkr8XkR2Zga has left the server (30:2)
[19:39:19] [join] TqHe24xNSYNXhEj9 has joined the server (43:168.205.24.3)
[19:39:20] [connection] incoming connection: 123.249.60.102:56792 id: 29
[19:39:20] [connection] incoming connection: 123.249.2.246:56779 id: 35
[19:39:20] [connection] incoming connection: 198.199.123.35:61421 id: 50
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [connection] incoming connection: 200.199.114.236:52796 id: 51
[19:39:20] [connection] incoming connection: 114.6.27.199:64450 id: 52
[19:39:20] [connection] incoming connection: 123.249.60.203:56882 id: 53
[19:39:20] [connection] incoming connection: 123.249.60.186:56902 id: 54
[19:39:20] [warning] dropping a split packet from client
[19:39:20] [part] edGOTENDlFODE4Mx has left the server (33:2)
[19:39:20] [connection] incoming connection: 82.196.10.131:47674 id: 55
[19:39:20] [connection] incoming connection: 91.142.208.125:35523 id: 56
[19:39:21] [warning] dropping a split packet from client
[19:39:21] [join] QU0nUQTQzXeiTrdF has joined the server (50:198.199.123.35)
[19:39:21] [part] QU0nUQTQzXeiTrdF has left the server (50:2)
[19:39:21] [connection] incoming connection: 94.23.214.220:59707 id: 45
[19:39:21] [join] GkqmNM17BIJY82zo has joined the server (55:82.196.10.131)
[19:39:21] [join] ketH4syXyHKXm7ke has joined the server (56:91.142.208.125)
[19:39:21] [connection] incoming connection: 167.99.89.72:41651 id: 52
[19:39:21] [join] 1YCJC4LsU59WctWO has joined the server (44:42.51.194.28)
[19:39:21] [join] QjcYp1cwmQQxA312 has joined the server (46:121.12.92.62)
[19:39:21] [join] 8DKMpKtBSZoyH3gD has joined the server (45:94.23.214.220)
[19:39:21] [connection] incoming connection: 114.55.63.81:46162 id: 57
[19:39:21] [join] mhJmhjwYFMrvZdmF has joined the server (47:121.12.92.59)
[19:39:21] [join] TBXnGifnj52QRlri has joined the server (51:200.199.114.236)
[19:39:22] [join] 4FzfIthOs2xErqW6 has joined the server (52:167.99.89.72)
[19:39:22] [part] 4FzfIthOs2xErqW6 has left the server (52:2)
[19:39:22] [connection] incoming connection: 185.40.31.136:37234 id: 58
[19:39:22] [part] TqHe24xNSYNXhEj9 has left the server (43:2)
[19:39:22] [connection] incoming connection: 42.51.216.10:55266 id: 40
[19:39:22] [connection] incoming connection: 123.249.60.185:56830 id: 59
[19:39:22] [part] Yqcr6byjgIXOlybQ has left the server (41:2)
[19:39:22] [part] 3qeuQdrIR7BKBF7u has left the server (38:2)
[19:39:22] [connection] incoming connection: 123.249.60.76:56953 id: 60
[19:39:22] [connection] incoming connection: 88.99.76.114:58749 id: 61
[19:39:22] [connection] incoming connection: 123.249.60.246:57516 id: 62
[19:39:22] [connection] incoming connection: 42.51.216.11:58107 id: 63
[19:39:22] [join] TN8QD2EXWhnujuYN has joined the server (58:185.40.31.136)
[19:39:22] [part] TN8QD2EXWhnujuYN has left the server (58:2)
[19:39:22] [connection] incoming connection: 123.249.61.135:57989 id: 61
[19:39:23] [connection] incoming connection: 123.249.61.6:58006 id: 64
[19:39:23] [warning] dropping a split packet from client
[19:39:23] [connection] incoming connection: 121.12.92.93:34177 id: 65
[19:39:23] [part] T127iZFoycoop85a has left the server (28:2)
[19:39:23] [warning] dropping a split packet from client
[19:39:23] [part] gtxhXwXCUBEMm9MB has left the server (42:2)
[19:39:23] [connection] incoming connection: 42.51.216.3:50625 id: 57
[19:39:23] [part] 64LPqNvCVArqR2Kr has left the server (36:2)
All my NPCs get kicked when they attack my server - and they artificially add to my player count (none of my intentions).

My server automatically kicks them after like 9 seconds.

I don't know where to get access to this thing to really get an idea of how I can stop the attacks - but if somebody has feedback it will be greatly appreciated.

Tried to search, could not find anything. If I missed a detail, please link me in the thread so that users have a future reference when encountering this attack.

It's annoying as hell!
__________________
Join the best Cops And Robbers in SA-MP, today. svr.sfcnr.com:7777

Lorenc_ is offline   Reply With Quote
Old 27/10/2018, 08:13 PM   #2
RogueDrifter
High-roller
 
RogueDrifter's Avatar
 
Join Date: Dec 2017
Location: SA-MP Drifting world.
Posts: 1,190
Reputation: 406
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Maybe there's a GPCI ID pattern for them, some of those used to have a blank one.
__________________
Quote:
Originally Posted by Andy
My anti cheat is still relevant *puts shades on* https://github.com/RogueDrifter/Anti_cheat_pack

[Github]:Link [Gists]:Link [Forum]:Link [Server]:Link [Discord]:Link

RogueDrifter is offline   Reply With Quote
Old 28/10/2018, 01:23 PM   #3
niCe
Huge Clucker
 
niCe's Avatar
 
Join Date: Mar 2008
Location: CZ
Posts: 391
Reputation: 424
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

There are multiple methods how to detect them:

- They use same name length, you can kick all players with the same name length, that are not registered/logged
- There are often too many consonants in the row in their names, unlike regular player's name, you can apply some heuristics to detect the bot from its name
- They attempt to connect multiple times with the same IP, calling OnIncomingConnection quickly - regular players don't call this more than twice within 30 seconds.

Besides that, they all use VPN/Proxy. So far I have blocked these ranges, it helped to reduce the attacks a bit:

Code:
95.156.102.* 
192.169.217.* 
31.13.224.* 
95.78.157.* 
138.118.224.* 
103.250.166.* 
177.131.12.*
114.6.27.* 
192.169.188.* 
157.119.207.* 
203.145.179.* 
83.143.31.* 
42.51.216.* 
114.55.63.* 
185.67.93.* 
37.113.191.* 
85.192.154.* 
185.124.86.* 
128.199.*.* 
46.101.*.* 
201.184.*.* 
136.243.*.* 
188.235.*.* 
195.9.*.* 
94.153.*.* 
162.144.*.* 
192.169.140.* 
185.40.31.* 
173.249.29.* 
128.199.36.* 
192.163.207.* 
163.53.209.* 
154.72.75.* 
103.21.163.* 
46.101.240.* 
123.249.*.* 
46.214.146.* 
37.59.8.* 
42.51.*.* 
103.240.161.* 
121.12.92.* 
5.135.20.* 
103.216.82.*
__________________
[ENG] s2.gta-multiplayer.cz:7777 WTLS 2 (Singleplayer Features)
[ENG] s3.gta-multiplayer.cz:7777 WTLS 3 (Singleplayer Features)

- Pool, basketball, golf, Poker Texas Holdem, races and other minigames
- Video game QUB3D
- Roulette, blackjack, slots, video poker and horse-betting
- Stock market BAWSAQ
- Organizations and offices
- Missions from Big Smoke, Sweet, Zero, Cesar or Woozie!
- Gang wars
- More than 30 jobs (police, paramedic, firefighter, burglar, pimp, valet, pizza-boy and more)
- Gyms, strip clubs, clothes shops, hidden packages, oysters, spray tags, horseshoes and more
Watch the TRAILER
Servers are hosted at Evolution Host
niCe is offline   Reply With Quote
Old 28/10/2018, 02:12 PM   #4
Lorenc_
High-roller
 
Lorenc_'s Avatar
 
Join Date: Jan 2010
Location: Australia
Posts: 3,798
Reputation: 1174
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Quote:
Originally Posted by niCe View Post
There are multiple methods how to detect them:

- They use same name length, you can kick all players with the same name length, that are not registered/logged
- There are often too many consonants in the row in their names, unlike regular player's name, you can apply some heuristics to detect the bot from its name
- They attempt to connect multiple times with the same IP, calling OnIncomingConnection quickly - regular players don't call this more than twice within 30 seconds.

Besides that, they all use VPN/Proxy. So far I have blocked these ranges, it helped to reduce the attacks a bit:

Code:
95.156.102.* 
192.169.217.* 
31.13.224.* 
95.78.157.* 
138.118.224.* 
103.250.166.* 
177.131.12.*
114.6.27.* 
192.169.188.* 
157.119.207.* 
203.145.179.* 
83.143.31.* 
42.51.216.* 
114.55.63.* 
185.67.93.* 
37.113.191.* 
85.192.154.* 
185.124.86.* 
128.199.*.* 
46.101.*.* 
201.184.*.* 
136.243.*.* 
188.235.*.* 
195.9.*.* 
94.153.*.* 
162.144.*.* 
192.169.140.* 
185.40.31.* 
173.249.29.* 
128.199.36.* 
192.163.207.* 
163.53.209.* 
154.72.75.* 
103.21.163.* 
46.101.240.* 
123.249.*.* 
46.214.146.* 
37.59.8.* 
42.51.*.* 
103.240.161.* 
121.12.92.* 
5.135.20.* 
103.216.82.*
You champ! Thanks for that!

The only thing that would have been great is if OnIncomingConnection was able to pull the player's name so that we can do the name checking in that function (since GetPlayerName does not work).

Right now I check the rate in which these bots connect and if there is an anomaly then it will block their IP for 60 seconds. It seems to work a bit, I mean they do connect but they don't stay very long. I'd say maybe 75% reduced in connections alone just by checking the rate of connecting.

Got another check to see if the ID is within range otherwise it will block them (so that my NPCs dont get kicked). Will see how this holds up... Still hasn't went over the limit, yet.

Just gonna leave this info here if by chance Kalcor sees the thread and decides one day to give the issue another tackle.

GPCI is useless by the looks as someone suggested up. Different between every bot.

IncomingConnection:
Code:
[13:53:31] Name:(45)
Version:
IP: / 123.249.60.171:54741
Network Stats:{Network Active: 1
Network State: 6
Messages in Send buffer: 0
Messages sent: 0
Bytes sent: 0
Acks sent: 0
Acks in send buffer: 0
Messages waiting for ack: 0
Messages resent: 0
Bytes resent: 0
Packetloss: -nan%
Messages received: 0
Bytes received: 0
Acks received: 0
Duplicate acks received: 0
Inst. KBits per second: 28.8
KBits per second sent: 0.0
KBits per second received: 0.0
}
Ping:-1
NPC:0
GPCI:
OnPlayerConnect:
Code:
[13:53:30] [join] kKFdGEyGrk9TlTAI has joined the server (68:70.83.106.82)
[13:53:30] Name:kKFdGEyGrk9TlTAI(68)
Version:0.3.7
IP:70.83.106.82
Network Stats:{Network Active: 1
Network State: 8
Messages in Send buffer: 7
Messages sent: 52
Bytes sent: 2596
Acks sent: 6
Acks in send buffer: 3
Messages waiting for ack: 0
Messages resent: 0
Bytes resent: 0
Packetloss: 0.0%
Messages received: 8
Bytes received: 186
Acks received: 0
Duplicate acks received: 0
Inst. KBits per second: 28.8
KBits per second sent: 71.1
KBits per second received: 5.0
}
Ping:65535
NPC:0
GPCI:544E5049485245344C5238504F51584850494734
__________________
Join the best Cops And Robbers in SA-MP, today. svr.sfcnr.com:7777

Lorenc_ is offline   Reply With Quote
Old 28/10/2018, 03:29 PM   #5
RogueDrifter
High-roller
 
RogueDrifter's Avatar
 
Join Date: Dec 2017
Location: SA-MP Drifting world.
Posts: 1,190
Reputation: 406
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Quote:
Originally Posted by Lorenc_ View Post
GPCI is useless by the looks as someone suggested up. Different between every bot.

IncomingConnection:
Code:
[13:53:31] Name:(45)
..
GPCI:
OnPlayerConnect:
Code:
....
GPCI:544E5049485245344C5238504F51584850494734
They do have a pattern tho, i see over 30 numbers in the GPCI ID, do they all have that pattern? the hashed outcome of that string is usually less than 30 numbers since its 40 characters as a whole.
__________________
Quote:
Originally Posted by Andy
My anti cheat is still relevant *puts shades on* https://github.com/RogueDrifter/Anti_cheat_pack

[Github]:Link [Gists]:Link [Forum]:Link [Server]:Link [Discord]:Link

RogueDrifter is offline   Reply With Quote
Old 28/10/2018, 04:22 PM   #6
J0sh...
Banned
 
Join Date: Aug 2014
Location: Hamburger
Posts: 1,277
Reputation: 461
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Quote:
Originally Posted by RogueDrifter View Post
They do have a pattern tho, i see over 30 numbers in the GPCI ID, do they all have that pattern? the hashed outcome of that string is usually less than 30 numbers since its 40 characters as a whole.
stop it
ill get bigeti
J0sh... is offline   Reply With Quote
Old 28/10/2018, 04:38 PM   #7
BigETI
Banned
 
Join Date: Mar 2010
Location: Germany
Posts: 1,047
Reputation: 359
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

But GPCI is a number with 40 hexadecimal digits...
There is indeed a low probability (not very low though) of having only decimal digits inside a hexadecimally represented number, but there is a very high probabibility for players that are falsely tagged as bots according to your logic. Your logic extends to that you should count base 5 digits out of a octal represented number. That makes absolutely no sense. I want that you should plot a distribution of GPCIs by using your hilarious counting method, so we can do an end at your logic for good.
BigETI is offline   Reply With Quote
Old 28/10/2018, 05:18 PM   #8
v1k1nG
Huge Clucker
 
v1k1nG's Avatar
 
Join Date: Feb 2018
Posts: 435
Reputation: 31
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

I'd try simply to password the server anytime it gets attacked.
Or is it useless?
v1k1nG is offline   Reply With Quote
Old 28/10/2018, 05:59 PM   #9
RogueDrifter
High-roller
 
RogueDrifter's Avatar
 
Join Date: Dec 2017
Location: SA-MP Drifting world.
Posts: 1,190
Reputation: 406
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Pfft i never said itís a permanent solution nor did i say it was a 100% accurate, it can still be used to push away the attacker then you can take it off afterwards.

If it was so inaccurate i wouldnít have used it or recommended it but Iíve used it for a long period of time and it rarely kicked the innocent people, the ones that were detected were usually players with edited clients that set their GPCI ID to be spoofed every time they connect to ban evade which lead it to be a gay 40 characters string with more numbers than letters.

Just set it to kick the players with >=30 numbers or if it wasnít equal to 40 characters until the attacker goes away then remove it.

Code:
bool:IsPlayerBot(playerid)
{  
    if(IsPlayerNPC(playerid)) return false;
    new TempId[40+1], TempNumb;  
    gpci(playerid, TempId, sizeof(TempId)); 
    for(new i; i < strlen(TempId); i++)  
    {  
        if(TempId[i] >= '0' && TempId[i] <= '9')  TempNumb++;  
    }  
    return (TempNumb >= 30 || strlen(TempId) != 40);
}
__________________
Quote:
Originally Posted by Andy
My anti cheat is still relevant *puts shades on* https://github.com/RogueDrifter/Anti_cheat_pack

[Github]:Link [Gists]:Link [Forum]:Link [Server]:Link [Discord]:Link

RogueDrifter is offline   Reply With Quote
Old 28/10/2018, 07:02 PM   #10
RogueDrifter
High-roller
 
RogueDrifter's Avatar
 
Join Date: Dec 2017
Location: SA-MP Drifting world.
Posts: 1,190
Reputation: 406
Default Re: Has anyone resolved the bot attack issue (with diff ips)?

Aah I've already said my piece on this, i realize normal players could have those specs, that's why i said it rarely kicked normal ones, but clients which spoof your GPCI info always come up with a string that has those specs as well except for one spoofer i saw that does it the same and i don't think the attacks happening above include that.

If you're not going to take the risk of kicking that normal small percentage of players to stop the spoof of hundreds it's totally up to you, i just provided a resolution that may not be very accurate but could stop it til it goes away, then you can remove that piece of code or set a command to disable it afterwards. Again it's up to you.
__________________
Quote:
Originally Posted by Andy
My anti cheat is still relevant *puts shades on* https://github.com/RogueDrifter/Anti_cheat_pack

[Github]:Link [Gists]:Link [Forum]:Link [Server]:Link [Discord]:Link

RogueDrifter is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
CreateObject Vs CreateDynamicObject [ Diff. ] Mandooz Scripting Help 7 20/07/2016 05:17 AM
SSCANF Issue - Still un-resolved (+ rep) Dokins Scripting Help 2 30/01/2012 11:49 PM
Help please....SSCANF issue - Still not resolved. Dokins Scripting Help 10 25/01/2012 07:34 PM
player getting diff stats THE_KNOWN Help Archive 1 01/02/2011 08:55 AM
whats the diff? StrickenKid Help Archive 2 28/02/2009 04:56 PM


All times are GMT. The time now is 04:23 PM.


Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.