CapsAdmin / pac3

advanced avatar customization for garrysmod
GNU General Public License v3.0

PAC3 used as a possible security exploit #242

Closed BytewaveMLP closed 8 years ago

BytewaveMLP commented 8 years ago

Hey there,

It's come to my attention recently that a fair number of users that have recently played on my server are seeing large (D)DoS attacks directed at them after about 10 minutes of playtime on my server. At first, I attributed this to ISPs being ISPs, but recently I've started receiving threats from anonymous users and the request to shut down my server or face the consequences. I've done some digging as to how anyone could be doing this, as the anonymous user(s) claim to have automated the process, and that clients are being "infected" by a "virus" on the server. Of course, I found that highly unlikely, and even after a complete server purge, the issue was still occurring. I've started running proper tests recently, using candidates that haven't played on the server in a while if at all. What I've found is that these users are (seemingly) unaffected, while users with recent play time are being attacked. This leads me to believe the "attacker" has some sort of database of our IP addresses, and is just waiting for when we're online to hit one of them. Using Source queries, this is entirely possible, and quite likely. I can't confirm anything yet, but my suspicions are that PAC3 is being used in this exploit in some way. Perhaps the "attacker" set up a rogue web server to log request IP addresses, and was using PAC to serve otherwise normal content from that webserver. It's the only way I could think of for IP addresses to be grabbed without compromising either Gfycat, Imgur, YouTube, or my website itself (which is on shared hosting). Seeing as PAC3 has no whitelist, my suggestion would be to implement one if PAC3 is in fact the cause of this. It would be harder to make PACs, I know, but most PACs only pull from Dropbox, puu.sh, and the occasional DerpyGamers PAC. I can't confirm anything yet, but this is just my findings so far. I'll update this ticket with anything useful, but these are my proposed suggestions anyway in case something like this does happen.

EDIT: I intend to conduct more testing using other candidates to confirm my findings.

thegrb93 commented 8 years ago

They already know about this and they will not fix it. Just remove pac from your server.

BytewaveMLP commented 8 years ago

@thegrb93 I would hope they wouldn't ignore it. I'm going to leave the ticket open anyway. The more attention drawn to it, the better. It might convince them. This is a serious issue, and it should not go ignored.

thegrb93 commented 8 years ago

https://github.com/Metastruct/pac3/issues/24

BytewaveMLP commented 8 years ago

Wow. That's hilarious.

This is a major issue, and if the devs aren't willing to fix this, shame on them.

CapsAdmin commented 8 years ago

It's most likely what you think it is. But if not that's definitely one way to do it.

I could add a way for the server to manage what servers are accepted. I kinda see your point but it's not really the root cause and most likely it will make people find other ways to get your IP. Temporarily you could disable (I think) or remove pac3.

At the moment I can't play gmod since I left windows and it just keeps crashing on linux but I would probably accept patches. Reading off a config file is probably sufficient.

CapsAdmin commented 8 years ago

Also note that I don't really have anything to do with the metastruct branch of pac3. I can't control what they want to do with their version of pac3.

BytewaveMLP commented 8 years ago

I'll look for a way to implement that some time soon, then. Hopefully you get Garry's Mod working.

I'll keep PAC3 disabled for now, and update my community on the situation, as well as search for and implement a fix. Sorry for the confusion with devs there; didn't really look at the fork I was looking at.

Python1320 commented 8 years ago

It's not a PAC3 issue really, it's more a generic issue of what content should be allowed from where. Mostly you could just have a generic helper addon ( Starting now: https://github.com/Metastruct/gurl ), which detours http.Fetch and others along with providing API to query for whitelist URLs so that PAC can ask if it can visit a URL or not.
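A minimal clientside version of the whitelist-and-detour idea described above (reading allowed hosts from a config file and detouring http.Fetch so unapproved URLs are never requested), as an added example that is neither pac3's nor gurl's code; the config file name and the default host list are assumptions:

```lua
-- Added example, not pac3 or gurl code. Assumes Garry's Mod Lua; the config
-- file name and the default host list are placeholders.
local WHITELIST_FILE = "pac_url_whitelist.txt"  -- read from garrysmod/data
local allowedHosts = { ["dl.dropboxusercontent.com"] = true, ["puu.sh"] = true }

-- One host per line in the config file, as the thread suggests; '#' comments.
local function LoadWhitelist()
    local data = file.Read(WHITELIST_FILE, "DATA")
    if not data then return end
    for _, line in ipairs(string.Explode("\n", data)) do
        line = string.Trim(line):lower()
        if line ~= "" and line:sub(1, 1) ~= "#" then allowedHosts[line] = true end
    end
end

-- Host of a plain http(s) URL; nil for other schemes or for userinfo
-- ("allowed.host@evil.host"), which is a classic way to disguise the real host.
local function HostOf(url)
    local authority = type(url) == "string" and url:match("^https?://([^/?#]+)")
    if not authority or authority:find("@", 1, true) then return nil end
    return (authority:gsub(":%d+$", "")):lower()  -- strip an explicit port
end

-- Exact match or a subdomain of an allowed host.
local function IsAllowed(url)
    local host = HostOf(url)
    if not host then return false end
    if allowedHosts[host] then return true end
    for allowed in pairs(allowedHosts) do
        if host:sub(-(#allowed + 1)) == "." .. allowed then return true end
    end
    return false
end

-- Detour: a refused URL never leaves the client, so a rogue server logs nothing.
-- Caveat: a redirect from an allowed host to another one is not covered here.
local origFetch = http.Fetch
function http.Fetch(url, onSuccess, onFailure, headers)
    if not IsAllowed(url) then
        if onFailure then onFailure("url not whitelisted: " .. tostring(url)) end
        return
    end
    return origFetch(url, onSuccess, onFailure, headers)
end

LoadWhitelist()
```

Because the check happens before the request is made, a URL pointing at an unlisted server produces no connection at all, which is the property that matters for the IP-logging concern raised in this thread.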

CapsAdmin commented 8 years ago

That sounds like a better solution.

Cynosphere commented 8 years ago

So are we gonna have gURL implemented into PAC or a requirement where it won't run without? (which might piss people off)

Python1320 commented 8 years ago

PAC could run without gurl, but just

CapsAdmin commented 8 years ago

I'd rather have people who care about this install gurl instead of adding it to pac. I can probably promote it through pac3.