Server Attacks

Need help with SmartFoxServer? You didn't find an answer in our documentation? Please, post your questions here!

Moderators: Lapo, Bax

Minoa
Posts: 5
Joined: 04 Apr 2018, 20:00

Server Attacks

Postby Minoa » 04 Apr 2018, 20:07

Hi, I've been receiving the following error logs for the past few days:

Code: Select all

 java.nio.channels.SocketChannel[connected local=/10.16.0.122:3821 remote=/115.
78.201.230:14239]
[ WARNING ][ SmartFoxServer.dispatchEvent ] Unknown event type: , Disconnecting
 java.nio.channels.SocketChannel[connected local=/10.16.0.122:3821 remote=/110.
4.172.96:46483]
[ WARNING ][ SmartFoxServer.readIncomingMessages ] Malformed input: java.nio.ch
rset.MalformedInputException: Input length = 1. From: /76.67.6.30:58938
[ WARNING ][ SmartFoxServer.readIncomingMessages ] Malformed input: java.nio.ch
rset.MalformedInputException: Input length = 1. From: /76.67.6.30:58938
[ WARNING ][ SmartFoxServer.readIncomingMessages ] Malformed input: java.nio.ch
rset.MalformedInputException: Input length = 1. From: /173.94.138.112:50520
[ WARNING ][ SmartFoxServer.dispatchEvent ] Unknown event type: 29, Disconnecti
g: java.nio.channels.SocketChannel[connected local=/10.16.0.122:3821 remote=/45
33.128.25:10154]
[ WARNING ][ SmartFoxServer.dispatchEvent ] Unknown event type: , Disconnecting
 java.nio.channels.SocketChannel[connected local=/10.16.0.122:3821 remote=/190.
99.87.247:50419]
[ WARNING ][ SmartFoxServer.dispatchEvent ] Unknown event type: true, Disconnec
ing: java.nio.channels.SocketChannel[connected local=/10.16.0.122:3821 remote=/
10.54.172.96:36418]
[ WARNING ][ SmartFoxServer.readIncomingMessages ] Malformed input: java.nio.ch
rset.MalformedInputException: Input length = 1. From: /160.178.208.50:2003
[ WARNING ][ SmartFoxServer.readIncomingMessages ] Malformed input: java.nio.ch
rset.MalformedInputException: Input length = 1. From: /76.67.6.30:58938


I believe it was an attack as I have not changed anything for the past 6 months. However this attack is weird that it's causing the server to get confused. People reported to me that they whispered someone that they didn't intend to send (most likely server gets confused to whom to send it) and people equipping random items and random lag spikes and dropped messages (chat message's not sent).

I have upgraded the server up to "SmartFoxServer Pro 1.6.19 patch" which I believe should've fixed the issue but it's not disconnecting the malformed inputs from what I see, rather only disconnect unknown event types.

I'm using JRE 10 instead of the default java run time that comes with the sfs, and server uses Java while the client uses AS3.
How can I stop this attack?
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Server Attacks

Postby Lapo » 05 Apr 2018, 07:15

Hi,
from the log fragments it looks like something (a web-bot maybe?) is sending data that doesn't conform to the SFS protocol, therefore it gets refused.
However I am not sure that the server "is getting confused", as this data is simply discarded and doesn't interfere with the rest of operations.

Of course if these malformed requests are very frequent and numerous they could waste some of the server's computing power, which is the aim of most DDoS attacks etc...

If this is the case the best way to defend yourself is using a firewall in front of your server(s) and configure it so that the attacking addresses are banned from the get go.

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games
Minoa
Posts: 5
Joined: 04 Apr 2018, 20:00

Re: Server Attacks

Postby Minoa » 05 Apr 2018, 10:46

Hi Lapo
No, in this case, the server really gets confused. For most instance, server sometimes drop packets and then send packets to the wrong clients, and random disconnections. I've also tried to ban those IPs that's sending malformed data but ended up banning myself. Those IPs are actual player IPs, and I have never received these errors before nor I have changed something in the client. Is it possible that a network attack may cause the server to be unable to parse any data (corrupting any inputs) and marking them as "malformed input" even though they are correct?
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Server Attacks

Postby Lapo » 05 Apr 2018, 14:58

Unfortunately I have not enough data to understand what might be going on.

Random disconnections are more likely due to an unstable or congested state of the client connection than anything else. If the DDoS attack is massive it might disrupt your network but this is easily detected by checking your provider's network stats.

You mentioned dropped packets. It is expected some amount of dropped packets for slower clients but without knowing the % of DP is difficult to say if what you're seeing is anomalous or not.
You can take a look at the AdminTool to see the values of dropped in/out packets.

Is it possible that a network attack may cause the server to be unable to parse any data and marking them as "malformed input" even though they are correct?

No. If the attacker is sending malformed data the server will reject it. Otherwise legitimate requests will be executed.
Lapo

--

gotoAndPlay()

...addicted to flash games
Minoa
Posts: 5
Joined: 04 Apr 2018, 20:00

Re: Server Attacks

Postby Minoa » 07 Apr 2018, 12:10

Hey, just an update. For some reason, the tunnel IP is causing this issue. I'm using ddos protection by http://x4b.net and by using the protected IP, the server somehow receives weird request from legitmate clients although most requests are fine.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Server Attacks

Postby Lapo » 09 Apr 2018, 06:55

Ah, interesting.
I am glad you found the culprit. :)
Lapo

--

gotoAndPlay()

...addicted to flash games

Return to “SmartFoxServer 1.x Discussions and Help”

Who is online

Users browsing this forum: No registered users and 31 guests