# Aftermath of DDoS:  State of the Servers Part Deux..



## NikkyVix (Jan 20, 2009)

*UPDATE:*  One last statement about the issue can be found here concerning the specific method of the attack, sources involved, and directions on how other game servers can identify and counter this sort of a breach.

======================================

Hello again, all!

Wow, two TFP updates in the same night.  This may likely be the last one unless we come up with anything else, but things are stable again, quicker than first anticipated.  We have taken steps to provide an additional layer of security to prevent any problems immediately following, though such are not anticipated now that the initial hit is over with.

Dragoneer has been very helpful in providing his experience to help smooth things along as well as aiding us in our investigation.  We've been able to log several distinct IPs of the most likely origins of the attack on our servers (due to highest activity) and recorded in our logs:

71.82.80.206
76.202.216.119
64.94.18.205
67.68.244.125
142.163.133.205
98.226.145.180

http://img213.imageshack.us/img213/8630/ipaddressesup1.png

There are others, but I would rather not spam your window.  I've passed these IPs to some friends to look up..see if we can't track 'em down.  More importantly, we're back and running, no muss, no fuss.  It's probably better that this was an attack hitting us towards the tail end of peak hours when our servers were coming down from full capacity and not as loaded.  Well, we're all pretty much taking this as validation that we're growing as a community and, apparently, doing *something* right here.  We'll keep at it, especially with your continued solicitation of our TF2 and L4D servers.  Have fun all, and thanks for your time!

_-- NikkyVix_
http://www.hiddendisguises.com/hiddendisguises/Forums/index.php

(P.S:  Yes, apologies for the unnecessary wasted thread.  It's 4am.. hang me later? :3 )


----------



## Runefox (Jan 20, 2009)

Er, you might have wanted to reply to your other topic, but interesting, nonetheless. Still, it may not be possible to trace the origin if it was a true DDoS attack (involving bots).


----------



## Dragoneer (Jan 20, 2009)

It really blows, too. TFP is the only place I play anymore. :|


----------



## Finny Fox (Jan 20, 2009)

Odd fact. I traced the first, and most active IP [71.82.80.206] to Kalamazoo, Michigan, United States. That is Cc2's hometown and I believe acting server address. Second one was Chicago, IL, USA. Very odd.

http://www.geobytes.com/IpLocator.htm?GetLocation   <-- Used that site.


----------



## Dragoneer (Jan 20, 2009)

Hey, uhm... Nikky, you may want to check your e-mail. I just noticed something really odd about those IPs.

o___O

Some of those people are FA users.


----------



## Dragoneer (Jan 20, 2009)

Finny Fox said:


> Odd fact. I traced the first, and most active IP [71.82.80.206] to Kalamazoo, Michigan, United States. That is Cc2's hometown and I believe acting server address. Second one was Chicago, IL, USA. Very odd.
> 
> http://www.geobytes.com/IpLocator.htm?GetLocation   <-- Used that site.


Actually, uhm... that one IP *IS* CC2's. And the other is Sake's.


----------



## Witchiebunny (Jan 20, 2009)

Dragoneer said:


> Actually, uhm... that one IP *IS* CC2's. And the other is Sake's.



...wow. 

Just....wow.


----------



## Finny Fox (Jan 20, 2009)

Dragoneer said:


> Actually, uhm... that one IP *IS* CC2's. And the other is Sake's.




But why?


----------



## Dragoneer (Jan 20, 2009)

Witchiebunny said:


> ...wow.
> 
> Just....wow.


I e-mailed Nikky the info. I'm going to have to stay out of this, but... yeah, uhm... 

o____O


----------



## Arcalane (Jan 20, 2009)

Dragoneer said:


> It really blows, too. TFP is the only place I play anymore. :|



Aye, a damn shame. I guess it's just human nature though. Ah well, at least the servers seem to be back in order now.


----------



## Runefox (Jan 20, 2009)

Are you sure you're not including people who were legitimately connected to the server at the time?


----------



## Witchiebunny (Jan 20, 2009)

We're not ruling out that we might be including some innocent IPs in that, and to err is human (furry) and such. 

However....well if the info we have is correct and one is confirmed as CC2's.....I've never seen CC2 playing on our server, so....I dunno. :/


----------



## Runefox (Jan 20, 2009)

Ah, I forgot for a second that CC2 is exclusive from these servers... 5:55 AM. Yeeeah. Awkward.


----------



## Arcalane (Jan 20, 2009)

Given that very few people were able to play on the server (honestly, what's the point in trying when your ping is over the maximum limit the player list can display?), the chances of accidentally targeting innocent folk is very slim, although not impossible if they slipped on during the "downtimes".


----------



## Runefox (Jan 20, 2009)

Well, just by connecting to the server, your IP address gets logged - Therefore, whether or not they were actually able to play, the mere fact that they connected and had a ping pretty much means that if they were there, they are probably included on the log.


----------



## Witchiebunny (Jan 20, 2009)

Runefox said:


> Well, just by connecting to the server, your IP address gets logged - Therefore, whether or not they were actually able to play, the mere fact that they connected and had a ping pretty much means that if they were there, they are probably included on the log.



That doesn't explain IPs showing up on our server belonging to people who don't play on it....

I dunno what to think now. D:


----------



## Ailure (Jan 20, 2009)

Runefox said:


> Are you sure you're not including people who were legitimately connected to the server at the time?


We have logs of who and when people connect to the servers anyway. So false positives can be easily identified. (Edit: And now I just saw the post where you pointed out about the server logs. Yes we have those ).

The two first IP's in above list were the most active (per packet wise at least), and neither one did "connect" to any of the TFP TF2 servers.  Plus they were fairly active when the TF2 servers were taken down so they're not false positives...


----------



## Dragoneer (Jan 20, 2009)

Ailure said:


> The two first IP's in above list were the most active (per packet wise at least), and neither one did "connect" to any of the TFP TF2 servers.  Plus they were fairly active when the TF2 servers were taken down so they're not false positives...


And according to FA, that's CC2 and Sakefox. Their IPs match.

o___O


----------



## Runefox (Jan 20, 2009)

Witchiebunny said:


> That doesn't explain IPs showing up on our server belonging to people who don't play on it....
> 
> I dunno what to think now. D:


Obviously not; It's probably best to remove known user IP addresses from your search to make things easier, unless they occur often at the time of the attack. Honestly, though, if it was truly a DDoS attack, the likelihood of direct participation of any actual user (or even human) is low, unless it was a co-ordinated, non-automated effort, which means a lot of people have a lot of time on their hands.

EDIT: Interesting. I find it very strange that CC2 would be a major contributing part of that kind of attack. Not that I know him, but it's incredibly stupid. He as a server admin should at least have known that his IP address would be readily apparent in the server logs.


----------



## Witchiebunny (Jan 20, 2009)

So we had a very specific attack via the source ports against ONLY the TF2 servers that came from two very specific IPs of two people who do not play on our server....and you're saying it might be a coincidence?

I find it strange too, but IPs don't lie....I don't know why he would contribute, or what we ever did to deserve such an attack, but....well again..IPs just don't lie.


----------



## Runefox (Jan 20, 2009)

Witchiebunny said:


> So we had a very specific attack via the source ports against ONLY the TF2 servers that came from two very specific IPs of two people who do not play on our server....and you're saying it might be a coincidence?


No, not after knowing that the IP's shown above are known to have participated in the attack and are not otherwise legitimate traffic. Just making sure that everything's taken into account.



> I find it strange too, but IPs don't lie....I don't know why he would contribute, or what we ever did to deserve such an attack, but....well again..IPs just don't lie.


No, they don't. Still, again, I find it incredibly stupid of him to leave himself wide open like that. Clearly this was mostly a co-ordinated effort rather than the actions of someone hiding behind a botnet. So... Maybe it is.

Still, bizarre.


----------



## Furlop (Jan 20, 2009)

I'm not here to defend Cc2. I'm not a part of his community or Nikky's (Personally I think the whole drama between TF2 servers is stupid as hell) but I did want to point out that they apparently experienced the same thing.

http://www.cc2iscool.com/forum/viewtopic.php?f=9&t=1073

Just throwing that out there before anyone starts pointing fingers and furthering this whole pathetic drama war.


----------



## Witchiebunny (Jan 20, 2009)

Furlop said:


> I'm not here to defend Cc2. I'm not a part of his community or Nikky's (Personally I think the whole drama between TF2 servers is stupid as hell) but I did want to point out that they apparently experienced the same thing.
> 
> http://www.cc2iscool.com/forum/viewtopic.php?f=9&t=1073
> 
> Just throwing that out there before anyone starts pointing fingers and furthering this whole pathetic drama war.




We're well aware of that, Furlop. We don't know what's going on just yet, but the fact remains....two ips attacked our server that do not match any regular players.

Which is...interesting. Though I do agree, a drama and competition war between two TF2 servers is stupid as we don't consider ourselves in competition with any other server.

Also, Furlop....not a part of his community?

http://i44.tinypic.com/15mo36d.jpg

How interesting.


----------



## Cara Black (Jan 20, 2009)

seems you got told


----------



## Furlop (Jan 20, 2009)

Cara Black said:


> seems you got told





To Witchie: I guess you never actually looked at the steam group, which I left over a week ago. And this is exactly the reason I left, too. *I* do not want to be involved in the ridiculous drama that these two communities create. I've already made enemies (apparently) simply being an admin whose sole job was to try to enforce rules on a server I enjoyed playing on. It's really pretty sad how furries get so worked up over team fortress of all things and that I have to explain myself when all I came in here to do was to try to help defuse drama.


----------



## Witchiebunny (Jan 20, 2009)

*shrugs* You don't have to explain yourself to me. I didn't say you were lying, just thought it was interesting is all.


----------



## Cc2iscooL (Jan 20, 2009)

Apparently I have to respond to this here, seeing as no one can contact me directly about this rather than pinning blame.

I assure you, SakeFox and myself had nothing to do with your DDoS attack. We use a server monitoring tool called HLSW that would cause you to see our IP addresses with a high number of packets to your servers with no connections.

Here's a screenshot, for your reference.







We monitor all of these servers 24/7 day and night. Both of us never turn off our computers unless we have to, and we both run this program unless we forget to. The only thing this program does is ping the server and retrieve the player listing, current map, rules, and other things of that nature. It does nothing more than say, the Steam server browser querying your server, or an external site like Game-Monitor pinging your servers.

We experienced the problem last night as well, and were able to block the offending IP addresses from our servers virtually as soon as the attack started. I've been in the server and webhosting business for a long time and started learning how to run servers when I was barely 14 years old, and I've had to deal with a lot of these types of attacks, so it's nothing new to me. We also had (attempts) at raiding our Ventrilo and forums from a few individuals, and I got a few phone calls from random numbers I've never heard of (public information sucks ), so I'm guessing it was just some raid called about by 4chan or some kiddies thinking they would try to cause drama.

Pointing fingers isn't going to solve the problem, guys. It's only going to make it worse.

-Cc2iscooL


----------



## Mirri (Jan 20, 2009)

Cc2iscooL said:


> Both of us never turn off our computers unless we have to, and we both run this program unless we forget to.



Clearly a reliable, unbiased source of information.
I guess the fact that you use HLSW, a server monitoring program, on your computers, absolves you entirely. Nevermind all the other evidence that an IP we can confirm belongs to you was sending gigantic amounts of packets at the server. Nothing to see here folks, he's clearly innocent. Move along.


----------



## Cc2iscooL (Jan 20, 2009)

Mirri said:


> Clearly a reliable, unbiased source of information.


So is a list of IP addresses, to be completely fair.


----------



## ferinoch (Jan 20, 2009)

Dragoneer said:


> Actually, uhm... that one IP *IS* CC2's. And the other is Sake's.



Wow... 

It's amusing to see the amazing detective work going on here. Their Ip addresses on a list you provided. That must mean they fomented an attack on you. Just as conclusive and damning as the RIAA's evidence!

Give me a damn break. 

Exactly why would we care to attack you in the first place? Half the people who play on our servers play on yours as well. Why piss off a shared user base? 

As Cc has stated, we experienced and suppressed similar attacks. Even had some pissant hopping into the vent trying to mic spam. 

Given the shared attack, it's not too hard to imagine a few idiots from a fail chan deciding to attack you all with spoofed IPs. What's better than raiding a furry server after all, than getting furries to blame each other for the attacks.

Next time try applying some basic logic instead of leaping to whatever conclusion fits your own paranoid delusions.


----------



## Runefox (Jan 20, 2009)

Mirri said:


> Clearly a reliable, unbiased source of information.
> I guess the fact that you use HLSW, a server monitoring program, on your computers, absolves you entirely. Nevermind all the other evidence that an IP we can confirm belongs to you was sending gigantic amounts of packets at the server. Nothing to see here folks, he's clearly innocent. Move along.



While sending a gigantic amount of traffic is a little suspicious, this does explain why, exactly, his IP showed up to begin with, whether the source is "reliable" or not. Not that I have anything to do with CC2, but finger-pointing based on one-sided evidence is a little childish. Instead of fingering him after finding out that his IP had some activity, you should have instead just directed your investigation that way instead of coming up with a scapegoat for the whole thing. Even if he did it, you're fingering him based on server logs, and you should note that IP addresses can indeed be spoofed. What you need to ask is _what_ did CC2's computer send to the server, if anything, aside from monitoring packets from HLSW, and if none, should investigation into HLSW's activities when a server is unresponsive be done? Exactly how much data did CC2's IP send? How much was ICMP traffic? How much was HLSW's server traffic? How much traffic does HLSW normally generate? Do the server logs leading up to this attack also show that HLSW traffic from CC2's IP address was being sent?

Only if you can answer those questions and still have doubts can you point fingers, and that's what's bugged me from the start of this, if you read back through this topic.


----------



## Mirri (Jan 20, 2009)

ferinoch said:


> Wow...
> 
> It's amusing to see the amazing detective work going on here. Their Ip addresses on a list you provided. That must mean they fomented an attack on you. Just as conclusive and damning as the RIAA's evidence!
> 
> ...



Half? That's certainly a lofty estimate. Hell, half of your userbase moved exclusively over to TFP servers, for reasons I won't go into here, they've been expressed in several other locations, and there's no reason to bring up bad blood. Do you mean a half of that half that was left?



> As Cc has stated, we experienced and suppressed similar attacks. Even had some pissant hopping into the vent trying to mic spam.
> 
> Given the shared attack, it's not too hard to imagine a few idiots from a fail chan deciding to attack you all with spoofed IPs. What's better than raiding a furry server after all, than getting furries to blame each other for the attacks.
> 
> Next time try applying some basic logic instead of leaping to whatever conclusion fits your own paranoid delusions.



Yeah I'm totally willing to accept that a group of four-chan kiddies, who would know absolutely nothing more than it's a set of servers run by furries, would know enough to go to all the trouble to spoof Sake and CC2's IP addresses (not an easy feat by far, even for somebody who knows what they're doing). 

Personally the way I think it happened is that you guys were attacked, and assuming it was us, you started attacking us in reprisal without finding out exactly who was behind it, for whatever reasons.

Not that I or anybody else would expect CC2 to be but the cowardly, smug ass he is and deny any involvement he had with the situation, and be as condescending as possible in the attempt.



> While sending a gigantic amount of traffic is a little suspicious, this does explain why, exactly, his IP showed up to begin with, whether the source is "reliable" or not. Not that I have anything to do with CC2, but finger-pointing based on one-sided evidence is a little childish. Instead of fingering him after finding out that his IP had some activity, you should have instead just directed your investigation that way instead of coming up with a scapegoat for the whole thing. Even if he did it, you're fingering him based on server logs, and you should note that IP addresses can indeed be spoofed. What you need to ask is what did CC2's computer send to the server, if anything, aside from monitoring packets from HLSW, and if none, should investigation into HLSW's activities when a server is unresponsive be done? Exactly how much data did CC2's IP send? How much was ICMP traffic? How much was HLSW's server traffic? How much traffic does HLSW normally generate? Do the server logs leading up to this attack also show that HLSW traffic from CC2's IP address was being sent?



This HLSW is simply a monitoring program, like CC2 said in his post. It doesn't send huge amounts of packets to a server, certainly not to affect latency. It simply pings the server and gets a header of information that lists the server's name, current users, usercount, latency, current map, etc.

But, you don't freaking USE HLSW to DDOS a server, so him bringing up that he uses HLSW was an attempt to explain away the fact that he had ANY non-connection pings to the server, it doesn't at all explain the fact that he was flagged for sending DDOS-levels of packets to the server. For all we know he didn't even have the TFP servers even plugged in to HLSW to even monitor until the time this popped up on his radar. There's no time or date in the screenshot he provided, and no way to prove or disprove that he was even monitoring TFP servers at the times of attack. They really have nothing to do with each other.

I'd also like to note that, at the time, all we had was an IP address, we had NO idea that they belonged to Sake or CC2, we were simply reporting a seemingly random string of numbers that we had no idea were even tied to the persons in question. It was later found out that the IPs in question matched ones that the two people used to connect to FA. They were entirely unlinked until it was pointed out.


----------



## br0nz (Jan 20, 2009)

I'd just like to point out that a server admin has much better things to do with his time and bandwidth than attempting to abuse someone else's connections.

Also, as a matter of it being a _Distributed_ Denial of Service attack, the point (of what does indeed look like further 4chan antics) is to use enough connection requests to overwhelm the server's resources.  Go do a little research on your own before pointing fingers, guys.

I'm glad you made it over here to comment, CC2.  They should have asked you immediately.  As far as "IPs don't lie", everyone, just share the list of offending IPs you guys blocked and the question's solved.


----------



## Mirri (Jan 20, 2009)

br0nz said:


> I'd just like to point out that a server admin has much better things to do with his time and bandwidth than attempting to abuse someone else's connections.
> 
> Also, as a matter of it being a _Distributed_ Denial of Service attack, the point (of what does indeed look like further 4chan antics) is to use enough connection requests to overwhelm the server's resources.  Go do a little research on your own before pointing fingers, guys.
> 
> I'm glad you made it over here to comment, CC2.  They should have asked you immediately. * As far as "IPs don't lie", everyone, just share the list of offending IPs you guys blocked and the question's solved.*



Read the thread.

A single computer couldn't produce an effective DDOS attack, this is true. But somebody with access to many computers (or servers for that matter) could certainly orchestrate one themselves if they used their entire arsenal of computers and connections.


----------



## Runefox (Jan 20, 2009)

Mirri said:


> This HLSW is simply a monitoring program, like CC2 said in his post. It doesn't send huge amounts of packets to a server, certainly not to affect latency. It simply pings the server and gets a header of information that lists the server's name, current users, usercount, latency, current map, etc.


This is what I figured, but the point (and what I meant) is, what does it do if the server is down? How often does it retry? How many packets does it send in an attempt to re-establish the connection?



> But, you don't freaking USE HLSW to DDOS a server, so him bringing up that he uses HLSW was an attempt to explain away the fact that he had ANY non-connection pings to the server, it doesn't at all explain the fact that he was flagged for sending DDOS-levels of packets to the server. For all we know he didn't even have the TFP servers even plugged in to HLSW to even monitor until the time this popped up on his radar. There's no time or date in the screenshot he provided, and no way to prove or disprove that he was even monitoring TFP servers at the times of attack. They really have nothing to do with each other.


See above. It's possible that when the server failed to respond, HLSW began sending more packets more often to try and re-establish the connection. It's totally within reason that the program's netcode might not be what it could be.



> I'd also like to note that, at the time, all we had was an IP address, we had NO idea that they belonged to Sake or CC2, we were simply reporting a seemingly random string of numbers that we had no idea were even tied to the persons in question. It was later found out that the IPs in question matched ones that the two people used to connect to FA. They were entirely unlinked until it was pointed out.


Yes, and once it was pointed out, everyone immediately jumped on CC2 without even looking into it further. This is what I'm criticising.



> But somebody with access to many computers (or servers for that matter) could certainly orchestrate one themselves if they used their entire arsenal of computers and connections.


Yes, and it's absolutely stupid to put _your own IP address_ into the mix, not to mention that if he had used his servers to orchestrate this sort of thing, _the *server IP's* would be showing up here, too_. So, uh, yeah.


----------



## Kesteh (Jan 20, 2009)

Hence the first "D" meaning "Distributed"


----------



## Cc2iscooL (Jan 20, 2009)

Runefox said:


> While sending a gigantic amount of traffic is a little suspicious, this does explain why, exactly, his IP showed up to begin with, whether the source is "reliable" or not. Not that I have anything to do with CC2, but finger-pointing based on one-sided evidence is a little childish. Instead of fingering him after finding out that his IP had some activity, you should have instead just directed your investigation that way instead of coming up with a scapegoat for the whole thing. Even if he did it, you're fingering him based on server logs, and you should note that IP addresses can indeed be spoofed. What you need to ask is _what_ did CC2's computer send to the server, if anything, aside from monitoring packets from HLSW, and if none, should investigation into HLSW's activities when a server is unresponsive be done? Exactly how much data did CC2's IP send? How much was ICMP traffic? How much was HLSW's server traffic? How much traffic does HLSW normally generate? Do the server logs leading up to this attack also show that HLSW traffic from CC2's IP address was being sent?
> 
> Only if you can answer those questions and still have doubts can you point fingers, and that's what's bugged me from the start of this, if you read back through this topic.



But I don't like being fingered. 

Anyway, thank you for your support. It's quite easy to spoof IP addresses, especially with the programs coming out today.



Mirri said:


> Half? That's certainly a lofty estimate. Hell, half of your userbase moved exclusively over to TFP servers, for reasons I won't go into here, they've been expressed in several other locations, and there's no reason to bring up bad blood. Do you mean a half of that half that was left?
> 
> 
> 
> ...



We're not discussing server traffic here. I don't understand why you're even fighting about the issue.

We don't retaliate against attacks, we just block them and move on. It happens too often to waste the time and resources to get revenge on people for causing a minor inconvenience.

Gotta love when someone has to call you names to win an argument.

If Endeavour (who runs the servers) had contacted me about the issue I might have been able to help him resolve the issue as we did. We've helped many other furry communities with their problems, as members from Team Furtress could tell you. Unfortunately we choose to point fingers before just talking, so I can see why I have to waste my time here trying to defend myself against something so silly.


----------



## LordBorel (Jan 20, 2009)

Damn, if a random list of IP's is enough to flail wild accusations nowadays, I'm going to use my own random list to show that Bill Gates is guilty of tax fraud. Give me a break. Instead of seeing a random attack as normal people would see it, as you know, a random attack, certain people see it as an opportunity to trash other people's reputation and make drama. Pathetic. What is any of this going to accomplish? Everyone will scream their opinion from the rooftops for a week while everyone's still reading Mirri's latest post revision, and then everything will be back to normal. Death to Drama.


----------



## Mirri (Jan 20, 2009)

Runefox said:


> This is what I figured, but the point (and what I meant) is, what does it do if the server is down? How often does it retry? How many packets does it send in an attempt to re-establish the connection?
> 
> 
> See above. It's possible that when the server failed to respond, HLSW began sending more packets more often to try and re-establish the connection. It's totally within reason that the program's netcode might not be what it could be.
> ...



It only sends a handful of packets. I can't give you an exact number, but certainly less than would be considered flagging for a DDOS attack, even if it were retrying every 30 seconds for the few short hours the servers were down. I can't say for sure when the logs were taken either as I haven't seen the original logs - they were more than likely frozen and checked very shortly after the servers went down, not afterwards when HLSW would have been "retrying" the server so many times anyway.

It was pointed out, and everybody jumped on CC2 because IPs do not lie. They can be spoofed with (arguably) a lot of effort, but somebody wouldn't go to all that trouble unless they KNEW to frame CC2, especially if it was a roving band of drooling 4chan tards. The chances of it being the case are laughable. We're not saying that they're the only ones that were flagged, they were certainly among them, and...let's say CC2 and his ilk have every motive for attacking our servers, and the *ahem* "modus operandi" fits quite well.



> Damn, if a random list of IP's is enough to flail wild accusations nowadays, I'm going to use my own random list to show that Bill Gates is guilty of tax fraud. Give me a break. Instead of seeing a random attack as normal people would see it, as you know, a random attack, certain people see it as an opportunity to trash other people's reputation and make drama. Pathetic. What is any of this going to accomplish? Everyone will scream their opinion from the rooftops for a week while everyone's still reading Mirri's latest post revision, and then everything will be back to normal. Death to Drama.



God I love Straw-man Fallacies. They're all over the internets. 

If your website/game server/community was attacked and you had a long-standing rivalry (as much as CC2 will try to deny it to make us out to be the bad guys, as expected of him), and you found your rival's IP among the incoming DDOS attacker's IPs, you'd be sorta damn suspicious and ready to point fingers too.

IPs do not lie.


----------



## Runefox (Jan 20, 2009)

LordBorel said:


> words


Sorry to cut you off, it just seems more efficient. I'd like to point out that both sides of this argument seem to have begun flinging their opinions like chimps fling faeces. CC2's IP showed up in the logs - So it must have been him! But CC2 is monitoring the server - So it must have been a random attack!

ORCHESTRATED!

RANDOM!

ORCHESTRATED!

RANDOM!

Jesus fucking hell, look at the evidence instead, people! And I mean *ALL OF IT*.


----------



## Runefox (Jan 20, 2009)

EDIT: Sorry for the doublepost; My gambit that there would be another post after mine in the time it would take to write this post failed.



Mirri said:


> It only sends a handful of packets. I can't give you an exact number, but certainly less than would be considered flagging for a DDOS attack, even if it were retrying every 30 seconds for the few short hours the servers were down. I can't say for sure when the logs were taken either as I haven't seen the original logs - they were more than likely frozen and checked very shortly after the servers went down, not afterwards when HLSW would have been "retrying" the server so many times anyway.



Every 30 seconds is a little conservative; What if it were to continually send ICMP packets and server packets until receiving a response? It's not unthinkable, even if it were something as silly as a programming error/bug.



> It was pointed out, and everybody jumped on CC2 because IPs do not lie. They can be spoofed with (arguably) a lot of effort, but somebody wouldn't go to all that trouble unless they KNEW to frame CC2, especially if it was a roving band of drooling 4chan tards. The chances of it being the case are laughable. We're not saying that they're the only ones that were flagged, they were certainly among them, and...let's say CC2 and his ilk have every motive for attacking our servers, and the *ahem* "modus operandi" fits quite well.


I don't understand quite why someone running a game server would want to attack another similarly-themed game server. What would his motive be? Can you elaborate? Because honestly, I have a hard time believing that someone would willingly expose his IP address in an attack like this, knowing fully well that it can - and will - be traced back to him. It's stupid, and I'm not entirely sure CC2 is an idiot.

IPs don't often lie, but sometimes there are other reasons.


----------



## Ailure (Jan 20, 2009)

Please explain to me why a monitoring tool would need to send several UDP packets a second. All of them totally empty too.

http://developer.valvesoftware.com/wiki/Server_Queries

None of the UDP packets looked like a proper Server query.


----------



## LordBorel (Jan 20, 2009)

Mirri said:


> It only sends a handful of packets. I can't give you an exact number, but certainly less than would be considered flagging for a DDOS attack, even if it were retrying every 30 seconds for the few short hours the servers were down. I can't say for sure when the logs were taken either as I haven't seen the original logs - they were more than likely frozen and checked very shortly after the servers went down, not afterwards when HLSW would have been "retrying" the server so many times anyway.
> 
> It was pointed out, and everybody jumped on CC2 because IPs do not lie. They can be spoofed with (arguably) a lot of effort, but somebody wouldn't go to all that trouble unless they KNEW to frame CC2, especially if it was a roving band of drooling 4chan tards. The chances of it being the case are laughable. We're not saying that they're the only ones that were flagged, they were certainly among them, and...let's say CC2 and his ilk have every motive for attacking our servers, and the *ahem* "modus operandi" fits quite well.
> 
> ...



Not to sound snarky and drama-causing, but could you please number your revisions? It's hard to keep up.


----------



## Runefox (Jan 20, 2009)

Ailure said:


> Please explain to me why a monitoring tool would need to send several UDP packets a second.



Heartbeat? Ping? Server protocol-driven information updates? UDP packets aren't exactly huge (well, no bigger than the MTU, typically 1500 bytes), and multiple per second is actually a small amount for a single client. I'm tempted to go load up HLSW and do a Wireshark on it just to see what it sends over time (and especially to a non-operational server), since nobody else seems to be willing to rule it out.


----------



## Mirri (Jan 20, 2009)

Runefox said:


> EDIT: Sorry for the doublepost; My gambit that there would be another post after mine in the time it would take to write this post failed.
> 
> 
> 
> ...



I'm not going into why CC2 would want to bring us down, it was already briefly discussed upthread. I'll let you dig around in it and draw your own conclusions (it's what we're all doing here in the first place, isn't it?). 30 seconds is a bit conservative. Even every 10 seconds or hell, I'd say even 5 seconds for a retry wouldn't send nearly enough packets to be considered a possible DDOS attack when looking at logs. They send certain TYPES of packets and in certain, set intervals, whereas DDOS attacks send several types of packets, very quickly. 

And saying that somebody wouldn't expose his IP in such a way is like asking why a murderer would leave the murder weapon sticking out of the back of his victim with his fingerprints on it.
(NOTE: I don't intend to compare these acts to murder in any way, it's considerably less severe, but it's just an analogy, take it at face value, please.)


----------



## Ailure (Jan 20, 2009)

Runefox said:


> Heartbeat? Ping? Server protocol-driven information updates? UDP packets aren't exactly huge (well, no bigger than the MTU, typically 1500 bytes), and multiple per second is actually a small amount for a single client. I'm tempted to go load up HLSW and do a Wireshark on it just to see what it sends over time (and especially to a non-operational server), since nobody else seems to be willing to rule it out.


I think one packet every 1-5 ms is a bit... overkill for that.


----------



## Runefox (Jan 20, 2009)

Ailure said:


> I think one packet every 1-5 ms is a bit... overkill for that.



Several would be the wrong word, but like I said, looking at HLSW's site, it certainly seems like the program might be capable of doing something like that. I'm downloading it now and will be running packet capture on it.

As for Mirri, I have no interest in responding to that. You're not doing anything but subjectively urging that there can be no other explanation.


----------



## Witchiebunny (Jan 20, 2009)

CC2, what are you and your people doing monitoring TFP like that? You certainly do not need two people monitoring our servers like that, throwing so much at it. Why are you watching us so closely?


----------



## Finny Fox (Jan 20, 2009)

Witchiebunny said:


> CC2, what are you and your people doing monitoring TFP like that? You certainly do not need two people monitoring our servers like that, throwing so much at it. Why are you watching us so closely?



Not only the TFP, but also the PitFurs and Team Furtress, as well as the TFP L4D server. It's getting a bit odd seeing you watch all of them.


----------



## Witchiebunny (Jan 20, 2009)

Finny Fox said:


> Not only the TFP, but also the PitFurs and Team Furtress, as well as the TFP L4D server. It's getting a bit odd seeing you watch all of them.



Exactly... in your own words, CC2, doesn't a server admin have "better things to do"?


----------



## Ailure (Jan 20, 2009)

Runefox said:


> Several would be the wrong word, but like I said, looking at HLSW's site, it certainly seems like the program might be capable of doing something like that. I'm downloading it now and will be running packet capture on it.


Anyway, I attached a picture that might be interesting... (said IP is CC2's and only his as I sorted after IP). All UDP packets from that IP don't contain any valid data used by the server query system.

It's like sending a parcel without contents. It doesn't make sense.

And according to the official documentation, server query packets are not supposed to be empty, in one direction or another.

Edit: IP isn't Sakefox's, my mistake.


----------



## Mirri (Jan 20, 2009)

Ailure said:


> Anyway, I attached a picture that might be interesting... (said IP is Sakefox's and only his as I sorted after IP).
> 
> And according to the official documentation, server query packets are not supposed to be empty, in one direction or another.



*waits for CC or one of his leeches to come in and claim Photoshoppery*


----------



## Cc2iscooL (Jan 20, 2009)

Witchiebunny said:


> CC2, what are you and your people doing monitoring TFP like that? You certainly do not need two people monitoring our servers like that, throwing so much at it. Why are you watching us so closely?


We watch all sorts of servers to watch trends in playerbase. If you'll note my personal list also includes servers such as Team Furtress and The Pit Furs. I watch where communities are going simply out of interest. For instance, over the past two months I've noticed Team Furtress completely lose its playerbase to other servers. When Fopsy had their servers still up I watched them to see how their community was doing. I'm a community leader. It's my job to know and understand what communities are cropping up and which ones are growing and which ones are failing in comparison to my own community. It's kind of like, say, back a few years ago, Circuit City watching Best Buy's stocks and profit to see how they were doing compared to Best Buy, or like any other business in the USA.

Also, you have to realize, this program is completely automated. I put in the IP address (which takes about 2 seconds) and it never leaves the list unless I delete it. Hardly "time consuming" really.


----------



## Runefox (Jan 20, 2009)

Ailure said:


> Anyway, I attached a picture that might be interesting... (said IP is Sakefox's and only his as I sorted after IP).


That's actually pretty convincing, I have to say. And to note, claims of photoshopping would pretty much be out of the question if you posted the pcap file. (And no. Modifying a pcap file is not in any way trivial, especially with this many packets). Here's a snippet of the raw text of one that I took on-site while troubleshooting Cisco switches:



> Å¡ â€¦â€°ÃœB E  <  â‚¬ÃšÂ¬Â¬c %\ & abcdefghijklmnopqrstuvwabcdefghiÃ­Ã–?IÃ¶Ãµ J   J    â€¦â€°ÃœB â€¦â€°
> Å¡ E  <4Ã‡  â‚¬  Â¬cÂ¬  -\ & abcdefghijklmnopqrstuvwabcdefghiÃ­Ã–?IÃ¯Â· <   <   â‚¬Ã‚    i~Ã»Ã &BB     â€š i~Ã»Ã€    â€š i~Ã»Ã€â‚¬             Ã®Ã–?IÂ¿	 J   J    â€¦â€°
> Å¡ â€¦â€°ÃœB E  <   â‚¬ÃšÂ¬Â¬c $\ ' abcdefghijklmnopqrstuvwabcdefghiÃ®Ã–?I%Â¿	 J   J    â€¦â€°ÃœB â€¦â€°
> Å¡ E  <4Ãˆ  â‚¬  Â¬cÂ¬  ,\ ' abcdefghijklmnopqrstuvwabcdefghiÃ¯Ã–?IÃÃ„	 J   J    â€¦â€°
> ...



Mmm... Binary format.



> And according to the official documentation, server query packets are not supposed to be empty, in one direction or another.


Yes, and web browsers are supposed to support the W3C standards.

I have my doubts as to how well-coded HLSW is, especially after attempting to get it to run only to find that not only is the site plastered with ads and poorly-written English, but the user account system seems to be broken, too, which is denying me access to use the program. So I'll hold off on saying that this program is standards-compliant.


----------



## ferinoch (Jan 20, 2009)

Witchiebunny said:


> Exactly...in your own words, CC2 doesn't a server admin have "better things to do"?



To be honest, it makes plenty of sense to see what other servers are doing. It helps us keep track of what players like and dislike. If we can find a new mod or map that people like by looking at other servers, it helps improve our community. Hardly a waste of time.


----------



## Witchiebunny (Jan 20, 2009)

Cc2iscooL said:


> We watch all sorts of servers to watch trends in playerbase. If you'll note my personal list also includes servers such as Team Furtress and The Pit Furs. I watch where communities are going simply out of interest. For instance, over the past two months I've noticed Team Furtress completely lose its playerbase to other servers. When Fopsy had their servers still up I watched them to see how their community was doing. I'm a community leader. It's my job to know and understand what communities are cropping up and which ones are growing and which ones are failing in comparison to my own community. It's kind of like, say, back a few years ago, Circuit City watching Best Buy's stocks and profit to see how they were doing compared to Best Buy, or like any other business in the USA.
> 
> Also, you have to realize, this program is completely automated. I put in the IP address (which takes about 2 seconds) and it never leaves the list unless I delete it. Hardly "time consuming" really.



Then as head of TFP I respectfully request you take us OFF of your monitoring list. We have nothing to do with you, and we are not in competition with you. There is no reason for you to be watching our servers like that.



ferinoch said:


> To be honest, it makes plenty of sense to see what other servers are doing. It helps us keep track of what players like and dislike. If we can find a new mod or map that people like by looking at other servers, it helps improve our community. Hardly a waste of time.



Funny, we find that keeping in touch with our community and asking them what they like and dislike helps us keep track. Our players come to us with an idea if they have one to make the server better. You should try it.


----------



## LordBorel (Jan 20, 2009)

Witchiebunny said:


> Then as head of TFP I respectfully request you take us OFF of your monitoring list. We have nothing to do with you, and we are not in competition with you. There is no reason for you to be watching our servers like that.



That's like asking the person in the car next to you to not look at your car because you don't know them and you don't want to race them.


----------



## Ailure (Jan 20, 2009)

Runefox said:


> Yes, and web browsers are supposed to support the W3C standards.
> 
> I have my doubts as to how well-coded HLSW is, especially after attempting to get it to run only to find that not only is the site plastered with ads and poorly-written English, but the user account system seems to be broken, too, which is denying me access to use the program. So I'll hold off on saying that this program is standards-compliant.


I checked with HLSW and Wireshark.

It sends proper UDP server query packets (the data field isn't blank).


----------
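The check discussed in the posts above (zero-length UDP payloads arriving every few milliseconds, versus the non-blank server query packets a monitoring tool sends), written out as an added example that is not part of any post in this thread. Request layouts follow the Valve Server Queries wiki page linked earlier; the sample records, the documentation-range addresses and the thresholds are constructed assumptions.

```python
"""Triage UDP payloads captured on a Source game server's query port.

All records below are constructed for illustration; the addresses come from
the documentation ranges and the thresholds are assumptions, not measurements.
"""
from collections import defaultdict

PREFIX = b"\xff\xff\xff\xff"                # every server query starts with this
A2S_INFO_BODY = b"Source Engine Query\x00"  # fixed string after the 'T' header


def classify_payload(payload: bytes) -> str:
    """Label one UDP payload as 'empty', 'query' or 'other'."""
    if not payload:
        return "empty"
    if len(payload) < 5 or not payload.startswith(PREFIX):
        return "other"
    kind, rest = payload[4:5], payload[5:]
    if kind == b"T":  # A2S_INFO, optionally followed by a 4-byte challenge
        if rest == A2S_INFO_BODY:
            return "query"
        if rest.startswith(A2S_INFO_BODY) and len(rest) == len(A2S_INFO_BODY) + 4:
            return "query"
        return "other"
    if kind in (b"U", b"V"):  # A2S_PLAYER / A2S_RULES carry a 4-byte challenge
        return "query" if len(rest) == 4 else "other"
    if kind in (b"W", b"i"):  # legacy challenge request / A2A_PING, no body
        return "query" if not rest else "other"
    return "other"


def summarize(records, min_packets=20, max_mean_gap=0.05, min_empty_ratio=0.9):
    """Group (timestamp_seconds, src_ip, payload) records by source.

    A source is marked flood_like when it sent at least min_packets, the mean
    gap between its packets is at most max_mean_gap seconds, and at least
    min_empty_ratio of its payloads were empty.
    """
    by_src = defaultdict(list)
    for ts, src, payload in records:
        by_src[src].append((ts, classify_payload(payload)))

    report = {}
    for src, items in by_src.items():
        items.sort()
        counts = {"empty": 0, "query": 0, "other": 0}
        for _, label in items:
            counts[label] += 1
        total = len(items)
        span = items[-1][0] - items[0][0]
        mean_gap = span / (total - 1) if total > 1 else None
        flood_like = (
            total >= min_packets
            and mean_gap is not None
            and mean_gap <= max_mean_gap
            and counts["empty"] / total >= min_empty_ratio
        )
        report[src] = {
            "packets": total,
            "counts": counts,
            "mean_gap": mean_gap,
            "flood_like": flood_like,
        }
    return report


def build_sample():
    """Constructed capture: one monitor, one flood-like source, one poller."""
    records = []
    info = PREFIX + b"T" + A2S_INFO_BODY
    # A monitoring client: one valid A2S_INFO query every 30 seconds.
    for i in range(5):
        records.append((i * 30.0, "192.0.2.10", info))
    # A flood-like source: 200 zero-length datagrams, 3 ms apart.
    for i in range(200):
        records.append((10.0 + i * 0.003, "198.51.100.7", b""))
    # A player-list poller: A2S_PLAYER with a challenge, every 5 seconds.
    for i in range(4):
        records.append((i * 5.0, "203.0.113.5", PREFIX + b"U\x01\x02\x03\x04"))
    return records


if __name__ == "__main__":
    for src, row in sorted(summarize(build_sample()).items()):
        print(src, row)
```

In practice the records would come from a packet capture filtered to the server's UDP port; a source that sends only well-formed queries at a steady interval looks like a monitor, however many servers it watches.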



## Runefox (Jan 20, 2009)

Ailure said:


> I checked with HLSW and Wireshark.
> 
> It sends proper UDP packets where the data field isn't blank.


See, this is what I like. Actually investigating. Thanks! I'm starting to see a clearer picture beginning to form out of this furball, though I'm still not sure what to make of it.

I don't really care for either side of this debate - I care about what actually happened. In that sense, I'd like to know what caused the UDP packet flood from that IP address, if not the actions of the user.


----------



## Witchiebunny (Jan 20, 2009)

LordBorel said:


> That's like asking the person in the car next to you to not look at your car because you don't know them and you don't want to race them.



Oh I know, but at least I've asked.


----------



## Sakefox (Jan 20, 2009)

Mirri said:


> *waits for CC or one of his leeches to come in and claim Photoshoppery*



Anyone to claim photoshop would be an open invitation for more drama. However, you might want to check your sources before you claim something. According to the picture that you posted, the IP address 76.202.216.119 isn't even mine.


```
Tracing route to adsl-76-202-216-119.dsl.emhril.sbcglobal.net [76.202.216.119]
over a maximum of 30 hops:

  1     2 ms    <1 ms    <1 ms  WRT54Gv2.2 [192.168.5.1]
  2     *        *        *     Request timed out.
  3    19 ms     8 ms     9 ms  swc02klmzmi-gbe-1-2.klmz.mi.charter.com[96.34.36.42]
  4     7 ms     9 ms     8 ms  edr01klmzmi-gbe-3-0.klmz.mi.charter.com[96.34.32.54]
  5    12 ms    11 ms    11 ms  96.34.32.32
  6    12 ms     8 ms    10 ms  edr01aldlmi-tge-0-0-1-0.aldl.mi.charter.com[96.34.32.29]
  7    18 ms    17 ms    15 ms  64.127.129.9
  8    18 ms    19 ms    17 ms ex1-g1-0.eqchil.sbcglobal.net[206.223.119.79]
  9    18 ms    24 ms    16 ms  151.164.171.237
 10    31 ms    20 ms    18 ms ex2-p1-0.eqchil.sbcglobal.net[151.164.189.80]
 11    20 ms    18 ms    20 ms  69.220.8.50
 12     *       32 ms    19 ms  dist2g1-1.emhril.sbcglobal.net[151.164.43.85]
 13    18 ms    17 ms    22 ms  se7-g5-1.emhril.sbcglobal.net[68.22.72.120]
 14    29 ms    44 ms    31 ms adsl-76-202-216-119.dsl.emhril.sbcglobal.net [76.202.216.119]
```

I don't have DSL; I have cable, and my provider is through Charter, which is clear by the tracert.

As for HLSW, don't be so flattered. I myself have 37 servers in my list.

Also, I have to question one thing. You have a picture with IP addresses and none of them are even ours, but the only thing that you are claiming on us is a list that you typed with no hard evidence about it.
It would be about the same as me saying look, this address is attacking me, 66.112.210.126, they are the cause of all my downtime. Look, that IP address is furaffinity, they are to blame. (This was just used as an example.)

No offence, but really there is no evidence in your posts other than something that you just typed saying it was, and your list doesn't even match the picture that is your hard evidence.


----------



## LordBorel (Jan 20, 2009)

This just in, we all win. We can stop fighting about whatever we were fighting about now.


----------



## Runefox (Jan 20, 2009)

I'd be interested to know what the IP log for sakefox is on the FA forums here, and whether or not what he just said is true (tracert output can be modified); If that's the case, where did you guys come up with that IP being his, to begin with?


----------



## Witchiebunny (Jan 20, 2009)

Sakefox said:


> Anyone to claim photoshop would be an open invitation for more drama. However, you might want to check your sources before you claim something. According to the picture that you posted, the IP address 76.202.216.119 isn't even mine.
> 
> 
> ```
> ...



No offense Sakefox, but one of the IPs we traced leads directly back to an IP that has logged into FA under your name. 

How do you explain that?


----------



## Runefox (Jan 20, 2009)

Witchiebunny said:


> No offense Sakefox, but one of the IPs we traced leads directly back to an IP that has logged into FA under your name.
> 
> How do you explain that?



Er... I'm confused now.



> Sakefox
> Nerf Herder
> Join Date: Jan 2009
> Posts: 1



... ? Does he have another name?


----------



## Mirri (Jan 20, 2009)

Runefox said:


> Er... I'm confused now.
> 
> 
> 
> ... ? Does he have another name?



FA, not necessarily the forums.


----------



## Sakefox (Jan 20, 2009)

Witchiebunny said:


> No offense Sakefox, but one of the IPs we traced leads directly back to an IP that has logged into FA under your name.
> 
> How do you explain that?



I would have to say I would like to see what you have that says it's coming from my IP address. The only thing you have listed on mine is just a list that you typed and nothing else.

However, I thank you for posting the information that you are getting my IP information through FA, since that is a complete violation of their TOS.



> *Account Privacy*
> FA values your privacy, and is committed to safeguarding your personal information. We will never use, share or distribute personally identifiable information except when such actions are necessary to:
> 
> comply with law enforcement;
> ...



Unfortunately, now FA will have to make some announcement on this, because this is an open invitation for myself and any other person that was compromised in this action for legal actions.
I run a small business myself and collect this information myself, and so I know the legal actions that can be taken by this action.


----------



## Witchiebunny (Jan 20, 2009)

Runefox said:


> Er... I'm confused now.
> 
> 
> 
> ... ? Does he have another name?




FurAffinity itself.


----------



## Ailure (Jan 20, 2009)

Sakefox said:


> Anyone to claim photoshop would be an open invitation for more drama. However, you might want to check your sources before you claim something. According to the picture that you posted, the IP address 76.202.216.119 isn't even mine.


You're right, that IP is CC2's. I mixed up the names here.


----------



## Sakefox (Jan 20, 2009)

Runefox said:


> Er... I'm confused now.
> 
> 
> 
> ... ? Does he have another name?



I do not have another forum account. I don't use these forums since they're mainly like this, full of drama. I only use mine to post my funny furry porn art =P


----------



## Runefox (Jan 20, 2009)

Sakefox said:


> OMFG ILLEGAL I WILL SUE YOU



... Uh. IP addresses are logged on _every website you go to, *ever*_. Plus:



> Account Privacy
> FA values your privacy, and is committed to safeguarding your personal information. We will never use, share or distribute personally identifiable information *except when such actions are necessary to*:
> comply with law enforcement;
> protect or defend our legal rights or property;
> *investigate reports of illegal activities*, fraud or situations involving potential risk or endangerment to the physical safety of our users.



So, even if there WERE a legal issue with collecting your IP address (*snrk*), it's justified here because denial of service attacks happen to be _illegal_ and you were, allegedly, part of one.


----------



## Sakefox (Jan 20, 2009)

Runefox said:


> ... Uh. IP addresses are logged on _every website you go to, *ever*_. Plus:
> 
> 
> 
> So, even if there WERE a legal issue with collecting your IP address (*snrk*), it's justified here because denial of service attacks happen to be _illegal_ and you were, allegedly, part of one.



Unfortunately, these attacks were not done against FA or any subset of FA, so the information they obtained according to their TOS was obtained illegally and in violation of their own TOS.


----------



## Mirri (Jan 20, 2009)

Sakefox said:


> I would have to say I would like to see what you have that says it's coming from my IP address. The only thing you have listed on mine is just a list that you typed and nothing else.
> 
> However, I thank you for posting the information that you are getting my IP information through FA, since that is a complete violation of their TOS.
> 
> ...



I think this falls under "other information" provided when you sign up. It's kind of hard not to collect IP addresses on a server where people connect to it through the internet.

Cool E-Lawyer story, bro.


----------



## Runefox (Jan 20, 2009)

Sakefox said:


> Unfortunately, these attacks were not done against FA or any subset of FA, so the information they obtained according to their TOS was obtained illegally and in violation of their own TOS.



You missed the "*investigate reports of illegal activities*" that I underlined for you. In addition, an IP address is *not* legally personally-identifiable information, or else Microsoft wouldn't be able to claim that. You have a username. You have an IP address. When you log in with your username, your IP address is logged, by default, _by the server_, *because that's how the internet works*. In fact, the only way not to log this information would be not to have a server log at all.

You do realize that you're grasping at straws and making yourself look mighty guilty right about now, right? The whole "If I go down, I'm taking you with me, ahahahahaha" thing.

EDIT: I should note that since the reports of illegal activities happen to be against an FA user, this gives FA all the right in the world to release this information in case of a dispute like this. Also, I should note, that your IP address identifies your computer at best, which is why it's not personal information. Combined with your username, however, and it makes for a very nice correlation between events.


----------



## Kesteh (Jan 20, 2009)

The popcorn bowl. It keeps refilling.


----------



## Runefox (Jan 20, 2009)

Kesteh said:


> The popcorn bowl. It keeps refilling.



I do love my popcorn.


----------



## Sakefox (Jan 20, 2009)

Runefox said:


> You missed the "*investigate reports of illegal activities*" that I underlined for you. In addition, an IP address is *not* legally personally-identifiable information, or else Microsoft wouldn't be able to claim that. You have a username. You have an IP address. When you log in with your username, your IP address is logged, by default, _by the server_, *because that's how the internet works*.
> 
> You do realize that you're grasping at straws and making yourself look mighty guilty right about now, right? The whole "If I go down, I'm taking you with me, ahahahahaha" thing.



Just because I am passing information that FA is violating their own TOS doesn't mean I am admitting guilt or anything else.

When it boils down into this type of drama, which there is no hard proof where these attacks even originated other than an IP address that was handwritten. Most people have a DHCP address; however, I myself have a static IP address, although there has been no hard proof that anything originated from my IP address.


----------



## Sakefox (Jan 20, 2009)

Runefox said:


> I do love my popcorn.



extra butter for the win ^^


----------



## DOPR (Jan 20, 2009)

Popcorn, extra butter, and bacon on the side.

D.O.P.R


----------



## Runefox (Jan 20, 2009)

Sakefox said:


> Just because I am passing information that FA is violating their own TOS doesn't mean I am admitting guilt or anything else.


But they aren't, though, and you brought this up out of nowhere, which seems to me like you're trying to redirect attention away from yourself and/or stop this whole thing because it incriminates you or CC2. I mean, I'm not trying to take sides, and if you can give me hard evidence that what they're saying isn't true, then I'm all ears, but right now, it's pointing at you guys pretty steadfastly.

Anyway, I believe the main reason you decided to bring up the whole legality thing was because...



> drama



Indeed.



> which there is no hard proof where these attacks even originated other than an IP address that was handwritten


Ethereal/Wireshark pcap files are very difficult to tamper with, and they happen to have them. That's some pretty hard evidence right there.



> Most people have a DHCP address; however, I myself have a static IP address, although there has been no hard proof that anything originated from my IP address.



What are the odds that someone who was assigned a DHCP address that was last assigned to an FA member (and admin for a furry game server) decided to launch an attack against another furry game server? I mean, yes, it COULD happen, but you'd have better luck winning the lottery.

I'm having a tough time answering the "why", but the "who, when, what, where and how" are starting to take a solid form and the evidence is stacking up.


----------



## LordBorel (Jan 20, 2009)

Witchiebunny said:


> No offense Sakefox, but one of the IPs we traced leads directly back to an IP that has logged into FA under your name.
> 
> How do you explain that?



How is it you are privy to people's IPs that log on to FA? Where is this log? Where is your proof? Where would you even get this kind of information? It's neither wise nor safe to fire off baseless accusations at people simply because you want to.


----------



## Dragoneer (Jan 20, 2009)

Sakefox said:


> Unfortunately, these attacks were not done against FA or any subset of FA, so the information they obtained according to their TOS was obtained illegally and in violation of their own TOS.


The Furry Pound and FA are currently working together to make their servers the official FA Team Fortress 2 servers as part of the FA Steam Community, so *YES*, I do consider that a part of FA. So I had no problem cross-referencing the IPs.


----------



## Runefox (Jan 20, 2009)

LordBorel said:


> How is it you are privy to people's IPs that log on to FA? Where is this log? Where is your proof? Where would you even get this kind of information? It's neither wise nor safe to fire off baseless accusations at people simply because you want to.



I'd imagine the log is on the server, and that Dragoneer surrendered it (as he did earlier in this topic) because of the aforementioned reports of illegal activities involving people who are either users on or have ties to FA.


----------



## Aden (Jan 20, 2009)

ITT: Professional detective work.


----------



## Sakefox (Jan 20, 2009)

Runefox said:


> But they aren't, though, and you brought this up out of nowhere, which seems to me like you're trying to redirect attention away from yourself and/or stop this whole thing because it incriminates you or CC2. I mean, I'm not trying to take sides, and if you can give me hard evidence that what they're saying isn't true, then I'm all ears, but right now, it's pointing at you guys pretty steadfastly.
> 
> Anyway, I believe the main reason you decided to bring up the whole legality thing was because...



It wasn't meant for a redirection, and looking back I can see how it can be taken as such. I personally have a hatred for companies that violate their own TOS.

By reading your other posts it's clear that you are not taking sides on this information. I do have to question why we would have to prove ourselves innocent of this drama when the only thing that points even our way is something that is handwritten. They haven't posted any substantial information that proves that we were the cause of their attack. All the information has just been circumstantial at best.


----------



## Kesteh (Jan 20, 2009)

Aden said:


> ITT: Professional detective work.


Correction;
Insert Internet: Serious Fucking Business _drama with lawsuits_ slogan here.


----------



## LordBorel (Jan 20, 2009)

Runefox said:


> I'd imagine the log is on the server, and that Dragoneer surrendered it (as he did earlier in this topic) because of the aforementioned reports of illegal activities involving people who are either users on or have ties to FA.



The two servers have nothing to do with each other. That's like Steam giving out all of its users' email addresses to some nameless tech support place in India just because some underling requisitioned it for personal advancement.


----------



## Runefox (Jan 20, 2009)

Sakefox said:


> It wasn't meant for a redirection, and looking back I can see how it can be taken as such. I personally have a hatred for companies that violate their own TOS.



But they _aren't_ violating the TOS. How many times must I point that out?



> I do have to question why we would have to prove ourselves innocent of this drama when the only thing that points even our way is something that is handwritten.


And Wireshark/Ethereal packet logs, which are by no means trivial to forge.



> They haven't posted any substantial information that proves that we were the cause of their attack. All the information has just been circumstantial at best.


Perhaps not the cause, but the packet logs definitely solidly prove that your computers were definitely participants. I like how you worded that, though.

EDIT:



> Insert Internet: Serious Fucking Business drama with lawsuits slogan here.


It is pretty serious business when a server is taken down by a DDoS attack. Drama aside, that IS illegal.



> The two servers have nothing to do with each other. That's like Steam giving out all of its users' email addresses to some nameless tech support place in India just because some underling requisitioned it for personal advancement.


No, it's nothing like that. It's like Youtube giving up the IP address of someone who posts child pornography on their site to the authorities. Denial of service attacks are patently illegal, and in that vein, this is precisely what any other organization, for-profit or non-profit, would do, and have done. If you don't like that, then perhaps you should lobby Congress that IP addresses are personally-identifiable and that no action taken on the internet should be perceived as illegal in the courts.


----------



## Lost (Jan 20, 2009)

By the sounds of it the shit storm has yet to pass... hmmm MREs


----------



## Ailure (Jan 20, 2009)

IPs are considered private now?

I would have understood the concern if it was a social security number, but...


----------



## Dragoneer (Jan 20, 2009)

Sakefox said:


> I personally have a hatred for companies that violate their own TOS.


And as I said... I didn't violate TOS. With TFP joining FA as the official TF2 servers they will be a part of FA. Rather than open up my own servers and water down the gaming environment even more I went with an established group.


----------



## Jacomus (Jan 20, 2009)

This is all very interesting.


----------



## Runefox (Jan 20, 2009)

Jacomus said:


> This is all very interesting.



Your input is valued and appreciated.


----------



## Jacomus (Jan 20, 2009)

Runefox said:


> Your input is valued and appreciated.



Yes, sorry about the pointless post. I've just been pointed to this and all that is following and I'm just watching what happens. Apologies.


----------



## Zanzer (Jan 20, 2009)

What's with all the people creating new accounts for this thread?


----------



## Runefox (Jan 20, 2009)

Jacomus said:


> Yes, sorry about the pointless post. I've just been pointed to this and all that is following and I'm just watching what happens. Apologies.



I just meant it to be funny, actually, but the serious tone here is a little too pervasive. And my avatar is perpetually grumpy.



> What's with all the people creating new accounts for this thread?


FA gets more popular by the minute! =D


----------



## Jacomus (Jan 20, 2009)

Zanzer said:


> What's with all the people creating new accounts for this thread?


Tried to login on my old details but failed hard, plus I spelt my username wrong when I signed up originally, so I'm happier like this.



Runefox said:


> I just meant it to be funny, actually, but the serious tone here is a little too pervasive. And my avatar is perpetually grumpy.
> 
> 
> FA gets more popular by the minute! =D



I chuckled to myself, don't worry. Like I said, I'm sitting back and watching this unfold.


----------



## Adrianfolf (Jan 20, 2009)

Guys just to be clear I was on CC2's vent and he was making fucking sprays so there I am a witness. So enough of this bullshit you are all inducing drama


----------



## Arcalane (Jan 20, 2009)

Zanzer said:


> What's with all the people creating new accounts for this thread?



My excuse is I couldn't be arsed to sign up to this hive of scum and villainy until this little incident.



Runefox said:


> I just meant it to be funny, actually, but the serious tone here is a little too pervasive. And my avatar is perpetually grumpy



Srs thread is srs.


----------



## Runefox (Jan 20, 2009)

Adrianfolf said:


> Guys just to be clear I was on CC2's vent and he was making fucking sprays so there I am a witness. So enough of this bullshit you are all inducing drama



You realize that a DDoS attack is a "fire and forget" kind of thing, right? You don't have to monitor it. Once you start it, all you need to really do is stop it when you get bored. So, your computer is totally free to do whatever (or you might be using a different computer using the same connection). So this really doesn't help.


----------



## Ailure (Jan 20, 2009)

Adrianfolf said:


> Guys just to be clear I was on CC2's vent and he was making fucking sprays so there I am a witness. So enough of this bullshit you are all inducing drama


There's something called multitasking on modern computers.


----------



## Runefox (Jan 20, 2009)

Ailure said:


> There's something called multitasking on modern computers.



Sweet, really? =D And here I've been using DOSSHELL all this time, doing one thing at a time. Oops, time to check my e-mail.


----------



## Zanzer (Jan 20, 2009)

Runefox said:


> Sweet, really? =D And here I've been using DOSSHELL all this time, doing one thing at a time. Oops, time to check my e-mail.


FUCKING WINDOWS 98!
Hook me up with some of this DOSSHELL


----------



## Siraj (Jan 20, 2009)

Got directed here from Nuzzlefuzzle's announcement.  I'd left CC2's server group months ago when all my friends (including Witchiebunny up there) were going "holy shit, everything's going down in flames over there".

If this IS a case of CC2 doing what he's accused of doing, I'm damn glad I left when I did.


----------



## Jacomus (Jan 20, 2009)

Siraj said:


> Got directed here from Nuzzlefuzzle's announcement.  I'd left CC2's server group months ago when all my friends (including Witchiebunny up there) were going "holy shit, everything's going down in flames over there".
> 
> If this IS a case of CC2 doing what he's accused of doing, I'm damn glad I left when I did.



One of the many reasons I left and created the Pit Furs was for the same reason...but only one reason.


----------



## Jacob Blakk (Jan 20, 2009)

Siraj said:


> Got directed here from Nuzzlefuzzle's announcement.  I'd left CC2's server group months ago when all my friends (including Witchiebunny up there) were going "holy shit, everything's going down in flames over there".
> 
> If this IS a case of CC2 doing what he's accused of doing, I'm damn glad I left when I did.



Funny, my case was a bit different.

I started off on Furtress and jumped over to TFP a few times, during which the admins/mods/friends would admittedly stack to one side and rape the other team.  When I mentioned this, I was told "This server is for our friends, no one's forcing you to be here, get used to it or get out".

And now it's gonna be FA's official server.  lol.

I jumped to CCs and really haven't had much of a problem since.


----------



## Jacomus (Jan 20, 2009)

Jacob Blakk said:


> Funny, my case was a bit different.
> 
> I started off on Furtress and jumped over to TFP a few times, during which the admins/mods/friends would admittedly stack to one side and rape the other team.  When I mentioned this, I was told "This server is for our friends, no one's forcing you to be here, get used to it or get out".
> 
> ...



There is also our servers if ya looking ;p


----------



## Witchiebunny (Jan 20, 2009)

And Jacob, to each his own. After all, we're hardly the only Furry Gaming community out there and we never ask people to stick around if they're unhappy.


----------



## Jacob Blakk (Jan 20, 2009)

Jacomus said:


> There is also our servers if ya looking ;p



PitFurs?  It's deliciously British, but sadly I ping about 300 on average to it.


----------



## Zanzer (Jan 20, 2009)

I play CC2Cool server, haven't had a problem really, but it was boring really... that's all.


----------



## Jacomus (Jan 20, 2009)

Jacob Blakk said:


> PitFurs?  It's deliciously British, but sadly I ping about 300 on average to it.



Aww shame to hear about that. Never seen anyone with that high ping on O_O;;


----------



## Dragoneer (Jan 20, 2009)

Jacob Blakk said:


> I started off on Furtress and jumped over to TFP a few times, during which the admins/mods/friends would admittedly stack to one side and rape the other team.  When I mentioned this, I was told "This server is for our friends, no one's forcing you to be here, get used to it or get out".
> 
> And now it's gonna be FA's official server.  lol.


Stacking happens at times, especially when friends are playing together (trust me, Shalkaii and I stack all the time, but he's my dedicated buttmedic). On the TFP you can vote for a team scramble with "STT". Anybody can call for a Scramble -vs- waiting for an admin to do it. You have the power to effect change.

And yes, the admins there can be somewhat direct... but I've seen some people come in exceptionally demanding, overbearing. TF is about having fun, and TF2 is *geared* for fun. People with agendas or upset because it's not like another server they're used to tend to complain a lot, and the TFP admins are quick to usher the complainers out so everybody else can enjoy the game.

I've not seen any issues with them.


----------



## Dragoneer (Jan 20, 2009)

Jacomus said:


> Aww shame to hear about that. Never seen anyone with that high ping on O_O;;


I think I used to have about 120 to 150 ping on Pit Furs, and it was entirely playable.


----------



## Jacomus (Jan 20, 2009)

Dragoneer said:


> I think I used to have about 120 to 150 ping on Pit Furs, and it was entirely playable.



Yeah I was gonna say, most USA-ians have that sorta ping when they come on.

Ah well, we're the European correspondents for all you Europeans out there


----------



## Jacob Blakk (Jan 20, 2009)

Dragoneer said:


> And yes, the admins there can be somewhat direct... but I've seen some people come in exceptionally demanding, overbearing. TF is about having fun, and TF2 is *geared* for fun. People with agendas or upset because it's not like another server they're used to tend to complain a lot, and the TFP admins are quick to usher the complainers out so everybody else can enjoy the game.
> 
> I've not seen any issues with them.



Yeah, I'm such a bad player for watching the admins use their magical admin powers to all go to the same team (with Doom, of course) and refuse to help the team that's obviously in need of it....and dare SAY something about it!    Not like it matters anymore anyway, I won't touch that server with a 10 foot pole (or even an 11 foot one!) no matter what name's on it, and I'm pretty sure I'm not alone in that.  Hope things work well for you, but it's not anything I'm interested in.

Also Jacomus, I have a crap connection and ping 100 to servers only 4 hours away from me, so going overseas isn't something my wimpy connection can handle very well.


----------



## Animalous (Jan 20, 2009)

Whoa whoa whoa, let's calm down here. When we have personal issues with members in question, it's hard not to point fingers. Let's take it easy here and resolve this before it gets too far out of hand. If the raid was done by a third party, this kind of thread only fuels their reason to do it again. 

We don't need to be posting private information in a public thread, we need to take a breather here and explain what happened in detail, along with all proof of action. Getting an entire community involved just adds unnecessary voices that don't need to be heard.


----------



## Finny Fox (Jan 20, 2009)

Animalous said:


> Whoa whoa whoa, let's calm down here. When we have personal issues with members in question, it's hard not to point fingers. Let's take it easy here and resolve this before it gets too far out of hand. If the raid was done by a third party, this kind of thread only fuels their reason to do it again.
> 
> We don't need to be posting private information in a public thread, we need to take a breather here and explain what happened in detail, along with all proof of action. Getting an entire community involved just adds unnecessary voices that don't need to be heard.



You're about three pages late.


----------



## Jacomus (Jan 20, 2009)

Jacob Blakk said:


> Also Jacomus, I have a crap connection and ping 100 to servers only 4 hours away from me, so going overseas isn't something my wimpy connection can handle very well.




Like Witchie said, each to their own. We are here for the Europeans and British folk, and any Americans. TF2 is all about fun anyway, so if you're not having fun, why play?


----------



## Lux (Jan 20, 2009)

Jacomus said:


> Yeah I was gonna say, most USA-ians have that sorta ping when they come on.
> 
> Ah well, we're the European correspondents for all you Europeans out there


I'm here, I'm just refraining from posting because I can't believe the "logic" the OP is using to make these points.

I've played on the Cc servers and TFP servers and found the Cc servers far more enjoyable (and hence why I spend the majority of my TF2 time on them). Never knew about the PitFurs, I will have to give them a try sometime, especially since sniping with a low ping is much more rewarding than sniping with a high ping


----------



## Ailure (Jan 20, 2009)

Jacomus said:


> Yeah I was gonna say, most USA-ians have that sorta ping when they come on.
> 
> Ah well, we're the European correspondents for all you Europeans out there


That's the ping I have to most TF2 US servers, and those are fully playable for me. The latency tends to not annoy me as long as it's under 200 ms.


----------



## Jacomus (Jan 20, 2009)

Lux said:


> I'm here, I'm just refraining from posting because I can't believe the "logic" the OP is using to make these points.
> 
> I've played on the Cc servers and TFP servers and found the Cc servers far more enjoyable (and hence why I spend the majority of my TF2 time on them). Never knew about the PitFurs, I will have to give them a try sometime, especially since sniping with a low ping is much more rewarding than sniping with a high ping



Ah, if you're a sniper you'll have a tough time ;p

Look forward to seeing you on.


----------



## br0nz (Jan 20, 2009)

"I'd just like to point out that a server admin has much better things to do with his time and bandwidth than attempting to abuse someone else's connections."

Hey Witchie, those were my words!  

I didn't mean to take either side (neutral force and all) but simply thought that sharing IP blacklists would facilitate honest and productive discussions that helped everyone.


----------



## STrRedWolf (Jan 20, 2009)

Okay, I just checked here... and short of a thread-only search which turned up only a post with zip for an answer...

Do we know if the two IP's run Windows software and are in desperate need of an update?


----------



## Runefox (Jan 20, 2009)

STrRedWolf said:


> Okay, I just checked here... and short of a thread-only search which turned up only a post with zip for an answer...
> 
> Do we know if the two IP's run Windows software and are in desperate need of an update?



Not possible to determine based on an IP address, though it would be likely that this would have been launched from a *NIX operating system due to Windows networking limitations as of Windows XP to try to crack down on that.


----------



## Ghouly (Jan 20, 2009)

After reading the first few pages of this thread, I don't think myself or any other member of my group of players will ever return to "The Furry Pound". The way the administrators and the admins here at FA (Dragoneer) have handled this issue is completely childish. Instead of handling this in private ways, you've posted everything publicly. 

"Hey, uhm... Nikky, you may want to check your e-mail. I just noticed something really odd about those IPs.

o___O

Some of those people are FA users."

WHAT IS THE POINT OF POSTING THIS HERE? It's as if you're -TRYING- to start drama. This has NOTHING to do with the people who post on FA's forums. This has EVERYTHING to do with the admins and people who spend their money on the servers over at Furry Pound. 

In my eyes? This is an attempt to drag CC2/Sakefox through the mud, so all of their userbase will go to the new "FA" servers... which just happened to merge with TFP? Huh, strange coincidence. Honestly, I hate conspiracy theory type posts on forums that link this kind of nonsense together. But it's entirely too convenient that this whole thing happened overnight, and now we're seeing "The Furry Pound" banners on FA.

Personally? I don't care what you guys do. I think CC2's servers have their own issues that make it completely unenjoyable also; but they aren't on a mudslinging campaign.


----------



## Witchiebunny (Jan 20, 2009)

You're more than welcome to think what you will. We don't ask that every Furry flock to TFP, in fact we prefer that people go where they'll have the most fun, because that's what TF2, and gaming is about: Having fun. 

There was no conspiracy - server admins in general have more important things to do and I know I certainly have more entertaining things to do than sit here, staying up until 7 am MST just to spin a yarn over an event you seem to be doubting occurred.

If people decide to play on TFP, then they're welcome. If people don't want to play on TFP then they're more than welcome to find a community with which they'll be happy. We're not trying to drag anyone through the mud. I keep saying this, we're not in competition with CC2s and have nothing to gain by dragging his name through the mud for no reason or launching attacks at him. TFP has kept to itself throughout its entire time in existence and that policy isn't changing. We're not here to take players away from anybody - just to provide a fun place to play. That's all.


----------



## Animalous (Jan 20, 2009)

Witchiebunny said:


> TFP has kept to itself throughout its entire time in existence and that policy isn't changing. We're not here to take players away from anybody - just to provide a fun place to play. That's all.




Correct, it was the other TFP that raided Cc's servers and attempted to drag members away upon its creation. 
Come on, I'm all for keeping this civil but that requires a bit of honesty.


----------



## Jacomus (Jan 20, 2009)

Animalous said:


> Correct, it was the other TFP that raided Cc's servers and attempted to drag members away upon its creation.
> Come on, I'm all for keeping this civil but that requires a bit of honesty.



What other TFP. Or do you mean The Pit Furs?


----------



## Darius (Jan 20, 2009)

Jacomus said:


> What other TFP. Or do you mean The Pit Furs?



He was being sarcastic.  He's saying TFP originally tried to take members from CC when they were just beginning, I think.


----------



## Animalous (Jan 20, 2009)

I was being facetious. TFP attempted to raid Cc2's servers, Witchiebunny included.


----------



## Witchiebunny (Jan 20, 2009)

I fully admit to being involved in a "raid" on CC2's back when the servers were [FOR] that was just for fun and lulz, and yes I made a comment that the [FOR] servers were more fun. However this was before I was an admin or even before TFP existed and since I got royally reamed out for it anyway, we haven't done anything of the sort since.

And if I have to take this opportunity to remind everyone that it was a singular idea from me and those who accompanied me and NOT meant in any way to reflect upon [FOR], then I will do so.

I have no problem being completely honest. I should hope, after all, that since I have become official head of TFP that nothing of the sort has happened since and if it has, none of us admins have been made aware of it. There's a difference between being an irresponsible and stupid player doing something stupid and being an irresponsible and stupid admin and doing something stupid. 

Do you have any proof that we've tried to "pull players" from CC2s that's not from 6 months or more ago?


----------



## Jacob Blakk (Jan 20, 2009)

Witchiebunny said:


> Do you have any proof that we've tried to "pull players" from CC2s that's not from 6 months or more ago?



Yeah.  Your comments here.

http://www.furaffinity.net/journal/596033/

Yeah, you're totally not trying to drag CC through the mud.  Nope.  Not at all.


----------



## Witchiebunny (Jan 20, 2009)

That looks like a comment on evidence we have to me. *shrugs* People see things differently though.


----------



## Rixxster (Jan 20, 2009)

Let me first apologise for my absence.
I only come here to read and like Jacomus has stated "watch this unfold" and mainly to answer to this comment:



Ghouly said:


> After reading the first few pages of this thread, I don't think myself or any other member of my group of players will ever return to "The Furry Pound". The way the administrators and the admins here at FA (Dragoneer) have handled this issue is completely childish. Instead of handling this in private ways, you've posted everything publicly.
> 
> "Hey, uhm... Nikky, you may want to check your e-mail. I just noticed something really odd about those IPs.
> 
> ...



Well I am quite grateful this information has been posted publicly as now we know something is a foot now and well as an Admin and Moderator I feel concerned that our server and community might be at risk. Were not here to point fingers but to see what happens and hopefully figure out who and why they're doing it and if it can be prevented in future times.

Whether my comment means anything to anyone, I'm just replying to the comment of "Ghouly", that it's new to other communities and that someone may be planning attacks on servers and it feels more like "heads up" topic.


----------



## Kitsune_86 (Jan 20, 2009)

I play whichever has an active population without being full. 

I try to support TFP and CC2, as I play on both.


----------



## Pi (Jan 20, 2009)

Computer forensics and DDoS specialists itt

oh wait


----------



## Kesteh (Jan 20, 2009)

Let's change the subject and start bitching about "I'm leaving to CC because this was posted on the forum"...totally relevant. Not like posted evidence hurts the consumer in any way, it only makes people scream "TOS VIOLAET!"
The server vs server drama, you are adding to it.


----------



## Kaizen (Jan 20, 2009)

Honestly, who the fuck cares who did it. It's not like someone killed your kid. And no permanent damage was done. Both servers are bad in their own way. One is stacked 24/7 not that I care, since I like helping out the losing team, and the other is just full of mindless banter and micspam which results in me muting over half the server.

I really don't know the admins of TFP, but I do know CC2, more than he knows me... Hurf. Anyway, I doubt CC2 would care enough to DDoS your servers because first of all... it's really not worth it. No offence to TFP. In my eyes, this whole thing is like the business world. The smaller business in this case TFP, would try to sabotage the more successful one (CC2) in order to "Convert" some of CC2's players to join the TFP. Not the other way around. Since we all know most furries love to play with their "Kind" and not just join a random server and have a chance of getting flamed for their super gay unicorn pissing out a rainbow spray.

I'm not trying to defend CC2 in anyway... for those that know me... I'd do anything but that... Anyway, I'm just showing you all that this is really pointless because nothing was lost. But hey, who knows this could just be a clever ruse just to gain publicity for both parties.

Edit: After reading people talking about sniping with a high ping.... Oh yeah... like you really need a low ping to snipe. I should know, I just do fine with 100+ ping on CC2.


----------



## Ghouly (Jan 20, 2009)

Witchiebunny said:


> There was no conspiracy - server admins in general have more important things to do and I know I certainly have more entertaining things to do than sit here, staying up until 7 am MST just to spin a yarn over an event you seem to be doubting occurred.



Oh, no. I bet the servers were DDoS'd. However, the real question is _who_ did it. You guys seem to think 110% it was CC2 and Sake. My question is, what do they gain? SakeFox is a server administrator. You think he doesn't understand the cookie crumb trails left behind when you do something like that? If the point was to take down your servers, wouldn't they do more damage to do it during peak hours? Especially if they are keeping tabs on your servers. 4am in the morning doesn't exactly sound very busy to me... especially since I play during that time, usually. 

I am mostly upset in the manner in which Dragoneer and Nikki are handling this. Instead of keeping it to PM's and E-Mail, they publicly post about it.  Nikki is posting in his journal bragging about how they just got DDoS'd, like it is some badge of honor. However, a post made in their journal is pointing out the same thing I am. 

_*Zjildon posted in Nikki's journal:*_

_*On top of that, someone tried (read: failed) to raid the Ventrilo, but only managed to give us all a good laugh. I think it probably took them an hour before they realized they couldn't broadcast any sounds. They tried switching IP addresses, names, spamming connect/disconnect, etc.. nothing made a sound. Cc and Sake certainly know how to keep a Vent server secure*_




Kesteh said:


> Let's change the subject and start bitching about "I'm leaving to CC because this was posted on the forum"...totally relevant. Not like posted evidence hurts the consumer in any way, it only makes people scream "TOS VIOLAET!"
> The server vs server drama, you are adding to it.



No, I'm not adding to anything. I'm pointing out glaring problems with the different posts in the thread. Adding to it would be insulting people involved. 



Rixxster said:


> Well I am quite grateful this information has been posted publicly as now we know something is a foot now and well as an Admin and Moderator I feel concerned that our server and community might be at risk. Were not here to point fingers but to see what happens and hopefully figure out who and why they're doing it and if it can be prevented in future times.
> 
> Whether my comment means anything to anyone, I'm just replying to the comment of "Ghouly", that it's new to other communities and that someone may be planning attacks on servers and it feels more like "heads up" topic.



What is "a foot" now? And why should we care if it gets attacked again? It doesn't have anything to do with ANY player on their server, except the people who take care of the servers. There is nothing to discuss here. Nikki just wants to parade around his first spoofed DDoS. "Were not here to point fingers"? What was the point of the posts if it WASN'T to point fingers? 

I'm curious to hear what someone who knows what they are talking about could figure out on this entire scenario...


----------



## kamunt (Jan 21, 2009)

I wish I could play on those JP servers more often. It's too bad that they have a ping cap and I get kicked after being on for two minutes, going all Rambo on those Japanese players is really bloody funny. I'm not that awesome of a player, but I'm awesome enough, heheh.

Some of you may wonder why I decided to make this post. I made it because that's just how little I care. EDIT: lol @ 34 people viewing this thread. I fucking hate furries so God damn much.


----------



## Runefox (Jan 21, 2009)

Pi said:


> Computer forensics and DDoS specialists itt
> 
> oh wait



With all due respect, piss off, Pi. You aren't helping.



			
Kaizen said:


> Honestly, who the fuck cares who did it. It's not like someone killed your kid. And no permanent damage was done.


People pay for these servers, directly or indirectly, and when they get taken offline, it tends to be a situation where people would like to know who did it. It's not like someone killed someone or anything like that, but it IS an illegal action, and it's a deliberate action. It's not like it was a prank or something, and even if it was, it's still something that I, personally, think should be punished. Whether that's with excess drama, the loss of a person's good name, or even legal action doesn't particularly matter.



> words


That's nice. You really haven't done anything to change anything here, and you haven't really brought any evidence to the table aside from personal anecdotes about how CC2 wouldn't do such a thing and how nobody should care. I love it when people say stuff like "Who cares who did it?", because it really makes them look like both an idiot and also adds suspicion to them. Especially when this is the first and in all likelihood only post they'll make on this forum.


----------



## Kaizen (Jan 21, 2009)

Runefox said:


> People pay for these servers, directly or indirectly, and when they get taken offline, it tends to be a situation where people would like to know who did it. It's not like someone killed someone or anything like that, but it IS an illegal action, and it's a deliberate action. It's not like it was a prank or something, and even if it was, it's still something that I, personally, think should be punished. Whether that's with excess drama, the loss of a person's good name, or even legal action doesn't particularly matter.
> 
> 
> That's nice. You really haven't done anything to change anything here, and you haven't really brought any evidence to the table aside from personal anecdotes about how CC2 wouldn't do such a thing and how nobody should care. I love it when people say stuff like "Who cares who did it?", because it really makes them look like both an idiot and also adds suspicion to them. Especially when this is the first and in all likelihood only post they'll make on this forum.



Oh yeah... you really hurt me, deep. I think I got some internal bleeding here. 

First of all, the only thing that needs to be said, the sure fire thing that would protect him from this whole ordeal would be... What would he gain from this? His epenis growing in size knowing that he has the power of knowledge in the field of networking? Mmm... epenis. It's not like after the DDoS attack, TFP will be considered HIV+ and no one will touch it. So stop acting like it is before I slap you. That's right, a slap. Bitch. 

Also... _"it's a deliberate action. It's not like it was a prank or something"_
Wat? Isn't a prank a deliberate action used to get a certain reaction out of people?

As for the punishment part (Yes, I will dissect every part of your post fgt), how are you gonna punish them? Call the FBI and give them the IP? Ya right. It's not like you can do anything that will harm them, and if they were smart, they could use proxies to mask their ip. My point being there's really nothing you can do to "Teach them a lesson" other than to move on and make sure it doesn't happen again.

Anyway, the whole point of a DDoS is simple, to grief. And obviously... you guys are acting the way these kids want you to act. Starting a thread and bawwwing about what happened. Instead you should just move on be thankful that it wasn't a legitimate attack and just a DDoS. As for your "I love people who only post once and won't come back again to rip my post apart and show me just how much of an idiot I am" post... Well... You sir, need to use that organ that's encased in your skull.

tl;dr: Bitch needs to shut his dirty whore mouth.


----------



## Pathia (Jan 21, 2009)

The more I look at this, I suspect an external source like 4chan.  Most are college students and many just got back to school.

Why?

I'm guessing someone spoofed CC2 and Sake's IP's if those really are theirs, it's not that hard to spoof, particularly when it comes to college campuses.  Why do I think it's a spoof?  CC2 and Sake are not stupid, I'm pretty sure if they *DID* do a DDoS, we wouldn't find their IP in the server logs.   (And I'm not saying they did, I'm just stating that they're technical enough to do it)

Someone used those IP's on purpose.

No one besides 4chan and the like would bother to spoof THAT particular IP, because you know they love to cause drama.  They also enjoy raiding Vent and our servers in general.


----------



## Runefox (Jan 21, 2009)

Kaizen said:


> First of all, the only thing that needs to be said, the sure fire thing that would protect him from this whole ordeal would be... What would he gain from this?


I'm pretty sure this is the only thing I CAN'T answer.



> So stop acting like it is before I slap you. That's right, a slap. Bitch.


Real mature.



> Also... _"it's a deliberate action. It's not like it was a prank or something"_
> Wat? Isn't a prank a deliberate action used to get a certain reaction out of people?


You missed the first part about the illegal bit.



> As for the punishment part (Yes, I will dissect every part of your post fgt), how are you gonna punish them? Call the FBI and give them the IP? Ya right. It's not like you can do anything that will harm them


It's illegal. I'm sure there are things that can be done.



> and if they were smart, they could use proxies to mask their ip.


Which is why I don't understand why his IP comes up as bombarding the server. But there it is. You can't really argue with that.



> Anyway, the whole point of a DDoS is simple, to grief.


And it's illegal. I really shouldn't have to keep pointing this out to you.



> And obviously... you guys are acting the way these kids want you to act. Starting a thread and bawwwing about what happened. Instead you should just move on be thankful that it wasn't a legitimate attack and just a DDoS.


What would a "legitimate attack" do? Blow the server to bits? It was already run off the internet (which likely caused a connection outage wherever the server was hosted).



> As for your "I love people who only post once and won't come back again to rip my post apart and show me just how much of an idiot I am" post... Well... You sir, need to use that organ that's encased in your skull.


I have one. It's called a brain. I love it so. It tells me when people are talking from their mouths and when they're talking from their anuses.



> tl;dr: Bitch needs to shut his dirty whore mouth.


Ooh, dem's fightin' werdz. Heh. Wow, I'm surprised that you even said something like this. I mean, wow.

EDIT:



> The more I look at this, I suspect an external source like 4chan. Most are college students and many just got back to school.
> 
> Why?
> 
> I'm guessing someone spoofed CC2 and Sake's IP's if those really are theirs, it's not that hard to spoof, particularly when it comes to college campuses. Why do I think it's a spoof? CC2 and Sake are not stupid, I'm pretty sure if they *DID* do a DDoS, we wouldn't find their IP in the server logs. (And I'm not saying they did, I'm just stating that they're technical enough to do it)



It's not exactly that trivial to spoof that many packets, and I doubt that 4chan kids are exactly technically savvy enough to pull that off, though collectively they have enough spare time to research just about anything.



> Someone used those IP's on purpose.
> 
> No one besides 4chan and the like would bother to spoof THAT particular IP, because you know they love to cause drama. They also enjoy raiding Vent and our servers in general.


But the question lies in this: How did they find CC2 and Sakefox's current IP addresses? Where is this information public (aside from here, now)? Did they enter a server and wait for both of them to show up and log the IP's they were connected to? It seems to be a little coincidental. If it was a spoof, it wouldn't have been a third party so far removed from the community.


----------



## lilEmber (Jan 21, 2009)

Kaizen said:


> Oh yeah... you really hurt me, deep. I think I got some internal bleeding here.


At first I was like: "Hmmm"



			
Kaizen said:


> So stop acting like it is before I slap you. That's right, a slap. Bitch.


Then I was like: "Okay..."



			
Kaizen said:


> tl;dr: Bitch needs to shut his dirty whore mouth.


Then I lawled.

Seriously, grow up, grow a pair, get into a knife fight downtown, please.
No, seriously, you're not a tough guy, you're not intellectual, and you certainly couldn't beat runefox in brains or brawn.





Pathia said:


> The more I look at this, I suspect an external source like 4chan.  Most are college students and many just got back to school.
> 
> Why?
> 
> ...


My thoughts, exactly.


----------



## kamunt (Jan 21, 2009)

Runefox said:


> I love it when people say stuff like "Who cares who did it?", because it really makes them look like both an idiot and also adds suspicion to them.



Who cares who did it? I mean, really, it's over and done with. Damage done. *opens his IP scrambler*


----------



## lilEmber (Jan 21, 2009)

Kaizen said:


> First of all, fuck your quotes. Reading it gives me ADD.


You can gain a disorder from reading? It's the written English language with generic BBcode quotes, it's quite easy to follow.



			
Kaizen said:


> That's right, you can't answer it. The reason being? Because he has NOTHING to GAIN. Now if it was TFP accused of doing the DDoSing to CC2, then I can understand that they might gain some of CC2's players.


So, if you have no idea why somebody committed murder, and they don't admit to it, they get to go free regardless what the evidence says, correct?



			
Kaizen said:


> Second: Lighten up?


You tossed out the slap you part and etc....



			
Kaizen said:


> Third: Pranks can be legal, they also can be illegal. This being the internet, there is nothing, I repeat, NOTHING you can do that will hurt them in anyway.


Most pranks I know are illegal, and I know there's many ways to hurt somebody over the internet, from sharing personal information to destroying data from server loss.



			
Kaizen said:


> Fourth: I think the post above yours answers this.


Not even sure what the hell you're talking about, learn some BBCode and use quotes, please.



			
Kaizen said:


> Fifth: Even tho it's illegal, THERE IS NOTHING YOU CAN DO. Why must I keep telling you this? Also, go ahead, call the FBI. Here's what you can tell them, "That your favorite TF2 furry server, "The Furry Pound" got DDoSed, and we suspect a rival furry server "CC2" of doing the DDoSing them. I demand you do something about this!" They'll either hang up on you, or just laugh until they pass out because of how stupid the whole situation is.


There's lots you can do, it being illegal means a lot of things. We're not dealing with made up interwebz laws, but actual law.



			
Kaizen said:


> Sixth: Well if you knew anything about real networking or just hacking in general they could of used the server as a hub to collect the players IP's then connect to them and crack their firewall if they even have one up, then DDoS them or just send your files from your computer back to theirs. Tho it's not like furries would have anything worth stealing... lol porn. And I'd also like to point out that being a furry is just like painting a giant target on yourself.


Learn how to type the word though, please.
Also, it's not that easy, and the more packets the harder it gets.



			
Kaizen said:


> Seventh: I didn't say you didn't have a brain. Maybe you should get your checked out for defects.


Yes Mr. Gaining ADD from being unable to read quotes, can't spell though at all, uses txt lingo mid-sentence, and in the middle of telling somebody to get their brain checked for a defect, you say "your" instead of what you should of said, "yours".



			
Kaizen said:


> Eighth: Yeah, I said it. I'm tired of people like you who thinks they're a higher being just because they have a higher post count then the guy they're trying to mock.


Wat?
No, seriously at this point I'm guessing you're attempting to troll, and if you haven't noticed we here choose not to believe trolls exist, but merely people really are as stupid as they present themselves.

Go away, kid. Take your tough-guy, dumb ass opinion away, too.



			
Kaizen said:


> lolwut
> 
> A knife fight downtown? Eh, I've heard better. But while you're down their, why don't you trim his gooch hair.


lolwut?
I said how about you go downtown and get into a knife fight, I'm sure with your attitude and wit it should be easy to accomplish, video-record it too.

I'm actually surprised he was able to count to eight, though he did technically forget one.


----------



## Kesteh (Jan 21, 2009)

I'm going to say it's a troll.


----------



## HyenaIsSpider (Jan 21, 2009)

Aside from all the silly bickerings and whatnot~
The furry pound servers are going to be owned by furaffinity/dragoneer?


----------



## Dragoneer (Jan 21, 2009)

HyenaIsSpider said:


> The furry pound servers are going to be owned by furaffinity/dragoneer?


No. Essentially, my idea is that you have the FA Gamers group on Steam that connects you to a bunch of other gaming servers and groups. Rather than host all the stuff ourselves it'd be better to let dedicated people host them and we help connect gamers to them.

Make sense?


----------



## Tikki (Jan 21, 2009)

Pathia said:


> I'm guessing someone spoofed CC2 and Sake's IP's if those really are theirs, it's not that hard to spoof, particularly when it comes to college campuses.  Why do I think it's a spoof?  CC2 and Sake are not stupid, I'm pretty sure if they *DID* do a DDoS, we wouldn't find their IP in the server logs.   (And I'm not saying they did, I'm just stating that they're technical enough to do it)
> 
> Someone used those IP's on purpose.
> 
> No one besides 4chan and the like would bother to spoof THAT particular IP, because you know they love to cause drama.  They also enjoy raiding Vent and our servers in general.



This.

Also http://en.wikipedia.org/wiki/IP_address_spoofing

You see, IPs can lie, don't try to tell yourself or anyone else otherwise. But as the article states, there are ways to protect yourself from it. If any of this is applicable in this case? I have no idea!


----------



## nobuyuki (Jan 21, 2009)

I love the smell of drama in the morning.

And now back to your regularly scheduled gaming sessions


----------



## Loarx12 (Jan 21, 2009)

Very odd. From what I understand, cc2 owns a number of tf2 furry servers. I have also noticed a very slight tension between the furs who play regularly on cc's servers; they seem to dislike the TFP. I get that this isn't something I should worry about, but TFP is something that I would get my hands dirty for. Is it possible that cc wants to be the only one with tf2 fur servers? This is almost like the 360 version of tf2 with all the clans fighting over who discovered glitches and the dev console... I will stand by the TFP, you guys have my support and services.


----------



## Vandell (Jan 21, 2009)

My problem with this whole thing is that, _of course_, you guys point to the most convoluted, drama-induced reasoning possible, rather than thinking that coincidences happen and, in all likelihood, some #chan trolls or something else decided to run some script-kiddy programs (at the very least), or an experienced griefer spoofed some IPs (at the very most). I mean, Cc2's servers were attacked as well. What person, in any state of mind, would make a knee-jerk reaction to attack another server in response? For no reason? _At the exact same time_?

"My servers, they are being lagged to death! RAAAR, THIS MUST BE THE WORK OF THE FURRY POUND!! COUNTERATTACK!!" There is some major disconnect in the flow of logic. You'd have to be messed up to come to this kind of immediate conclusion. Cc2, while a dick, is anything but passionate, fiery and/or spiteful. There would be nothing to gain from this, even if his IPs _weren't_ traced. It's not like a single DDOS attack would make everyone suddenly run from The Furry Pound and back to Cc2's servers.

Grow up and stop pointing so many fingers. :/


----------



## Slayth (Jan 21, 2009)

*after eating his bowl of popcorn he finally speaks*

I'm just gonna say what I have to say and move on.

I don't personally care who DDoS'd who, who did this, who did what anymore.  All I know there is a bunch of furs here that are trying to fight this like a case.  Yes, DDoS'ing is illegal I understand that, but why don't we just move on?  Even if CC2 and Sake wanted to DDoS, they wouldn't leave the trails behind like someone did.

*skip this part, 4chan /b/ inc*

4chan's /b/ HATES furries.  I see furry hate threads ALL the time on there.  To whoever said 4chan kids most likely couldn't do this, they hacked youtube, a MAC website, and have crashed many servers before, so you are saying they can't DDoS and leave breadcrumbs to a pair of innocent furs?  You guys might have known Boxxy on youtube (I didn't care for her personally), but her account was hacked by someone on /b/, and the person posted a screenshot, etc yadayadayada, deleted all her videos, and put one up about how they were tired of her shit and what effect it had on /b/.

tl;dr  Just quit arguing, move on


----------



## Miriafox (Jan 21, 2009)

Vandell said:


> My problem with this whole thing is that, _of course_, you guys point to the most convoluted, drama-induced reasoning possible, rather than thinking that coincidences happen and, in all likelihood, some #chan trolls or something else decided to run some script-kiddy programs (at the very least), or an experienced griefer spoofed some IPs (at the very most). I mean, Cc2's servers were attacked as well. What person, in any state of mind, would make a knee-jerk reaction to attack another server in response? For no reason? _At the exact same time_?
> 
> "My servers, they are being lagged to death! RAAAR, THIS MUST BE THE WORK OF THE FURRY POUND!! COUNTERATTACK!!" There is some major disconnect in the flow of logic. You'd have to be messed up to come to this kind of immediate conclusion. Cc2, while a dick, is anything but passionate, fiery and/or spiteful. There would be nothing to gain from this, even if his IPs _weren't_ traced. It's not like a single DDOS attack would make everyone suddenly run from The Furry Pound and back to Cc2's servers.
> 
> Grow up and stop pointing so many fingers. :/


This. 
I used to play regularly on Cc2's, and I spent a lot of time in the ventrillo, and Cc2 hates raiding and DDoS attacks with a passion (the servers have been attacked by /b/ and /v/ several times, way before most other furry communities/servers existed). He and Sake may be dicks, but they're not the kind of dicks that would do that, especially after suffering so much grief and annoyance with attacks that did way more damage than slowing a server down off peak times (the forum was wiped and the website taken down at least once).

Occam's Razor. Which makes more sense? Cc2's DDoS' their OWN server at the same time as TFP in a thinly veiled attempt to make people come to their community, or 4chan, which has done this for ages to most furry websites, including FA, and has people who frequent furry websites and know about the drama, did the attack? Seriously, college just started back up, most of their user base is back in the saddle. I think the answer is obvious.

The immediate finger pointing was kinda childishly lame, though.


----------



## Slayth (Jan 21, 2009)

Sorry for the double post, but I had to post this, cause I just laughed my ass off at this.

http://www.cc2iscool.com/nidhogg/?id=5


----------



## Kesteh (Jan 21, 2009)

ITT: People jump in and add networking 101 "detail" without knowing what it actually is.



Slayth said:


> http://www.cc2iscool.com/nidhogg/?id=5


Because we all know that drawing out something over more places than intended (this topic for example) is a way to "drop it".


If the raid was done by 4chan or anyone related, you're likely to see an ED article reverted edit of some newfag trying to record the deed for generations to come.


----------



## Slayth (Jan 21, 2009)

Miriafox said:


> This.
> I used to play regularly on Cc2's, and I spent a lot of time in the ventrillo, and Cc2 hates raiding and DDoS attacks with a passion (the servers have been attacked by /b/ and /v/ several times, way before most other furry communities/servers existed). He and Sake may be dicks, but they're not the kind of dicks that would do that, especially after suffering so much grief and annoyance with attacks that did way more damage than slowing a server down off peak times (the forum was wiped and the website taken down at least once).
> 
> Occam's Razor. Which makes more sense? Cc2's DDoS' their OWN server at the same time as TFP in a thinly veiled attempt to make people come to their community, or 4chan, which has done this for ages to most furry websites, including FA, and has people who frequent furry websites and know about the drama, did the attack? Seriously, college just started back up, most of their user base is back in the saddle. I think the answer is obvious.
> ...



I sir, tip my hat at you


----------



## Slayth (Jan 21, 2009)

Kesteh said:


> ITT: People jump in and add networking 101 "detail" without knowing what it actually is.
> 
> 
> Because we all know that drawing out something over more places than intended (this topic for example) is a way to "drop it".
> ...




Notice at the end it says "We all lose"?  I didn't mean read the article under it, I just wanted you guys to look at the comic, because it doesn't have just CC's side ^^


----------



## Finny Fox (Jan 21, 2009)

kamunt said:


> Who cares who did it? I mean, really, it's over and done with. Damage done. *opens his IP scrambler*



Then why don't you just leave it alone? Some of us are still working on it, people like you are just watching.


----------



## Runefox (Jan 21, 2009)

In response to everyone who keeps posting the same thing over and over again, while what I think doesn't matter any more than what you think in this issue (Read: None / OH MY GOD MY OPINION DOESN'T MATTER?!) the evidence points a certain way, and I find it highly unlikely that a *chan group managed to locate and forge that specific IP address. So, I'm finding it much easier to relate to the TFP side of this whole mess. I mean, if that's what happened, I should probably go out and buy a lotto ticket.

There hasn't really been anything to refute what's been brought to the table except the whole "MAYBE *CHAN DID IT HUH" thing (which without any specific activity from a *chan is a cop-out), and the actions and reactions of the CC2 camp seem to be extremely weird (and I should mention that a good number of them have signed up specifically to troll/flame here). And again - I would like to point out that I would be happy to defend CC2 if the evidence here could convince me of that. Unlike most of the people posting in this topic, I don't particularly have an axe to grind.


----------



## Miriafox (Jan 21, 2009)

Kesteh said:


> ITT: People jump in and add networking 101 "detail" without knowing what it actually is.
> 
> 
> Because we all know that drawing out something over more places than intended (this topic for example) is a way to "drop it".
> ...



Eh, not really. The /v/ raid done on Cc2's isn't mentioned or acknowledged anywhere I know of. It wasn't very successful, but it did happen. You just come to sort of expect the shit nowadays, wait till they get bored, then move on.


----------



## Animalous (Jan 21, 2009)

Runefox said:


> There hasn't really been anything to refute what's been brought to the table except the whole "MAYBE *CHAN DID IT HUH" thing (which without any specific activity from a *chan is a cop-out), and the actions and reactions of the CC2 camp seem to be extremely weird (and I should mention that a good number of them have signed up specifically to troll/flame here). And again - I would like to point out that I would be happy to defend CC2 if the evidence here could convince me of that. Unlike most of the people posting in this topic, I don't particularly have an axe to grind.



Heh, well when pressing for proof, I found TFP lacked anything near a link between Cc's IP and the raid. While there was an IP address that originated in Chicago Illinois, Cc2 does not even live in the city. The IP's listed in the post vary greatly from the IPs in the screenshot. While I don't want to start conspiracy, members of TFP and Dragoneer seem to spite Cc2, and it seems just as likely to me that this raid was just a well-placed convenience for the two parties to blame Cc2 and gain support by merging with the monopoly of a furry art hub. As you have seen, Cc2 has shown very little interest in making accusations towards "rival" server communities because he doesn't care. Whether or not TFP or any other furry server is affecting his community population is irrelevant because the community is still growing and any attempts to stop the growth of the community, whether it be in the form of accusations or raids have all been halted and the same goes for this incident. TFP made the mistake of reacting dramatically to the attacks and just fueled the raid. Cc2 quickly hindered any attempts to spam the servers, cleared the forums of vulgar spam posted by one, "JESUS_CHRIST" and mocked the same trouble maker in ventrilo by disabling guest permissions to the point that the only thing the raider could do was sit in silence and constantly change his name as everyone got a good laugh.

Just because TFP decided to post on an already hazy forum with the support of a -very- biased administrator does not mean the contrary proof isn't there. You simply aren't interested in looking.


----------



## Jacob Blakk (Jan 21, 2009)

Jesus people, no one spoofed CC's IP.  He's already said he monitors the server with HLSW, if you look into a non-DDoSed server (or even the servers going right now) that he's watching you'd likely see his IP just as many times.

What everyone should be more concerned about is the fact the head admin of this site doesn't seem to mind stepping around his own ToS to make his friends look better.

Copy/paste from Nidhogg's comic page:



> In section Account Privacy - Data Collection, it clearly states that FA "does not engage in active data collection of its users" and "will not be resold and/or distributed to external organizations."



I don't give a shit how affiliated they are, they are still an external organization.  Even when you put the FA name on them, 'Neer said himself they will still be a separate group.  The ToS doesn't say "data except IP addresses", data is data and he went against his own rules.  And even *IF* the ToS covered that, that doesn't even touch the fact it was posted publicly.

Guess I should change what I have on FA just in case 'Neer gets pissed at me.  Good way to mod a site.


----------



## Adrianfolf (Jan 21, 2009)

Animalous said:


> Heh, well when pressing for proof, I found TFP lacked anything near a link between Cc's IP and the raid. While there was an IP address that originated in Chicago Illinois, Cc2 does not even live in the city. The IP's listed in the post vary greatly from the IPs in the screenshot. While I don't want to start conspiracy, members of TFP and Dragoneer seem to spite Cc2, and it seems just as likely to me that this raid was just a well-placed convenience for the two parties to blame Cc2 and gain support by merging with the monopoly of a furry art hub. As you have seen, Cc2 has shown very little interest in making accusations towards "rival" server communities because he doesn't care. Whether or not TFP or any other furry server is affecting his community population is irrelevant because the community is still growing and any attempts to stop the growth of the community, whether it be in the form of accusations or raids have all been halted and the same goes for this incident. TFP made the mistake of reacting dramatically to the attacks and just fueled the raid. Cc2 quickly hindered any attempts to spam the servers, cleared the forums of vulgar spam posted by one, "JESUS_CHRIST" and mocked the same trouble maker in ventrilo by disabling guest permissions to the point that the only thing the raider could do was sit in silence and constantly change his name as everyone got a good laugh.
> 
> Just because TFP decided to post on an already hazy forum with the support of a -very- biased administrator does not mean the contrary proof isn't there. You simply aren't interested in looking.



I agree with you. I'm being not biased I have played on TFP server its nice in quility but yeah. Its done and over with even TFP's admins said it so what ever Runefox or anyone else says is now irrelvent. (Please forgive my crappy spelling I never was good)


----------



## Vandell (Jan 21, 2009)

Runefox said:


> In response to everyone who keeps posting the same thing over and over again, while what I think doesn't matter any more than what you think in this issue (Read: None / OH MY GOD MY OPINION DOESN'T MATTER?!) the evidence points a certain way, and I find it highly unlikely that a *chan group managed to locate and forge that specific IP address. So, I'm finding it much easier to relate to the TFP side of this whole mess. I mean, if that's what happened, I should probably go out and buy a lotto ticket.
> 
> There hasn't really been anything to refute what's been brought to the table except the whole "MAYBE *CHAN DID IT HUH" thing (which without any specific activity from a *chan is a cop-out), and the actions and reactions of the CC2 camp seem to be extremely weird (and I should mention that a good number of them have signed up specifically to troll/flame here). And again - I would like to point out that I would be happy to defend CC2 if the evidence here could convince me of that. Unlike most of the people posting in this topic, I don't particularly have an axe to grind.



Gosh, trying to defend their position is just _so_ darn suspicious!

Of course they're going to make accounts to talk here, because this is where the discussion has led to.


----------



## Witchiebunny (Jan 21, 2009)

This is our final statement on the matter:

The attack started at about 1 am EST, or Midnight Server time. Server Admin Nikkyvix was messaged about it 15-30 minutes into the attack by Server Admin Ailure, and all Admins online and active were summoned together.[1]

The final packets were received at 3:05:45.24745 EST on US #1, and 4:59:13.037554 on US #2. Those IPs that have been confirmed as attacking the server were 76.202.216.119 and 75.57.176.21, of which the former was most active, and the second was least, having been used towards the end of the attack, from 4:59:11.1967500 to 4:59:13.03841500. The servers were attacked twice, with a break approximately an hour long in between the attacks.

Our investigation has revealed exactly how the servers were attacked. (Long version here, see below for the tl;dr version)

The attack used a very specific exploit present in the Source Engine. Datagrams (UDP Packets) with zero data and 8 bytes in total length are sent via a source port into a server and the server, in turn, freezes its network activity.[2]

The data field here is nonexistent, and the length field is set to 8 which is just enough to tell the incoming server that the information being sent is a packet, but is also enough for the packet to contain no data.[3]

tl;dr:
The attacking IPs spammed invalid server query packets into the TF2 server, causing it to freeze its network activity.



Our admin team was able to recreate this attack against both our US and EU servers by creating a java program to send packets containing no information against said servers. 


The attack was done by someone with a very good knowledge of how the Source Engine works and the knowledge of an as-yet-unencountered vulnerability in Source.  The attack was directed very specifically against our source ports, with the (assumed) single intent of knocking out the Team Fortress 2 Servers. We have reported it to Valve and hope to have a patch out soon, however we hope that Server Owners will be on the lookout for such attacks in the future, and hopefully the info here will help other Server Owners in securing their own servers.

1. Please see "flood.png" attached here.
2. Please see http://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure for technical reference of datagrams
3. Please see http://developer.valvesoftware.com/wiki/Server_Queries to see what proper server query is supposed to look like, or look at the attached image.
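
The datagram shape described in the statement above (UDP length field of 8, no payload, aimed at the game port) can be looked for in captured traffic. The following is an added example, not part of the original post or TFP's own tooling; the port 27015, the one-second window, the threshold of 5 and every sample packet and address are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

UDP_HEADER_LEN = 8       # source port, destination port, length, checksum
GAME_PORT = 27015        # assumption: game server port, not stated in the post
WINDOW_SECONDS = 1.0     # assumption: sliding window used for rate counting
THRESHOLD = 5            # assumption: empty datagrams per window that count as a flood

# A2S_INFO request as documented on Valve's Server Queries page (a valid query).
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"


def parse_udp(segment):
    """Split a raw UDP segment into (src_port, dst_port, length, payload)."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    src, dst, length, _checksum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError("length field disagrees with captured bytes")
    return src, dst, length, segment[UDP_HEADER_LEN:length]


def find_empty_floods(records, port=GAME_PORT, window=WINDOW_SECONDS,
                      threshold=THRESHOLD):
    """Flag sources sending zero-payload datagrams to the game port.

    records: iterable of (timestamp, src_ip, udp_segment), sorted by time.
    Returns {src_ip: peak number of empty datagrams inside one window}
    for every source whose peak reaches the threshold.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, src_ip, segment in records:
        try:
            _sport, dport, length, _payload = parse_udp(segment)
        except ValueError:
            continue              # malformed capture entry, not what we look for
        if dport != port or length != UDP_HEADER_LEN:
            continue              # other port, or the datagram carries data
        q = recent[src_ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[src_ip] = max(peak[src_ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_udp(sport, dport, payload=b""):
    """Build sample segment bytes for the constructed capture (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def build_sample():
    """Constructed capture; addresses come from the documentation ranges."""
    rows = []
    for i in range(20):           # 20 empty datagrams in 0.2 s from one source
        rows.append((100.0 + i * 0.01, "192.0.2.10", make_udp(40000, GAME_PORT)))
    for i in range(3):            # ordinary server-browser queries
        rows.append((100.0 + i * 0.5, "198.51.100.7",
                     make_udp(50000, GAME_PORT, A2S_INFO)))
    rows.append((100.0, "203.0.113.5", make_udp(41000, GAME_PORT)))  # stray empties,
    rows.append((103.0, "203.0.113.5", make_udp(41000, GAME_PORT)))  # far apart
    rows.append((100.1, "192.0.2.99", b"\x00\x01"))                  # truncated entry
    rows.sort(key=lambda r: r[0])
    return rows


SAMPLE = build_sample()

if __name__ == "__main__":
    for ip, count in find_empty_floods(SAMPLE).items():
        print(f"{ip}: {count} empty datagrams within {WINDOW_SECONDS}s")
```

The returned sources are candidates for filtering or rate limiting at the firewall; UDP source addresses can be forged, so they do not by themselves establish who sent the traffic.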


----------



## FourLetterWord (Jan 21, 2009)

good luck tracking down the attackers

and hey, look on the upside: this is completely normal game server drama, not furry-specific drama

i still have fond memories of the soap opera that was XWIS

edit: also lol i had no idea TFP was based out of furaffinity, thats what i get for not clicking the game forum


----------



## Jacob Blakk (Jan 21, 2009)

Good, thats settled.  I believe an apology is in order.


----------



## kamunt (Jan 21, 2009)

EDIT: Let's lay this very hideous, fat, ugly whore to sleep now, please. lol @ 24 people viewing this thread.



Finny Fox said:


> Then why don't you just leave it alone? Some of us are still working on it, people like you are just watching.



I'm not going to spam this thread with your pointless bickering, so all I'll say is this--butthurt much? 



Slayth said:


> http://www.cc2iscool.com/nidhogg/?id=5



Nidhogg hit the nail dead on the head. I laughed so hard when my BF linked me to this.


----------



## Demowulf (Jan 21, 2009)

kamunt said:


> EDIT: Let's lay this very hideous, fat, ugly whore to sleep now, please. lol @ 24 people viewing this thread.
> 
> 
> 
> ...




I hate you. And I'm pretty sure you can guess who I am.


----------



## STrRedWolf (Jan 21, 2009)

Excuse me while I kill some drama here.

First of all, Nikky did the right thing in saying quite calmly "Yes, we were DDoS'ed, we're investigating it right now and getting things back up."  Informing the public first hand is always the right thing to do because you gain good PR out of it.  IBM got burned when their Deskstar line started failing and they kept mum about it -- their HD line is now owned by Hitachi. Seagate, on the flip side, actually came out and said "We have firmware problems on our drives, here's a list, we're pushing out new firmware and are offering free recovery services to bricked drives."

List of those Seagate drives here

Second, while folks here were sniping and performing SWAG research (Stupid Wild Ass Guessing), the cause of the problem was found and Witchy posted the reason -- Source engined game servers have a critical bug Valve better patch soon.

Yes.  A bug that slipped through QA and Valve didn't patch yet.

If I were the Heavy, I'd say "Babies make too much drama!  I thought we were fighting MEN! Whu... What's that sandvich?  Kill them all?  Ha ha hah... good idea."


----------



## Runefox (Jan 21, 2009)

> Good, thats settled. I believe an apology is in order.


I don't see why anyone should apologize to anyone here. I don't recall anything being cleared up as to who did it, so honestly, in my opinion, there's no need to apologize. I'm glad we have differing opinions, though, because I really like you people who signed up to troll the topic here and cry "FURRY DRAMA OMFG".



STrRedWolf said:


> Second, while folks here were sniping and performing SWAG research (Stupid Wild Ass Guessing), the cause of the problem was found and Witchy posted the reason -- Source engined game servers have a critical bug Valve better patch soon.


Uh.



> Yes.  A bug that slipped through QA and Valve didn't patch yet.


So the server was taken down by a bug? That's what you take out of "The attack was done by someone with a very good knowledge of how the Source Engine works and the knowledge of an as-yet-unencountered vulnerability in Source"? I believe that if that's the case, then any attack on any Windows-based PC is caused by a "bug" in Windows and not someone on the other end of a packet stream randomly firing off corrupted server packets and zero-data UDP packets. I'm sorry, but to add to the drama, you really failed pretty bad here.


----------



## Jacob Blakk (Jan 21, 2009)

Runefox said:


> I don't see why anyone should apologize to anyone here. I don't recall anything being cleared up as to who did it, so honestly, in my opinion, there's no need to apologize. I'm glad we have differing opinions, though, because I really like you people who signed up to troll the topic here and cry "FURRY DRAMA OMFG".



At what point in this thread have I ever spoken to you?  And what makes you think I was?  And if you knew I wasn't, why bother replying to that other than to start more crap?  Cut it.  I was addressing witchiebunny for spreading crap and not-so-subtly telling everyone "OMG CC2 AND SAKE DDOSED US".

...and do you even know what a troll is?


----------



## Runefox (Jan 21, 2009)

Jacob Blakk: If you were addressing Witchiebunny, then you should have taken it to PM. There's no reason to demand an unnecessary public apology except to start more crap, much less to post it in the open and then get angry when someone calls you on it or even addresses your post.

As far as I'm concerned, nothing has been conclusively proven or disproven involving CC2's involvement in the attack, and in the meantime, a lot of evidence surely points to an affirmative answer to it. Until someone gets to the bottom of it, the shit-slinging is going to continue and there isn't going to be any reason for an apology except for in the case of a lot of the flames that have occurred over the past two days, and honestly? Looking through the topic, the most flames and trolling that has gone on here has been from a lot of new accounts spouting off about so-and-so is wrong and that the whole thing is bullshit and so on. Yes, they pointed fingers early, and that pissed me off, too; But not only did I not decide to flame them for pointing fingers like many of the people who signed up solely to respond here have done, they also came up with information and evidence that backed up their claims. Whether or not it truly was CC2, the point is that for all intents and purposes, it wasn't obvious that he wasn't at least involved in it, and the violent reactions are rather telling.

Anyway, TFP have made their final statement regarding the issue, so whatever we talk about from here on doesn't really make any difference. People can take from it what they will.


----------



## lilEmber (Jan 21, 2009)

Yeah, I agree with Runefox; all these new accounts created to argue this topic alone is kinda fishy too. I kinda believe this should be locked, just because it's not going anywhere and all it's turned into is ruckus and flaming, false accusations without any statements from TFP or CC2 themselves, so knock it off and give it up.


----------



## Loarx12 (Jan 21, 2009)

Ok, ok, this is enough. Look at this: it has been nothing but most of you people spewing this garbage at each other. CC has stated his side and the admins of TFP said they are working on it. Just wait till a full answer is drawn. Until then we should just wait and keep this to ourselves. Keep in mind there are several answers here and I am not about to go into detail, so I will say this: a few suspects have been drawn and many rejected those claims while others agreed, so let's just wait for a FULL answer. I don't care how much evidence points to who; think of the community. Will two of the popular servers and their visitors continue to fight over this and push the community deeper into this pile of crap that has started? If this does continue into a massive flame war (or even bigger), then for the sake of the community don't ban, kick or abuse the people who don't want anything but to have fun, whether they are TFP regulars or CC2 regulars, unless they come in kicking and screaming CC2 or TFP rules and causing trouble. Don't be offended over small chat about it either; I can easily tell that there might be some conversations about this in game, so I am asking both sides to take the community that you love into consideration.


----------



## Kesteh (Jan 21, 2009)

/r/equesting lock.
Resolved, final statement, etc.


----------



## Jacob Blakk (Jan 21, 2009)

> hurr durr new accounts



My account wasn't created for this thread, I've had it for about 4-5 months or more prior.  I just usually have very little to say as I'm not an FA addict.  I only jumped into this thread because I'm a regular at CC2's and a former wanted-to-be regular at TFP.  Plus, anyone, no matter how old their account, is allowed to laugh at 'Neer for breaking his own ToS.



Runefox said:


> should have taken it to PM.



Spoiler: This entire thread could have been avoided using that neat little feature.  Why aren't you yelling at them about it?


----------



## Kesteh (Jan 21, 2009)

Who's to say the PMs would be kept to PMs?
Both servers have their own forum, so they can easily say "Hay look at this shit lol"


----------



## kamunt (Jan 22, 2009)

Demowulf said:


> I hate you. And I'm pretty sure you can guess who I am.



FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

To all of you furiously pushing F5 while viewing this thread--why? If you haven't gotten it by now...


----------



## Grimfang (Jan 22, 2009)

Looks like the issue is about as figured out as it will be for now, and everyone got their final words in (I hope).


----------

