FiveM Layer 7 vulnerability

Hello, I have been an administrator of the Ukader Network (TheUrbanCity RP) community game server for a few months.

I will tell you about an administrative situation that has happened to us:
In the week before publishing this, we were affected by multiple crashes (cyberattacks) against our servers. Initially, together with our service provider, we reinforced the mitigation of all incoming traffic. It is worth noting that our data center is located in Chile, as is our community.

After many attempts to tune the mitigation service, we realized that these attacks were only on the FiveM service and not on the server itself. Investigating through the magic of the internet, we found the problem.

Because FiveM exposes web services, such as IP:PORT/info.json or IP:PORT/players.json, our 'attackers' carry out layer 7 attacks on those web services. One of the first options for me, as a programmer and server administrator for years, was to recompile one of the FiveM libraries (removing the affected web services). Although we have not tested this in production and do not really know the impact it could have, I am making this report to:

  • Allow administrators to block web services generated with the server.
  • (or) allow to change the port of those services.

We believe the servers are having these issues because of those affected services. I will leave the videos we found of 'Penetration Test Services' doing exactly what we have described.

Videos:


Note: We are not responsible for any of these videos, and they are only added to corroborate the information we have described.

Thank you very much in advance.

Discord: AlexBanPer#4245
Email: a.martinez@ukader.net

Just removing endpoints from the server doesn’t actually solve the root cause of the problem. /players.json, /info.json etc. are not the only endpoints on the HTTP server, there are others that are more important and can’t be removed. If you remove an endpoint, they’ll just attack another one. HTTP endpoints are literally part of the protocol, so allowing administrators to block it or change the port is completely impractical.

If the server is crashing, then you should provide a dump and more info so it can actually be fixed. https://docs.fivem.net/docs/support/server-debug/

Hello @Jamelele1!
Understood, but I clarify that my server DOES NOT GO DOWN because of the application. The server (game service) loses connectivity completely, as the connections become overloaded, but, for example, the connections of other game servers like 'Rust' do not drop and remain without problems.

If you mention that there are certain “important” endpoints, why not do some form of server-side protection so it’s not so easy to access them and manage to attack a server?

Why not allow administrators to choose the port of those services to avoid interfering with the game server in case of an attack like the one mentioned above?

I must understand that, if those endpoints are of the utmost importance, what will they do if malicious users actually access the server through those links to carry out this type of attack?
When a server is attacked, it doesn't matter whether the endpoints are of "the utmost importance" to certain systems, because if the attackers achieve their goal, nothing will matter.

If you are being subjected to cyber attacks, you are the victim of a crime in most countries.
I will freely admit that I don’t know the relevant laws of Chile, but it’s worth looking into making a police report.

@Demonen
That is correct, our laws prohibit these attacks, but if that had a 'real' solution we would clearly report this case. However, all the attacks come from outside Chilean territory, at least judging by the IPs of the attacking servers.
Thanks!

And what makes you think that attackers won’t just find this different port (which their client will be using to communicate with the server) and target that instead?

My point was, these endpoints are important, therefore the idea of allowing administrators to block them is absurd.

Some useful information to provide so this can actually be fixed would be pcaps, dumps, steps to reproduce it, or just anything other than 'remove these endpoints'; so many people say this, and if it were really that easy then it would have already been done.

I have more gaming services on the same virtual server. It would be a very strange coincidence that, when these malicious people notify us, ONLY THE FIVEM SERVER goes down. What I am commenting on is based on three weeks of trial and error with our service provider.

Sure, it's absurd. Anyway, an offline server is also absurd when the cause of it is the same absurd point I am commenting on. I think it is a bit illogical to discuss "the absurdity of things". Maybe, yes, it is not the best solution according to what you tell me, but there must be an alternative to prevent this on the FiveM service.

But what is so important about 'players.json' or similar endpoints?
Well, we have a packet driver; thanks to it we have managed to capture the vast majority of the negative traffic and drop it, but unfortunately it does not capture all Layer 7 traffic, and even so the server is still left offline (only the FiveM server).

I understand that certain endpoints are important, and I do not question the totality of these facts. I'd just like to know whether it's a real FiveM security issue or not. Clearly, I have not been the only Chilean server affected.

Yes, it’s called providing more useful information so that it can be fixed. Every attack is different, there’s no blanket solution for this. They need reproducible issues to be able to fix it.

The best thing to do to avoid that is to capture packets from the players you usually have, send them to your hosting provider and tell them to apply those to the VAC filter; if packets are different, dismiss them.
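As an added example (not code from the thread, from the FiveM project, or from any of the posters), here is the detection side of what the two replies above amount to: rather than removing /info.json and /players.json, identify the sources that are hammering them and hand that list to the host's filter, with an allowlist for the "usual players" so that their occasional fetches are never counted. It assumes a constructed, time-ordered request log in the form `<epoch-seconds> <source-ip> <method> <path>`; FiveM itself does not write such a log, so in practice the lines would come from a reverse proxy or a packet capture placed in front of the server. The window and threshold values are illustrative assumptions.

```python
"""Flag sources flooding FiveM's HTTP info endpoints in a request log.

Added example for this thread; not code from the original posts or from
the FiveM project. Assumed (constructed) log format, one request per line,
in chronological order:
    "<epoch-seconds> <source-ip> <method> <path>"
"""
from collections import defaultdict, deque

# The endpoints the thread names as the layer 7 flood targets.
INFO_ENDPOINTS = frozenset({"/info.json", "/players.json"})


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path)."""
    ts, ip, method, path = line.split()
    return float(ts), ip, method, path


def flood_sources(lines, window_s=10.0, threshold=30, allowlist=frozenset()):
    """Return {ip: peak} for every source whose requests to INFO_ENDPOINTS
    inside any sliding window of window_s seconds exceed threshold.

    allowlist holds the addresses of regular players (the "usual players"
    idea from the thread); their requests are never counted. A client that
    fetches /info.json or /players.json once when joining stays far below
    the threshold, so only sustained hammering is reported.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, ip, _method, path = parse_line(line)
        if path not in INFO_ENDPOINTS or ip in allowlist:
            continue
        q = recent[ip]
        q.append(ts)
        # Evict timestamps that fell out of the window (log is time-ordered).
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def constructed_log():
    """Constructed sample traffic (not a real capture):
    - a regular player fetching /info.json once when joining,
    - a server-list crawler polling /players.json every 2 seconds,
    - one source requesting /players.json 40 times a second for 5 seconds,
    - an ordinary non-info request that must not be counted.
    """
    base = 1_614_628_800.0
    events = [(base, "203.0.113.10", "GET", "/info.json"),
              (base + 0.5, "203.0.113.11", "GET", "/client")]
    events += [(base + 2.0 * i, "192.0.2.50", "GET", "/players.json")
               for i in range(30)]
    events += [(base + 1.0 + i / 40.0, "198.51.100.7", "GET", "/players.json")
               for i in range(200)]
    events.sort()
    return [f"{ts:.3f} {ip} {method} {path}" for ts, ip, method, path in events]


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(constructed_log()).items()):
        print(f"{ip}: {peak} info-endpoint requests within 10 s")
```

The sliding window matters: a server-list crawler that polls /players.json every couple of seconds makes hundreds of requests a day but never more than a handful in any ten-second span, so it is not flagged, while the flood source is reported with its peak rate. The resulting addresses are what you would pass to the hosting provider's filter; this only identifies the senders and does nothing to make the endpoints themselves cheaper to serve.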

Useless bump.