
Gnome Security Report: DDoS (Eng)


Written by Alfian Firmansyah
(Founder of iotnesia.id (http://iotnesia.id), Developer of submit-manuscript.org (http://submit-manuscript.org), Engineer at tokopedia.com (http://tokopedia.com), and Infra and Site Reliability Engineer in the payment industry)
https://www.linkedin.com/in/alfian-firmansyah/ (https://www.linkedin.com/in/alfian-firmansyah/)

Table of Content

Intermezzo Gnome Servers
Motivation and events
Report Results and Actor Identification
Simple proposal: empirical evidence
Gather the facts or data
Behavior Result: Defining Attacker Behavior in the Context of Performance Testing
Simple proposal: electronic evidence
There is an action calling for an attack on Gnome servers
There is an action calling for an attack on all servers: Lucius, Celestial, Winter, Diaz, Aurora.
There is an action calling for an attack on the Diaz server
Conclusion
Material loss
Total Loss
July 2022
August 2022
September 2022
Total material loss
Action Points: Covenants
Final Thoughts

Intermezzo Gnome Servers


Dragon Nest M Gnome (https://web.facebook.com/GnomeDNM) is a rather unusual private game server. It was originally built as a research test-bed for the author's studies: to learn the tech stack and infrastructure of a Dragon Nest M game server, and to find the security vulnerabilities of that server (the components prone to malicious attacks), together with the mitigations and preventive measures used by its developer, SIAM GAME from Thailand, and its publisher, Shanda (Eyedentity).

A test-bed alone is not enough without players, so we also took the initiative to build a team and a supportive community, with the aim of improving gameplay balance; our goal is to build a strong player mindset, the mindset of a real MMORPG player. The Gnome server we built has balanced gameplay, so that players feel satisfied through the progress of their own character.

Our mission is to reduce the habit of Instant Gratification Syndrome (https://www.psychologytoday.com/us/blog/the-modern-brain/201909/the-real-issue-instant-gratification) that is so common in mobile MMORPGs, so that players become more independent and can help sustain the Gnome server and its community.
Our motivation is to keep the existing Dragon Nest M community alive and let it feel the game again after the official developer shut it down.

Motivation and events

In pursuing these goals and missions we encountered several obstacles, challenges and findings.

Recently, several incidents have shaken the Dragon Nest private server world: DDoS, or Distributed Denial of Service, attacks by certain parties. This is nothing new in private server gaming. A Distributed Denial of Service (DDoS) attack is one in which the attacker uses a booter (stresser) service as the handler for a set of compromised servers or devices, which send traffic according to the configured method, IP and port to the intended target. The aim is to saturate the victim's bandwidth or exhaust its resources, so that the services it runs suffer high latency, overload, hangs, lag or crashes, both during the attack and afterwards.

Fig. 1.0. DDoS Diagram

In this case the targeted service is a Dragon Nest private server. The devices sending the TCP/IP packets are zombies, and the packets carry spoofed source IPs (https://www.cloudflare.com/learning/ddos/glossary/ip-spoofing/), so the attacker generally cannot be tracked or easily identified: the addresses the victim sees are not those of the attacker's own computer or device. Note that spoofing only works for traffic that needs no reply, such as a SYN flood; an HTTP flood has to complete the TCP handshake first, so the addresses it leaves in the web server log are real (they belong to the bots or proxies used), but still not the attacker's own.

Two DDoS methods are used most often.
a. Layer 7 (Application): HTTP flooding and PUT flooding. At this layer the target is the authentication system (the login and registration ports/paths and the website) of game server version 1.6.59, which still sits behind an apache2/httpd web server. The most common example is flooding of the registration form: the attacker runs a script that generates random payloads and registers accounts continuously, until the victim's database fills with junk accounts and the service crashes.
b. Layer 4 (Transport): the larger number of cases, using TCP SYN floods against the publicly reachable ports of several main servers (not named here). The half-open connections exhaust the server's SYN backlog; the main server hangs, crashes and finally stops, and every player is disconnected at once.
Report Results and Actor Identification

The Gnome server is well protected at the infrastructure and backend level. We wrote our own scripts that collect attacking IPs and block them automatically, at both layer 7 and layer 4.
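As an added example (not the Gnome team's scripts, which the report does not publish), here is the shape such a collector can take in Python, covering both methods described above. It parses constructed Apache access-log lines for a registration flood (layer 7), parses constructed `ss -tan state syn-recv` output for half-open connections (layer 4), and emits nft commands that add the offending sources to a blocklist set. The set name `ddos_block`, the thresholds and the log samples are assumptions. The layer-4 part also handles the edge case the report describes: when every half-open connection comes from a different (spoofed) address, per-source blocking is useless, and the right response is kernel SYN cookies (net.ipv4.tcp_syncookies=1) or filtering upstream.

```python
"""Added example (not the Gnome team's scripts): collect flood sources at L7 and L4
and emit nft blocklist commands. All log/ss samples below are constructed, and the
set name, thresholds and rule format are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines: one scripted client hammering /register,
# one normal user, one static-asset fetch.
ACCESS_LOG = """\
203.0.113.7 - - [18/Sep/2022:15:00:01 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [18/Sep/2022:15:00:01 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [18/Sep/2022:15:00:02 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [18/Sep/2022:15:00:02 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [18/Sep/2022:15:00:03 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [18/Sep/2022:15:00:03 +0700] "POST /register HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.4 - - [18/Sep/2022:15:00:05 +0700] "POST /register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Sep/2022:15:09:30 +0700] "POST /login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2022:15:00:10 +0700] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Constructed `ss -tan state syn-recv` output: four one-off peers (what a spoofed
# flood looks like) plus one peer holding three half-open connections to the game port.
SS_SYN_RECV = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      10.0.0.5:16191       192.0.2.10:51234
0      0      10.0.0.5:16191       192.0.2.11:40001
0      0      10.0.0.5:16191       192.0.2.12:40002
0      0      10.0.0.5:16191       192.0.2.13:40003
0      0      10.0.0.5:16191       198.51.100.20:3000
0      0      10.0.0.5:16191       198.51.100.20:3001
0      0      10.0.0.5:16191       198.51.100.20:3002
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_access_log(text):
    """Yield (ip, timestamp, method, path) for each line in Apache combined-log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]

def l7_flood_sources(log_text, method="POST", path="/register", limit=5, window_s=60):
    """IPs that sent more than `limit` `method path` requests within any `window_s` seconds.
    Sliding window over each IP's sorted timestamps, so a burst is caught wherever it falls."""
    hits = defaultdict(list)
    for ip, ts, meth, p in parse_access_log(log_text):
        if meth == method and p == path:
            hits[ip].append(ts)
    flagged, win = set(), timedelta(seconds=window_s)
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > win:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged

def syn_recv_by_peer(ss_text):
    """Count half-open (SYN-RECV) connections per peer IP from `ss -tan state syn-recv` output."""
    counts = defaultdict(int)
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 4:
            counts[cols[3].rsplit(":", 1)[0]] += 1
    return dict(counts)

def l4_verdict(counts, per_peer_limit=3, total_limit=5):
    """Classify the SYN backlog. Returns (kind, ips_to_block):
    'per-source' when some peer holds >= per_peer_limit half-open connections (block it),
    'spoofed'    when the backlog is large but no peer repeats: random spoofed sources,
                 where blocking by IP cannot help and SYN cookies / upstream filtering must,
    'normal'     otherwise."""
    heavy = {ip for ip, n in counts.items() if n >= per_peer_limit}
    if heavy:
        return "per-source", heavy
    if sum(counts.values()) > total_limit:
        return "spoofed", set()
    return "normal", set()

def nft_block_rules(ips, set_name="ddos_block"):
    """nft commands adding each IP to a named set. The set, and a drop rule that
    references it in table inet filter, are assumed to exist already."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(ips)]

if __name__ == "__main__":
    l7 = l7_flood_sources(ACCESS_LOG)
    kind, l4 = l4_verdict(syn_recv_by_peer(SS_SYN_RECV))
    for cmd in nft_block_rules(l7 | l4):
        print(cmd)
    if kind == "spoofed":
        print("# spoofed SYN flood: enable net.ipv4.tcp_syncookies=1 and filter upstream")
```

The script only prints the nft commands; running them, and creating the set plus the drop rule that references it, is left to the operator. The split between the two layer-4 verdicts is the point to take from it: a layer-7 flood always leaves blockable addresses, a SYN flood only does so when the sources are not spoofed.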

Total Collection of Spoofed IPs in the last 2 months

Fig. 1.1. Results of Spoofed IPs coming to Gnome servers for 2 months (August, September)

Total attacks in the last week of September: 23

Fig. 1.2. Incoming network: Result of the number of attacks received by the Gnome server in 1
week (September)

Video explaining how we received the various attacks:


https://youtu.be/VxS70i5f8NA (https://youtu.be/VxS70i5f8NA)

(the data for this result was taken in September only as a sample)

Simple proposal: empirical evidence

Gather the facts or data


There are rumours and reports that a private server developer deliberately DDoSes several other servers, so we set out to test that claim with data and facts.
Based on those reports, and on the reactions observed on each server's Discord, the following servers were hit by DDoS attacks in a certain period (September to mid-November):

Gnome (>20 attacks per week),
Lucius (x attacks per week),
Celestial (x attacks per week),
Aurora (x attacks per week),
Winter (x attacks per week),
Avalon (x attacks per week),
Diaz (x attacks per week),
Argenta (x attacks per week),
Hyper (x attacks per week)

Some servers, however, were found not to have been attacked in the same period:

Prime
Obelix

Both of these have the same developer.

Other data:

1. The attacks occurred over the last several months (August, September, October, November).
2. The most frequent attacks fell in the last week of September and used the TCP method.
3. In October the method changed completely, from DDoS to session kick-out (which is not DDoS and is not discussed here).
4. We therefore chose Prime and Obelix as the targets to test.

Based on this data we set the performance-testing targets as:

1. Obelix
2. Prime

Performance test dates: 9-11 and 16 September 2022

Duration: 1-6 hours of high-load testing per day, over 3 days.

This action was discussed and planned with the team and carried out only by professionals, given the very high risk. Its purpose was to learn the reaction behaviour of the suspected servers (Prime and Obelix).

Behavior Result: Defining Attacker Behavior in the Context of Performance Testing
The entity behind a DDoS cannot easily be tracked by eye, since, as explained in the previous section, the attacker uses a booter with spoofed IPs.

So we used a slightly unusual way to identify and observe the suspected actors: their behaviour after performance testing.

Note: we are aware that this performance testing is not justified; it was done only to establish the facts from behaviour and observation, for the sake of professional empirical evidence. We therefore limited it to the 3-day period, did nothing outside that period, and did not touch any server other than the chosen targets.

Behaviour after performance testing:

1. Prime and Obelix reacted to the load by changing their ports as a server-side defence.
Obelix: 16191 to 26191 to 22107
Fig. 1.3. Obelix open port

Fig. 1.4. Obelix after performance testing: connection timed out.

Fig. 1.5. Game connection retries in Obelix Worldboss

Prime: 9548 to 11574

Fig. 1.6. Before performance testing

Fig. 1.7. After performance testing

2. Decoy open ports to frustrate nmap (subject: Prime). The subject manipulates which ports appear open, so the three real game ports are not easy to recognise or detect.
3. The subject re-attacked the Gnome server a relatively short time after our performance testing, according to the Gnome security report data. We then changed our own port, hoping they would recognise, on seeing our new port, that we had done the same thing they did (behaviour: Identical Response Cloning) and so be sure the testing came from Gnome. In simple terms: "so they find out it's from Gnome".

4. Once the actors found out, a few developers visited our (Gnome) server, which was exactly the reaction we expected: CelestialDNM and the Prime developer.
(Join and leave timestamps)

(Asking us to stop attacking)

At this point a clear picture had formed: the actor knew what we were doing, because we were doing Identical Response Cloning. This cannot be explained by DDoS theory alone, where the sources are spoofed IPs: just as we cannot trace the DDoS actors by IP, they could not have traced our testing to Gnome by IP either. Without the visibility given by Identical Response Cloning, an actor would not be able to confidently walk into the Discord of the server attacking theirs.

At this stage our two-step method had worked, and we had some light on the matter.

5. Reaction on Discord. When we began performance testing, a developer whose server is a regular DDoS target would normally tell players that the server is under attack; here the subject sent no such notice, only announcements of a restart, a cache reset or "server under repair". (Logically this indicates that the server rarely suffers DDoS, so for a while the developer assumed it was only a technical problem on the server.)
Fig. 1.9 Server is under repair: Prime (11 September 2022)

But on the second day of performance testing, which we ran for a fairly long time (6-7 hours), the reaction was clearly to inform players that this was an attack.

Fig. 1.10 Developer admits the server is under DDoS attack: Prime (16 September 2022)

The behaviours above confirm suspicious activity by both Prime and Obelix over the past 2-3 months.

Simple proposal: electronic evidence


Electronic evidence, in the form of short messages collected from witnesses and (unnamed) sources, supports the empirical evidence above.

We match the dates of the chats against the impact and Discord response on each server.

Below is electronic evidence showing a WhatsApp conversation with "Loxy", the developer of the DNM private servers Prime and Obelix. In this time frame the more logical context is the Prime developer, since Prime was only released on 9 September, while Obelix has had no development in the past few months.

There is an action calling for an attack on Gnome servers

Date: 18 September 2022, 15:00 - 16:00 UTC+7
Fig. 1.11. Call to DDoS the Gnome server, from a witness's WhatsApp screenshot

Actual situation on our Discord on 18 September 2022

Fig. 1.12. Connection Error attacks and HTTP layer 7 flooding at 15:00 - 16:00 UTC+7; because our security system auto-blocks them, there was no impact.

The two timestamps match: 15:00 - 16:00 UTC+7 on 18 September 2022.

There is an action calling for an attack on all servers: Lucius, Celestial, Winter, Diaz, Aurora.
Fig. 1.13. Call to DDoS almost all servers, from a witness's WhatsApp screenshot

There is an action calling for an attack on the Diaz server

28 September 2022, 19:00 - 19:55 UTC+7
Fig. 1.13. Call to DDoS the Diaz server, from a witness's WhatsApp screenshot
28 September 2022, 12:00 - 15:00 UTC+7
Actual state of the Diaz server on 28 September 2022

(19:00 - 19:55 UTC+7)

(12:00 - 15:00 UTC+7)

The two sets of timestamps match: 12:00 - 15:00 WIB (UTC+7) and 19:00 - 19:55 WIB on 28 September 2022.

In each case the electronic evidence and the Discord reaction coincide in the same date and time range, so we find that the attacks were carried out intentionally by the subject, the Prime/Obelix developer, with the apparent motive of drawing more players from the targeted servers.
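The timestamp matches in this section and in the Gnome section above can be checked mechanically. The following added example (not the report's tooling) normalises every window to UTC before comparing, because the witness screenshots are in WIB (UTC+7) while exported Discord timestamps are commonly in UTC, and a naive comparison of "15:00" against "08:00" would miss a genuine match. The windows are the ones the report states; the UTC entry for the Gnome Discord window, the "unrelated" control window and the 15-minute minimum overlap are assumptions for illustration.

```python
"""Added example (not the report's tooling): check that witness chat windows and
server-side event windows overlap, with every time normalised to UTC first.
Windows are the ones the report states; the UTC form of the Gnome Discord window,
the 'unrelated' control window and the 15-minute threshold are assumptions."""
from datetime import datetime, timedelta, timezone

WIB = timezone(timedelta(hours=7))  # UTC+7, the zone of the witness screenshots
UTC = timezone.utc

def window(date, start, end, tz=WIB):
    """(start, end) as aware datetimes in UTC, from 'YYYY-MM-DD' and 'HH:MM' strings read in `tz`."""
    s = datetime.fromisoformat(f"{date}T{start}").replace(tzinfo=tz)
    e = datetime.fromisoformat(f"{date}T{end}").replace(tzinfo=tz)
    return s.astimezone(UTC), e.astimezone(UTC)

def overlap_minutes(a, b):
    """Whole minutes shared by windows a and b; 0 when they are disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0, int((end - start).total_seconds() // 60))

def corroborate(chat_windows, server_windows, min_minutes=15):
    """All (chat_label, server_label, minutes) pairs that overlap by at least min_minutes."""
    matches = []
    for c, cw in chat_windows.items():
        for s, sw in server_windows.items():
            m = overlap_minutes(cw, sw)
            if m >= min_minutes:
                matches.append((c, s, m))
    return matches

# Witness WhatsApp windows as stated in the report (WIB).
CHAT = {
    "gnome-call":  window("2022-09-18", "15:00", "16:00"),
    "diaz-call-1": window("2022-09-28", "19:00", "19:55"),
    "diaz-call-2": window("2022-09-28", "12:00", "15:00"),
}
# Server-side observations. The Gnome auto-block window is entered in UTC (assumed,
# as an exported Discord timestamp would be) to show that the conversion is needed.
SERVER = {
    "gnome-autoblock": window("2022-09-18", "08:00", "09:00", tz=UTC),
    "diaz-evening":    window("2022-09-28", "19:00", "19:55"),
    "diaz-afternoon":  window("2022-09-28", "12:00", "15:00"),
    "unrelated":       window("2022-09-20", "15:00", "16:00"),  # constructed control
}

if __name__ == "__main__":
    for c, s, m in corroborate(CHAT, SERVER):
        print(f"{c} <-> {s}: {m} min overlap")
```

The control window is there to show what a non-match looks like; when reusing this on real exports, record the zone of each source explicitly rather than assuming it, since a one-zone mistake either hides a real match or manufactures a false one.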

Conclusion

As stated in the first chapter, the Gnome server's motivation is to maintain a healthy community, not only on the Gnome server but across the wider DNM community.

Based on the empirical and electronic evidence, the developer of Prime and Obelix deliberately carried out DDoS attacks against several servers, including the Gnome server.

Material loss

Total Loss

July 2022

Normally the monthly bandwidth for all players logging into the game infrastructure is around 200 - 500 GB.
Gnome server loss in July: $50 in data transfer charges caused by the DDoS attacks.

August 2022
Waived / tolerated.

September 2022
Losses are calculated from the sum of GB per week, totalling 1000+ GB.

$100 in data transfer charges caused by the DDoS attacks.

Total material loss

July + September = USD 150, or IDR 2,355,607.50 at an exchange rate of about 15,704 rupiah per dollar.

Action Points: Covenants


To keep this from happening again in the Dragon Nest Mobile community, we have compiled several points that the Prime developers must fulfil immediately:

1. Compensate the total material losses stated above.
2. Close the Prime and Obelix servers (together with their Discord server), as they are the actors behind the DDoS cases that keep occurring across the DNM private servers.
3. Stop DDoSing all servers, especially the Gnome DNM server.
4. Sign an agreement letter covering the three points above, on stamp duty, with an electronic signature (to be shared via private communication).

We allow 2 weeks for these four points, from the date this article is published until 10 December 2022.

If these four points are not met, or it is proven after the deadline that they have again called for attacks and damaged the community, we will be forced to carry out a takedown (server, community and/or social) with the professional capabilities we have.

Final Thoughts

Misusing DDoS is harmful both materially and in terms of risk. The tooling behind it is sold as a means of performance (stress) testing, but many parties turn it on others for their own ends without understanding the consequences they will face.
