However, a test bed alone is not enough without players, so we also took the initiative to build a
team and build a supportive community with the aim of improving gameplay balance, because our
goal is to build a strong player mindset to become a real MMORPG player. The Gnome Server
that we built is a server with balanced gameplay properties to make players feel satisfied through
the progress of the player’s character.
Our mission is to reduce the habit of Instant Gratification Syndrome
(https://www.psychologytoday.com/us/blog/the-modern-brain/201909/the-real-issue-instant-gratification), which always
happens in mobile MMORPG games, so that players become more independent and can help sustain
the Gnome server and its community.
Our motivation is to keep the existing Dragon Nest M community population together so that it can once again feel
the sensation of the game that has been closed by the official developer.
In pursuing these goals and missions, we encountered several obstacles, challenges, and findings.
Lately, several incidents have shocked the Dragon Nest Private Server world, namely DDoS
(Distributed Denial of Service) attacks by certain parties. This is already familiar in
the world of private server games. A DDoS is a cyber attack in which the attacker relies on
a booter service to control (as a handler) compromised servers or devices, which perform
distributed attacks on the intended target according to a configuration (method, IP and port),
with the aim of paralyzing the traffic and bandwidth of the victim’s machine, so that the
services being run suffer high latency, overload, hangs, lag or crashes both during the attack and
afterwards.
In this case, the targeted service is the Dragon Nest Private Server itself. The devices
sending the TCP/IP packets are zombie devices with spoofed IPs
(https://www.cloudflare.com/learning/ddos/glossary/ip-spoofing/), so the attackers generally cannot be tracked or
easily recognized, since the source IP does not come directly from the attacker’s own
computer/device.
There are 2 types of DDoS methods that are often used, as follows.
a. Layer 7 (Application) with HTTP flooding and PUT flooding methods. In this layer, the target is
the authentication system (with port/path to login, register and website) on version 1.6.59, which
still uses the apache2 or httpd HTTP web server. The most common example of flooding
with this method is flooding of the registration field/payload, where the attacker uses a
script to automatically generate random payloads and register continuously until the victim’s
database is full of random accounts and crashes occur.
b. Layer 4 (Transport Layer) accounts for more cases, using the SYN Flood (TCP) method against
ports of several main servers (not mentioned) that are open to the public, so that the main server
hangs and crashes and in the end stops (all players experience mass
disconnection).
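One way a collection script could spot the registration flooding described in item a, as an added example (not the Gnome team's own script): it reads Apache-style access-log lines and returns a per-client blocklist plus a global alarm for floods spread thinly over many bots. The `/register` path, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
REGISTER_PATH = "/register"  # assumed endpoint; the page does not name one

def scan_register_flood(lines, per_ip_limit=5, global_limit=20,
                        window=timedelta(seconds=60)):
    """Return (blocklist, global_alarm) for time-ordered access-log lines.

    blocklist maps each client above per_ip_limit to its peak request count
    in one window; global_alarm is True when all clients together exceed
    global_limit, which catches a flood spread thinly over many bots.
    """
    per_ip, everyone = defaultdict(deque), deque()
    blocklist, global_alarm = {}, False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the collector
        ip, stamp, method, path = m.groups()
        if method not in ("POST", "PUT") or path.split("?", 1)[0] != REGISTER_PATH:
            continue
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        for q in (per_ip[ip], everyone):
            q.append(now)
            while now - q[0] > window:  # drop entries older than the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit:
            blocklist[ip] = max(blocklist.get(ip, 0), len(per_ip[ip]))
        global_alarm = global_alarm or len(everyone) > global_limit
    return blocklist, global_alarm

def sample_log():
    """Constructed log lines using documentation IP ranges, not real data."""
    t0 = datetime(2022, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(2 * i, "203.0.113.7", "POST", "/register") for i in range(8)]
    events += [(5, "198.51.100.20", "POST", "/register"),
               (6, "198.51.100.20", "GET", "/login"),
               (400, "198.51.100.20", "POST", "/register?ref=a")]
    rows = ["not an access-log line"]
    for secs, ip, method, path in sorted(events):
        ts = (t0 + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        rows.append(f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 312')
    return rows

if __name__ == "__main__":
    print(scan_register_flood(sample_log()))
```

Per-client counting is meaningful at this layer because an HTTP request needs a completed TCP handshake, so the logged address is one the client can actually receive traffic on.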
Report Results and Actor Identification
The Gnome server has a good level of security in terms of infrastructure and backend. We wrote
our own scripts that collect IPs and block automatically, at both layer 7 and layer 4.
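For the layer 4 side, an added example (not the Gnome team's own script) that summarises half-open TCP connections per local port from `ss -tan` output, which is how a SYN flood shows up on the targeted host. The sample output, port 14300 and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed `ss -tan` output; 14300 stands in for a game port and the
# addresses come from documentation ranges.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:14300       0.0.0.0:*
SYN-RECV  0      0      192.0.2.10:14300    203.0.113.11:40112
SYN-RECV  0      0      192.0.2.10:14300    203.0.113.54:1025
SYN-RECV  0      0      192.0.2.10:14300    198.51.100.9:53211
SYN-RECV  0      0      192.0.2.10:14300    198.51.100.77:6000
SYN-RECV  0      0      192.0.2.10:14300    203.0.113.200:33333
SYN-RECV  0      0      192.0.2.10:14300    198.51.100.3:2048
ESTAB     0      0      192.0.2.10:14300    192.0.2.50:50844
SYN-RECV  0      0      192.0.2.10:443      192.0.2.60:51000
ESTAB     0      0      192.0.2.10:443      192.0.2.61:51001
ESTAB     0      0      [2001:db8::10]:443  [2001:db8::61]:51002
"""

def half_open_report(ss_text, min_half_open=5, spoof_ratio=0.9):
    """Summarise `ss -tan` text per local port.

    A port is marked as flooded when it holds at least min_half_open SYN-RECV
    sockets and nearly all of them have different peer addresses, the pattern
    left by spoofed sources that never finish the handshake.
    """
    syn, estab, peers = Counter(), Counter(), defaultdict(set)
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN and other states are not counted
        port = int(cols[3].rsplit(":", 1)[1])
        if cols[0] == "ESTAB":
            estab[port] += 1
        else:
            syn[port] += 1
            peers[port].add(cols[4].rsplit(":", 1)[0])
    report = {}
    for port in sorted(set(syn) | set(estab)):
        n, uniq = syn[port], len(peers[port])
        flooded = n >= max(1, min_half_open) and uniq / n >= spoof_ratio
        report[port] = {"syn_recv": n, "estab": estab[port],
                        "unique_peers": uniq, "flooded": flooded}
    return report

if __name__ == "__main__":
    for port, row in half_open_report(SAMPLE_SS).items():
        print(port, row)
```

Because the peer addresses are forged, the report is keyed by port rather than by address; a flagged port calls for handshake-level protection such as SYN cookies (`net.ipv4.tcp_syncookies` on Linux) rather than an address blocklist.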
Fig. 1.1. Results of Spoofed IPs coming to Gnome servers for 2 months (August, September)
Fig. 1.2. Incoming network: Result of the number of attacks received by the Gnome server in 1
week (September)
(the data for this result was taken in September only as a sample)
However, a number of servers were detected as not experiencing DDoS
attacks in the same time period:
Prime
Obelix
Other data:
1. Attacks occurred during the last 2 - 3 months (August, September, October, November)
2. However, frequent attacks occurred within the last week in September using the TCP method.
3. In October, the method changed completely from DDoS to session kick out (which is not
DDoS and will not be discussed here)
4. We are trying to set targets to Prime and Obelix.
Based on these data, we reinforce that the Performance Testing targets are:
1. Obelix
2. Prime
This action has also been discussed and planned properly with the team, and is only performed
by professionals considering the very high risk. This is for the sake of knowing the reaction
behavior of the suspected servers (Prime and Obelix).
So we use a slightly unique way to identify and observe suspected actors, namely by their behavior
after performance testing.
Notes: We are aware that performance testing is not justified, but this is only intended to find out
and investigate the facts from behavior, observation and for the sake of professional empirical
evidence. So we only set it for a 3 day period for performance testing and we don’t do it outside
the given period, and also we don’t do it on other excluded servers from our given target server.
1. Prime and Obelix react to the attack by changing the port as a defense mechanism from the
server
Obelix: 16191 to 26191 to 22107
Fig. 1.3. Obelix Open Port
2. Fake open ports to hinder nmap (subject: Prime). In this case the subject manipulates open
ports, so the 3 main game ports are not easy to recognize or detect.
3. The subject re-attacked the Gnome server a relatively short time after performance testing was
performed, based on the Gnome server security report data. So we did a port change, hoping
they would know that we did the same thing (Behavior: Identical Response Cloning) by
looking at our latest port, so they were sure it was testing coming from Gnome. In simple
terms, “So they find out it’s from the gnome”.
After the actors found out, a few developers also visited our server (Gnome). This
was to be expected from the reactions we anticipated: CelestialDNM and Prime Developer.
(Join And Leave timestamp)
At this point, a clear picture has been formed that the actor knows what we are doing, because we
are doing Identical Response Cloning.
This becomes illogical if we relate it to the DDoS theory, namely spoofed IPs. While we cannot
clearly track DDoS actors, without the visibility of Identical Response Cloning the actors would not be
able to confidently visit the Discord that is attacking their servers.
At this stage, our couplet method worked, and we’ve got some light on it.
5. Reaction on Discord. When we began performance testing: generally, a developer of
a server that has become a prima donna DDoS target notifies players if the server is being
attacked, but in this case the subject did not notify players, and only
announced a restart, a server/cache reset, or that the server was under repair (logically, this indicates that the
server rarely experiences DDoS attacks, so there is a period in which developers
observe/assume that it is only a technical problem on the server).
Fig. 1.9 Server is under repair: Prime (11 September 2022)
But on the second day of performance testing, we did it for a fairly long duration, namely 6 - 7
hours; in this state it was clear that there was a reaction to inform players that this was an attack.
Fig. 1.10 Developer admit that the Server is under DDoS attack: Prime (16 September 2022)
The behaviors above confirm that there has been suspicious activity performed by both Prime and
Obelix in the past 2-3 months.
Next, we match chat dates against the impact/response on each server's Discord.
Herewith is some electronic evidence, showing a WhatsApp conversation with a person
named “Loxy”, who is the developer of the DNM private servers Prime and Obelix. However, in this
time frame, the more logical developer context is the Prime developer, considering that Prime was
only released on September 9, while Obelix is a server that has not had any development in the
past few months.
By this evidence, the two timestamps are matched and consistent, namely 15:00 - 16:00
UTC+7 on September 18th, 2022
By this given information, the two timestamps are matched and consistent, namely 12:00 -
15:00 WIB on 28 September 2022 and 19:00 - 19:55 WIB on 28 September 2022.
Based on electronic evidence, the match between electronic evidence and Discord’s reaction is
consistent with the same time range (date/time), so it is found that the attack was performed
intentionally by subject: Prime/Obelix developer, with the motive of hoping to get
more players from the target server.
Conclusion
As stated in the first chapter, the motivation of the Gnome server is to
maintain a healthy community, not only on the Gnome server, but also in the DNM communities
outside.
Based on empirical evidence and electronic evidence, there are deliberate actions by actors:
Developer Prime and Obelix in performing DDoS actions on several servers, including the Gnome
server.
Material loss
Total Loss
July 2022
Normally, the monthly bandwidth for all players logging into the game infrastructure is around 200
- 500 GB.
Gnome Server total loss in July, $50 as data transfer charge from DDoS attack.
August 2022
We annulled / tolerated it.
September 2022
Losses are calculated from the SUM of GB per week, for a SUM of 1000+ GB.
1. Compensate for the total material losses that have been stated
2. Closing the Prime and Obelix servers (along with the discord server) because they are actors
in DDoS cases that often occur on all DNM Private Servers
3. Stop DDoSing all servers, especially the Gnome DNM server.
4. Sign the agreement letter for the three points above on stamp duty which will be attached
(shared via private communication) with an electronic signature.
We can tolerate the 4 points above for the next 2 weeks, starting from the date this article was
published until December 10, 2022.
If these four things are not heeded or it is proven that they have performed several actions calling
for and destroying the community again after the specified time limit, we will be forced to perform
a takedown (server, community and/or social) with the capabilities that we have professionally.
Final Thoughts
The misuse of DDoS is an action that is detrimental both in terms of material and in terms of risk.
Basically DDoS is a feature for performing performance testing, but many parties do it for their
own sake without knowing the implications that will be received.