taiwi · @taiwics

2nd Apr 2021 from TwitLonger

Important information on recent DDOS attacks

Disclaimer I'm not a certified expert. I'm speaking based on my experiences and what I know and my opinions. ‚ÄčI talked with most of the players/teams that got DDOS'd.

Fact #1: Your IP was leaked at some point
Fact #2: They could not ddos you if you used a different connection, like playing at ur friends house or using your neighbors wifi etc.
Fact #3. You can use your PC with that different connection.

I'm gonna explain what I did to stop getting ddos'd. Wrote down my IP from whatismyipaddress.com (particularly IPV4 address, not IPV6), bought a new hard drive and set the old one aside, changed my IP by unplugging my modem for 5-15 mins (if you have a direct fiber line, that's your "ONT box" installed generally outside of your house, in ur garage or somewhere like that), confirmed my IP was changed by visiting the website again, changed the ip multiple times before the match, used a different ethernet port. The reason I reformatted my drive just in case is because I considered the possibility of something on our end feeding them our IP, particularly after people claimed that they changed their IP and still got hit. First time I got ddos'd was on train against Big chillin. We rescheduled the second map for another day while I did the steps mentioned above. They couldn't ddos me on that second map or any of the following maps since then. I also played on my "original hard drive" that was potentially "infected" against PDHM and still wasn't ddos'd so I dont think it's something on our drive.

My thoughts/opinions:
A)IP was primarly leaked from a scrim server, not teamspeak or DM's or ESEA.
-If you consider the pattern that all the starters + coach were the players hit and NOT subs, this indicates it's something all 5 starters + coach were exposed to together. My coach doesn't even play csgo. Doesn't DM, doesn't play hubs/fplc so how is he ddos'd along with us but not my subs? The pattern here is your entire team got exposed at the same time, not individual players. IMO our IPs were initially grabbed by a scrim server that we all were exposed to. This is not to say that they can't get your IP from teamspeak, they surely can.

B)What if ESEA was compromised, the ddoser has an insider or access to ESEA or it's ESEA themselves?
-Very unlikely. If this was the case, changing your connection would NOT stop the ddos. Ontop of that, your subs can get ddos'd too.

C)Players said they tried changing their IP, used VPns but still got hit, theory is they have a way of finding your "new ip".
-This is the strange thing about this situation. Normally when you get ddos'd, you just change your IP, don't get your IP from being leaked for example skype used to have vulnerabilities and some games as well and you're good. So how did people who changed their IP and still got hit? Perhaps people aren't properly changing their IP or confirming it's changed or their ISP support are dumb or they got picked up from a DM / teamspeak. Also It has to be your external, not internal IP. IDK exactly but I changed my IP successfully and it worked.

D)Something on our PC is giving them our IP
-Based on players saying they changed their IP and still got hit, I thought maybe something on our side was feeding them the IP. But if that was the case, changing your connection to a friends house wouldn't work because they'd just get that new IP as well. Also I played with my "potential infected" PC and they didn't ddos me. So in my case properly changing my IP was all it took.

E)How do I change my IP?
First thing is take a screenshot of your current IP, just google what is my ip. Next you can try is unplugging your MODEM (not router, unless you use a modem+router combo) for anywhere from 5 minutes up to 24 hours and then plugging it back in. Check if ur IP changed. In my case, it takes me 5-15 mins to fetch a new IP. For some people, it never changes. They need to call their ISP or get a new modem to get another IP. For some, their IPV4 does not change and only IPV6 does. It has to be IPV4 I believe.

F)So now what?
You should write down your IP and check it periodically to see if it ever changes, if you dont wanna go through the process of calling ur ISP or buying a new modem. Sometimes it takes a few days or even weeks for ur ISP to assign a new one to you. Try leaving ur modem not powered for many hours. Also ESEA keeps a record of your IPs in your manage account page. You can look there to get an idea of how often you get a new IP. This is important because if your IP doesn't ever change, u can assume that they still have ur IP and can fuck with you whenever they feel like. In fplc, tournaments, next season, pugs, etc they can technically still ddos you.

G) So who grabbed our IP? Note whoever grabbed it is not necessarily the ddoser. They could pass our IP to someone else who wants them
-Assuming it's from a scrim server and with some logical thinking and cross examination we can round down some suspects.
1.) It's a team you have scrimmed against on their server, if you've never scrimmed them it's probably not that team and you can take them off the suspect list
2.) It's not a team that got ddos'd
3.) In our situation, we are generally picky with who we wanna scrim, we don't scrim main teams or low adv teams so thats out of the question. It's probably not from a team in playoffs based on the fact that infinity would have ddos'd us, we've never scrimmed against BC or PDHM PAIN so its not them that grabbed it or any of the teams that got DDOS'd
4.)If you go through your discord messages and you didn't close them, u can see all the teams uve messaged to scrim and joined and narrow it down.

Conclusion: Write your IP down, change it, confirm the change, wipe your hard drive if you wanna be extra extra safe. Don't join other servers to scrim or random teamspeaks in the future unless you trust them, play on ur server or esea only. I think it's as simple as them grabbing your IP and ddosing that IP & people aren't properly having their IP changed by their ISP or getting picked off again perhaps DMing or joining public teamspeaks.

Reply · Report Post