Weird simultaneous connection to all of our LFS servers
I noticed this on the console (and in the logfiles as well) on all of our LFS servers tonight:

Aug 13 18:17:39 Accept : 78.128.112.22
Aug 13 18:17:39 Received 47 : 78.128.112.22
Aug 13 18:17:39 Unknown protocol : 78.128.112.22
Aug 13 18:17:39 Unknown protocol : 78.128.112.22

All servers have been contacted at the exact same time.
The IP address traces back to Bulgaria, but that doesn't mean too much these days.
Anyone else had this today and if so (or not), is it something I should be worried about?
Nothing special on my servers, as far as I can see.

Looks like someone is scanning the servers or something. Or trying to connect from a faulty/cracked masterserver list / LFS.exe. Shrug

Did you receive any other messages from that IP?

Hope the devs can tell you/us more about those messages.
Quote from Bass-Driver :Did you receive any other messages from that IP?

Not since I restarted our VPS yesterday evening, which cleared the logfiles.
I will keep an eye on it and maybe someone else is able to tell me more about this.
#5 - lucaf
On Sunday there were at least several Finnish government servers under DoS attack (it was in the news). Who knows what was going on. Maybe it was some celebration day for DDoSers, and they just DoSed everywhere for fun?
Ooh, you posted their IP.

Evil thoughts intensifies

Jk
I had the same unknown protocol when I had some servers opened. I also think the IP is the same, but that started since the test patches and the new version. (Something to do with masterserver?!?)
#8 - Racon
I have some of that in my serverlogs. Same IP too, but not always. I thought it was people with previous incompatible versions of LFS trying to connect.
I can see the same messages, from two IP addresses.

179.60.146.20
78.128.112.22 (as mentioned above)

I don't know what it is or what someone is trying to do. It doesn't seem to be the size of a known packet for initial connection attempts. I don't feel it's much to worry about at this point.
@Scawen
I don't know if the following is related or relevant, but in redacted a popular server (check edit logs to read thanks), the server was able to be crashed and subsequently poached if a user attempts to connect from the same account from two separate PCs or separate IPs at the same time.

It happened pre-update and I think it's fixed now and doesn't happen, but this unknown IP thing seems to gel really well with this theory.

Happens real quick too, two same usernames connected appear in the chat and then server instantly crashes. Hm.


Hope it's not someone trying to nick servers, lol.
Our servers have been 'visited' three times again today:

Aug 18 08:39:34 Accept : 77.72.83.99
Aug 18 08:39:34 Received 47 : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99

Aug 18 09:28:06 Accept : 77.72.83.99
Aug 18 09:28:06 Received 47 : 77.72.83.99
Aug 18 09:28:06 Unknown protocol : 77.72.83.99
Aug 18 09:28:06 Unknown protocol : 77.72.83.99

Aug 18 11:25:23 Accept : 5.8.18.70
Aug 18 11:25:23 Received 47 : 5.8.18.70
Aug 18 11:25:23 Unknown protocol : 5.8.18.70
Aug 18 11:25:23 Unknown protocol : 5.8.18.70
I just wonder, could it be someone with a different version of LFS who tries to connect?

Edit: When I click on older servers, LFS tells me (Host has different game code). But I don't know how it would show in logs.
Another 'visit' last night, only on one server this time:

Aug 21 20:36:10 Accept : 193.238.46.22
Aug 21 20:36:10 Received 43 : 193.238.46.22
Aug 21 20:36:10 Unknown protocol : 193.238.46.22
Aug 21 20:36:10 Unknown protocol : 193.238.46.22
Quote from THE WIZARD DK :maybe scouting LFS servers. but for what purpose

They're coming to take away our resident conspiracy theorists - they must've got close to the truth! Hey, I see a black helicopter outside my offi*transmission interrupted*

In all seriousness it's probably like 99.9% of all hacking activity - script kiddies scanning for something they can fiddle with. (And yes, I do see Apaches and/or Chinooks screaming along at treetop level out my window at least one day a week. It's awesome. No Blackhawks though, so far.)
Blackhawk is a helo, SR71 is Blackbird. I think I'd just about explode if I saw a real-life blackbird. Maybe literally if it hadn't warmed up enough to seal the fuel tanks yet, lol Smile
Two new attempts on all of our servers last night:

Aug 24 21:20:59 Received 47 : 5.8.18.70
Aug 24 21:20:59 Unknown protocol : 5.8.18.70
Aug 24 21:20:59 Unknown protocol : 5.8.18.70

Aug 24 22:56:14 Accept : 5.8.18.70
Aug 24 22:56:14 Received 47 : 5.8.18.70
Aug 24 22:56:14 Unknown protocol : 5.8.18.70
Aug 24 22:56:14 Unknown protocol : 5.8.18.70
Yesterday it first happened to my servers, same IP.

Onlineracing S3
Aug 24 10:51:35 Received 47 : 5.8.18.70
Aug 24 10:51:35 Unknown protocol : 5.8.18.70
Aug 24 10:51:35 Unknown protocol : 5.8.18.70
Aug 24 12:51:03 Accept : 5.8.18.70
Aug 24 12:51:03 Received 47 : 5.8.18.70
Aug 24 12:51:03 Unknown protocol : 5.8.18.70
Aug 24 12:51:03 Unknown protocol : 5.8.18.70

Blackwood GTi
Aug 24 10:52:05 Accept : 5.8.18.70
Aug 24 10:52:05 Received 47 : 5.8.18.70
Aug 24 10:52:05 Unknown protocol : 5.8.18.70
Aug 24 10:52:05 Unknown protocol : 5.8.18.70
Aug 24 12:51:34 Accept : 5.8.18.70
Aug 24 12:51:34 Received 47 : 5.8.18.70
Aug 24 12:51:34 Unknown protocol : 5.8.18.70
Aug 24 12:51:34 Unknown protocol : 5.8.18.70

Blackwood FBM
Aug 24 13:42:42 Accept : 5.8.18.70
Aug 24 13:42:42 Received 47 : 5.8.18.70
Aug 24 13:42:42 Unknown protocol : 5.8.18.70
Aug 24 13:42:42 Unknown protocol : 5.8.18.70

Rotate GTi
Aug 24 10:59:14 Accept : 5.8.18.70
Aug 24 10:59:14 Received 47 : 5.8.18.70
Aug 24 10:59:14 Unknown protocol : 5.8.18.70
Aug 24 10:59:14 Unknown protocol : 5.8.18.70
Aug 24 12:58:45 Accept : 5.8.18.70
Aug 24 12:58:45 Received 47 : 5.8.18.70
Aug 24 12:58:45 Unknown protocol : 5.8.18.70
Aug 24 12:58:45 Unknown protocol : 5.8.18.70

Rotate TBO
Aug 24 13:36:11 Accept : 5.8.18.70
Aug 24 13:36:11 Received 47 : 5.8.18.70
Aug 24 13:36:11 Unknown protocol : 5.8.18.70
Aug 24 13:36:11 Unknown protocol : 5.8.18.70


Looks like the servers all stay okay; players don't notice a thing.

But now I also want to know what this is. Tried to connect with a different version of LFS but that doesn't show up in logs.


Edit: If you just look at the times, it looks like someone is putting quite a lot of time into it Wink
A new attempt at one of our servers:

Aug 26 11:16:48 Accept : 103.89.91.156
Aug 26 11:16:48 Received 47 : 103.89.91.156
Aug 26 11:16:48 Unknown protocol : 103.89.91.156
Aug 26 11:16:48 Unknown protocol : 103.89.91.156

Aug 26 11:36:30 Accept : 103.89.91.156
Aug 26 11:36:30 Received 47 : 103.89.91.156
Aug 26 11:36:30 Unknown protocol : 103.89.91.156
Aug 26 11:36:30 Unknown protocol : 103.89.91.156
Looks like all these IP addresses have a history of abuse.
Fact of life; You put stuff on the internet, you will get port scanned. Decent software will attempt to talk to the port if it's open and try to verify what it is.

Unless you've got a reason to think you're being directly targeted I'd be surprised if it's more than that.

If you're really bothered by it you can start looking at tools like fail2ban that consume the LFS server log and block the IPs (if you're on Windows, scripting something up using PowerShell, a quick regex to filter the logs and calls to create/modify firewall rules should suffice).
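
One way to do the log filtering suggested in the post above, as an added example that is not part of the original post and is not LFS or fail2ban code: it parses the "Unknown protocol" lines in the format quoted in this thread and returns the source IPs that probed repeatedly inside a time window. The function names, threshold, window, allowlist and the year argument (the log carries no year) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Host log line format as quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) Unknown protocol : (?P<ip>\S+)$")

# Sample input: lines in the thread's format; the last line is constructed.
SAMPLE = """\
Aug 18 08:39:34 Accept : 77.72.83.99
Aug 18 08:39:34 Received 47 : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99
Aug 18 09:28:06 Unknown protocol : 77.72.83.99
Aug 18 11:25:23 Unknown protocol : 5.8.18.70
Aug 18 12:00:00 Unknown protocol : not-an-ip
""".splitlines()

def probe_times(lines, year):
    """Map source IP -> sorted list of distinct probe timestamps."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an address: never hand it to a firewall command
        # The caller supplies the year because the log omits it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[ip].add(ts)  # the message is logged twice; the set collapses it
    return {ip: sorted(ts) for ip, ts in seen.items()}

def ips_to_block(lines, year, threshold=2, window=timedelta(hours=24), allow=()):
    """Return IPs with at least `threshold` probes inside any `window`."""
    allowed = {ipaddress.ip_address(a) for a in allow}
    return sorted(
        str(ip) for ip, t in probe_times(lines, year).items()
        if ip not in allowed and any(
            t[i + threshold - 1] - t[i] <= window
            for i in range(len(t) - threshold + 1))
    )
```

The returned list is what you would feed into your firewall tooling; put your own admin and InSim addresses in `allow` so a stray log line cannot lock you out.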
Another attempt at our servers:

Aug 30 18:38:39 Accept : 185.141.60.223
Aug 30 18:38:39 Received 47 : 185.141.60.223
Aug 30 18:38:39 Unknown protocol : 185.141.60.223
Aug 30 18:38:39 Unknown protocol : 185.141.60.223

Reported the IP address on abuseIPDB.

https://www.abuseipdb.com/check/185.141.60.223
Any idea what this can be?

Sep 09 18:17:19 Found guest for packet with unknown ephemeral port
That is no problem and it is normal that message may come up sometimes.

More info for interest:

Sometimes a guest's ephemeral port for the UDP packets can change.

This port, originally assigned by the operating system, is normally used by LFS as part of the identification of which guest a UDP position packet comes from. But the port is ephemeral and the operating system (or is it the router - not going to think too hard about this) can change it at any time. If it does change, then LFS does a more thorough check to figure out which guest the packet came from and stores the new ephemeral port.