Le Mans Virtual 24 hours was an EMBARRASSMENT for simracing

[Ole Marius Myrvold]

“After an initial investigation, it seems that some race competitors accidentally shared to the public the IP addresses connecting them to the server, which is not supposed to happen.”

Every entrant, driver or team, who was competing in the virtual motorsport event was able to live stream their own perspectives, alongside the main TV, OTT and YouTube broadcast.

It is believed that the information was shared unwittingly, before being capped and shared around Discord servers and social media platforms.

“This put us in a weakened position, and we were subjected to some security breaches which caused the global disconnection of all competitors, “ continued Neveu.

“It should never happen if the IP addresses are well protected.”

Which is fine, if it hadn't been for the fact that all IP adresses of all non-LAN rF2 servers are openly shared on a webpage, even with a "CLICK HERE" join button. Very very easy to write a script to mess up things.

 

[Shovas]

It's frustrating they were relying on hundreds of people to keep IP addresses "secret"

They'll learn for next year: Security through obscurity is a recipe for disaster

In IT there are solutions for all of that

 

[Hal Burns]

e-sports "yawn"

 

[Owen Pyrah]

This was echoed by Executive Producer of the 24 Hours of Le Mans Virtual Gérard Neveu:

“We have asked the rFactor2 platform to launch a full investigation to find out where these problems are coming from and of course, we will look at our processes and guidelines to try and reduce the chance of similar issues taking place in 2024,”

Hopefully this gets patched up for next time then. It shouldn't be possible for attackers to get in by unwittingly seeing IP addresses in a stream. Or at least the fact many drivers are streaming their POV while joining the event should be considered as a possibility and mitigated against. With sim racing in general - and particularly these events - you have to assume that anything a driver is seeing can and probably will be broadcast.

There's been some spam on reddit saying it's all a hoax to save the share price and that the attacks were a lie. Which just baffles anyone who's actually raced rF2 and never seen these server issues. The fact it all happened during this event is really fishy. Whether the attack was malicious or just accidental from thousands of people trying to join to spectate, I'm sure it's fixable. After all, ACC and iRacing no longer have server issues like this so it can be done.

 

[Ruttman98]

I am in hopes that Rennsport or AC2 can pick up on that estafette

I learned a new word!

estafette (plural estafettes)

1. (obsolete) A dispatch rider, especially military; a mounted courier.

And a French vehicle model to boot!:

 

[Dzul]

And a French vehicle model to boot!:

View attachment 632053

Couldn't find a mod of it on RD though

 

[Owen Pyrah]

Couldn't find a mod of it on RD though

Be the change you want to see in the world. Make one!

 

[abecede]

“After an initial investigation, it seems that some race competitors accidentally shared to the public the IP addresses connecting them to the server, which is not supposed to happen.”

Every entrant, driver or team, who was competing in the virtual motorsport event was able to live stream their own perspectives, alongside the main TV, OTT and YouTube broadcast.

It is believed that the information was shared unwittingly, before being capped and shared around Discord servers and social media platforms.

“This put us in a weakened position, and we were subjected to some security breaches which caused the global disconnection of all competitors, “ continued Neveu.

“It should never happen if the IP addresses are well protected.”

If I can trust this screenshot, then the Le Mans server was visible in the publicly available Steam Server list!

(taken from a recent r/simracing thread on Reddit)
So nobody is at fault except the organizers who made the server public and therefore easily accessible by anyone using Steam. I even doubt that there was an organized DDOS attack, but simply lots of people trying to connect to the server using the normal Steam interface.

 

[Owen Pyrah]

If I can trust this screenshot, then the Le Mans server was visible in the publicly available Steam Server list!
View attachment 632101
(taken from a recent r/simracing thread on Reddit)
So nobody is at fault except the organizers who made the server public and therefore easily accessible by anyone using Steam. I even doubt that there was an organized DDOS attack, but simply lots of people trying to connect to the server using the normal Steam interface.

Yeah absolutely. Someone did say that the first server wasn't on that list and that this is the second one they knocked up in a hurry. But the security still shouldn't rely on the public IP being kept secret.

 

[smasha]

Star Citizen says hi come take a seat.

Making cars and tracks faster than the Road Runner but when fixing important parts,a snail is faster.

 

[earthling]

Another nail in the coffin for MotorSports Games as the number 1 driver in the world quits in disgust and even plans on uninstalling rF2 from his PC.

Nah, i think this is a lesson for MoterSports Games and hopefully one they learn from!

What Max said is completely legit, it is not just a game, it is a championship and per car €2.500 is paid to MotorSport Games.

Though we have seen fantastic racing during this championship and during the virtual 24 hours of Le mans, it is abnormal that glitches can deside the outcome of the championship and race win.

If it was just for fun, than yes.. but this is not just for fun, it is a championship in which participating teams pay quite a sum of money in order to compete.
I'm sure something is being done about this, the positive is that the racing is topnotch during this championship.

 

[Ole Marius Myrvold]

If I can trust this screenshot, then the Le Mans server was visible in the publicly available Steam Server list!
View attachment 632101
(taken from a recent r/simracing thread on Reddit)
So nobody is at fault except the organizers who made the server public and therefore easily accessible by anyone using Steam. I even doubt that there was an organized DDOS attack, but simply lots of people trying to connect to the server using the normal Steam interface.

I mean. Unless you are running it as LAN, it will show up in the Steam server-list. More than that, it will show up on the website that are gathering the rF2 server information and putting a "CLICK HERE" to join link for every single server.

Two ways to avoid it. LAN or distributing an own rF2 version for such events, hidden on Steam, only available for the competitors and broadcast.

Also, it doesn't make sense that it will be going down due to people trying to connect - you need a password - and as long as you don't give the correct password, it won't try to connect you to the server.

EDIT: Might be a similar setting to rF1 in some ini-file in terms of matchmaking service that can bypass the normal one when I think of it.