IPB

Welcome Guest ( Log In | Register )

> Rules / Regeln

- no copy 'n paste, only your own words (quoting is possible)
- please write in English which sounds sense (orthography should be recognizable)
- no rumours, no clan-news (except larger events)
- always with list of reference/originator
- please create compact news, 4-10 lines, colors, bold and cursive fontype is allowed

(*) We decide finally which news will be published or not. Not published news remains here only if it is acceptable.
- kein Copy&Paste, nur eigene Worte (Zitat möglich)
- bitte vernünftiges Deutsch mit erkennbarer Rechtschreibung ;)
- keine Gerüchte, keine Clannews (ausgenommen größere Veranstaltungen)
- immer mit Quellen- oder Urheberangabe
- bitte kompakte News, 4-10 Zeilen, Farbe, fett, kursiv möglich

(*) Wir entscheiden letztlich, welche News veröffentlicht wird und welche nicht. Nicht veröffentlichte News bleiben hier in diesem Forum bestehen, es sei denn sie sind für uns inakzeptabel.
- pas de copier coller, vos propres mots (citations possible)
- lisible et sans fautes ;)
- pas de "on dit", pa de news des clans (sauf les grandes manifs)
- toujours citer les sources
- essaies de faire compact, 4 - 10 lignes, couleur, gras possible

(*) On decide a la fin, laquelle des news va etre publie und laquelle non. News non publies restent dans ce forum, sauf si elle est inacceptable!
> POTENTIONAL FIX: etded.x86 getstatus exploit
Guest_Dutchman_*
post Jan 6 2011, 11:16 AM
Post #1




Guests






Hi,

since a few months there is a exploit floating around abusing the getstatus requests to launch dos attacks against random targets and as a side effect creating massive lags on clients and the server.
Cause of this Yada from Staatsschutz.org made a patch for linux wich reduces the effectivity of this exploit.

QUOTE
etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011
------

This patch will ratelimit etded.x86 2.60b getstatus requests to 1 per IP every
4 seconds. This approach is not ideal as the real fix would be to change the
protocol to require some kind of handshake but this would break compatibility
with existing clients so its not really practical. The worst part is that the
patch is (in theory) vulnerable to a dos where legitimate clients could be
denied access to the getstatus command but i feel this is less of a headache
than kiddies using the server to flood random targets and thereby lagging the
server and pushing bandwith usage through the roof (master server is excluded
from ratelimit so no need to worry about it being denied using spoofed
packets).


Download the file right here.

A readme.txt, the sourcecode and a small howto are included.

Your free to distribute this file.

This post has been edited by Dutchman: Jan 6 2011, 11:33 AM
Go to the top of the page
 
+Quote Post
4 Pages V   1 2 3 > »   
Start new topic
Replies (1 - 14)
Ligustah
post Feb 10 2011, 10:46 PM
Post #2


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191



For those running a dedicated server:

i hacked together some tiny script that watches network traffic and uses iptables to ban offending IPs,
thereby stopping the incredible lags and saving bandwidth. It's based on PCAP.

Requires pcapy and Impacket from over here: http://oss.coresecurity.com/

QUELLTEXT
#!/usr/bin/python
# Slightly modified version of this
# script:
# http://oss.coresecurity.com/impacket/sniff.py


import sys
import os
import string
from threading import Thread
import time

import pcapy
from pcapy import findalldevs, open_live
import impacket
from impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder

class Watcher(Thread):
    def __init__(self, pcapObj):
        # Query the type of the link and instantiate a decoder accordingly.
        datalink = pcapObj.datalink()
        if pcapy.DLT_EN10MB == datalink:
            self.decoder = EthDecoder()
        elif pcapy.DLT_LINUX_SLL == datalink:
            self.decoder = LinuxSLLDecoder()
        else:
            raise Exception("Datalink type not supported: " % datalink)

        self.pcap = pcapObj
        self.tab = {}
        self.lastCheck = time.time()
        Thread.__init__(self)

    def run(self):
        self.pcap.loop(0, self.packetHandler)

    def packetHandler(self, hdr, data):
        #packets are guaranteed to be UDP
        sll = self.decoder.decode(data)
        ip = sll.child()
        udp = ip.child()
        ip_addr = ip.get_ip_dst()
        
        if not self.tab.has_key(ip_addr):
            self.tab[ip_addr] = 0
        self.tab[ip_addr] = self.tab[ip_addr] + 1
        
        if time.time() - self.lastCheck >= 3:
            #uncomment the following line to see the number of packets
            #print self.tab
            self.checkLimits()
            self.lastCheck = time.time()
            self.tab = {}
            
    def checkLimits(self):
        for k in self.tab:
            v = self.tab[k]
            #change the number below to adjust the limit of packets
            if v > 1000:
                print "offending ip %s, packets: %i" % (k, v)
                os.system("iptables -A INPUT -s %s -j DROP" % k)

def main(filter):
    dev = 'any'

    p = open_live(dev, 100, 0, 100)
    p.setfilter(filter)

    print "Listening on %s: net=%s, mask=%s, linktype=%d" % (dev, p.getnet(), p.getmask(), p.datalink())

    #not calling start() here, because it doesn't work well
    Watcher(p).run()

# insert your ip there
filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF"

main(filter)


This basically watches the outgoing traffic and counts the packets sent.
If packets sent to a certain IP exceed a specified limit it will issue a ban using iptables.
You might have to tweak the limit to meet your requirements.

For me it checks every three seconds and bans when sending more than 1000 packets in that time.
(they are constantly sending about 2000 packets per second to my servers).

Oh, and it only counts connectionless packets (e.g. getstatus, rcon, getinfo, etc) so it won't trigger on game packets.
Go to the top of the page
 
+Quote Post
Sickboy
post Aug 25 2011, 07:50 AM
Post #3


Private

Group: Members

Joined: 5-March 08
Member No.: 68457



works nicely Ligustah, thank you ;)
Go to the top of the page
 
+Quote Post
$mart
post Aug 25 2011, 09:20 AM
Post #4


Group Icon Major

Group: Members

Joined: 19-September 07
From: South of France xDDDDD
Member No.: 59683



Hello, does anyone know a Windows version of this script please ?
My home server, with no human playing, has 900 kbps in upload stream !
Thx in advance


--------------------
Go to the top of the page
 
+Quote Post
Ligustah
post Aug 25 2011, 11:32 PM
Post #5


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191



Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago).
I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to
the Windows version of the server as well, though i'd rather doubt that.

This post has been edited by Ligustah: Aug 25 2011, 11:32 PM
Go to the top of the page
 
+Quote Post
ETc|Jay
post Aug 26 2011, 12:11 AM
Post #6


Group Icon Major General

Group: Members

Joined: 21-November 05
From: etclan.de:27960
Member No.: 18126



QUOTE ($mart @ Aug 25 2011, 10:20 AM) *
Hello, does anyone know a Windows version of this script please ?
My home server, with no human playing, has 900 kbps in upload stream !
Thx in advance


maybe install commview. there you see all traffic

here a pic:




--------------------



Go to the top of the page
 
+Quote Post
Guest_Dutchman_*
post Aug 26 2011, 08:25 AM
Post #7




Guests






QUOTE (Ligustah @ Aug 26 2011, 12:32 AM) *
Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago).
I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to
the Windows version of the server as well, though i'd rather doubt that.


Sorry, it's a Linux only patch.
Go to the top of the page
 
+Quote Post
$mart
post Aug 26 2011, 08:30 AM
Post #8


Group Icon Major

Group: Members

Joined: 19-September 07
From: South of France xDDDDD
Member No.: 59683



Thanks guys,
Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it ..
Thanks JAY your graphical tool will fit my needs, I'm gonna download it, but for the moment, Upstream is normal: 2 kbps (just my remote access RDP) when server is empty (... and often empty lol grrr... nobody wants to test chaos mod ??).

If I suspect any new spoofing, I will try to find IP and will update this post.

Good frags for all xD
V55

This post has been edited by $mart: Aug 26 2011, 08:36 AM


--------------------
Go to the top of the page
 
+Quote Post
Ligustah
post Aug 26 2011, 10:30 AM
Post #9


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191



As for the CommView program, i see two problems with that.
  1. price = 200€ at least
  2. no packet filter (as in dropping unwated traffic)


You can of course use that program to find out which IPs are being used on your server, but then you will have to manually ban them
(you can find out how to manually ban IPs with a quick Google search: http://lmgtfy.com/?q=how+to+block+an+ip+on+windows).

ZITAT($mart @ Aug 26 2011, 09:30 AM) *
Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it ..

The problem would not be getting the script to run on Windows (there are even pre-built binaries of the libraries used by the script i posted), but getting the IP banned. It does not seem to be very common to have automated firewalls on Windows systems. It seems to be possible via the netsh (net shell) provided by Windows. Something along the line:
QUELLTEXT
netsh advfirewall firewall add rule .......

Read up on the manual of that program, if you type the command above (without the dots of course) it will prints lots of useful information.
QUELLTEXT
os.system("iptables -A INPUT -s %s -j DROP" % k)


If you have found the command line that will do the trick for you simply replace it in the script i posted

ZITAT($mart @ Aug 26 2011, 09:30 AM) *
If I suspect any new spoofing, I will try to find IP and will update this post.

There is no point in posting IPs. You will only see the IPs of the victims getting DDoS'd, besides, at least on my machine I record about 30 to 50 different IPs per day (that is why i strongly advise looking into automated solutions).

Hope this helps.

This post has been edited by Ligustah: Aug 26 2011, 10:31 AM
Go to the top of the page
 
+Quote Post
Dookie7
post Aug 28 2011, 10:28 AM
Post #10


Group Icon Master Sergeant

Group: Members

Joined: 31-October 07
From: Croatia
Member No.: 61826



ty guys :P


--------------------
Go to the top of the page
 
+Quote Post
daredevil
post Aug 28 2011, 04:20 PM
Post #11


Group Icon Second Lieutenant

Group: Members

Joined: 10-November 08
From: US
Member No.: 78526



You can also try netlimiter. In windows 2008 R2 Enterprise, you can see all IP's connected to your server live. I think it's same for standard edition also.





it's 30$.

This post has been edited by daredevil: Aug 28 2011, 04:21 PM


--------------------
Fearless Assassins Multi Gaming Community running servers for W:ET, COD4, BF3, CS:S, TF2, Minecraft and Teamspeak

Go to the top of the page
 
+Quote Post
Sickboy
post Aug 29 2011, 12:33 AM
Post #12


Private

Group: Members

Joined: 5-March 08
Member No.: 68457



i've noticed on our server a few slower attacks packetting us just below our threshold. yesterday i reduced the threshold too low and legitimate game clients were dropped upon connecting. what i decided to do was run a second instance with a longer check time (10 mins) and higher packet #. seems to be working well along with the 3 sec script. wouldn't it be possible to write an iptables rule to only allow those packets from specific ips? ie legitimate trackers: et master server, trackbase, splatterladder, etc? the downside being that game clients couldn't do a /serverstatus, but i think its a small price to pay until theres a permanent solution.
Go to the top of the page
 
+Quote Post
Ligustah
post Aug 29 2011, 09:35 AM
Post #13


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191



It is certainly possible to make iptable rules that work like the script i posted. I actually experimented with that for quite a while,
though i can't remember why i went for the script in the end.

Blocking getstatus alltogether might not be a good idea. Game trackers are not the only ones who send getstatus requests.
Programs like XFire, HLSW or RCON Unlimited all rely on getstatus and will probably show the server offline if you block them.
You might however apply the script i posted above only to getstatus packets. At the moment it will count all connectionless packets (getinfo, rcon, getchallenge, etc).

QUELLTEXT
filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF"


The last part of the filter checks the next 4 bytes at offset 8. You can change that to check for a longer byte sequence so as to catch getstatus only. I never bothered doing that.


I have been using a limit of 300 packets for quite a while now and it seems to work out very smoothly, haven't heard of legit clients getting dropped or being unable to connect. You will however have to adapt that limit depending on the number of game servers you run on your machine.

This post has been edited by Ligustah: Aug 29 2011, 09:36 AM
Go to the top of the page
 
+Quote Post
Old-Owl
post Aug 30 2011, 10:49 PM
Post #14


Group Icon Sergeant

Group: Members

Joined: 6-August 05
From: Italy
Member No.: 12451



Thanks Ligustah for you nice script that seems very fast and efficient.
I tried it since I like the idea of real time bans and after some inconvenient attepts,
(script banned the server from itself due to another script that use a connector)
I changed this part to avoid it:

CODE
            if k == "ServerIPhere":
                        print "own IP not banned %s, packets %i" % (k, v)
            elif v > 150:
                        print "offending ip %s, packets: %i" % (k, v)
                        os.system("iptables -A INPUT -s %s -j DROP" % k)


Now I run it in a screen session, I like it, but I would log in a text file the banned IP's and the packets they produce.
The main reason is to debug why the script from time to time ban one of my admins that run two clients and HLSW
in the same time. If I can understand the threshold I have to set then I can sleep good. :)

Last thing is that I don't understand the "filter" how it have to be set to catch the 'getstatus' requests, or maybe
I don't have to modify that line except put there the server IP address .

Thanks for your support.
Owl
Go to the top of the page
 
+Quote Post
Ligustah
post Aug 30 2011, 11:45 PM
Post #15


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191



I am actually using a simple wrapper about my iptables, which will log the ip and number of packets.
http://85.214.159.249/banip.txt

Just save that file somewhere on your machine and make it executable.

QUELLTEXT
os.system("banip %s automatically banned, %i packets" % (k, v))

That's how i call it from my script.

To change the filter line, you need to get a HEX representation of getstatus and add that to the number in the filter line, also increase the length that is checked.
Go to the top of the page
 
+Quote Post

4 Pages V   1 2 3 > » 
Reply to this topicStart new topic
2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)
0 Members:

 



RSS Lo-Fi Version Time is now: 15th November 2024 - 07:47 PM