sl.Home | sl.Search | sl.Forum | sl.Settings | sl.Serverlist | sl.Maplist | sl.Team | sl.Wiki |
- no copy 'n paste, only your own words (quoting is possible) - please write in English which sounds sense (orthography should be recognizable) - no rumours, no clan-news (except larger events) - always with list of reference/originator - please create compact news, 4-10 lines, colors, bold and cursive fontype is allowed (*) We decide finally which news will be published or not. Not published news remains here only if it is acceptable. |
- kein Copy&Paste, nur eigene Worte (Zitat möglich) - bitte vernünftiges Deutsch mit erkennbarer Rechtschreibung ;) - keine Gerüchte, keine Clannews (ausgenommen größere Veranstaltungen) - immer mit Quellen- oder Urheberangabe - bitte kompakte News, 4-10 Zeilen, Farbe, fett, kursiv möglich (*) Wir entscheiden letztlich, welche News veröffentlicht wird und welche nicht. Nicht veröffentlichte News bleiben hier in diesem Forum bestehen, es sei denn sie sind für uns inakzeptabel. |
- pas de copier coller, vos propres mots (citations possible) - lisible et sans fautes ;) - pas de "on dit", pa de news des clans (sauf les grandes manifs) - toujours citer les sources - essaies de faire compact, 4 - 10 lignes, couleur, gras possible (*) On decide a la fin, laquelle des news va etre publie und laquelle non. News non publies restent dans ce forum, sauf si elle est inacceptable! |
POTENTIONAL FIX: etded.x86 getstatus exploit |
Guest_Dutchman_* |
Jan 6 2011, 11:16 AM
Post
#1
|
Guests |
Hi,
since a few months there is a exploit floating around abusing the getstatus requests to launch dos attacks against random targets and as a side effect creating massive lags on clients and the server. Cause of this Yada from Staatsschutz.org made a patch for linux wich reduces the effectivity of this exploit. QUOTE etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011 ------ This patch will ratelimit etded.x86 2.60b getstatus requests to 1 per IP every 4 seconds. This approach is not ideal as the real fix would be to change the protocol to require some kind of handshake but this would break compatibility with existing clients so its not really practical. The worst part is that the patch is (in theory) vulnerable to a dos where legitimate clients could be denied access to the getstatus command but i feel this is less of a headache than kiddies using the server to flood random targets and thereby lagging the server and pushing bandwith usage through the roof (master server is excluded from ratelimit so no need to worry about it being denied using spoofed packets). Download the file right here. A readme.txt, the sourcecode and a small howto are included. Your free to distribute this file. This post has been edited by Dutchman: Jan 6 2011, 11:33 AM |
|
|
Feb 10 2011, 10:46 PM
Post
#2
|
|
Corporal Group: Members Joined: 25-December 09 Member No.: 89191 |
For those running a dedicated server:
i hacked together some tiny script that watches network traffic and uses iptables to ban offending IPs, thereby stopping the incredible lags and saving bandwidth. It's based on PCAP. Requires pcapy and Impacket from over here: http://oss.coresecurity.com/ QUELLTEXT #!/usr/bin/python # Slightly modified version of this # script: # http://oss.coresecurity.com/impacket/sniff.py import sys import os import string from threading import Thread import time import pcapy from pcapy import findalldevs, open_live import impacket from impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder class Watcher(Thread): def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.tab = {} self.lastCheck = time.time() Thread.__init__(self) def run(self): self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): #packets are guaranteed to be UDP sll = self.decoder.decode(data) ip = sll.child() udp = ip.child() ip_addr = ip.get_ip_dst() if not self.tab.has_key(ip_addr): self.tab[ip_addr] = 0 self.tab[ip_addr] = self.tab[ip_addr] + 1 if time.time() - self.lastCheck >= 3: #uncomment the following line to see the number of packets #print self.tab self.checkLimits() self.lastCheck = time.time() self.tab = {} def checkLimits(self): for k in self.tab: v = self.tab[k] #change the number below to adjust the limit of packets if v > 1000: print "offending ip %s, packets: %i" % (k, v) os.system("iptables -A INPUT -s %s -j DROP" % k) def main(filter): dev = 'any' p = open_live(dev, 100, 0, 100) p.setfilter(filter) print "Listening on %s: net=%s, mask=%s, linktype=%d" % (dev, p.getnet(), p.getmask(), p.datalink()) #not calling start() here, because it doesn't work well Watcher(p).run() # insert your ip there filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF" main(filter) This basically watches the outgoing traffic and counts the packets sent. If packets sent to a certain IP exceed a specified limit it will issue a ban using iptables. You might have to tweak the limit to meet your requirements. For me it checks every three seconds and bans when sending more than 1000 packets in that time. (they are constantly sending about 2000 packets per second to my servers). Oh, and it only counts connectionless packets (e.g. getstatus, rcon, getinfo, etc) so it won't trigger on game packets. |
|
|
Aug 25 2011, 07:50 AM
Post
#3
|
|
Private Group: Members Joined: 5-March 08 Member No.: 68457 |
works nicely Ligustah, thank you ;)
|
|
|
Aug 25 2011, 09:20 AM
Post
#4
|
|
Major Group: Members Joined: 19-September 07 From: South of France xDDDDD Member No.: 59683 |
Hello, does anyone know a Windows version of this script please ?
My home server, with no human playing, has 900 kbps in upload stream ! Thx in advance -------------------- |
|
|
Aug 25 2011, 11:32 PM
Post
#5
|
|
Corporal Group: Members Joined: 25-December 09 Member No.: 89191 |
Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago).
I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to the Windows version of the server as well, though i'd rather doubt that. This post has been edited by Ligustah: Aug 25 2011, 11:32 PM |
|
|
Aug 26 2011, 12:11 AM
Post
#6
|
|
Major General Group: Members Joined: 21-November 05 From: etclan.de:27960 Member No.: 18126 |
Hello, does anyone know a Windows version of this script please ? My home server, with no human playing, has 900 kbps in upload stream ! Thx in advance maybe install commview. there you see all traffic here a pic: -------------------- |
|
|
Guest_Dutchman_* |
Aug 26 2011, 08:25 AM
Post
#7
|
Guests |
Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago). I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to the Windows version of the server as well, though i'd rather doubt that. Sorry, it's a Linux only patch. |
|
|
Aug 26 2011, 08:30 AM
Post
#8
|
|
Major Group: Members Joined: 19-September 07 From: South of France xDDDDD Member No.: 59683 |
Thanks guys,
Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it .. Thanks JAY your graphical tool will fit my needs, I'm gonna download it, but for the moment, Upstream is normal: 2 kbps (just my remote access RDP) when server is empty (... and often empty lol grrr... nobody wants to test chaos mod ??). If I suspect any new spoofing, I will try to find IP and will update this post. Good frags for all xD V55 This post has been edited by $mart: Aug 26 2011, 08:36 AM -------------------- |
|
|
Aug 26 2011, 10:30 AM
Post
#9
|
|
Corporal Group: Members Joined: 25-December 09 Member No.: 89191 |
As for the CommView program, i see two problems with that.
You can of course use that program to find out which IPs are being used on your server, but then you will have to manually ban them (you can find out how to manually ban IPs with a quick Google search: http://lmgtfy.com/?q=how+to+block+an+ip+on+windows). Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it .. The problem would not be getting the script to run on Windows (there are even pre-built binaries of the libraries used by the script i posted), but getting the IP banned. It does not seem to be very common to have automated firewalls on Windows systems. It seems to be possible via the netsh (net shell) provided by Windows. Something along the line: QUELLTEXT netsh advfirewall firewall add rule ....... Read up on the manual of that program, if you type the command above (without the dots of course) it will prints lots of useful information. QUELLTEXT os.system("iptables -A INPUT -s %s -j DROP" % k) If you have found the command line that will do the trick for you simply replace it in the script i posted If I suspect any new spoofing, I will try to find IP and will update this post. There is no point in posting IPs. You will only see the IPs of the victims getting DDoS'd, besides, at least on my machine I record about 30 to 50 different IPs per day (that is why i strongly advise looking into automated solutions). Hope this helps. This post has been edited by Ligustah: Aug 26 2011, 10:31 AM |
|
|
Aug 28 2011, 10:28 AM
Post
#10
|
|
Master Sergeant Group: Members Joined: 31-October 07 From: Croatia Member No.: 61826 |
ty guys :P
-------------------- |
|
|
Aug 28 2011, 04:20 PM
Post
#11
|
|
Second Lieutenant Group: Members Joined: 10-November 08 From: US Member No.: 78526 |
You can also try netlimiter. In windows 2008 R2 Enterprise, you can see all IP's connected to your server live. I think it's same for standard edition also.
it's 30$. This post has been edited by daredevil: Aug 28 2011, 04:21 PM -------------------- |
|
|
Aug 29 2011, 12:33 AM
Post
#12
|
|
Private Group: Members Joined: 5-March 08 Member No.: 68457 |
i've noticed on our server a few slower attacks packetting us just below our threshold. yesterday i reduced the threshold too low and legitimate game clients were dropped upon connecting. what i decided to do was run a second instance with a longer check time (10 mins) and higher packet #. seems to be working well along with the 3 sec script. wouldn't it be possible to write an iptables rule to only allow those packets from specific ips? ie legitimate trackers: et master server, trackbase, splatterladder, etc? the downside being that game clients couldn't do a /serverstatus, but i think its a small price to pay until theres a permanent solution.
|
|
|
Aug 29 2011, 09:35 AM
Post
#13
|
|
Corporal Group: Members Joined: 25-December 09 Member No.: 89191 |
It is certainly possible to make iptable rules that work like the script i posted. I actually experimented with that for quite a while,
though i can't remember why i went for the script in the end. Blocking getstatus alltogether might not be a good idea. Game trackers are not the only ones who send getstatus requests. Programs like XFire, HLSW or RCON Unlimited all rely on getstatus and will probably show the server offline if you block them. You might however apply the script i posted above only to getstatus packets. At the moment it will count all connectionless packets (getinfo, rcon, getchallenge, etc). QUELLTEXT filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF" The last part of the filter checks the next 4 bytes at offset 8. You can change that to check for a longer byte sequence so as to catch getstatus only. I never bothered doing that. I have been using a limit of 300 packets for quite a while now and it seems to work out very smoothly, haven't heard of legit clients getting dropped or being unable to connect. You will however have to adapt that limit depending on the number of game servers you run on your machine. This post has been edited by Ligustah: Aug 29 2011, 09:36 AM |
|
|
Aug 30 2011, 10:49 PM
Post
#14
|
|
Sergeant Group: Members Joined: 6-August 05 From: Italy Member No.: 12451 |
Thanks Ligustah for you nice script that seems very fast and efficient.
I tried it since I like the idea of real time bans and after some inconvenient attepts, (script banned the server from itself due to another script that use a connector) I changed this part to avoid it: CODE if k == "ServerIPhere": print "own IP not banned %s, packets %i" % (k, v) elif v > 150: print "offending ip %s, packets: %i" % (k, v) os.system("iptables -A INPUT -s %s -j DROP" % k) Now I run it in a screen session, I like it, but I would log in a text file the banned IP's and the packets they produce. The main reason is to debug why the script from time to time ban one of my admins that run two clients and HLSW in the same time. If I can understand the threshold I have to set then I can sleep good. :) Last thing is that I don't understand the "filter" how it have to be set to catch the 'getstatus' requests, or maybe I don't have to modify that line except put there the server IP address . Thanks for your support. Owl |
|
|
Aug 30 2011, 11:45 PM
Post
#15
|
|
Corporal Group: Members Joined: 25-December 09 Member No.: 89191 |
I am actually using a simple wrapper about my iptables, which will log the ip and number of packets.
http://85.214.159.249/banip.txt Just save that file somewhere on your machine and make it executable. QUELLTEXT os.system("banip %s automatically banned, %i packets" % (k, v)) That's how i call it from my script. To change the filter line, you need to get a HEX representation of getstatus and add that to the number in the filter line, also increase the length that is checked. |
|
|
Lo-Fi Version | Time is now: 15th November 2024 - 07:47 PM |