News submission rules:

- please write readable English (spelling should be recognizable)
- no rumours, no clan news (except larger events)
- always cite the source or originator
- please keep news compact, 4-10 lines; colours, bold and italic type are allowed

(*) We make the final decision on which news is published and which is not. Unpublished news remains in this forum unless it is unacceptable to us.
Post #1 by Guest_Dutchman_* (Guests)
Hi,

For a few months there has been an exploit floating around that abuses getstatus requests to launch DoS attacks against random targets and, as a side effect, creates massive lag on clients and the server. Because of this, Yada from Staatsschutz.org made a patch for Linux which reduces the effectiveness of this exploit.

> etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011
> ------
> This patch will rate-limit etded.x86 2.60b getstatus requests to 1 per IP every 4 seconds. This approach is not ideal, as the real fix would be to change the protocol to require some kind of handshake, but this would break compatibility with existing clients, so it's not really practical. The worst part is that the patch is (in theory) vulnerable to a DoS where legitimate clients could be denied access to the getstatus command, but I feel this is less of a headache than kiddies using the server to flood random targets and thereby lagging the server and pushing bandwidth usage through the roof (the master server is excluded from the rate limit, so no need to worry about it being denied using spoofed packets).

Download the file right here. A readme.txt, the source code and a small howto are included. You're free to distribute this file.

This post has been edited by Dutchman: Jan 6 2011, 11:33 AM
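The policy the readme above describes (one answered getstatus per source IP every 4 seconds, master server exempt), written out as an added Python model; this is not the etfix_getstatus patch itself, which changes the etded binary. The master server address (192.0.2.1) and the packet stream fed in at the bottom are constructed placeholders using RFC 5737 documentation addresses. Besides the rate limit, the model shows the caveat from the readme: once a spoofed query has used up an address's slot, a genuine query from that address inside the same window is refused.

```python
from collections import OrderedDict

# Quake 3 / ET connectionless packets start with four 0xFF bytes; a status
# query is the ASCII command "getstatus" immediately after that marker.
CONNECTIONLESS_MARKER = b"\xff\xff\xff\xff"
WINDOW_SECONDS = 4.0  # readme: one getstatus per IP every 4 seconds

# Constructed placeholder for the master server's address (not the real one).
MASTER_SERVER_IP = "192.0.2.1"


def is_getstatus(payload):
    """True if a UDP payload is a connectionless getstatus request."""
    return payload.startswith(CONNECTIONLESS_MARKER + b"getstatus")


class GetstatusLimiter:
    """Fixed-window limiter: answer at most one getstatus per source IP per window.

    Exempt addresses (the master server) are always answered, so spoofed
    packets carrying the master's address cannot lock it out.
    """

    def __init__(self, window=WINDOW_SECONDS, exempt=(MASTER_SERVER_IP,), max_entries=4096):
        self.window = window
        self.exempt = frozenset(exempt)
        self.max_entries = max_entries
        self.last_answered = OrderedDict()  # src_ip -> time of last answered query

    def allow(self, src_ip, now):
        """Return True if a getstatus from src_ip arriving at `now` may be answered."""
        if src_ip in self.exempt:
            return True
        last = self.last_answered.get(src_ip)
        if last is not None and now - last < self.window:
            return False  # slot already used this window (spoofed or genuine)
        self.last_answered[src_ip] = now
        self.last_answered.move_to_end(src_ip)
        self._prune(now)
        return True

    def _prune(self, now):
        # Drop entries older than one window and cap the table size, so a flood
        # of distinct spoofed source addresses cannot grow memory without bound.
        while self.last_answered:
            ip, ts = next(iter(self.last_answered.items()))
            if now - ts >= self.window or len(self.last_answered) > self.max_entries:
                self.last_answered.popitem(last=False)
            else:
                break


def process(packets, limiter=None):
    """Run a stream of (time, src_ip, payload) records through the limiter.

    Returns {src_ip: {"answered": n, "dropped": n}} for getstatus packets;
    anything that is not a getstatus is passed through and not counted.
    """
    limiter = limiter or GetstatusLimiter()
    stats = {}
    for ts, src_ip, payload in packets:
        if not is_getstatus(payload):
            continue
        entry = stats.setdefault(src_ip, {"answered": 0, "dropped": 0})
        if limiter.allow(src_ip, ts):
            entry["answered"] += 1
        else:
            entry["dropped"] += 1
    return stats


# Constructed sample traffic (RFC 5737 addresses):
#  - 203.0.113.5: a legitimate server browser refreshing every 5 s
#  - 198.51.100.7: 200 queries within one second carrying that (spoofed) source
#  - the master server polling once a second
SAMPLE = (
    [(t * 5.0, "203.0.113.5", b"\xff\xff\xff\xffgetstatus") for t in range(3)]
    + [(i * 0.005, "198.51.100.7", b"\xff\xff\xff\xffgetstatus") for i in range(200)]
    + [(float(t), MASTER_SERVER_IP, b"\xff\xff\xff\xffgetstatus") for t in range(10)]
    + [(1.0, "203.0.113.5", b"\xff\xff\xff\xffgetinfo")]  # not a getstatus; ignored
)
SAMPLE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    for ip, counts in process(SAMPLE).items():
        print(ip, counts)
```

Running it shows the asymmetry the readme relies on: the 200 spoofed queries get a single reply, while the browser that refreshes every 5 seconds and the master server are never refused. The `_prune` step is an addition beyond the readme's description; a per-IP table that is never trimmed would itself be a memory-exhaustion target under spoofed sources.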
Post #2 (Group: Members, Joined: 25-December 09, Member No.: 89191)
For those running a dedicated server:

I hacked together a tiny script that watches network traffic and uses iptables to ban offending IPs, thereby stopping the incredible lag and saving bandwidth. It's based on PCAP. Requires pcapy and Impacket from over here: http://oss.coresecurity.com/

```python
#!/usr/bin/env python
# Slightly modified version of this script:
# http://oss.coresecurity.com/impacket/sniff.py
import os
import time
from threading import Thread

import pcapy
from pcapy import open_live
from impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder


class Watcher(Thread):
    def __init__(self, pcapObj):
        # Query the type of the link and instantiate a decoder accordingly.
        datalink = pcapObj.datalink()
        if pcapy.DLT_EN10MB == datalink:
            self.decoder = EthDecoder()
        elif pcapy.DLT_LINUX_SLL == datalink:
            self.decoder = LinuxSLLDecoder()
        else:
            raise Exception("Datalink type not supported: %s" % datalink)
        self.pcap = pcapObj
        self.tab = {}  # destination IP -> packets sent to it in the current window
        self.lastCheck = time.time()
        Thread.__init__(self)

    def run(self):
        self.pcap.loop(0, self.packetHandler)

    def packetHandler(self, hdr, data):
        # packets are guaranteed to be UDP (see the filter below)
        sll = self.decoder.decode(data)
        ip = sll.child()
        ip_addr = ip.get_ip_dst()
        if ip_addr not in self.tab:
            self.tab[ip_addr] = 0
        self.tab[ip_addr] = self.tab[ip_addr] + 1
        if time.time() - self.lastCheck >= 3:
            # uncomment the following line to see the number of packets
            # print(self.tab)
            self.checkLimits()
            self.lastCheck = time.time()
            self.tab = {}

    def checkLimits(self):
        for k in self.tab:
            v = self.tab[k]
            # change the number below to adjust the limit of packets
            if v > 1000:
                print("offending ip %s, packets: %i" % (k, v))
                os.system("iptables -A INPUT -s %s -j DROP" % k)


def main(filter):
    dev = 'any'
    p = open_live(dev, 100, 0, 100)
    p.setfilter(filter)
    print("Listening on %s: net=%s, mask=%s, linktype=%d"
          % (dev, p.getnet(), p.getmask(), p.datalink()))
    # not calling start() here, because it doesn't work well
    Watcher(p).run()


# insert your server's IP here; only outgoing UDP whose payload starts
# with 0xFFFFFFFF (connectionless packets) is captured
filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF"
main(filter)
```

This basically watches the outgoing traffic and counts the packets sent. If packets sent to a certain IP exceed a specified limit, it will issue a ban using iptables. You might have to tweak the limit to meet your requirements. For me it checks every three seconds and bans when sending more than 1000 packets in that time (they are constantly sending about 2000 packets per second to my servers). Oh, and it only counts connectionless packets (e.g. getstatus, rcon, getinfo, etc.), so it won't trigger on game packets.
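The counting and banning logic of the script above, separated from the capture so it can be run against recorded packets, as an added example that is not Ligustah's code. It keeps the same policy (fixed 3-second windows, more than 1000 connectionless replies to one destination triggers a DROP rule for that address as source) but checks the 0xFFFFFFFF marker in Python rather than in the BPF filter, remembers addresses already flagged so the rule is not appended twice, and builds the iptables command as an argument list for `subprocess` instead of a shell string. The replayed capture at the bottom is constructed from RFC 5737 addresses; by default nothing is executed (`dry_run=True`).

```python
import subprocess
from collections import Counter

CONNECTIONLESS_MARKER = b"\xff\xff\xff\xff"


class EgressFloodDetector:
    """Count connectionless UDP replies per destination in fixed windows.

    A destination that receives more than `limit` replies inside one
    `interval`-second window is flagged once; flagged addresses are
    remembered so the same rule is not emitted on every later window.
    """

    def __init__(self, interval=3.0, limit=1000):
        self.interval = interval
        self.limit = limit
        self.counts = Counter()
        self.window_start = None
        self.flagged = set()

    def observe(self, ts, dst_ip, payload):
        """Feed one outgoing UDP packet (timestamp, destination IP, payload).

        Returns the list of destinations newly flagged when a window closes
        (empty most of the time).
        """
        if not payload.startswith(CONNECTIONLESS_MARKER):
            return []  # game traffic: not counted
        if self.window_start is None:
            self.window_start = ts
        newly_flagged = []
        if ts - self.window_start >= self.interval:
            newly_flagged = self.close_window()
            self.window_start = ts
        self.counts[dst_ip] += 1
        return newly_flagged

    def close_window(self):
        """Evaluate the current window, reset the counters, return newly flagged IPs."""
        over = sorted(
            ip for ip, n in self.counts.items()
            if n > self.limit and ip not in self.flagged
        )
        self.flagged.update(over)
        self.counts = Counter()
        return over


def ban_command(ip):
    """Argument list for the same rule the script above runs via os.system.

    Passing a list to subprocess never involves a shell, so nothing decoded
    from a packet can be interpreted as shell syntax.
    """
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


def apply_bans(ips, dry_run=True):
    """Print (or, with dry_run=False, execute) one DROP rule per flagged IP."""
    commands = [ban_command(ip) for ip in ips]
    for cmd in commands:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return commands


def replay(packets, detector=None, dry_run=True):
    """Replay (ts, dst_ip, payload) records; returns the flagged IPs in order."""
    detector = detector or EgressFloodDetector()
    flagged = []
    for ts, dst_ip, payload in packets:
        hits = detector.observe(ts, dst_ip, payload)
        if hits:
            apply_bans(hits, dry_run=dry_run)
            flagged.extend(hits)
    return flagged


# Constructed sample capture (RFC 5737 addresses): 1500 statusResponse
# replies to one address within two seconds, twenty to another, 300 game
# packets (no marker) that must not count, and one late packet that closes
# the window.
SAMPLE = (
    [(i * 0.001, "203.0.113.9", b"\xff\xff\xff\xffstatusResponse\n") for i in range(1500)]
    + [(i * 0.1, "203.0.113.10", b"\xff\xff\xff\xffstatusResponse\n") for i in range(20)]
    + [(i * 0.01, "203.0.113.10", b"\x00\x01game-data") for i in range(300)]
    + [(3.5, "203.0.113.11", b"\xff\xff\xff\xffinfoResponse\n")]
)
SAMPLE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    print("flagged:", replay(SAMPLE))
```

Two details carry over from the original design and are worth knowing when tuning the limit: a window is only evaluated when the next marker packet arrives after the interval has elapsed, so a flood that stops abruptly is judged on the next burst rather than on a timer; and the rule drops the flagged address as *source*, which is what stops the reflected flood, since the spoofed getstatus requests carry the victim's address in their source field.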
Post #3 (Private; Group: Members, Joined: 5-March 08, Member No.: 68457)
works nicely Ligustah, thank you ;)