IPB

Welcome Guest ( Log In | Register )

> Rules / Regeln

- no copy 'n paste, only your own words (quoting is possible)
- please write in English which sounds sense (orthography should be recognizable)
- no rumours, no clan-news (except larger events)
- always with list of reference/originator
- please create compact news, 4-10 lines, colors, bold and cursive fontype is allowed

(*) We decide finally which news will be published or not. Not published news remains here only if it is acceptable.		 - kein Copy&Paste, nur eigene Worte (Zitat möglich)
- bitte vernünftiges Deutsch mit erkennbarer Rechtschreibung ;)
- keine Gerüchte, keine Clannews (ausgenommen größere Veranstaltungen)
- immer mit Quellen- oder Urheberangabe
- bitte kompakte News, 4-10 Zeilen, Farbe, fett, kursiv möglich

(*) Wir entscheiden letztlich, welche News veröffentlicht wird und welche nicht. Nicht veröffentlichte News bleiben hier in diesem Forum bestehen, es sei denn sie sind für uns inakzeptabel.		 - pas de copier coller, vos propres mots (citations possible)
- lisible et sans fautes ;)
- pas de "on dit", pa de news des clans (sauf les grandes manifs)
- toujours citer les sources
- essaies de faire compact, 4 - 10 lignes, couleur, gras possible

(*) On decide a la fin, laquelle des news va etre publie und laquelle non. News non publies restent dans ce forum, sauf si elle est inacceptable!
> POTENTIONAL FIX: etded.x86 getstatus exploit
Guest_Dutchman_*
post Jan 6 2011, 11:16 AM
Post #1




Guests
Hi,

since a few months there is a exploit floating around abusing the getstatus requests to launch dos attacks against random targets and as a side effect creating massive lags on clients and the server.
Cause of this Yada from Staatsschutz.org made a patch for linux wich reduces the effectivity of this exploit.

QUOTE
etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011
------

This patch will ratelimit etded.x86 2.60b getstatus requests to 1 per IP every
4 seconds. This approach is not ideal as the real fix would be to change the
protocol to require some kind of handshake but this would break compatibility
with existing clients so its not really practical. The worst part is that the
patch is (in theory) vulnerable to a dos where legitimate clients could be
denied access to the getstatus command but i feel this is less of a headache
than kiddies using the server to flood random targets and thereby lagging the
server and pushing bandwith usage through the roof (master server is excluded
from ratelimit so no need to worry about it being denied using spoofed
packets).


Download the file right here.

A readme.txt, the sourcecode and a small howto are included.

Your free to distribute this file.

This post has been edited by Dutchman: Jan 6 2011, 11:33 AM
Go to the top of the page
 
+Quote Post
 
 Start new topic
Replies
Ligustah
post Aug 26 2011, 10:30 AM
Post #2


Group Icon Corporal

Group: Members

Joined: 25-December 09
Member No.: 89191
As for the CommView program, i see two problems with that.
  1. price = 200€ at least
  2. no packet filter (as in dropping unwated traffic)


You can of course use that program to find out which IPs are being used on your server, but then you will have to manually ban them
(you can find out how to manually ban IPs with a quick Google search: http://lmgtfy.com/?q=how+to+block+an+ip+on+windows).

ZITAT($mart @ Aug 26 2011, 09:30 AM) *
Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it ..

The problem would not be getting the script to run on Windows (there are even pre-built binaries of the libraries used by the script i posted), but getting the IP banned. It does not seem to be very common to have automated firewalls on Windows systems. It seems to be possible via the netsh (net shell) provided by Windows. Something along the line:
QUELLTEXT
netsh advfirewall firewall add rule .......

Read up on the manual of that program, if you type the command above (without the dots of course) it will prints lots of useful information.
QUELLTEXT
os.system("iptables -A INPUT -s %s -j DROP" % k)


If you have found the command line that will do the trick for you simply replace it in the script i posted

ZITAT($mart @ Aug 26 2011, 09:30 AM) *
If I suspect any new spoofing, I will try to find IP and will update this post.

There is no point in posting IPs. You will only see the IPs of the victims getting DDoS'd, besides, at least on my machine I record about 30 to 50 different IPs per day (that is why i strongly advise looking into automated solutions).

Hope this helps.

This post has been edited by Ligustah: Aug 26 2011, 10:31 AM
Go to the top of the page
 
+Quote Post

Posts in this topic
- Dutchman   POTENTIONAL FIX: etded.x86 getstatus exploit   Jan 6 2011, 11:16 AM
- - Ligustah   For those running a dedicated server: i hacked to...   Feb 10 2011, 10:46 PM
|- - Sickboy   works nicely Ligustah, thank you ;)   Aug 25 2011, 07:50 AM
- - $mart   Hello, does anyone know a Windows version of this ...   Aug 25 2011, 09:20 AM
|- - ETc|Jay   QUOTE ($mart @ Aug 25 2011, 10:20 AM...   Aug 26 2011, 12:11 AM
- - Ligustah   Ugh, programatically banning IPs on Windows is by ...   Aug 25 2011, 11:32 PM
|- - Dutchman   QUOTE (Ligustah @ Aug 26 2011, 12:32 AM) ...   Aug 26 2011, 08:25 AM
- - $mart   Thanks guys, Yes, on Windows, it is difficult to m...   Aug 26 2011, 08:30 AM
- - Ligustah   As for the CommView program, i see two problems wi...   Aug 26 2011, 10:30 AM
- - MwgWolf   ty guys :P   Aug 28 2011, 10:28 AM
- - daredevil   You can also try netlimiter. In windows 2008 R2 E...   Aug 28 2011, 04:20 PM
- - Sickboy   i've noticed on our server a few slower attack...   Aug 29 2011, 12:33 AM
- - Ligustah   It is certainly possible to make iptable rules tha...   Aug 29 2011, 09:35 AM
|- - Old-Owl   Thanks Ligustah for you nice script that seems ver...   Aug 30 2011, 10:49 PM
- - Ligustah   I am actually using a simple wrapper about my ipta...   Aug 30 2011, 11:45 PM
|- - -sunkist-   I didn't see any getstatus floods since april ...   Oct 15 2011, 02:45 AM
- - $mart   Still attacks 10/10/11 : http://www.hirntot.org/di...   Oct 15 2011, 10:02 AM
- - schnoog   The getstatus exploit is more active than ever. I...   Oct 15 2011, 10:24 AM
|- - -sunkist-   QUOTE (schnoog @ Oct 15 2011, 11:24 AM) T...   Oct 17 2011, 06:51 PM
|- - Dutchman   QUOTE (-sunkist- @ Oct 17 2011, 07...   Oct 17 2011, 10:52 PM
|- - -sunkist-   QUOTE (Dutchman @ Oct 17 2011, 11:52 PM) ...   Oct 17 2011, 11:03 PM
|- - Dutchman   QUOTE (-sunkist- @ Oct 18 2011, 12...   Oct 17 2011, 11:16 PM
|- - -sunkist-   QUOTE (Dutchman @ Oct 18 2011, 12:16 AM) ...   Oct 17 2011, 11:21 PM
- - Dutchman   ok:)   Oct 17 2011, 11:50 PM
- - AmericanPie1979   good morning :) i found maybe a solution for thi...   Oct 18 2011, 08:21 AM
|- - -sunkist-   QUOTE (AmericanPie1979 @ Oct 18 2011, 09...   Oct 18 2011, 08:49 PM
|- - TomDome   Ich denke es ist rauslesbar was er sagen will und ...   Oct 18 2011, 09:44 PM
- - AmericanPie1979   Ich würde mal sagen wer lesen kann ist klar im Vo...   Oct 18 2011, 10:29 PM
- - $mart   Hello 32% CPU => with how many players and/or ...   Oct 19 2011, 08:01 AM
- - Ligustah   ZITAT($mart @ Oct 19 2011, 09:01 AM)...   Oct 19 2011, 08:23 AM
- - AmericanPie1979   i have 16 bots now i disabled the master server...   Oct 19 2011, 09:38 AM
- - Ligustah   ZITAT(AmericanPie1979 @ Oct 19 2011, 10:3...   Oct 19 2011, 10:42 AM
- - AmericanPie1979   hab gesehen das es auf 3 roots die gleichen flood ...   Oct 19 2011, 10:52 AM
- - schnoog   Das Problem ist doch, dass die Angreiffer IP gespo...   Oct 19 2011, 12:36 PM
|- - Dutchman   American, i see you are running your game on a lin...   Oct 19 2011, 01:31 PM
- - AmericanPie1979   Dutchman :) thx for info but i have 2.55+ so all p...   Oct 19 2011, 03:27 PM
|- - Dutchman   I don't know wich etded.x86 version you have ...   Oct 19 2011, 03:36 PM
- - AmericanPie1979   it says unknown etded.x86 version can you send m...   Oct 19 2011, 03:45 PM
- - daredevil   English please so others having same issue can und...   Oct 19 2011, 04:12 PM
- - AmericanPie1979   i am writing english but sry its little bad :P TH...   Oct 19 2011, 04:17 PM
|- - Dutchman   QUOTE (AmericanPie1979 @ Oct 19 2011, 05...   Oct 19 2011, 05:58 PM
- - AmericanPie1979   cpu is on 21 - 22 % network is now ok rx: 1...   Oct 19 2011, 06:25 PM
|- - Dutchman   QUOTE (AmericanPie1979 @ Oct 19 2011, 07...   Oct 19 2011, 06:43 PM
- - AmericanPie1979   they are both on my Teamspeak ^^ Opa and Mörder ;...   Oct 19 2011, 06:46 PM
- - Old-Owl   The scripts against that getstatus exploit works f...   Oct 23 2011, 02:03 PM
- - schnoog   There`s nothing you can do against the incomin...   Oct 23 2011, 02:25 PM
- - Ligustah   I just recently had to answer that question to som...   Oct 23 2011, 05:39 PM

« Next Oldest · --> REPORT NEWS HERE <-- · Next Newest »
 

Reply to this topicStart new topic
2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Switch to: Standard · Switch to: Linear+ · Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

RSS Lo-Fi Version Time is now: 1st July 2025 - 11:02 AM
Powered By IP.Board © 2025  IPS, Inc.
Licensed to: www.splatterladder.com