> Rules

- no copy 'n' paste, only your own words (quoting is possible)
- please write English that makes sense (spelling should be recognizable)
- no rumours, no clan news (except larger events)
- always include a reference or the originator
- please create compact news, 4-10 lines; colours, bold and italic type are allowed

(*) We decide in the end which news gets published and which not. Unpublished news remains in this forum unless it is unacceptable to us.
> POTENTIAL FIX: etded.x86 getstatus exploit

Guest_Dutchman_*
post Jan 6 2011, 11:16 AM
Post #1
Hi,

For a few months there has been an exploit floating around that abuses getstatus requests to launch DoS attacks against random targets, and as a side effect creates massive lag on clients and the server.
Because of this, Yada from Staatsschutz.org made a patch for Linux which reduces the effectiveness of this exploit.

QUOTE
etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011
------

This patch will rate-limit etded.x86 2.60b getstatus requests to 1 per IP every
4 seconds. This approach is not ideal, as the real fix would be to change the
protocol to require some kind of handshake, but this would break compatibility
with existing clients so it's not really practical. The worst part is that the
patch is (in theory) vulnerable to a DoS where legitimate clients could be
denied access to the getstatus command, but I feel this is less of a headache
than kiddies using the server to flood random targets and thereby lagging the
server and pushing bandwidth usage through the roof (the master server is excluded
from the rate limit, so no need to worry about it being denied using spoofed
packets).


Download the file right here.

A readme.txt, the sourcecode and a small howto are included.

You're free to distribute this file.

This post has been edited by Dutchman: Jan 6 2011, 11:33 AM
schnoog
post Oct 15 2011, 10:24 AM
Post #2
The getstatus exploit is more active than ever.

I talked to some admins, and more than 10 000 incoming packets per second are not very rare.

OldMan posted a modified version of the q3_getstatus_ddos script here: http://wolffiles.de/index.php?forum-showposts-44-p5#

This one not only spoils plaintext getstatus attacks, it also handles zoneRef getstatus attacks.

This is how it looks after the script has finished its work:
CODE
rx: 6,1 Mbit/s 13862 p/s tx: 12 kbit/s 2 p/s

OldMan integrated some very nice features (delayed unban, for example).

Unfortunately I'm not familiar with the Windows PowerShell, but there should also be a possibility to do such things there.
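The two mitigations discussed in this thread, yada's in-binary rate limit from the readme quoted in the first post (one getstatus answer per source IP every 4 seconds, master server exempt) and the per-source flood detection with delayed unban that OldMan's iptables script automates, can be modelled together in a few dozen lines. The code below is an added example written for this page; it is not yada's patch, OldMan's script, or anything shipped with etded. It assumes the Quake 3 out-of-band framing (four 0xFF bytes followed by the command name), and the master server address, flood threshold, ban duration and traffic sample are all constructed placeholders:

```python
"""Model of getstatus rate limiting plus per-source flood banning.

Added example, not the forum's or yada's code. The packet framing is the
Quake 3 out-of-band header (four 0xFF bytes, then the command name).
All addresses, thresholds and traffic below are constructed sample data.
"""
from collections import defaultdict

OOB_HEADER = b"\xff\xff\xff\xff"
RATE_WINDOW = 4.0                    # seconds between answered getstatus per source IP (readme value)
MASTER_SERVERS = {"198.51.100.10"}   # placeholder master server address (assumed)
FLOOD_THRESHOLD = 50                 # getstatus per source per second before banning (assumed)
BAN_SECONDS = 600                    # delayed unban: how long a flooding source stays blocked (assumed)


def parse_oob(datagram: bytes):
    """Return the out-of-band command name ('getstatus', 'getinfo', ...) or None."""
    if not datagram.startswith(OOB_HEADER):
        return None
    tokens = datagram[len(OOB_HEADER):].split()
    return tokens[0].decode("ascii", "replace") if tokens else None


class GetstatusLimiter:
    """One answered getstatus per source IP per RATE_WINDOW; master servers are exempt."""

    def __init__(self, window=RATE_WINDOW, master=MASTER_SERVERS):
        self.window = window
        self.master = set(master)
        self.last_seen = {}

    def allow(self, src_ip, now):
        if src_ip in self.master:
            return True
        last = self.last_seen.get(src_ip)
        if last is not None and now - last < self.window:
            return False          # would be a reflected packet towards a (possibly spoofed) source
        self.last_seen[src_ip] = now
        return True


class FloodBanList:
    """Count getstatus per source per one-second bucket; ban over threshold; unban after BAN_SECONDS."""

    def __init__(self, threshold=FLOOD_THRESHOLD, ban_seconds=BAN_SECONDS):
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.counts = defaultdict(int)   # (src_ip, whole second) -> packets seen
        self.banned_until = {}

    def is_banned(self, src_ip, now):
        until = self.banned_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[src_ip]   # delayed unban
            return False
        return True

    def record(self, src_ip, now):
        key = (src_ip, int(now))
        self.counts[key] += 1
        if self.counts[key] > self.threshold and src_ip not in self.banned_until:
            self.banned_until[src_ip] = now + self.ban_seconds


def process(packets, limiter, banlist):
    """packets: iterable of (timestamp, src_ip, datagram). Returns a tally of what happened."""
    stats = {"answered": 0, "ratelimited": 0, "dropped_banned": 0, "other": 0}
    for ts, src, data in packets:
        if parse_oob(data) != "getstatus":
            stats["other"] += 1          # getinfo, connectionless junk, non-OOB traffic
            continue
        if banlist.is_banned(src, ts):
            stats["dropped_banned"] += 1  # what the firewall script would drop
            continue
        banlist.record(src, ts)
        if limiter.allow(src, ts):
            stats["answered"] += 1       # the only packets that get a statusResponse back
        else:
            stats["ratelimited"] += 1
    return stats


def sample_traffic():
    """Constructed sample: one legitimate client, the master server, one spoofed source at 200 p/s."""
    pkts = []
    for t in (0.0, 5.0, 10.0):                              # server browser polling every 5 s
        pkts.append((t, "203.0.113.5", OOB_HEADER + b"getstatus"))
    for t in range(0, 11):                                  # master server polling once a second
        pkts.append((float(t), "198.51.100.10", OOB_HEADER + b"getstatus"))
    for t in range(0, 3):                                   # spoofed victim address, 200 p/s for 3 s
        for i in range(200):
            pkts.append((t + i / 200.0, "192.0.2.77", OOB_HEADER + b"getstatus"))
    pkts.append((1.5, "203.0.113.5", OOB_HEADER + b"getinfo xxx"))
    pkts.append((1.6, "203.0.113.5", b"not an oob packet"))
    pkts.sort(key=lambda p: p[0])
    return pkts


def run_sample():
    return process(sample_traffic(), GetstatusLimiter(), FloodBanList())


if __name__ == "__main__":
    print(run_sample())
```

On the constructed sample the flood of 600 spoofed packets results in exactly one statusResponse being reflected towards the spoofed address before the rate limit takes over, and after the 51st packet within one second the source is dropped outright until the delayed unban fires. The readme's caveat is visible in the limiter too: if a flood is spoofed from a real client's address, that client's own next getstatus inside the 4-second window is refused as well, which is the trade-off yada accepts.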


-sunkist-
post Oct 17 2011, 06:51 PM
Post #3
QUOTE (schnoog @ Oct 15 2011, 11:24 AM)
The getstatus exploit is more active than ever.

I talked to some admins and more than 10 000 incoming packets per seconds are not very rare.


Oh WOW! That's true! Holy shit!

I didn't see any attacks because I didn't list my ET servers in the master list. Since I listed one of my ET servers again, the attacks are back - more than before!

Thanks for the hint!

Now I know where the attackers get the targets from: the master browser list!

When you use:

seta sv_master1 ""
seta sv_master2 ""
seta sv_master3 ""
seta sv_master4 ""
seta sv_master5 ""

in your server.cfg, your servers will not get listed in the master browser list and therefore they will not get attacked.
Guest_Dutchman_*
post Oct 17 2011, 10:52 PM
Post #4
QUOTE (-sunkist- @ Oct 17 2011, 07:51 PM)
blabla

This has nothing to do with the topic about a patch for Linux servers.
Is there a possibility you communicate in a normal way? Thanks.
-sunkist-
post Oct 17 2011, 11:03 PM
Post #5
QUOTE (Dutchman @ Oct 17 2011, 11:52 PM)
QUOTE (-sunkist- @ Oct 17 2011, 07:51 PM)
blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.


Well, I regret to communicate on a higher level.

There will be no patch for Linux servers from the vendor. But you may use one of the iptables scripts offered by me (http://www.vollspack.org/) or by others. These scripts will block these attacks. But you will still receive the traffic. There is nothing you can do against that.

This post has been edited by -sunkist-: Oct 17 2011, 11:05 PM
Guest_Dutchman_*
post Oct 17 2011, 11:16 PM
Post #6
QUOTE (-sunkist- @ Oct 18 2011, 12:03 AM)
QUOTE (Dutchman @ Oct 17 2011, 11:52 PM)
QUOTE (-sunkist- @ Oct 17 2011, 07:51 PM)
blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.


Well, I regret to communicate in a higher level.

There will be no patch for linux servers from the vendor. But you may use one of the iptables scripts offered by me (http://www.vollspack.org/) or by others. These scripts will block these attacks. But you still will receive the traffic. There is nothing you can do against it.

The fix I posted for Linux servers is fine, as stated by yada in the readme file.
Your post has nothing to do with solving it if you want to get your server(s) listed.