POTENTIONAL FIX: etded.x86 getstatus exploit

Rules / Regeln

- no copy 'n paste, only your own words (quoting is possible)
- please write in English which sounds sense (orthography should be recognizable)
- no rumours, no clan-news (except larger events)
- always with list of reference/originator
- please create compact news, 4-10 lines, colors, bold and cursive fontype is allowed

(*) We decide finally which news will be published or not. Not published news remains here only if it is acceptable.

- kein Copy&Paste, nur eigene Worte (Zitat möglich)
- bitte vernünftiges Deutsch mit erkennbarer Rechtschreibung ;)
- keine Gerüchte, keine Clannews (ausgenommen größere Veranstaltungen)
- immer mit Quellen- oder Urheberangabe
- bitte kompakte News, 4-10 Zeilen, Farbe, fett, kursiv möglich

(*) Wir entscheiden letztlich, welche News veröffentlicht wird und welche nicht. Nicht veröffentlichte News bleiben hier in diesem Forum bestehen, es sei denn sie sind für uns inakzeptabel.

- pas de copier coller, vos propres mots (citations possible)
- lisible et sans fautes ;)
- pas de "on dit", pa de news des clans (sauf les grandes manifs)
- toujours citer les sources
- essaies de faire compact, 4 - 10 lignes, couleur, gras possible

(*) On decide a la fin, laquelle des news va etre publie und laquelle non. News non publies restent dans ce forum, sauf si elle est inacceptable!

POTENTIONAL FIX: etded.x86 getstatus exploit

Options

Guest_Dutchman_*	Jan 6 2011, 11:16 AM Post #1
Guests	Hi, since a few months there is a exploit floating around abusing the getstatus requests to launch dos attacks against random targets and as a side effect creating massive lags on clients and the server. Cause of this Yada from Staatsschutz.org made a patch for linux wich reduces the effectivity of this exploit. QUOTE etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011 ------ This patch will ratelimit etded.x86 2.60b getstatus requests to 1 per IP every 4 seconds. This approach is not ideal as the real fix would be to change the protocol to require some kind of handshake but this would break compatibility with existing clients so its not really practical. The worst part is that the patch is (in theory) vulnerable to a dos where legitimate clients could be denied access to the getstatus command but i feel this is less of a headache than kiddies using the server to flood random targets and thereby lagging the server and pushing bandwith usage through the roof (master server is excluded from ratelimit so no need to worry about it being denied using spoofed packets). Download the file right here. A readme.txt, the sourcecode and a small howto are included. Your free to distribute this file. This post has been edited by Dutchman: Jan 6 2011, 11:33 AM

Replies

Old-Owl View Member Profile	Oct 23 2011, 02:03 PM Post #2
Sergeant Group: Members Joined: 6-August 05 From: Italy Member No.: 12451	The scripts against that getstatus exploit works fine. But I don't understand one thing. I give an example: All Attackers are banned through iptables, but they keep to send packets. I can see it through iptraf: CODE â”‚ Incoming rates: 3385.7 kbits/sec â”‚ 6555.2 packets/sec â”‚ IP checksum errors: 0 â”‚ Outgoing rates: 1811.4 kbits/sec â”‚ 581.2 packets/sec Results: My service hosting provider keep to send me alerts about high traffic even the offending Ip's are banned. And when I go to check, the IN traffic is always more (twice) than OUT traffic. I am not sure if that high amounts of incoming packets may spoil the game play; I am afraid that is possible since some players keep to complain about lags. Someone have an idea or explanation of this problem? Thanks :)

Posts in this topic

Dutchman POTENTIONAL FIX: etded.x86 getstatus exploit Jan 6 2011, 11:16 AM

Ligustah For those running a dedicated server: i hacked to... Feb 10 2011, 10:46 PM

Sickboy works nicely Ligustah, thank you ;) Aug 25 2011, 07:50 AM

$mart Hello, does anyone know a Windows version of this ... Aug 25 2011, 09:20 AM

ETc|Jay QUOTE ($mart @ Aug 25 2011, 10:20 AM... Aug 26 2011, 12:11 AM

Ligustah Ugh, programatically banning IPs on Windows is by ... Aug 25 2011, 11:32 PM

Dutchman QUOTE (Ligustah @ Aug 26 2011, 12:32 AM) ... Aug 26 2011, 08:25 AM

$mart Thanks guys, Yes, on Windows, it is difficult to m... Aug 26 2011, 08:30 AM

Ligustah As for the CommView program, i see two problems wi... Aug 26 2011, 10:30 AM

MwgWolf ty guys :P Aug 28 2011, 10:28 AM

daredevil You can also try netlimiter. In windows 2008 R2 E... Aug 28 2011, 04:20 PM

Sickboy i've noticed on our server a few slower attack... Aug 29 2011, 12:33 AM

Ligustah It is certainly possible to make iptable rules tha... Aug 29 2011, 09:35 AM

Old-Owl Thanks Ligustah for you nice script that seems ver... Aug 30 2011, 10:49 PM

Ligustah I am actually using a simple wrapper about my ipta... Aug 30 2011, 11:45 PM

-sunkist- I didn't see any getstatus floods since april ... Oct 15 2011, 02:45 AM

$mart Still attacks 10/10/11 : http://www.hirntot.org/di... Oct 15 2011, 10:02 AM

schnoog The getstatus exploit is more active than ever. I... Oct 15 2011, 10:24 AM

-sunkist- QUOTE (schnoog @ Oct 15 2011, 11:24 AM) T... Oct 17 2011, 06:51 PM

Dutchman QUOTE (-sunkist- @ Oct 17 2011, 07... Oct 17 2011, 10:52 PM

-sunkist- QUOTE (Dutchman @ Oct 17 2011, 11:52 PM) ... Oct 17 2011, 11:03 PM

Dutchman QUOTE (-sunkist- @ Oct 18 2011, 12... Oct 17 2011, 11:16 PM

-sunkist- QUOTE (Dutchman @ Oct 18 2011, 12:16 AM) ... Oct 17 2011, 11:21 PM

Dutchman ok:) Oct 17 2011, 11:50 PM

AmericanPie1979 good morning :) i found maybe a solution for thi... Oct 18 2011, 08:21 AM

-sunkist- QUOTE (AmericanPie1979 @ Oct 18 2011, 09... Oct 18 2011, 08:49 PM

TomDome Ich denke es ist rauslesbar was er sagen will und ... Oct 18 2011, 09:44 PM

AmericanPie1979 Ich würde mal sagen wer lesen kann ist klar im Vo... Oct 18 2011, 10:29 PM

$mart Hello 32% CPU => with how many players and/or ... Oct 19 2011, 08:01 AM

Ligustah ZITAT($mart @ Oct 19 2011, 09:01 AM)... Oct 19 2011, 08:23 AM

AmericanPie1979 i have 16 bots now i disabled the master server... Oct 19 2011, 09:38 AM

Ligustah ZITAT(AmericanPie1979 @ Oct 19 2011, 10:3... Oct 19 2011, 10:42 AM

AmericanPie1979 hab gesehen das es auf 3 roots die gleichen flood ... Oct 19 2011, 10:52 AM

schnoog Das Problem ist doch, dass die Angreiffer IP gespo... Oct 19 2011, 12:36 PM

Dutchman American, i see you are running your game on a lin... Oct 19 2011, 01:31 PM

AmericanPie1979 Dutchman :) thx for info but i have 2.55+ so all p... Oct 19 2011, 03:27 PM

Dutchman I don't know wich etded.x86 version you have ... Oct 19 2011, 03:36 PM

AmericanPie1979 it says unknown etded.x86 version can you send m... Oct 19 2011, 03:45 PM

daredevil English please so others having same issue can und... Oct 19 2011, 04:12 PM

AmericanPie1979 i am writing english but sry its little bad :P TH... Oct 19 2011, 04:17 PM

Dutchman QUOTE (AmericanPie1979 @ Oct 19 2011, 05... Oct 19 2011, 05:58 PM

AmericanPie1979 cpu is on 21 - 22 % network is now ok rx: 1... Oct 19 2011, 06:25 PM

Dutchman QUOTE (AmericanPie1979 @ Oct 19 2011, 07... Oct 19 2011, 06:43 PM

AmericanPie1979 they are both on my Teamspeak ^^ Opa and Mörder ;... Oct 19 2011, 06:46 PM

Old-Owl The scripts against that getstatus exploit works f... Oct 23 2011, 02:03 PM

schnoog There`s nothing you can do against the incomin... Oct 23 2011, 02:25 PM

Ligustah I just recently had to answer that question to som... Oct 23 2011, 05:39 PM

« Next Oldest · --> REPORT NEWS HERE <-- · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members: