POTENTIONAL FIX: etded.x86 getstatus exploit Options

[Guest_Dutchman_*]

Hi,

since a few months there is a exploit floating around abusing the getstatus requests to launch dos attacks against random targets and as a side effect creating massive lags on clients and the server.
Cause of this Yada from Staatsschutz.org made a patch for linux wich reduces the effectivity of this exploit.

etfix_getstatus 0.2 by yada / staatsschutz.org / jan. 2011
------

This patch will ratelimit etded.x86 2.60b getstatus requests to 1 per IP every
4 seconds. This approach is not ideal as the real fix would be to change the
protocol to require some kind of handshake but this would break compatibility
with existing clients so its not really practical. The worst part is that the
patch is (in theory) vulnerable to a dos where legitimate clients could be
denied access to the getstatus command but i feel this is less of a headache
than kiddies using the server to flood random targets and thereby lagging the
server and pushing bandwith usage through the roof (master server is excluded
from ratelimit so no need to worry about it being denied using spoofed
packets).

Download the file right here.

A readme.txt, the sourcecode and a small howto are included.

Your free to distribute this file.

This post has been edited by Dutchman: Jan 6 2011, 11:33 AM

[Ligustah]

For those running a dedicated server:

i hacked together some tiny script that watches network traffic and uses iptables to ban offending IPs,
thereby stopping the incredible lags and saving bandwidth. It's based on PCAP.

Requires pcapy and Impacket from over here: http://oss.coresecurity.com/

QUELLTEXT

#!/usr/bin/python
# Slightly modified version of this
# script:
# http://oss.coresecurity.com/impacket/sniff.py


import sys
import os
import string
from threading import Thread
import time

import pcapy
from pcapy import findalldevs, open_live
import impacket
from impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder

class Watcher(Thread):
    def __init__(self, pcapObj):
        # Query the type of the link and instantiate a decoder accordingly.
        datalink = pcapObj.datalink()
        if pcapy.DLT_EN10MB == datalink:
            self.decoder = EthDecoder()
        elif pcapy.DLT_LINUX_SLL == datalink:
            self.decoder = LinuxSLLDecoder()
        else:
            raise Exception("Datalink type not supported: " % datalink)

        self.pcap = pcapObj
        self.tab = {}
        self.lastCheck = time.time()
        Thread.__init__(self)

    def run(self):
        self.pcap.loop(0, self.packetHandler)

    def packetHandler(self, hdr, data):
        #packets are guaranteed to be UDP
        sll = self.decoder.decode(data)
        ip = sll.child()
        udp = ip.child()
        ip_addr = ip.get_ip_dst()
        
        if not self.tab.has_key(ip_addr):
            self.tab[ip_addr] = 0
        self.tab[ip_addr] = self.tab[ip_addr] + 1
        
        if time.time() - self.lastCheck >= 3:
            #uncomment the following line to see the number of packets
            #print self.tab
            self.checkLimits()
            self.lastCheck = time.time()
            self.tab = {}
            
    def checkLimits(self):
        for k in self.tab:
            v = self.tab[k]
            #change the number below to adjust the limit of packets
            if v > 1000:
                print "offending ip %s, packets: %i" % (k, v)
                os.system("iptables -A INPUT -s %s -j DROP" % k)

def main(filter):
    dev = 'any'

    p = open_live(dev, 100, 0, 100)
    p.setfilter(filter)

    print "Listening on %s: net=%s, mask=%s, linktype=%d" % (dev, p.getnet(), p.getmask(), p.datalink())

    #not calling start() here, because it doesn't work well
    Watcher(p).run()

# insert your ip there
filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF"

main(filter)

This basically watches the outgoing traffic and counts the packets sent.
If packets sent to a certain IP exceed a specified limit it will issue a ban using iptables.
You might have to tweak the limit to meet your requirements.

For me it checks every three seconds and bans when sending more than 1000 packets in that time.
(they are constantly sending about 2000 packets per second to my servers).

Oh, and it only counts connectionless packets (e.g. getstatus, rcon, getinfo, etc) so it won't trigger on game packets.

[Sickboy]

works nicely Ligustah, thank you ;)

[$mart]

Hello, does anyone know a Windows version of this script please ?
My home server, with no human playing, has 900 kbps in upload stream !
Thx in advance

[Ligustah]

Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago).
I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to
the Windows version of the server as well, though i'd rather doubt that.

This post has been edited by Ligustah: Aug 25 2011, 11:32 PM

[ETc|Jay]

Hello, does anyone know a Windows version of this script please ?
My home server, with no human playing, has 900 kbps in upload stream !
Thx in advance

maybe install commview. there you see all traffic

here a pic:

[Guest_Dutchman_*]

Ugh, programatically banning IPs on Windows is by far not as trivial (at least it was not for us, when we used a Windows server some years ago).
I'm afraid you will have to try finding a solution like the one posted by Dutchman. Maybe ask the creator of that patch if it can be applied to
the Windows version of the server as well, though i'd rather doubt that.

Sorry, it's a Linux only patch.

[$mart]

Thanks guys,
Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it ..
Thanks JAY your graphical tool will fit my needs, I'm gonna download it, but for the moment, Upstream is normal: 2 kbps (just my remote access RDP) when server is empty (... and often empty lol grrr... nobody wants to test chaos mod ??).

If I suspect any new spoofing, I will try to find IP and will update this post.

Good frags for all xD
V55

This post has been edited by $mart: Aug 26 2011, 08:36 AM

[Ligustah]

As for the CommView program, i see two problems with that.

1. price = 200€ at least
2. no packet filter (as in dropping unwated traffic)

You can of course use that program to find out which IPs are being used on your server, but then you will have to manually ban them
(you can find out how to manually ban IPs with a quick Google search: http://lmgtfy.com/?q=how+to+block+an+ip+on+windows).

Yes, on Windows, it is difficult to make such a script, maybe the new PowerShell could do it ..

The problem would not be getting the script to run on Windows (there are even pre-built binaries of the libraries used by the script i posted), but getting the IP banned. It does not seem to be very common to have automated firewalls on Windows systems. It seems to be possible via the netsh (net shell) provided by Windows. Something along the line:

QUELLTEXT

netsh advfirewall firewall add rule .......

Read up on the manual of that program, if you type the command above (without the dots of course) it will prints lots of useful information.

QUELLTEXT

os.system("iptables -A INPUT -s %s -j DROP" % k)

If you have found the command line that will do the trick for you simply replace it in the script i posted

If I suspect any new spoofing, I will try to find IP and will update this post.

There is no point in posting IPs. You will only see the IPs of the victims getting DDoS'd, besides, at least on my machine I record about 30 to 50 different IPs per day (that is why i strongly advise looking into automated solutions).

Hope this helps.

This post has been edited by Ligustah: Aug 26 2011, 10:31 AM

[Dookie7]

ty guys :P

[daredevil]

You can also try netlimiter. In windows 2008 R2 Enterprise, you can see all IP's connected to your server live. I think it's same for standard edition also.





it's 30$.

This post has been edited by daredevil: Aug 28 2011, 04:21 PM

[Sickboy]

i've noticed on our server a few slower attacks packetting us just below our threshold. yesterday i reduced the threshold too low and legitimate game clients were dropped upon connecting. what i decided to do was run a second instance with a longer check time (10 mins) and higher packet #. seems to be working well along with the 3 sec script. wouldn't it be possible to write an iptables rule to only allow those packets from specific ips? ie legitimate trackers: et master server, trackbase, splatterladder, etc? the downside being that game clients couldn't do a /serverstatus, but i think its a small price to pay until theres a permanent solution.

[Ligustah]

It is certainly possible to make iptable rules that work like the script i posted. I actually experimented with that for quite a while,
though i can't remember why i went for the script in the end.

Blocking getstatus alltogether might not be a good idea. Game trackers are not the only ones who send getstatus requests.
Programs like XFire, HLSW or RCON Unlimited all rely on getstatus and will probably show the server offline if you block them.
You might however apply the script i posted above only to getstatus packets. At the moment it will count all connectionless packets (getinfo, rcon, getchallenge, etc).

QUELLTEXT

filter = "udp and src host 123.456.789.123 and udp[8:4] = 0xFFFFFFFF"

The last part of the filter checks the next 4 bytes at offset 8. You can change that to check for a longer byte sequence so as to catch getstatus only. I never bothered doing that.


I have been using a limit of 300 packets for quite a while now and it seems to work out very smoothly, haven't heard of legit clients getting dropped or being unable to connect. You will however have to adapt that limit depending on the number of game servers you run on your machine.

This post has been edited by Ligustah: Aug 29 2011, 09:36 AM

[Old-Owl]

Thanks Ligustah for you nice script that seems very fast and efficient.
I tried it since I like the idea of real time bans and after some inconvenient attepts,
(script banned the server from itself due to another script that use a connector)
I changed this part to avoid it:

CODE

            if k == "ServerIPhere":
                        print "own IP not banned %s, packets %i" % (k, v)
            elif v > 150:
                        print "offending ip %s, packets: %i" % (k, v)
                        os.system("iptables -A INPUT -s %s -j DROP" % k)

Now I run it in a screen session, I like it, but I would log in a text file the banned IP's and the packets they produce.
The main reason is to debug why the script from time to time ban one of my admins that run two clients and HLSW
in the same time. If I can understand the threshold I have to set then I can sleep good. :)

Last thing is that I don't understand the "filter" how it have to be set to catch the 'getstatus' requests, or maybe
I don't have to modify that line except put there the server IP address .

Thanks for your support.
Owl

[Ligustah]

I am actually using a simple wrapper about my iptables, which will log the ip and number of packets.
http://85.214.159.249/banip.txt

Just save that file somewhere on your machine and make it executable.

QUELLTEXT

os.system("banip %s automatically banned, %i packets" % (k, v))

That's how i call it from my script.

To change the filter line, you need to get a HEX representation of getstatus and add that to the number in the filter line, also increase the length that is checked.