POTENTIONAL FIX: etded.x86 getstatus exploit Options

[-sunkist-]

I didn't see any getstatus floods since april 2011! Anyway...

For whom this may be interesting, please have a look at http://www.vollspack.org/ and see the linked script.

With best regards, Sunkist

[$mart]

Still attacks 10/10/11 : http://www.hirntot.org/distribution/viewto...f8577789#p14936
My hoster 87.98.168.156 is down still yesterday ... maybe same reason.
And when I run home-server (windows), after some minutes, my bandwith goes to 100% busy even with no players ...

So no, ddos always present, like hacks, like virus, ... grrrrrrrr


(anyway thanks man to share your script-shell with community)


This post has been edited by $mart: Oct 15 2011, 10:03 AM

[schnoog]

The getstatus exploit is more active than ever.

I talked to some admins and more than 10 000 incoming packets per seconds are not very rare.

OldMan posted a modified version of the q3_getstatus_ddos script here: http://wolffiles.de/index.php?forum-showposts-44-p5#

This one not only spoil plaintext getstatus attacks, it also handles zoneRef getstatus attacks.


That is like it looks after the script finnished his work:

CODE

rx: 6,1 Mbit/s 13862 p/s tx: 12 kbit/s 2 p/s

OldMan integrated some very nice features (delayed unban for example)

Unfortunality I`m not familar with the windows powershell, but there should also be a possibility to do such things.

[-sunkist-]

The getstatus exploit is more active than ever.

I talked to some admins and more than 10 000 incoming packets per seconds are not very rare.

Oh WOW! That's true! Holy shit!

I didn't see any attacks because I didn't list my ET servers in the Masterlist. Since I listed one of my ET servers again, the attacks are back - more then before!

Thank's for the hint!

Now I know where the attackers get the targets from: The Master Browser List!

When you use:

seta sv_master1 ""
seta sv_master2 ""
seta sv_master3 ""
seta sv_master4 ""
seta sv_master5 ""

in your server.cfg, your servers will not get listed in the Master Browser List and therefor they will not get attacked.

[Guest_Dutchman_*]

blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.

[-sunkist-]

blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.

Well, I regret to communicate in a higher level.

There will be no patch for linux servers from the vendor. But you may use one of the iptables scripts offered by me (http://www.vollspack.org/) or by others. These scripts will block these attacks. But you still will receive the traffic. There is nothing you can do against it.

This post has been edited by -sunkist-: Oct 17 2011, 11:05 PM

[Guest_Dutchman_*]

blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.

Well, I regret to communicate in a higher level.

There will be no patch for linux servers from the vendor. But you may use one of the iptables scripts offered by me (http://www.vollspack.org/) or by others. These scripts will block these attacks. But you still will receive the traffic. There is nothing you can do against it.

The fix i posted for linux servers as stated from yada in the readme file if fine.
Your post has nothing to do with solving it if you wan't to get your server(s) listed.

[-sunkist-]

blabla

this has nothing to do with the topic about a patch for linux servers.
Is there a possibility you communicate in a normal way? thnx.

Well, I regret to communicate in a higher level.

There will be no patch for linux servers from the vendor. But you may use one of the iptables scripts offered by me (http://www.vollspack.org/) or by others. These scripts will block these attacks. But you still will receive the traffic. There is nothing you can do against it.

The fix i posted for linux servers as stated from yada in the readme file if fine.
Your post has nothing to do with solving it if you wan't to get your server(s) listed.

Wrong!

The "fix" will not just drop the attackers traffic, it will let the traffic go to your servers ET software (server side) and will cause lag! Iptables will prevent the software from receiving the attackers traffic and will cause much less lag.

The listed cvars will prevent you from receiving the traffic at all!

This post has been edited by -sunkist-: Oct 17 2011, 11:21 PM

[Guest_Dutchman_*]

ok:)

[AmericanPie1979]

good morning :)


i found maybe a solution for this problem ^^

i look for it now :P maybe it works ^^

i was on server to play so it works :)

we dont let us flood :P but why it woks now ??

i used many fixes.....from schnoog........i updated the Kernel and getted flooded again ^^

and now i have cpu usage from 13 % ^^ befor it was 50 % :)



This post has been edited by AmericanPie1979: Oct 18 2011, 08:31 AM

[-sunkist-]

good morning :)


i found maybe a solution for this problem ^^

i look for it now :P maybe it works ^^

i was on server to play so it works :)

we dont let us flood :P but why it woks now ??

i used many fixes.....from schnoog........i updated the Kernel and getted flooded again ^^

and now i have cpu usage from 13 % ^^ befor it was 50 % :)

Kannst Du bitte mal in Deiner Muttersprache sagen, was Du sagen willst? Ich kann zwar Deinen englischen Text uebersetzen, aber dabei kommt irgendwie nichts sinnvolles raus.

[TomDome]

Ich denke es ist rauslesbar was er sagen will und daß er in englisch schreibt ist eher von Vorteil, da dann mehr Leute daran teilhaben können.

[AmericanPie1979]

Ich würde mal sagen wer lesen kann ist klar im Vorteil ^^

ich habe eine gepatchte Gameserver Kernel installiert und noch paar sachen geändert

ist aber bis jetz nur ein test ^^

hab gemerkt das es besser wurde als ich die Masterserver aus der cfg rausgenommen habe.....

sind einige Sachen die ich geändert habe ^^

PS : werde denk ich mal wieder angegriffen.......cpu auslastung steigt wieder stetig.......man wasn kack ey frag mich was die deppen davon haben

32 % cpu usage.....nich soooo viel aber naja man sehen wie es sich entwickelt

This post has been edited by AmericanPie1979: Oct 18 2011, 10:43 PM

[$mart]

Hello

32% CPU => with how many players and/or bots ?

Because when my home-server is "attacked", I don't notice CPU increase. ( I just see, with "NetMeter.exe" my Upload traffic growing to 110-120 kB/s (the maximum!), and confirmation is given by "CommView.exe" )

So are you sure your 32% CPU is due to an "attack", maybe another problem ?

GoodLuck

This post has been edited by $mart: Oct 19 2011, 08:02 AM

[Ligustah]

Hello

32% CPU => with how many players and/or bots ?

Because when my home-server is "attacked", I don't notice CPU increase. ( I just see, with "NetMeter.exe" my Upload traffic growing to 110-120 kB/s (the maximum!), and confirmation is given by "CommView.exe" )

So are you sure your 32% CPU is due to an "attack", maybe another problem ?

GoodLuck

It might be due to the fact the the upload rate of servers is much greater than just 120 kB/s. When the attacks first started on my server it reached
upload rates of up to 80 Mbps, which caused high CPU utilization (mostly due to I/O waits)