Jump to content

SOF2 High Bandwidth


SickPuppy

Recommended Posts

The problem is someone spoofing IP and flood SOF2 servers with getstatus command. The SOF2 servers responds with a shitload of traffic, as they respond to each request with a fairly higher amount of data.

NFO was one "victim" about a week ago, later on various kinds of hosts. We have had several machines pumping out about 20-25 Mbit/s each.

The main problem is that the Q3-engine doesn't have a cvar to limit the amount of responses serversided.

Link to comment
Share on other sites

For ET servers there is a fix made, but it's only for Linux.

 

The maker of the fix said:

 

It doesnt hack your server. It exploits a weakness in the network protocol. Changing game files wont help as the problem is in the engine. The weakness is very probably present in all Q3 based games.

 

So maybe this is only the beginning :~

Link to comment
Share on other sites

Thanks for the info, but before I change it I want to make sure what I have is correct. Right now in the server.cfg file I have the following

 

seta sv_master5 ""

seta sv_master4 ""

seta sv_master3 "207.38.8.34"

seta sv_master2 "69.93.209.187"

seta sv_master1 "63.146.124.45"

 

Since I do not know what the offending ip is and I do not know that my list is setup the same way yours is, I just can not replace master2. Can you provide what you have set or is this the only thing you have set?

 

George

Link to comment
Share on other sites

  • 2 weeks later...

Guys I need some help here with this issue. These servers are starting to tear though bandwidth. I can not figure out how to stop it other than block the ip, but then the change the ip and I have to block that one. What is causing this. I have changed all the sv_master1 -5 to point to master.caserun.com and I am still getting this issue. How do I stop this?!

Link to comment
Share on other sites

As mentioned, the problem is that Q3-engine games responds to each getstatus request - without any limitations.

 

The attacker sends hundreds or even thousands of getstatus requests per second, using a spoofed IP.

Each server getting the query will respond with a larger amount of data (all status responses) to the spoofed IP - rendering a lot of traffic being sent to an "innocent" IP.

 

IPSec will help you out, but also means you have to identify each new IP sending the attacks - and YES, they change every other day.

 

Best would be getting a coder that can fix this by setting a max value on getstatus responses. As Q3 is open-source nowadays, it can be done. I had a coder fixing a few other exploits a few years back.

I might be interested in this as well, so I could donate towards getting it done.

Link to comment
Share on other sites

I also wanted to post this for creating ip bans using ipsec using a script. This makes it easy to ban an ip and then add other ips from the command line. It would be nice to have a script that some how bans that ip if it gets above 1 megbit of traffic being sent to one ip or something like that.

 

George

Link to comment
Share on other sites

Is there any sort of plugin system for this engine? It is easy for me to fix issues like this for Source games as they already load .dll/.so files as plugins, but I haven't ever messed with actually modifying the core executable.

 

As mentioned, the problem is that Q3-engine games responds to each getstatus request - without any limitations.

 

The attacker sends hundreds or even thousands of getstatus requests per second, using a spoofed IP.

Each server getting the query will respond with a larger amount of data (all status responses) to the spoofed IP - rendering a lot of traffic being sent to an "innocent" IP.

 

IPSec will help you out, but also means you have to identify each new IP sending the attacks - and YES, they change every other day.

 

Best would be getting a coder that can fix this by setting a max value on getstatus responses. As Q3 is open-source nowadays, it can be done. I had a coder fixing a few other exploits a few years back.

I might be interested in this as well, so I could donate towards getting it done.

Link to comment
Share on other sites

I believe what I posted here is the solution

 

http://aluigi.freeforums.org/post11828.html

 

It appears to work but then it will stop after the server has been running for 2 weeks. If you physically restart the server it will work again. That is not a problem for me since I reboot the physical server once a week on a scheduled task. However I am having a bit of an issue understanding how it works. If you look at these two post from that link above

 

Sounds like it should do the trick. I am not sure I am straight on how to use it though.

 

I renamed the quake3_packet.dat to packet.dat and placed it along with the myproxocket.dll and ws2_32.dll into the folder where the exe file resides. I then restarted the server. Is that it?

 

exactly, now using the default quake3_packet.dat you are filtering the "connect" packet.

so if you open packet.dat with a hex editor and remove connect and plage getstatus then you will avoid the sof2 process to handle all these getstatus packets (but you can't avoid the saturation of the line).

 

this is how should look your packet.dat with a hex editor:

 

I understand how to edit the file as well as where to put it, but how does the server know to run the files placed there? If they are just there they will run? Is that the case?

 

George

Link to comment
Share on other sites

I think I have a solution. I have complied the files necessary to prevent excessive data being sent out to attack an ip. I have included the files necessary to work for a windows server. However it does not stop the traffic being sent in. Since the port is open and allows them to send the packets to game server, but the game server will not respond back with info. I tested this on one of my servers. If I removed the ip that I blocked to prevent the excessive data (both inbound and outbound) before the patch, I would jump to 25 megbit traffic. Once I installed the files on all the servers on that box and then restarted them and removed the ban again. it jumped to 2 megbit above what it was at before the ip block. I then added the inbound traffic block on that ip and it went back to normal. So its not a complete fix but it is a start. Also from reading on the site where I got these files, it will only work for about 2 weeks before the physical server has restarted. I have only installed these files on one location at this point. I will check back again tomorrow as they seem to change the ip they attack daily. The one side affect I see so far is that hlsw can no longer be used on these servers. I am assuming it uses the getstatus command to show the server is running. Since it is continuous it eventually is blocked by this patch. To install these file just drop them in the sof2 folder and restart the server. I will let you know what I find out as I do my testing, and please anyone that tests this please post the results back.

 

George

patch.zip

Link to comment
Share on other sites

It appears so. Only if there is constant traffic does it block traffic from that ip. HLSW works for a little while then stops. I am assuming the updates per sec on hlsw are to fast.

 

George

 

In the 'settings' 'My Games' goto SOF2 and edit it, change the priority to 'idle' from 'normal'

 

Should fix that...I have that issue with vent servers sometimes :p

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Who's Online   0 Members, 0 Anonymous, 16 Guests (See full list)

    • There are no registered users currently online
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use