SickPuppy Posted January 20, 2011 Share Posted January 20, 2011 Something seems to be wrong with the SOF2 Master server. All SOF2 servers are using 3-5% of the bandwidth. You need to check your SOF2 as it will eat up your allocated bandwidth quick. Link to comment Share on other sites More sharing options...
Flightwatch Posted January 20, 2011 Share Posted January 20, 2011 Maybe the same hack as with Wolfenstein: ET ? Link to comment Share on other sites More sharing options...
SickPuppy Posted January 20, 2011 Author Share Posted January 20, 2011 Maybe the same hack as with Wolfenstein: ET ? This seems to be an issue with the Master server going offline. Link to comment Share on other sites More sharing options...
Fragnet Posted January 20, 2011 Share Posted January 20, 2011 The problem is someone spoofing IP and flood SOF2 servers with getstatus command. The SOF2 servers responds with a shitload of traffic, as they respond to each request with a fairly higher amount of data. NFO was one "victim" about a week ago, later on various kinds of hosts. We have had several machines pumping out about 20-25 Mbit/s each. The main problem is that the Q3-engine doesn't have a cvar to limit the amount of responses serversided. Link to comment Share on other sites More sharing options...
Flightwatch Posted January 20, 2011 Share Posted January 20, 2011 So it is the same problem I have with some of my ET servers May I ask how you solved it? I changed the port and it was fine, but that's only a temporaly solution and not a customer friendly one. Link to comment Share on other sites More sharing options...
Fragnet Posted January 20, 2011 Share Posted January 20, 2011 I use a sniffer (Wireshark) to identify the "source" and block it using IP-sec rules. Link to comment Share on other sites More sharing options...
Flightwatch Posted January 20, 2011 Share Posted January 20, 2011 For ET servers there is a fix made, but it's only for Linux. The maker of the fix said: It doesnt hack your server. It exploits a weakness in the network protocol. Changing game files wont help as the problem is in the engine. The weakness is very probably present in all Q3 based games. So maybe this is only the beginning Link to comment Share on other sites More sharing options...
SickPuppy Posted January 23, 2011 Author Share Posted January 23, 2011 As I suspected the master server for SOF2 was down when I switched to a alternate master server the problem went away. I do not believe this was an exploit. Link to comment Share on other sites More sharing options...
proclan Posted January 24, 2011 Share Posted January 24, 2011 Have you tried using this: http://aluigi.altervista.org/adv/q3infoboom-adv.txt Link to comment Share on other sites More sharing options...
gemcneill Posted January 26, 2011 Share Posted January 26, 2011 Sick which server did you change to for the master server? George Link to comment Share on other sites More sharing options...
NTS.Nate Posted January 26, 2011 Share Posted January 26, 2011 /set sv_master2 master.caserun.com Link to comment Share on other sites More sharing options...
gemcneill Posted January 26, 2011 Share Posted January 26, 2011 Thanks for the info, but before I change it I want to make sure what I have is correct. Right now in the server.cfg file I have the following seta sv_master5 "" seta sv_master4 "" seta sv_master3 "207.38.8.34" seta sv_master2 "69.93.209.187" seta sv_master1 "63.146.124.45" Since I do not know what the offending ip is and I do not know that my list is setup the same way yours is, I just can not replace master2. Can you provide what you have set or is this the only thing you have set? George Link to comment Share on other sites More sharing options...
gemcneill Posted February 7, 2011 Share Posted February 7, 2011 Guys I need some help here with this issue. These servers are starting to tear though bandwidth. I can not figure out how to stop it other than block the ip, but then the change the ip and I have to block that one. What is causing this. I have changed all the sv_master1 -5 to point to master.caserun.com and I am still getting this issue. How do I stop this?! Link to comment Share on other sites More sharing options...
dimitrifrom31 Posted February 7, 2011 Share Posted February 7, 2011 use ipsec to block the IP Link to comment Share on other sites More sharing options...
Fragnet Posted February 8, 2011 Share Posted February 8, 2011 As mentioned, the problem is that Q3-engine games responds to each getstatus request - without any limitations. The attacker sends hundreds or even thousands of getstatus requests per second, using a spoofed IP. Each server getting the query will respond with a larger amount of data (all status responses) to the spoofed IP - rendering a lot of traffic being sent to an "innocent" IP. IPSec will help you out, but also means you have to identify each new IP sending the attacks - and YES, they change every other day. Best would be getting a coder that can fix this by setting a max value on getstatus responses. As Q3 is open-source nowadays, it can be done. I had a coder fixing a few other exploits a few years back. I might be interested in this as well, so I could donate towards getting it done. Link to comment Share on other sites More sharing options...
gemcneill Posted February 8, 2011 Share Posted February 8, 2011 Anyone know a coder that can do this? Link to comment Share on other sites More sharing options...
gemcneill Posted February 8, 2011 Share Posted February 8, 2011 Also I found this posted as well which applies to what the issue is here, however it appears to stop working after 2 weeks http://aluigi.freeforums.org/post11828.html Link to comment Share on other sites More sharing options...
gemcneill Posted February 8, 2011 Share Posted February 8, 2011 I also wanted to post this for creating ip bans using ipsec using a script. This makes it easy to ban an ip and then add other ips from the command line. It would be nice to have a script that some how bans that ip if it gets above 1 megbit of traffic being sent to one ip or something like that. George Link to comment Share on other sites More sharing options...
Flightwatch Posted February 8, 2011 Share Posted February 8, 2011 Have the same issue with 2 Wolf:ET servers. Someone made a script to solve this for linux based gameservers but not yet for windows. It's mostly with the Q3-engine of ET and SOF2. Link to comment Share on other sites More sharing options...
CrimsonGT Posted February 9, 2011 Share Posted February 9, 2011 Is there any sort of plugin system for this engine? It is easy for me to fix issues like this for Source games as they already load .dll/.so files as plugins, but I haven't ever messed with actually modifying the core executable. As mentioned, the problem is that Q3-engine games responds to each getstatus request - without any limitations. The attacker sends hundreds or even thousands of getstatus requests per second, using a spoofed IP. Each server getting the query will respond with a larger amount of data (all status responses) to the spoofed IP - rendering a lot of traffic being sent to an "innocent" IP. IPSec will help you out, but also means you have to identify each new IP sending the attacks - and YES, they change every other day. Best would be getting a coder that can fix this by setting a max value on getstatus responses. As Q3 is open-source nowadays, it can be done. I had a coder fixing a few other exploits a few years back. I might be interested in this as well, so I could donate towards getting it done. Link to comment Share on other sites More sharing options...
gemcneill Posted February 9, 2011 Share Posted February 9, 2011 I believe what I posted here is the solution http://aluigi.freeforums.org/post11828.html It appears to work but then it will stop after the server has been running for 2 weeks. If you physically restart the server it will work again. That is not a problem for me since I reboot the physical server once a week on a scheduled task. However I am having a bit of an issue understanding how it works. If you look at these two post from that link above Sounds like it should do the trick. I am not sure I am straight on how to use it though. I renamed the quake3_packet.dat to packet.dat and placed it along with the myproxocket.dll and ws2_32.dll into the folder where the exe file resides. I then restarted the server. Is that it? exactly, now using the default quake3_packet.dat you are filtering the "connect" packet. so if you open packet.dat with a hex editor and remove connect and plage getstatus then you will avoid the sof2 process to handle all these getstatus packets (but you can't avoid the saturation of the line). this is how should look your packet.dat with a hex editor: I understand how to edit the file as well as where to put it, but how does the server know to run the files placed there? If they are just there they will run? Is that the case? George Link to comment Share on other sites More sharing options...
gemcneill Posted February 9, 2011 Share Posted February 9, 2011 I think I have a solution. I have complied the files necessary to prevent excessive data being sent out to attack an ip. I have included the files necessary to work for a windows server. However it does not stop the traffic being sent in. Since the port is open and allows them to send the packets to game server, but the game server will not respond back with info. I tested this on one of my servers. If I removed the ip that I blocked to prevent the excessive data (both inbound and outbound) before the patch, I would jump to 25 megbit traffic. Once I installed the files on all the servers on that box and then restarted them and removed the ban again. it jumped to 2 megbit above what it was at before the ip block. I then added the inbound traffic block on that ip and it went back to normal. So its not a complete fix but it is a start. Also from reading on the site where I got these files, it will only work for about 2 weeks before the physical server has restarted. I have only installed these files on one location at this point. I will check back again tomorrow as they seem to change the ip they attack daily. The one side affect I see so far is that hlsw can no longer be used on these servers. I am assuming it uses the getstatus command to show the server is running. Since it is continuous it eventually is blocked by this patch. To install these file just drop them in the sof2 folder and restart the server. I will let you know what I find out as I do my testing, and please anyone that tests this please post the results back. Georgepatch.zip Link to comment Share on other sites More sharing options...
dimitrifrom31 Posted February 10, 2011 Share Posted February 10, 2011 and the servers get properly listed in game? Link to comment Share on other sites More sharing options...
gemcneill Posted February 10, 2011 Share Posted February 10, 2011 It appears so. Only if there is constant traffic does it block traffic from that ip. HLSW works for a little while then stops. I am assuming the updates per sec on hlsw are to fast. George Link to comment Share on other sites More sharing options...
adamnp Posted February 10, 2011 Share Posted February 10, 2011 It appears so. Only if there is constant traffic does it block traffic from that ip. HLSW works for a little while then stops. I am assuming the updates per sec on hlsw are to fast. George In the 'settings' 'My Games' goto SOF2 and edit it, change the priority to 'idle' from 'normal' Should fix that...I have that issue with vent servers sometimes Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.