Exploit in CoD4 (ddos) ?

[sArAkUzZa]

Hi,

 

 

can you leave some contact so we can go through this. I am ready to work with you about that.

[omnigenus]

Click on my nick and mail me?

[omnigenus]

Thank you very much for sharing Omni

No problem...

 

I have two "guinea pigs" at the moment testing this fix.

If it works for them too, i'll upload everything

[ViolentCrimes]

Sorry I might have miss understood this. But is this for the host server protection or is this for the servers that are getting attacked?

[omnigenus]

Sorry I might have miss understood this. But is this for the host server protection or is this for the servers that are getting attacked?

For the host, of course.

After all this is TCADMIN forum, is it not?

[Bubka3]

Has the fix been released yet?

[peace]

I noticed 100% network usage about one hour ago.

 

I started new traffic capture using Microsoft Network Manager 3.4. I thought it was UDP flood to our server but i was mistaken. There was a huge UDP outgoing traffic from gameservers IP:port sources to different destination IP's with port 80.

 

This was solved by blocking UDP traffic to port 80 from all server IP's. Now its normal 30% network usage.

 

I believe this is what Omnigenus was talking about.

 

UPD: I guess the best practice is to deny all traffic and manually set all rules that are needed for game servers and other services. In Windows its a little more complicated to do but in Iptables in Linux is the perfect solution.

[omnigenus]

@peace

Yep, that's it, but port 80 isn't the only destination port and your game server will process that query anyway.

[sArAkUzZa]

Testing patch with omni...it looks that it is really working!!!

 

Thanks to him.

[omnigenus]

Ok guys, here's a small fix i made...it well help you with this problem.

 

So, what is this all about?

I'll try to keep it short...

 

This fix will allow only one getstatus response per second, per IP.

 

So, if someone sends 100 getstatus queries to your server, in a single second, your CoD4 server will respond with a single serverstatus message.

 

So, if you do the basic math, your server will send just 1 kB/s instead of 100kB/sec...multiply that by the number of affected servers on your machines and by the number of possible simultaneous attacks....yeah

 

 

Now you're able to put a smile on your face

 

 

==================== THE GOOD PART ====================

 

1. Download

 

2. Read the readme file

 

 

ZIP file includes my getstatus flood testing tool...

 

If your servers are vulnerable, like this random german server i tested this on, you'll get something like this:

 

If your server are protected, you'll get something like this:

CoD4_Getstatus_Flood_Fix.zip

[peace]

Does it limit getstatus queries from 1 IP per second or how does it work?

[omnigenus]

Does it limit getstatus queries from 1 IP per second or how does it work?

 

Exactly...limits getstatus queries to 1 query per IP, per second

[peace]

Any chance to get source code?

 

I know how to set this rule in IPTables but on Windows it's more complicated.

[omnigenus]

Sorry, but i'll keep my coding for myself. Nothing personal, i just feel like i did enough already

 

My work on this is done and it's completely free...you can simply take it or leave it.

 

Feel free to look into Luigi Auriemma's Proxocket tool...it's opensource and you'll get the hang of it, if you know c.

If you don't, you wouldn't have any real use of my code anyway.

[peace]

Testing patch with omni...it looks that it is really working!!!

 

Thanks to him.

 

Did it solve the problem? Any issues?

[leetservers]

Works great, thanks omni!

-bobby

[Goran]

tested and solves the problem, gj. to the coder

[wes540]

tested a works, thanks

saves having loads of ipsec rules for outgoing udp traffic

[omnigenus]

Well, as i said, this is a quick fix and it's not the final solution for this problem.

 

It helps a great deal, yes, but it's far from being perfect.

 

I have some new ideas and i'm working on them, but don't want to have gs performance trouble...if i finish it, i'll give you an update

[ViolentCrimes]

What about quake 3 it has the same exploit.

[omnigenus]

What about quake 3 it has the same exploit.

This fix should work on Q3 as well

[gemcneill]

This fix for cod2 only works for a while and then they attack can start again. It lasts for a few min at a time then seems to stop working. Any one have any ideas?

 

George

[Brett]

Thank you for this. Someone had turned one of our COD4 servers into a DDoS bot, so glad to have it resolved.

[Drakar]

Any news about gemcneill comment?

 

Thank you

 

This fix for cod2 only works for a while and then they attack can start again. It lasts for a few min at a time then seems to stop working. Any one have any ideas?

 

George

[omnigenus]

Shouldn't be happening as it has no corelation to time. There are some limitations to the number of IP addresses kept in memory in any given time but still