Drakar Posted November 12, 2011
Thank you omnigenus. I will try it.
peace Posted November 13, 2011
Today I noticed 100% network utilization. I installed your dlls on each server, but even after that network utilization was 30-35%. Those getstatus packets without a full answer to the destination IP still flood the system very badly. Also I noticed that "disconnected" messages are being sent. Is it possible not to send the disconnected message? I believe it will reduce utilization 2 times. Is there any chance you can make it so that IPs are pulled into a txt?
omnigenus Posted November 17, 2011
Ok guys...it's time to do some serious testing. As I said before, I was working on a better solution, 'cause the game server's "disconnect" response is quite a bit smaller than the full server status info, but it still gets through to the final target (victim)...and that's a big NO-NO. So...I need some serious people to help me test my final solution for this flooding problem. My initial tests were more than successful and I need you to confirm that it's working on your systems as well, before I release it to the public. Send me a message if you wish to participate ... it is for your own good after all :'>
peace Posted November 17, 2011
Sent you a message.
omnigenus Posted November 18, 2011
So, only 2 guys are ready to test the solution which should prevent your Windows boxes with CoD games from becoming bots for DDoS attacks on fellow hosters? Nice
ryanb213 Posted November 20, 2011
I'm really interested in this omni, I can't PM yet as my post count isn't high enough I presume, I'll get back to you when I do.
omnigenus Posted November 20, 2011
Final testings are in motion...looks promising :'>
ryanb213 Posted November 20, 2011
omni, are there any ways I can contact you outside of the tcadmin forums? I'm not sure of the amount of posts I need before I can PM users.
DougK94 Posted November 21, 2011
Quoting ryanb213: I'm not sure of the amount of posts I need before I can PM users.
PMs are disabled here
omnigenus Posted November 21, 2011
Just be patient. I rewrote every single line of the code...attacking this stupid problem from a different angle. I decided to block all outgoing communication if the game server receives more than 4 getstatus queries inside a small amount of time...like 250ms. If that's the case, the server will save the getstatus sender's IP in the server's memory and will not respond to new queries for the next 10 seconds, thus preventing you from becoming an attacker. Once I'm sure this works, I'll upload the files here...don't worry, patience...I am human after all
a1164 Posted November 22, 2011
First, thanks for all the effort in patching this! Blocking outgoing may not be ideal, all the incoming packets will still task the server process. It could be better to block incoming |FF FF FF FF| hex (all possible commands, including getstatus, getinfo, etc...). The block should be for more than 15-20 packets in 2 seconds. This is what I use at the COD4 firewall (Linux). Inside the .dll I see you have a check for '????getstatus', I think this could work against all commands if you match against '????' only. Other normal packets don't use this byte sequence at the start. Matching all command packets will also provide better protection against variants of this exploit. ???? = 0xFFFFFFFF
omnigenus Posted November 22, 2011
Quoting a1164: First, thanks for all the effort in patching this! Blocking outgoing may not be ideal, all the incoming packets will still task the server process. It could be better to block incoming |FF FF FF FF| hex (all possible commands, including getstatus, getinfo, etc...). The block should be for more than 15-20 packets in 2 seconds. This is what I use at the COD4 firewall (Linux). Inside the .dll I see you have a check for '????getstatus', I think this could work against all commands if you match against '????' only. Other normal packets don't use this byte sequence at the start. Matching all command packets will also provide better protection against variants of this exploit. ???? = 0xFFFFFFFF
Since it's basically the game itself that's checking those packets, it makes almost no difference if they get through or not. I can't block out all 0xFFFFFFFF 'cause I'm making some additional checks on our servers...this file here is a "trimmed" version of ours, 'cause I'm trying to help. The problem doesn't go away, 'cause Windows still sucks bigtime @ serious network filtering, and this is just a small tool that plays with the socket at API level. I was playing around with looping through serious flooder IPs and putting them into the IPSEC block list, but that's just insanely messy and I don't plan to go there again... In the end, incoming packets reach their destination, unless they're stopped at a higher network level...my only concern is to try to stop being used as a f**** bot for attacking fellow hosters...
a1164 Posted November 22, 2011
Yes, anything that helps is very welcome because more and more servers are getting high incoming traffic volume, 2x the normal or more. Blocking based on outgoing is effective too, I use this besides the fw, as a python script. I agree, it is much harder to make something like that in a Windows environment. The only way attacks will cease is when most of the servers are patched or have an effective firewall in place. ISPs are useless regarding this, I asked @ 3 hosting providers and they can't do a thing, or don't want to, even when I explained to them there are 100+ DRDoS attacks daily done this way. It seems like a good time to be a hacker, nobody cares much.
CobbyJUK Posted November 24, 2011
Is there any linux protection for cod4 servers? Obviously the dlls won't work on it.
a1164 Posted November 24, 2011
"getstatus" on Linux:
http://forum.bigbrotherbot.net/cod4/important-pactch-for-cod4-servers/ (patch, still in beta, no idea why it takes so long to release this)
http://www.splashdamage.com/forums/showthread.php/22936-POTENTIONAL-FIX-etded-x86-getstatus-exploit?p=263686&viewfull=1#post263686 (iptables example)
http://icculus.org/pipermail/cod/2011-November/ (discussion)
http://icculus.org/pipermail/cod/2011-August/thread.html#15397 (discussion about the patch)

I use the Python script from here: http://forum.splatterladder.com/index.php?showtopic=13025&st=0&p=78080entry78080 ... I modified it a bit since the original values are too high at 1000 commands per 3 seconds. I use 100 commands per 10 seconds. Most players don't send more than 20 command packets (with 0xFFFFFFFF) in 10 seconds. Why 10 seconds? Sometimes a legit player may send more than a few in short bursts, not sure why, either the client is trying to connect or there is some other reason.

If you scan for low values or slow flooders, then it's best to match the exact "getstatus" string, to avoid false positives. For example, legit players send 6 or 7 'stats' packets at connect, for game ranking/stats. Not to be confused with 'getstatus' commands. Scripts which reject all command packets when there are more than, say, 3 per second would reject/ban a legit player in this case. This is why I prefer 10 sec intervals. For those who flood your server with 100-2000 packets per second it really doesn't matter how you scan; matching 0xFFFFFFFF (all command packets) may be fastest.
# iptables string match & recent module:
iptables -I INPUT 1 -i eth0 -p udp -m length --length 0:64 -m recent --set --name getstatus_str
iptables -I INPUT 2 -i eth0 -p udp -m string --algo bm --from 32 --to 64 --string "getstatus" -m recent --update --seconds 2 --hitcount 20 --name getstatus_str -j DROP

-- OR --

# iptables u32 '0xFFFFFFFF' match & recent module (faster):
iptables -I INPUT 1 -i eth0 -p udp -m u32 --u32 "0>>22&0x3C@ 8=0xFFFFFFFF" -m recent --set --name getstatus_u32
iptables -I INPUT 2 -i eth0 -p udp -m string --algo bm --from 32 --to 128 --string "getstatus" -m recent --update --seconds 2 --hitcount 20 --name getstatus_u32 -j DROP

# some exploits also give the attacker the option to send SYN floods, so we need to check tcp traffic as well:
iptables -I INPUT 3 -i eth0 -p tcp --syn -m recent --set --name synflood --rsource
iptables -I INPUT 4 -i eth0 -p tcp --syn -m recent --update --seconds 2 --hitcount 20 --name synflood -j DROP

- I use 'eth0', some systems may use a different interface, i.e. eth1 or venet0
- do not use the 'limit' module for iptables, because it will deny legit connections (limit is for all connections)
- the xt_recent module tracks the last 20 packets from 100 ips by default; for a higher 'hitcount' you need to increase the ip_list_tot and ip_pkt_list_tot values

For slow logging (1/s), replace -j DROP with -j LOGDROP and add a new chain like this:
iptables -N LOGDROP
iptables -A LOGDROP -j LOG -m limit --limit 1/s --limit-burst 5 --log-prefix "LOGDROP: " --log-level 7
iptables -A LOGDROP -j DROP
omnigenus Posted November 28, 2011
Ladies, here we go. I've been trying to figure out the solution for our Getstatus DDoS problems and after some brain-exhausting work I did it. The solution I'm about to explain prevents your game servers from becoming a part of someone's botnet, so you don't flood some poor hoster with thousands of server info messages. Please, have in mind: this will not stop your incoming getstatus requests...you need to block that on a higher network level (router...), but it will stop your outgoing packets toward some DDoS victim.

Let's begin.... most of you know what the problem is, so I'll get right to the solution. In the attached file, you'll find my flood testing tool, just like the last time, but this is a newer version and you can now check any cod/2/4/q3 server. I've created a new cod4 server so I can test my solution on it... this image shows all of the responses I got from an unprotected server...and it's a loooooot of f**ing responses...all 500 of the getstatus requests were returned. Every unprotected cod/2/4/q3 server will give you something like this...500 times:

Then I applied my fix and tried again. The server responded to 11 getstatus queries and then stopped sending UDP packets to my IP address. While programming, I was thinking to myself "what would be the best solution for this?" and I decided to use a sort of "ban time" for every IP that sends too many requests over a small period of time. So, if someone floods your game server with getstatus messages, the server will count those requests and compare them with the current time. If too many requests are received in a short time, the IP address sending those queries gets a kind of temp ban...10 seconds to be exact.
After the 10th query, the server decided I should be "temp banned" for 10 seconds:

But...since flooding is a continuous "effort", I made a small "trap" which will ensure that the flooder's IP doesn't get removed from the "temp ban list" for as long as the flooding is active. Basically... if you flood your server, you'll get a 10 seconds "cooling period"...every time you flood the server again in those 10 seconds, even though you don't get any responses from the server, your ban time will be prolonged for 10 more seconds, thus preventing you from getting any responses until you stop flooding the server for at least 10 seconds. Like me here:

Test it, use it, share it

Notes:
- I've decided to allow 10(+1) responses before the "ban time" because some users send up to 5-6 getstatus queries at once...for example, HLSW sometimes does this...this way, your users shouldn't have any problems.
- my testing shows that server performance shouldn't be affected much. I guess that will depend on your hardware.
- please leave your comments in this thread so other users can read your thoughts

CoD_Getstatus_UDP_Flood_Solution.zip
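The following is an added Python model of the policy omnigenus describes (burst of answered queries, then a 10-second temp ban that is prolonged whenever the flooder queries again during the ban) together with a1164's earlier point about matching only "getstatus" versus every 0xFFFFFFFF command packet. It is example code, not omnigenus's DLL and not the script a1164 links to. The 11-response allowance and 10-second ban are the thread's figures; the 1-second burst window (chosen so that the ~3 queries/second omnigenus says should not trip it stays well under the limit), the class and function names, and the sample addresses and packets are assumptions constructed for the example.

```python
"""Per-source rate limiting of Quake3-style 'getstatus' queries.

Added example (not omnigenus's DLL, not a1164's script): a server answers a
small burst of queries from one IP, then stops answering that IP for a
cooling period that is extended every time it queries again while banned.
Whether only 'getstatus' is counted or every out-of-band command packet
(a1164's 0xFFFFFFFF match) is a setting, so the 'stats' false-positive
case can be tried both ways.
"""
import time
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"  # marker of a connectionless (command) packet

# Figures from the thread: 10(+1) answers allowed, then a 10-second ban.
MAX_RESPONSES = 11
BAN_SECONDS = 10.0
# Burst window is not stated in the thread; 1 s is an assumption picked so
# that a client refreshing ~3 times per second is never banned.
WINDOW_SECONDS = 1.0


def parse_command(payload):
    """Return the lower-cased command word of an out-of-band packet
    ('getstatus', 'getinfo', 'stats', ...), or None for ordinary game
    traffic that does not start with 0xFFFFFFFF."""
    if not payload.startswith(OOB_PREFIX):
        return None
    body = payload[len(OOB_PREFIX):]
    # The command word runs up to the first newline, space or NUL.
    for sep in (b"\n", b" ", b"\x00"):
        body = body.split(sep, 1)[0]
    return body.decode("ascii", errors="replace").lower()


class GetstatusLimiter:
    """Decides, per source IP, whether the server should answer a packet."""

    def __init__(self, max_responses=MAX_RESPONSES, window=WINDOW_SECONDS,
                 ban=BAN_SECONDS, commands=("getstatus",)):
        self.max_responses = max_responses
        self.window = window
        self.ban = ban
        # commands=None counts every out-of-band packet (a1164's approach);
        # the default counts only 'getstatus', so the 6-7 'stats' packets a
        # legit client sends at connect never count against it.
        self.commands = None if commands is None else frozenset(commands)
        self.answered = defaultdict(list)  # ip -> times of answered queries
        self.banned_until = {}             # ip -> time the temp ban expires

    def should_respond(self, ip, payload, now=None):
        now = time.monotonic() if now is None else now
        cmd = parse_command(payload)
        if cmd is None:
            return True  # normal game traffic is never rate limited
        if self.commands is not None and cmd not in self.commands:
            return True  # a command we do not count (e.g. 'stats')

        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                # The "trap": a query during the ban restarts the clock, so
                # the flooder is answered only after 10 s of silence.
                self.banned_until[ip] = now + self.ban
                return False
            # Ban served: the IP starts again with a clean slate.
            del self.banned_until[ip]
            self.answered[ip].clear()

        recent = [t for t in self.answered[ip] if now - t < self.window]
        if len(recent) >= self.max_responses:
            self.banned_until[ip] = now + self.ban
            self.answered[ip].clear()
            return False
        recent.append(now)
        self.answered[ip] = recent
        return True


def simulate_flood(limiter, ip, payload, count, start=0.0, interval=0.01):
    """Feed `count` copies of `payload` from `ip`, one every `interval`
    seconds from `start`; return the list of answer/drop decisions."""
    return [limiter.should_respond(ip, payload, now=start + i * interval)
            for i in range(count)]


if __name__ == "__main__":
    # Constructed sample: 500 getstatus queries from one address, like the
    # thread's test tool. Only the first 11 are answered.
    flooder = "203.0.113.5"  # constructed documentation address
    decisions = simulate_flood(GetstatusLimiter(), flooder,
                               OOB_PREFIX + b"getstatus\n", 500)
    print("answered", decisions.count(True), "of", len(decisions))
```

With the default settings the 500-query flood gets 11 answers and then nothing; a client polling three times a second is answered every time; and a 'stats' burst at connect is ignored unless the limiter is created with `commands=None`, in which case it counts like any other command packet, which is the false-positive trade-off a1164 describes.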
ECF Posted November 28, 2011
Thanks for sharing with our users Omni
Bravo17 Posted November 28, 2011
Once again thank you for coding this. One question - I have found that some of the incoming queries have changed to 'getinfo', does this new tool filter them out as well? We also seem to be getting some RDP packets, both Audio and Video (according to the Microsoft network monitor anyway).
ryanb213 Posted November 29, 2011
Hey omni, is it possible that I could get the source to the old version? I'd like to use it in combination with another plugin that I wrote for myproxocket a while ago. (Or the new one if you're extra kind?)
omnigenus Posted November 29, 2011
Quoting ECF: Thanks for sharing with our users Omni
No problem, this affects us all
Quoting Bravo17: Once again thank you for coding this. One question - I have found that some of the incoming queries have changed to 'getinfo', does this new tool filter them out as well? We also seem to be getting some RDP packets, both Audio and Video (according to the Microsoft network monitor anyway).
Getinfo shouldn't be a problem...are you getting many of those (flood) toward a single IP/port?
Quoting ryanb213: Hey omni, is it possible that I could get the source to the old version? I'd like to use it in combination with another plugin that I wrote for myproxocket a while ago. (Or the new one if you're extra kind?)
Yep, just send me an email
Bravo17 Posted November 29, 2011
Quoting omnigenus: Getinfo shouldn't be a problem...are you getting many of those (flood) toward a single IP/port?
We were yesterday when I did a test capture, today not so much, but it still seems to produce over 200 bytes as a response. However today I am seeing some IPs that seem to be able to bypass your solution, with up to 3 request/responses per second over the 20 second or so capture that I just tried.
omnigenus Posted November 29, 2011
3 req./sec will not activate it...that's not enough and could easily be activated by a user constantly refreshing server status in hlsw or xfire
zelatech Posted November 30, 2011
Thanks, we had a server down for a week because of DRDoS, this is insane, Activision should really come out with an official patch!
ryanb213 Posted November 30, 2011
Quoting zelatech: Thanks, we had a server down for a week because of DRDoS, this is insane, Activision should really come out with an official patch!
Anyone who knows the appropriate hex values to change could do it easily, similarly to aluigi's many patches. I'm sure that would be a better alternative than using this, but it's a lot better than nothing.
integrapynoy Posted December 1, 2011
I've had this fix for a while now, just haven't been on the forums recently. But here's a fix. Just upload the 2 files to the root directory of the cod4 folder. You're welcome
CoD4FloodFix.zip
Archived
This topic is now archived and is closed to further replies.