Jump to content

Exploit in CoD4 (ddos) ?


sArAkUzZa

Recommended Posts

Exactly!!

We subscribe to this thread because its VERY important.

Bringing up a lawsuit is just as silly as my reply.

At 99 cents a slot these days, Won't even buy a lawyer lunch, nevermind hiring a firm to sue a company.

-Bobby

 

My thoughts were to mainly addressing the problem at the source, as I don't host the affected servers (COD, Quake etc). But I'm under attack from the exploits on a regular basis, due to the nature of the childishness of the garrysmod community's.

Link to comment
Share on other sites

  • Replies 149
  • Created
  • Last Reply

Dlls are using more CPU resources. Without dlls its about 40-45% but with dlls and 20-25Mb\s getstatus flood CPU usage with the same amount of active slots can be 15-20% higher with spikes. When we were using previous versions of dlls where was no ban feature it was better. It doesn't cause any lags because its not 95-100% CPU usage.

Link to comment
Share on other sites

Well. Now its above 90% CPU usage of 2xE5620 with the same amount of active slots. It seems that CPU usage gets higher when flood is more intensive. I guess we will go back with previous version of dlls.

 

*UPD*: CPU usage for last few minutes was 90-95% with spikes to 100%.

Link to comment
Share on other sites

I think the main issue that people here are missing is that the server is taking the brunt of the incoming attacks.

 

Regardless of whether or not you are using the patched .dlls, the system is still processing the flood requests to some degree.

 

The only way I can see to fix this (without IW fixing their code) is to place a hardware firewall in between your servers and the Inet.

Link to comment
Share on other sites

It doesn't affect our clients. Yes, we get incoming flood packets but with previous fix version servers don't generate much outgoing traffic. For server where we have a lot of CoD4 game servers we will activate second NIC with 100Mbits and move 1 subnet from first NIC to balance loading.

 

One more problem with firewall is that we have servers in different DCs. So its about purchasing not just 1 firewall.

Link to comment
Share on other sites

  • 3 weeks later...

this is for linux and people who get UDP floods i know this is already on, this is just away to make it stick use the following commands.

 

first download iptables.up.rules and upload to /etc/

http://www.immortal-servers.com/downloads/utilities/iptables.up.rules

 

then type

 

iptables -L

 

iptables-restore < /etc/iptables.up.rules

 

then we need to make a auto start file type the following which will bring up a screen

 

nano /etc/network/if-pre-up.d/iptables

 

then paste

 

#!/bin/bash

/sbin/iptables-restore < /etc/iptables.up.rules

 

then press CTRL + O to save it then CTRL + X to exit

 

then we need to chmod it

chmod +x /etc/network/if-pre-up.d/iptables

 

and check iptables -L to make sure its all on and working

 

then its all done

Link to comment
Share on other sites

  • 1 month later...
I think the main issue that people here are missing is that the server is taking the brunt of the incoming attacks.

 

Regardless of whether or not you are using the patched .dlls, the system is still processing the flood requests to some degree.

 

The only way I can see to fix this (without IW fixing their code) is to place a hardware firewall in between your servers and the Inet.

 

What would need to be entered on the hardware Firewall for this fix?

Link to comment
Share on other sites

  • 2 weeks later...

First of all: respect for omnigenus to create this fix!

 

We were already using your last version of the fix for some time.

 

But we noticed (since a week) that the fix doesn't work for these medal of honor versions:

- Allied Assault

- Spearhead

 

The fix also doesn't work for soldier of fortune 2. Suddenly 60 Mbps from 4 gameservers. Not all gameservers started to ddos.

 

So, those games started to send a lot of ddos even with your fix on it.

 

The easy way without a fix on windows = change the port.

That will solve the problem for a while.

[Keep in mind: Creating a new server later with the old ddos port and the ddos start within some minutes or hours again.]

 

We don't have any big traffic problems since we use the fix, but we still get abuse complaints of the 0,01% ddos that still get's through.

 

Is there also a possibility that a part of the botnet changed? The botnet just sends less getstatus requests in a longer time and your fix doesn't ban them because of that?

Link to comment
Share on other sites

But we noticed (since a week) that the fix doesn't work for these medal of honor versions:

- Allied Assault

- Spearhead

 

The fix also doesn't work for soldier of fortune 2. Suddenly 60 Mbps from 4 gameservers. Not all gameservers started to ddos.

 

The playerslimitermax you are using of Aluigi his site tells that the mohaa code should be a little bit different? If you look at the packet.dat for the quake code and the moh code then there is a small difference:

 

Quake code: ????getstatus

MOHaa code: ????.getstatus

 

If you would change this little hex code inside your fix than it should work for mohaa too? Or not?

Link to comment
Share on other sites

 

 

iptables-restore < /etc/iptables.up.rules

 

 

Is iptables-restore command working for everyone? When running it, I get an error:

[john@server ~]# iptables-restore < /etc/iptables.up.rules
'ptables-restore v1.3.5: iptables-restore: unable to initializetable 'filter

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Link to comment
Share on other sites

The playerslimitermax you are using of Aluigi his site tells that the mohaa code should be a little bit different? If you look at the packet.dat for the quake code and the moh code then there is a small difference:

 

Quake code: ????getstatus

MOHaa code: ????.getstatus

 

If you would change this little hex code inside your fix than it should work for mohaa too? Or not?

This topic @ the aluigi forum confirms that my solution also should work for MOH (allied assault, spearhead and breakthrough) by only implementing/adding the 02 hex decimal in the current fix!

 

http://aluigi.freeforums.org/post11559.html#p11559

That means that it's enough to add the missing byte (\x02) in the query packet of q3infoboom to test also MOH.

 

This is the only thing that should be changed inside the fix.

Quake code: ????getstatus known as ff ff ff ff 67 65 74 73 74 61 74 75 73

MOHaa code: ????.getstatus known as ff ff ff ff 02 67 65 74 73 74 61 74 75 73

 

I already used the TCadmin forum to send Omnigenus a message and email, like he mentioned before in this topic. But I didn't receive any reaction.

Is there somebody here who has direct contact with him personally? You could show him this post or remind him about this topic to expand the current fix to more quake 3 engine based games.

Link to comment
Share on other sites

Hello, fellow freaks :grin:

 

I'm sorry but i really had no time to get back into this problem.

 

I got quite a few emails from various people asking about this exploit and the possibility to prevent outgoing flood on other games also (MOH etc.) and i'm sorry if some of them went unanswered but i spent almost 3 months programming on our latest commercial project and you can surely understand that was a priority for me. I do need money, i "kinda" have ma own company to make money (duh) and money doesn't tend to fall from the sky for me, so i need to work for it :D

 

At the moment, the biggest problem we're facing is an increase in this getstatus exploit usage and total game admins cluesness, or should i say unawareness of this problem.

 

We're taking "heavy fire", almost regularly, and our incoming traffic is getting critical. Our ACL has over 19.000 IPs, all of them automatically detected by our private version of the plugin which filters all those flood IPs so all of those we're victims of some sort in the last few months.

 

I'll take a look at all the emails you sent me and i'll create a single plugin for multiple games....this weekend.

Link to comment
Share on other sites

Maybe this thread deserves to be open to the public as it's not just a CoD4 problem? What does TCADMIN guru have to say? :p

----------------------------------------------------------------------

 

Guys, here's a new version...PLEASE TEST IT and see if there are any problems with xfire, hlsw and so on...

HLSW is kinda strange as it sometimes sends a burst of getstatus packets per second..dunno why.

 

So, what's up?

 

  • New testing tool enables you to test Quake 3, CoD series, MoH series, Doom 3 and Quake 4
  • Testing tool now send getinfo packages..they have smaller response and work better than getstatus
  • The fix now filters all 4xFF bytes packets, which means it should work on Call of Duty series and MoH as well
  • Also, it should filter Doom 3 getInfo packets (had a request from one Quake 4 hoster)
  • Attacker now gets "banned" after 10 packets in a short time and he's out for 30 seconds...if he keeps flooding, he gets the same treatment again. Reason i went with 10 packets is that all commands sent to the server have those same 4 bytes at the beggining so we don't want to give our users a 30 seconds "ban" just because they use some idiotic commanders for example.
  • While IP is "banned" nothing goes out from your game server to that IP

 

Now a few words and i do apologize for my bluntness

 

You can't stop incoming attacks with this fix

Let me say this again... YOU CAN'T STOP INCOMING ATTACKS BY SIMPLY PLACING THESE FILES TO YOUR GAME SERVER

Get it? YOU CAN'T....really, YOU-CAN-NOT

 

So, please try to understand that this is simply a tool that stops the attacker to use you as a cheap botnet amplifying whore..that's the main purpose of these files.

 

You have to stop the flood before it reaches your server....or at least, if your provider is a dick, block those flooding IPs with your firewall, so your game server doesn't have to use CPU power for sorting through thousands of packets per second. That will drastically reduce your server's hunger for CPU power while under flood.

 

You need to share this and talk about this problem

I almost pulled my hair out when one guy asked me "why would i help my rivals?".

You know what? Skr00 you if you think like that.

As long as DDoS attacks can be amplified using your gameservers, you should be working on trying to prevent it.

 

I don't have enough time for this

Please understand, i'm quite busy.

Please don't send me emails unless you really need something important.

Emails like "Would you make me a CoD 4 mod?" and "Why doesn't this stop incoming traffic?" are starting to piss me off

 

So, to be clear:

  • I don't give a damn about mods
  • I won't set this up for you (copy/paste 2 files...come on)
  • I don't give a rats ass if you don't like this solution (stop whining and make a better one)

 

When you spread this fix through forums and such, please don't change the ZIP file content or the readme...refer ppl to this thread

People can find various information here which can't be found in the ZIP file itself...new versions for example, or possible problems.

 

Leave feedback here... peace out 8)~8-)~<img src=:'>

UDP_flood_fix_V4.zip

Link to comment
Share on other sites

You do great work and ALL of us thank you!!

One thing I would like to know...........

You need to share this and talk about this problem

I almost pulled my hair out when one guy asked me "why would i help my rivals?".

 

This clown needs to be outted for sure, real nice!!

 

-bobby

Link to comment
Share on other sites

  • 1 month later...

With the latest dll files, V4, when using voice chat it seems to create constant connection interrupts for me.

All other versions seem to work fine, I may be doing something wrong. This is with a 1.7 install on Windows 64bit.

Has anyone had similar issues?

Link to comment
Share on other sites

  • 2 weeks later...

Has anyone had similar issues?

 

Hi, yes we have experienced connection issues on cod2 and cod4, only with a handfull of gameservers, these we end up having to downgrade to the older patch which resolves the issue

all on win2003 64bit

Link to comment
Share on other sites

  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.

  • Who's Online   0 Members, 0 Anonymous, 17 Guests (See full list)

    • There are no registered users currently online

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use