Exploit in CoD4 (ddos) ?


sArAkUzZa

Exactly!!

We subscribe to this thread because it's VERY important.

Bringing up a lawsuit is just as silly as my reply.

At 99 cents a slot these days, that won't even buy a lawyer lunch, never mind hiring a firm to sue a company.

-Bobby

 

My thoughts were mainly about addressing the problem at the source, as I don't host the affected servers (COD, Quake etc.). But I'm under attack from the exploits on a regular basis, due to the childishness of the garrysmod communities.



The DLLs are using more CPU resources. Without the DLLs it's about 40-45%, but with the DLLs and a 20-25 Mb/s getstatus flood, CPU usage with the same number of active slots can be 15-20% higher, with spikes. When we were using the previous version of the DLLs, where there was no ban feature, it was better. It doesn't cause any lag because it's not 95-100% CPU usage.


Well, now it's above 90% CPU usage on 2x E5620 with the same number of active slots. It seems that CPU usage gets higher when the flood is more intensive. I guess we will go back to the previous version of the DLLs.

 

*UPD*: CPU usage for the last few minutes was 90-95% with spikes to 100%.


I think the main issue that people here are missing is that the server is taking the brunt of the incoming attacks.

 

Regardless of whether or not you are using the patched .dlls, the system is still processing the flood requests to some degree.

 

The only way I can see to fix this (without IW fixing their code) is to place a hardware firewall between your servers and the Internet.


It doesn't affect our clients. Yes, we get incoming flood packets, but with the previous fix version the servers don't generate much outgoing traffic. For the server where we have a lot of CoD4 game servers we will activate a second 100 Mbit NIC and move one subnet from the first NIC to balance the load.

 

One more problem with a firewall is that we have servers in different DCs, so it's about purchasing more than just one firewall.


  • 3 weeks later...

This is for Linux and people who get UDP floods. I know this is already on, this is just a way to make it stick. Use the following commands.

 

First download iptables.up.rules and upload it to /etc/

http://www.immortal-servers.com/downloads/utilities/iptables.up.rules

 

Then type

 

iptables -L

 

iptables-restore < /etc/iptables.up.rules

 

Then we need to make an auto-start file. Type the following, which will bring up an editor:

 

nano /etc/network/if-pre-up.d/iptables

 

Then paste:

 

#!/bin/bash

/sbin/iptables-restore < /etc/iptables.up.rules

 

Then press CTRL+O to save it and CTRL+X to exit.

 

Then we need to chmod it:

chmod +x /etc/network/if-pre-up.d/iptables

 

and check iptables -L to make sure it's all on and working.

 

Then it's all done.

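A way to put the per-source query rate limit into the kernel firewall itself, so the game server never spends CPU on the flood, as an added example that is not part of the post above and is not the iptables.up.rules file it links to (that file's contents are not on this page). The script writes an iptables-restore file in the same format the procedure above loads with `iptables-restore < /etc/iptables.up.rules`. It assumes a current iptables with the string, multiport and hashlimit match modules, IP packets without options (so the UDP payload begins at offset 28), and illustrative port numbers; the 10 per second figure mirrors the DLL fix's "10 packets in a short time" threshold discussed later in the thread.

```python
"""Generate an iptables-restore file that rate-limits Quake3-engine query
packets (getstatus/getinfo) per source IP on a set of game server UDP ports.
Added example, not the iptables.up.rules file linked in the thread."""
import sys

# Every Quake3-engine connectionless packet starts with four 0xFF bytes; MoH:AA
# and Spearhead insert a 0x02 byte before the command (see the packet.dat
# comparison further down the thread).  iptables --hex-string syntax: |hex|text
QUERY_PATTERNS = [
    f"|{prefix}|{cmd}"
    for prefix in ("ffffffff", "ffffffff02")
    for cmd in ("getstatus", "getinfo")
]
# The string match counts offsets from the IP header: 20 bytes IP + 8 bytes UDP,
# so the UDP payload starts at 28 (assumes no IP options).  Searching only the
# first 20 payload bytes keeps a query string buried inside an in-game packet
# from being counted.
PAYLOAD_START = 28
SEARCH_END = PAYLOAD_START + 20


def build_rules(ports, rate="10/sec", burst=10, chain="Q3QUERY"):
    """Return the rules file text.

    Matching queries jump to `chain`; sources staying under `rate` return to
    INPUT (`burst` allows the short getstatus bursts tools like HLSW send),
    anything above it is dropped before the game server ever sees it.
    """
    dports = ",".join(str(p) for p in ports)
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        f":{chain} - [0:0]",
    ]
    for pattern in QUERY_PATTERNS:
        lines.append(
            f"-A INPUT -p udp -m multiport --dports {dports} "
            f"-m string --algo bm --from {PAYLOAD_START} --to {SEARCH_END} "
            f"--hex-string {pattern} -j {chain}"
        )
    lines.append(
        f"-A {chain} -m hashlimit --hashlimit-upto {rate} --hashlimit-burst {burst} "
        f"--hashlimit-mode srcip --hashlimit-name q3query "
        # entries for sources that go quiet are forgotten after 30 s
        f"--hashlimit-htable-expire 30000 -j RETURN"
    )
    lines.append(f"-A {chain} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # usage: python3 q3rules.py 28960 28961 > /etc/iptables.up.rules
    #        iptables-restore < /etc/iptables.up.rules   (then check iptables -L)
    ports = [int(p) for p in sys.argv[1:]] or [28960]
    sys.stdout.write(build_rules(ports))
```

This drops the flood at the kernel before the game server's recvfrom, which is the part the DLL fix cannot do (it only stops the outgoing replies). Because the hashlimit key is the source IP, spoofed floods that rotate sources will still get through at the per-source rate; the limiter caps what any one victim address can extract from you, it does not make the inbound traffic disappear.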

  • 1 month later...
I think the main issue that people here are missing is that the server is taking the brunt of the incoming attacks.

 

Regardless of whether or not you are using the patched .dlls, the system is still processing the flood requests to some degree.

 

The only way I can see to fix this (without IW fixing their code) is to place a hardware firewall between your servers and the Internet.

 

What would need to be entered on the hardware Firewall for this fix?


  • 2 weeks later...

First of all: respect to omnigenus for creating this fix!

 

We were already using your last version of the fix for some time.

 

But we noticed (since a week ago) that the fix doesn't work for these Medal of Honor versions:

- Allied Assault

- Spearhead

 

The fix also doesn't work for Soldier of Fortune 2. Suddenly 60 Mbps from 4 game servers. Not all game servers started to DDoS.

 

So those games started to send a lot of DDoS traffic even with your fix on them.

 

The easy way without a fix on Windows: change the port.

That will solve the problem for a while.

[Keep in mind: if you create a new server later on the old DDoS port, the DDoS starts again within some minutes or hours.]

 

We haven't had any big traffic problems since we started using the fix, but we still get abuse complaints about the 0.01% of the DDoS that still gets through.

 

Is there also a possibility that part of the botnet changed? The botnet just sends fewer getstatus requests over a longer time, and your fix doesn't ban them because of that?


But we noticed (since a week ago) that the fix doesn't work for these Medal of Honor versions:

- Allied Assault

- Spearhead

 

The fix also doesn't work for Soldier of Fortune 2. Suddenly 60 Mbps from 4 game servers. Not all game servers started to DDoS.

 

The playerslimitermax from Aluigi's site that you are using says that the MoHAA code should be a little bit different? If you look at the packet.dat for the Quake code and the MoH code there is a small difference:

 

Quake code: ????getstatus

MOHaa code: ????.getstatus

 

If you changed this little hex code inside your fix then it should work for MoHAA too? Or not?


 

 

iptables-restore < /etc/iptables.up.rules

 

 

Is the iptables-restore command working for everyone? When running it, I get an error:

[john@server ~]# iptables-restore < /etc/iptables.up.rules
iptables-restore v1.3.5: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.


The playerslimitermax from Aluigi's site that you are using says that the MoHAA code should be a little bit different? If you look at the packet.dat for the Quake code and the MoH code there is a small difference:

 

Quake code: ????getstatus

MOHaa code: ????.getstatus

 

If you changed this little hex code inside your fix then it should work for MoHAA too? Or not?

This topic at the Aluigi forum confirms that my solution should also work for MoH (Allied Assault, Spearhead and Breakthrough) by only implementing/adding the hexadecimal 02 in the current fix!

 

http://aluigi.freeforums.org/post11559.html#p11559

That means that it's enough to add the missing byte (\x02) in the query packet of q3infoboom to test also MOH.

 

This is the only thing that should be changed inside the fix.

Quake code: ????getstatus known as ff ff ff ff 67 65 74 73 74 61 74 75 73

MOHaa code: ????.getstatus known as ff ff ff ff 02 67 65 74 73 74 61 74 75 73

 

I already used the TCadmin forum to send Omnigenus a message and email, like he mentioned before in this topic. But I didn't receive any reaction.

Is there somebody here who has direct contact with him personally? You could show him this post or remind him about this topic to expand the current fix to more Quake 3 engine-based games.


Hello, fellow freaks :grin:

 

I'm sorry but I really had no time to get back into this problem.

 

I got quite a few emails from various people asking about this exploit and the possibility to prevent outgoing flood on other games also (MOH etc.) and I'm sorry if some of them went unanswered, but I spent almost 3 months programming on our latest commercial project and you can surely understand that was a priority for me. I do need money, I "kinda" have my own company to make money (duh) and money doesn't tend to fall from the sky for me, so I need to work for it :D

 

At the moment, the biggest problem we're facing is an increase in this getstatus exploit usage and total cluelessness among game admins, or should I say unawareness of this problem.

 

We're taking "heavy fire", almost regularly, and our incoming traffic is getting critical. Our ACL has over 19,000 IPs, all of them automatically detected by our private version of the plugin, which filters all those flood IPs, so all of those were victims of some sort in the last few months.

 

I'll take a look at all the emails you sent me and I'll create a single plugin for multiple games... this weekend.


Maybe this thread deserves to be open to the public as it's not just a CoD4 problem? What does TCADMIN guru have to say? :p

----------------------------------------------------------------------

 

Guys, here's a new version... PLEASE TEST IT and see if there are any problems with Xfire, HLSW and so on...

HLSW is kinda strange as it sometimes sends a burst of getstatus packets per second... dunno why.

 

So, what's up?

 

  • New testing tool enables you to test Quake 3, CoD series, MoH series, Doom 3 and Quake 4
  • Testing tool now sends getinfo packets... they have a smaller response and work better than getstatus
  • The fix now filters all packets starting with the 4xFF bytes, which means it should work on the Call of Duty series and MoH as well
  • Also, it should filter Doom 3 getInfo packets (had a request from one Quake 4 hoster)
  • Attacker now gets "banned" after 10 packets in a short time and he's out for 30 seconds... if he keeps flooding, he gets the same treatment again. The reason I went with 10 packets is that all commands sent to the server have those same 4 bytes at the beginning, so we don't want to give our users a 30 second "ban" just because they use some idiotic commanders, for example.
  • While an IP is "banned" nothing goes out from your game server to that IP

 

Now a few words, and I do apologize for my bluntness

 

You can't stop incoming attacks with this fix

Let me say this again... YOU CAN'T STOP INCOMING ATTACKS BY SIMPLY PLACING THESE FILES TO YOUR GAME SERVER

Get it? YOU CAN'T....really, YOU-CAN-NOT

 

So, please try to understand that this is simply a tool that stops the attacker from using you as a cheap botnet-amplifying whore... that's the main purpose of these files.

 

You have to stop the flood before it reaches your server... or at least, if your provider is a dick, block those flooding IPs with your firewall, so your game server doesn't have to use CPU power for sorting through thousands of packets per second. That will drastically reduce your server's hunger for CPU power while under flood.

 

You need to share this and talk about this problem

I almost pulled my hair out when one guy asked me "why would i help my rivals?".

You know what? Skr00 you if you think like that.

As long as DDoS attacks can be amplified using your gameservers, you should be working on trying to prevent it.

 

I don't have enough time for this

Please understand, i'm quite busy.

Please don't send me emails unless you really need something important.

Emails like "Would you make me a CoD 4 mod?" and "Why doesn't this stop incoming traffic?" are starting to piss me off

 

So, to be clear:

  • I don't give a damn about mods
  • I won't set this up for you (copy/paste 2 files...come on)
  • I don't give a rats ass if you don't like this solution (stop whining and make a better one)

 

When you spread this fix through forums and such, please don't change the ZIP file content or the readme... refer people to this thread.

People can find various information here which can't be found in the ZIP file itself...new versions for example, or possible problems.

 

Leave feedback here... peace out 8)

UDP_flood_fix_V4.zip

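The ban behaviour listed above (count every packet that starts with the 4xFF bytes per source, put the source out for 30 seconds after 10 packets in a short time, send nothing to it while it is out), together with the Quake-vs-MoH packet difference from the packet.dat comparison earlier in the thread (the extra 0x02 byte before getstatus), as an added Python simulation. This is not omnigenus's DLL code and not anything from the ZIP; the one-second window, the choice that the 10th packet inside the window triggers the ban, and all sample traffic are assumptions constructed for illustration. The sample includes the "slow" botnet pattern asked about earlier, to show why it slips under a pure burst threshold.

```python
"""Per-source flood filter modelled on the V4 fix's described behaviour:
10 connectionless (4xFF) packets in a short window -> 30 s ban, nothing is
answered while banned.  Added example; not the fix's own code.  Assumed: the
window is 1 s, the 10th packet inside it triggers the ban, traffic is simulated."""
from collections import defaultdict, deque

OOB_PREFIX = b"\xff\xff\xff\xff"   # every Quake3-engine connectionless packet


def parse_oob(payload):
    """Return (command, is_moh) for a connectionless packet, None for in-game data.
    Quake3/CoD: ff ff ff ff 'getstatus'      MoH:AA/SH: ff ff ff ff 02 'getstatus'"""
    if not payload.startswith(OOB_PREFIX):
        return None
    body = payload[len(OOB_PREFIX):]
    is_moh = body.startswith(b"\x02")     # the extra byte from the packet.dat diff
    if is_moh:
        body = body[1:]
    # command word ends at the first space, newline or NUL; a challenge may follow
    cmd = body.split(b"\x00", 1)[0].split(b"\n", 1)[0].split(b" ", 1)[0]
    return cmd.decode("ascii", "replace").lower(), is_moh


class FloodFilter:
    def __init__(self, threshold=10, window=1.0, ban_seconds=30.0):
        self.threshold, self.window, self.ban_seconds = threshold, window, ban_seconds
        self.recent = defaultdict(deque)   # src ip -> timestamps of recent OOB packets
        self.banned_until = {}             # src ip -> time the ban expires

    def allow(self, src_ip, payload, now):
        """True if the game server may answer this packet, False if it must stay silent."""
        if parse_oob(payload) is None:
            return True                    # connected-game traffic is never counted (assumption)
        expiry = self.banned_until.get(src_ip)
        if expiry is not None:
            if now < expiry:
                return False               # still banned: nothing goes out to this IP
            del self.banned_until[src_ip]  # ban over; a new flood earns a new ban
        q = self.recent[src_ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # forget packets outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[src_ip] = now + self.ban_seconds
            q.clear()
            return False
        return True


def simulate(packets, flt=None):
    """packets: (time, src_ip, payload) tuples.  Returns {src_ip: (answered, dropped)}."""
    flt = flt or FloodFilter()
    stats = defaultdict(lambda: [0, 0])
    for t, ip, payload in sorted(packets):
        stats[ip][0 if flt.allow(ip, payload, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed sample traffic (not captured data); addresses are documentation ranges.
GETSTATUS = OOB_PREFIX + b"getstatus"
MOH_GETSTATUS = OOB_PREFIX + b"\x02getstatus"
SAMPLE = (
    # spoofed victim A: 100 getstatus in one second -> banned on the 10th
    [(i * 0.01, "192.0.2.10", GETSTATUS) for i in range(100)]
    # spoofed victim B: the "slow" pattern, 5 per second for 10 s; never 10 inside
    # any 1 s window, so every one of the 50 queries is still answered
    + [(i * 0.2, "192.0.2.20", GETSTATUS) for i in range(50)]
    # MoH-style packets fall under the same 4xFF rule
    + [(i * 0.025, "192.0.2.30", MOH_GETSTATUS) for i in range(20)]
    # a real player: one getinfo, then a connect
    + [(0.0, "198.51.100.5", OOB_PREFIX + b"getinfo xxx"),
       (0.1, "198.51.100.5", OOB_PREFIX + b'connect "\\name\\player"')]
)

if __name__ == "__main__":
    for ip, (answered, dropped) in sorted(simulate(SAMPLE).items()):
        print(f"{ip:15} answered={answered:3} dropped={dropped:3}")
```

The numbers make the two points of the post concrete: the filter only changes what leaves the server (victim A still costs you 100 received packets, it just no longer gets 91 replies), and a per-source burst threshold is blind to a botnet that spreads its queries out, which is exactly the gap the earlier question about "fewer getstatus requests over a longer time" describes. Lowering the threshold trades that gap against banning legitimate tools such as HLSW that send bursts.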

You do great work and ALL of us thank you!!

One thing I would like to know...........

You need to share this and talk about this problem

I almost pulled my hair out when one guy asked me "why would i help my rivals?".

 

This clown needs to be outed for sure, real nice!!

 

-bobby


  • 1 month later...

With the latest dll files, V4, when using voice chat it seems to create constant connection interrupts for me.

All other versions seem to work fine, I may be doing something wrong. This is with a 1.7 install on Windows 64-bit.

Has anyone had similar issues?


  • 2 weeks later...

Has anyone had similar issues?

 

Hi, yes, we have experienced connection issues on CoD2 and CoD4, only with a handful of game servers; these we end up having to downgrade to the older patch, which resolves the issue.

All on Win2003 64-bit.


  • 2 weeks later...
