Denial of Service attacks are both illegal, and in my opinion, extremely
immature. Security issues are not a joke, and as a long-time former
server operator I sympathize greatly with other server operators who
have to deal with such attacks every day.
On 3/21/2016 18:43 PM, Tom Devonport wrote:
Thanks for the breakdown, nice to have a full explanation, since it
never came up clearly.
Also, it seems a bit counterintuitive to have your website in your
signature while posting here, especially what the site sells. Unless
I'm missing something? But yeah.
On 21 Mar 2016 22:32, "Brendan H" <[email protected]> wrote:
This update patches a crash exploit circulating for CSGO SRCDS.
This affected both official and community servers. Since this
update came with no documentation for server owners, I thought
I'd do some documentation myself.
The crash worked by using a malicious client to run the ConCommand
"setinfo" in rapid succession for a period of time. Malicious
commands were in the format "setinfo %d %d" where %d was an
incrementing integer. On low-memory configurations, SRCDS could
run out of heap space, or cause high CPU usage - enough to lag the
server.
This memory and resource exhaustion worked because a) setinfo
iterated every registered ConCommand looking for one with the same
name as the first parameter, which would block, b) if none exists,
a new one is created with the specified name and value on the
heap, and c) each unique run of setinfo would cause step (a) to
take longer, thereby consuming more resources.
Prior to this patch, mitigation was possible with SourceMod
plugins that rate-limited ConVars. SourceMod Anti-Cheat had this
capability, among other plugins. Vanilla servers were doneskies.
*Most servers will be unaffected by this patch.* If your server,
for whatever reason, needs to use setinfo or FCVAR_USERINFO in the
middle of the game, then you must selectively whitelist allowed
userinfo keys by defining the FCVAR_USERINFO ConVar on
connection. This can be done quite easily on SourceMod.
1. Listen for OnClientConnect events.
2. Define a new ConVar with the specified key name with flag
FCVAR_USERINFO (9).
Regards,
Brendan H
Senior Software Engineer
Platinum Digital Group LLC
On 3/21/2016 16:52 PM, Vitaliy Genkin wrote:
An optional server stability update for CS:GO has been released. It is
recommended for server operators to update servers with PatchVersion=1.35.2.9
to the latest build ServerVersion=310.
Community servers that need clients to upload changes to their userinfo
entries during gameplay must set all allowed server-side userinfo setting keys
when processing client connect.
GL HF!
_______________________________________________
Csgo_servers mailing list
[email protected]
<mailto:[email protected]>
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
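
A small cost model of the setinfo behaviour described in Brendan H's message above, as an added example that is not part of the original thread and is not Valve's or SourceMod's code. It counts the name comparisons made by the linear scan in steps (a) to (c) and shows how pre-registering allowed keys bounds both memory and scan cost; the class, the key names `team_tag` and `crosshair_code`, and the input are constructed for illustration.

```python
"""Cost model for the setinfo behaviour described in the thread (constructed example)."""


class UserInfoStore:
    """Toy registry: a linear list of [name, value] entries, as in steps (a)-(c)."""

    def __init__(self, allowed_keys=None):
        # allowed_keys=None models the pre-patch behaviour: any name is accepted.
        # A list models the post-patch rule as the thread states it (assumption):
        # only keys defined at client connect may be changed later.
        self.allowed = None if allowed_keys is None else set(allowed_keys)
        self.entries = [[k, ""] for k in (allowed_keys or [])]
        self.comparisons = 0   # name comparisons performed by the linear scan
        self.rejected = 0      # updates dropped because the key is not whitelisted

    def setinfo(self, name, value):
        for entry in self.entries:          # step (a): scan every registered name
            self.comparisons += 1
            if entry[0] == name:
                entry[1] = value
                return True
        if self.allowed is not None:        # whitelist: never create new keys
            self.rejected += 1
            return False
        self.entries.append([name, value])  # step (b): allocate a new entry
        return True


def replay(store, updates):
    """Feed (name, value) pairs to a store; return (entries, comparisons, rejected)."""
    for name, value in updates:
        store.setinfo(name, value)
    return len(store.entries), store.comparisons, store.rejected


# Constructed input: 2000 updates, each with a name not seen before.
UNIQUE = [(str(i), str(i)) for i in range(2000)]
# Hypothetical keys a server might pre-register on connect.
WHITELIST = ["team_tag", "crosshair_code"]

if __name__ == "__main__":
    print("unbounded :", replay(UserInfoStore(), UNIQUE))
    print("whitelist :", replay(UserInfoStore(WHITELIST), UNIQUE))
    print("legit     :", replay(UserInfoStore(WHITELIST), [("team_tag", "abc")] * 5))
```

Without a whitelist the scan cost grows as N(N-1)/2 for N unique names, which is step (c) in the message; with a whitelist it stays linear in N and the entry count never changes.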