I'm looking at the tool now. The attack is stupid simple: it opens a TCP connection and sends bogus data over and over as fast as it can. The server wastes frames processing these packets and quickly chokes and dies. The server makes no attempt to close this bogus connection either.

What are the normal constraints for valid packets/second you can expect from a player? I'd like to put together a firewall rule to block this attack in the meantime...

- Neph

On Mon, Apr 28, 2008 at 6:17 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
> I just noticed that. Pity my hastiness.
>
> Daron Dodd wrote:
> > You already did when you told everyone the name of the program in the first email. Google is a very powerful tool.
> >
> > On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
> >> My big problem here is that I do not have root access to any of my servers. We used to have all our servers on our own dedi, but BECAUSE of these attacks, we decided to scrap the dedi and spread our servers across different IP ranges by paying per slot in different locations. Even though we can still be attacked, the attack is limited to one server at a time. That server is usually our Windows 50 man ZombieMod server in Chicago. I'm currently working with the host to see if the attack can be detected and blocked automatically.
> >>
> >> I've had a couple of people email me asking for this "Nuker" program, or the link to where to download it. I've notified Alfred of the issue and sent him the link to the program, however he recommends that I be careful at how I present my report to the non-moderated HLDS mailing list. Hence, I will not give this program to ANYBODY unless on Alfred's approval.
> >>
> >> Chad Austin wrote:
> >>> Post a dump of packets please, or just link to program so it can be analyzed.
> >>>
> >>> Ian Shaffer wrote:
> >>>> Dear Network Administrator,
> >>>>
> >>>> Over the past few months my servers have been brought to their knees dozens of times through "nuke" style Denial of Service attacks. Simply put, players start teleporting around, pings gradually start increasing for all players and the timer slows down. After a couple minutes of being attacked, you are nearly frozen from movement and the timer takes a decade to tick down, and pings have skyrocketed. Players then leave the server.
> >>>>
> >>>> Well earlier this week I "interrogated," pardon the pun, a member of my community who had made an exclamation that it would start to get real laggy in one of our servers earlier in the day. That server, our Zombie Server, started getting nuked just a couple minutes after. I was fairly certain it was him who started the attack. In the evening, I talked to this guy, his alias is "ST. GEORGE," and explained to him that I believed it was him who was "nuking" our servers. I acted very sincere when I told him that I had logged his IP address and was planning on filing a formal abuse complaint to his ISP, Road Runner. He somewhat panicked at hearing this, and confessed as to what he was doing.
> >>>>
> >>>> He sent me a link to download the same hacking tool he said he was using. Hackers Assistant is the program. I scanned the program for any trojans or viruses it might have; it was clean. I ran it and discovered a feature called "Nuker." In there it prompted for a server IP address and port and a box to input a message. One would simply put a server's info in there, type some random stuff in the message box, and click "Nuke."
> >>>>
> >>>> A former member of our community and admitted nuker "ST. GEORGE" tested the software. I was shocked. It was working. The server was being attacked just as described above. I held a sense of accomplishment knowing that I had found the cause of my problems. I therefore began looking for a way to block this program's abilities. Now I needed to know what types of servers this program could attack. ST. GEORGE then showed off nuke attacks on dozens of popular servers in the US and UK, highly popular servers like 24/7 Office Noob Galore and Zombiemod | XFactorGaming, and the program worked to bring down each and every one of them to their knees. There was only one server he was not able to nuke attack, evidently the #1 CSS server in the United States, CantStopGaming CS:S.
> >>>>
> >>>> This program affects practically every single server in CS:S. The interesting part of it is that this program doesn't advise usage towards any particular genre of online infrastructure. ST. GEORGE tried running this program on CoD servers, BF2 and BF2142 servers, Halo PC servers, SA:MP servers, and Quake 4 servers. It didn't work on any of those games. However, it worked on the other popular Source-based game out today, Team Fortress 2. Every TF2 server ST. GEORGE checked was nuke-able, with the same effects felt in-game. This leads me to the conclusion that there must be an exploit in the Source engine allowing this program to nuke all servers using the Source engine.
> >>>>
> >>>> While our server was getting attacked last time, I gathered critical data. I've determined that the program does not eat up the server's bandwidth. Instead, it seems to flood the server with messages/commands, so much that it tops out CPU usage. Below is a sample of my console as our server was undergoing a recent attack with the program. Midway through the data, the perpetrator aborted the nuke attack. You can see the server recovering as the CPU usage goes down and server FPS comes back to normal. This data was gathered with 8 others in-game.
> >>>>
> >>>> ===========================================
> >>>>
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 96.59 16841.92 3909.91 110 4 10.00 9
> >>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 96.04 17937.41 3958.69 110 4 10.00 9
> >>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 95.54 17590.70 3970.64 110
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 100.00 17354.72 3966.19 110 4 523.25 9
> >>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
> >>>>
> >>>> ======== HERE THE ATTACK WAS ABORTED =========
> >>>>
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 75.57 16933.90 4148.69 110 4 508.36 9
> >>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 75.57 16750.93 4596.00 110 4 509.13 9
> >>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 52.55 16518.30 6391.86 110 4 509.97 9
> >>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 40.46 16520.83 9229.05 110 4 511.77 9
> >>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
> >>>> ] rcon stats
> >>>> CPU In Out Uptime Users FPS Players
> >>>> 40.46 16452.49 11473.37 110 4 514.49 9
> >>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
> >>>>
> >>>> ============================================
> >>>>
> >>>> I very much hope that this exploit can be stomped out. My community has suffered all too much at the hands of the kiddies that run these types of programs for their own vain pleasure. I speak for server operators everywhere when I say, this issue must be fixed!
> >>>>
> >>>> Thank you very much for taking the time to read my post. I hope some good will come out of it!
> >>>>
> >>>> Sincerely,
> >>>> David "Eaglewonj" Gaipa

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
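A defender-side check that follows from the thread: Ian's own `rcon stats` dump shows the attack does not move the bandwidth columns, but pegs CPU while server FPS collapses from ~500 to 10, so that pairing is the signal an operator or host could poll for. This is an added example, not code from anyone on the list; the sample rows, the placeholder rcon address, the 90% CPU threshold and the 500 FPS baseline are assumptions modelled on the dump above.

```python
from typing import Dict, List

# Constructed sample in the layout of the thread's `rcon stats` dump (header row,
# values row, rcon log line). Placeholder address; second row truncated on purpose.
SAMPLE_CONSOLE = """\
] rcon stats
CPU In Out Uptime Users FPS Players
96.59 16841.92 3909.91 110 4 10.00 9
L 04/27/2008 - 01:23:04: rcon from "203.0.113.5:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
95.54 17590.70 3970.64 110
] rcon stats
CPU In Out Uptime Users FPS Players
75.57 16933.90 4148.69 110 4 508.36 9
"""
HEADER = ["CPU", "In", "Out", "Uptime", "Users", "FPS", "Players"]
# Assumed thresholds read off the dump: healthy ~500 FPS, choked ~10 FPS at 95%+ CPU.
CPU_SATURATED = 90.0
FPS_COLLAPSE_RATIO = 0.1


def parse_stats(console: str) -> List[Dict[str, float]]:
    """Return each complete values row that follows a header row as a dict."""
    # Truncated rows (wrong field count) are skipped, not guessed at; the
    # rcon log lines and the '] rcon stats' prompt are ignored.
    lines = console.splitlines()
    samples = []
    for i, line in enumerate(lines[:-1]):
        if line.split() != HEADER:
            continue
        fields = lines[i + 1].split()
        if len(fields) != len(HEADER):
            continue
        try:
            samples.append(dict(zip(HEADER, map(float, fields))))
        except ValueError:
            continue
    return samples


def is_choked(sample: Dict[str, float], baseline_fps: float) -> bool:
    """The thread's signature: CPU pegged while server FPS collapses."""
    # Bandwidth is left out on purpose: the dump shows the 'In' column
    # barely moving between attack and recovery.
    return sample["CPU"] >= CPU_SATURATED and sample["FPS"] <= baseline_fps * FPS_COLLAPSE_RATIO


def choked_samples(console: str, baseline_fps: float = 500.0) -> List[Dict[str, float]]:
    """Parse a console dump and keep only the samples that look choked."""
    return [s for s in parse_stats(console) if is_choked(s, baseline_fps)]
```

Fed the thread's real dump, the rule flags the three ~10 FPS rows before the abort marker and none after it, which is the transition Ian describes in prose.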