The difference here is that the amount of data this tool is moving is
not significant, and certainly not enough to exhaust network
resources. Simple data-rate limits on firewalls would negate the
attacks if so. The problem is the server software (srcds) is wasting
huge amounts of processing power on these invalid packets, when it
should be very quickly discarding them and dropping connections that
pass certain corruption thresholds. It should also reject
reconnection spam so that they can't just reconnect over and over.
This would make an attack like this worthless.

- Neph

On Mon, Apr 28, 2008 at 6:32 PM, Brian D'Arcy <[EMAIL PROTECTED]> wrote:
> I'm afraid that this type of attack has been around since the late 90's, if
>  not earlier.
>
>  It's basically pounding random UDP data (or maybe nowadays more structured
>  data) at raw listen ports.  The application listening does what it's
>  programmed to do, parse the input and use up available resources in order to
>  do so.
>
>  There's not a whole lot any individual can do about this.  The only thing I
>  can see resolving this, assuming it becomes a widespread problem, is valve
>  updating the query/response code to ignore the random data spewed at it in a
>  much more efficient manner so that the only thing which occurs is a loss of
>  some available bandwidth instead of the "melt" effect you see as servers
>  start to choke out.
>
>  In a nutshell, it's a DDOS tool, minus the distributed part.
>
>  On Mon, Apr 28, 2008 at 6:17 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
>
>  > I just noticed that. Pity my hastiness.
>  >
>  > Daron Dodd wrote:
>  > > you already did when u told everyone the name of the program in the
>  > > first email. google is a very powerful tool.
>  > >
>  > > On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer
>  > > <[EMAIL PROTECTED]> wrote:
>  > >
>  > >> My big problem here is that I do not have root access to any of my
>  > >> servers. We used to have all our servers on our own dedi, but BECAUSE of
>  > >> these attacks, we decided to scrap the dedi and spread our servers
>  > >> across different IP ranges by paying per slot in different locations.
>  > >> Even though we can still be attacked, the attack is limited to one
>  > >> server at a time. That server is usually our Windows 50 man ZombieMod
>  > >> server in Chicago. I'm currently working with the host to see if the
>  > >> attack can be detected and blocked automatically.
>  > >>
>  > >> I've had a couple people email me asking for this "Nuker" program, or
>  > >> the link to where to download it. I've notified Alfred of the issue and
>  > >> sent him the link to the program, however he recommends that I be
>  > >> careful at how I present my report to the non-moderated HLDS mailing
>  > >> list. Hence, I will not give this program to ANYBODY unless on Alfred's
>  > >> approval.
>  > >>
>  > >>
>  > >> Chad Austin wrote:
>  > >>
>  > >>> Post a dump of packets please, or just link to program so it can be
>  > >>> analyzed.
>  > >>>
>  > >>> Ian Shaffer wrote:
>  > >>>
>  > >>>
>  > >>>> Dear Network Administrator,
>  > >>>>
>  > >>>> Over the past few months my servers have been brought to their knees
>  > >>>> dozens of times through "nuke" style Denial of Service attacks. Simply
>  > >>>> put, players start teleporting around, pings gradually start increasing
>  > >>>> for all players and the timer slows down. After a couple minutes of
>  > >>>> being attacked, you are nearly frozen from movement and the timer takes a
>  > >>>> decade to tick down, and pings are skyrocketed. Players then leave the
>  > >>>> server.
>  > >>>>
>  > >>>> Well earlier this week I "interrogated," pardon the pun, a member of my
>  > >>>> community who had made an exclamation that it would start to get real
>  > >>>> laggy in one of our servers earlier in the day. That server, our Zombie
>  > >>>> Server, started getting nuked just a couple minutes after. I was fairly
>  > >>>> certain it was him who started the attack. In the evening, I talked to
>  > >>>> this guy, his alias is "ST. GEORGE," and explained to him that I
>  > >>>> believed it was him who was "nuking" our servers. I acted very sincere
>  > >>>> when I told him that I had logged his IP address and was planning on
>  > >>>> filing a formal abuse complaint to his ISP, Road Runner. He somewhat
>  > >>>> panicked at hearing this, and confessed as to what he was doing.
>  > >>>>
>  > >>>> He sent me a link to download the same hacking tool he said he was
>  > >>>> using. Hackers Assistant is the program. I scanned the program for any
>  > >>>> trojans or viruses it might have, it was clean. I ran it and discovered
>  > >>>> a feature called "Nuker." In there it prompted for a server IP address
>  > >>>> and port and a box to input a message. One would simply put a server's
>  > >>>> info in there, type some random stuff in the message box, and click
>  > >>>> "Nuke."
>  > >>>>
>  > >>>> A former member of our community and admitted nuker "ST. GEORGE" tested
>  > >>>> the software. I was shocked. It was working. The server was being
>  > >>>> attacked just as described above. I held a sense of accomplishment
>  > >>>> knowing that I had found the cause of my problems. I therefore began
>  > >>>> looking for a way to block this program's abilities. Now I needed to know
>  > >>>> what types of servers this program could attack. ST. GEORGE then showed
>  > >>>> off nuke attacks on dozens of popular servers in the US and UK, highly
>  > >>>> popular servers like 24/7 Office Noob Galore and Zombiemod |
>  > >>>> XFactorGaming, and the program worked to bring down each and every one
>  > >>>> of them to their knees. There was only one server he was not able to
>  > >>>> nuke attack, evidently the #1 CSS server in the United States,
>  > >>>> CantStopGaming CS:S.
>  > >>>>
>  > >>>> This program affects practically every single server in CS:S. The
>  > >>>> interesting part of it is that this program doesn't advise usage towards
>  > >>>> any particular genre of online infrastructure. ST. GEORGE tried running
>  > >>>> this program on CoD servers, BF2 and BF2142 servers, Halo PC servers,
>  > >>>> SA:MP servers, and Quake 4 servers. It didn't work on any of those
>  > >>>> games. However, it worked on the other popular Source-based game out
>  > >>>> today, Team Fortress 2. Every TF2 server ST. GEORGE checked was
>  > >>>> nuke-able, with the same effects felt in-game. This leads me to the
>  > >>>> conclusion that there must be an exploit in the source engine allowing
>  > >>>> this program to nuke all servers using the source engine.
>  > >>>>
>  > >>>> While our server was getting attacked last time, I gathered critical
>  > >>>> data. I've determined that the program does not eat up the server's
>  > >>>> bandwidth. Instead, it seems to flood the server with messages/commands,
>  > >>>> so much that it tops out CPU usage. Below is a sample of my console as
>  > >>>> our server was undergoing a recent attack with the program. Midway
>  > >>>> through the data, the perpetrator aborted the nuke attack. You can see
>  > >>>> the server recovering as the cpu usage goes down and server FPS comes
>  > >>>> back to normal. This data was gathered with 8 others in-game.
>  > >>>>
>  > >>>> ===========================================
>  > >>>>
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 96.59 16841.92 3909.91 110 4 10.00 9
>  > >>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 96.04 17937.41 3958.69 110 4 10.00 9
>  > >>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 95.54 17590.70 3970.64 110
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 100.00 17354.72 3966.19 110 4 523.25 9
>  > >>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
>  > >>>>
>  > >>>> ======== HERE THE ATTACK WAS ABORTED =========
>  > >>>>
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 75.57 16933.90 4148.69 110 4 508.36 9
>  > >>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 75.57 16750.93 4596.00 110 4 509.13 9
>  > >>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 52.55 16518.30 6391.86 110 4 509.97 9
>  > >>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 40.46 16520.83 9229.05 110 4 511.77 9
>  > >>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>  > >>>> ] rcon stats
>  > >>>> CPU In Out Uptime Users FPS Players
>  > >>>> 40.46 16452.49 11473.37 110 4 514.49 9
>  > >>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
>  > >>>>
>  > >>>> ============================================
>  > >>>>
>  > >>>>
>  > >>>> I very much hope that this exploit can be stomped out. My community has
>  > >>>> suffered all too much to the hands of the kiddies that run these types
>  > >>>> of programs for their own vain pleasure. I speak for server operators
>  > >>>> everywhere when I say, this issue must be fixed!
>  > >>>>
>  > >>>> Thank you very much for taking the time to read my post. I hope some
>  > >>>> good will come out of it!
>  > >>>>
>  > >>>> Sincerely,
>  > >>>> David "Eaglewonj" Gaipa
>  > >>>>
>  > >>>> _______________________________________________
>  > >>>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
>  > >>>> http://list.valvesoftware.com/mailman/listinfo/hlds
>  > >>>>

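The three mitigations the thread asks of the server software (discard malformed datagrams with a cheap check before any parsing, stop servicing a source once it crosses a corruption threshold, and treat reconnection spam the same way) are sketched here as an added example in Python. It is not srcds or any Valve code and was not posted by anyone in the thread. The thresholds, the `'q'` connect byte, the simplified "out-of-band header only" validity check, the RFC 5737 documentation addresses and the sample traffic are all assumptions made for illustration.

```python
"""Per-source abuse accounting for a UDP game-server listener (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Source-engine connectionless ("out of band") datagrams start with 0xFFFFFFFF.
# In this simplified model that header is the only traffic accepted at all.
OOB_HEADER = b"\xff\xff\xff\xff"
CONNECT_CMD = ord("q")  # hypothetical command byte marking a connect request


@dataclass
class Policy:
    window: float = 10.0         # seconds of history kept per source (assumed)
    max_invalid: int = 20        # malformed datagrams per window before a block
    max_connects: int = 5        # connect requests per window before a block
    block_seconds: float = 60.0  # how long a blocked source is ignored


@dataclass
class SourceState:
    invalid: deque = field(default_factory=deque)   # timestamps of bad packets
    connects: deque = field(default_factory=deque)  # timestamps of connects
    blocked_until: float = 0.0


class AbuseTracker:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.sources = defaultdict(SourceState)

    @staticmethod
    def cheap_validate(data: bytes) -> bool:
        """Constant-cost sanity check run before any parsing work."""
        return 5 <= len(data) <= 1400 and data.startswith(OOB_HEADER)

    def _count_in_window(self, q: deque, now: float) -> int:
        """Drop timestamps older than the window and return what is left."""
        cutoff = now - self.policy.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def handle(self, source, data: bytes, now: float) -> str:
        """Return what the listener should do with one datagram from `source`."""
        st = self.sources[source]
        if now < st.blocked_until:
            return "blocked"    # cheapest path: no validation, no parsing
        if not self.cheap_validate(data):
            st.invalid.append(now)
            if self._count_in_window(st.invalid, now) >= self.policy.max_invalid:
                st.blocked_until = now + self.policy.block_seconds
                return "blocked"
            return "dropped"    # discarded without ever touching the parser
        if data[4] == CONNECT_CMD:
            st.connects.append(now)
            if self._count_in_window(st.connects, now) > self.policy.max_connects:
                st.blocked_until = now + self.policy.block_seconds
                return "blocked"
            return "connect"
        return "accepted"       # only now would the real parser run


def simulate() -> dict:
    """Constructed traffic: one garbage flooder, one reconnect spammer, one player."""
    tracker = AbuseTracker()
    flooder = ("203.0.113.7", 27015)   # RFC 5737 documentation addresses
    spammer = ("203.0.113.8", 27015)
    player = ("198.51.100.4", 27005)
    garbage = b"\x00junk junk junk junk"                  # no OOB header
    info_query = OOB_HEADER + b"TSource Engine Query\x00"  # A2S_INFO payload
    connect = OOB_HEADER + bytes([CONNECT_CMD]) + b"\x00"
    out = defaultdict(int)
    t = 1000.0
    for i in range(30):   # 30 garbage datagrams in 0.3 s
        out["flood_" + tracker.handle(flooder, garbage, t + i * 0.01)] += 1
    for i in range(7):    # 7 connect requests in 0.7 s
        out["spam_" + tracker.handle(spammer, connect, t + 2 + i * 0.1)] += 1
    # a legitimate player on another address is unaffected by either block
    out["player_" + tracker.handle(player, info_query, t + 0.5)] += 1
    out["player_" + tracker.handle(player, connect, t + 0.6)] += 1
    # the flooder stays ignored after its window passes but before its block ends
    out["late_" + tracker.handle(flooder, info_query, t + 30.0)] += 1
    return dict(out)


if __name__ == "__main__":
    for action, count in sorted(simulate().items()):
        print(f"{action:16s} {count}")
```

The ordering inside `handle` is the point: a blocked source costs one dictionary lookup and one comparison, a malformed datagram costs a length check and a four-byte prefix compare, and the expensive parser is only reached by traffic that has passed both. A real implementation would also bound the number of tracked sources and expire idle entries so the tracker itself cannot be made to grow without limit.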