hlds/srcds's handling of packets needs more sanity/rate checks, there
are numerous different types of packet you can flood at the server to
confuse it in different ways.

Also, the length 0 bans can just be done with this firewall rule:

-A INPUT -p udp -m udp --dport 27015 -m length --length 28 -j DROP

That is a DIFFERENT DoS exploit; this one appears to be spamming
connect packets.

- Neph
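
Neph's point about per-packet sanity/rate checks and the "connect" / "Insufficient connection info" exchange in Darren's capture quoted below, as an added example that is not part of this thread: a Python parser that pulls the UDP payload out of a raw IPv4 datagram (stopping at the UDP length field, so the Ethernet padding visible in the capture is never read as data), classifies it as zero-length, out-of-band command or in-game traffic, and counts empty and OOB "connect" packets per source so that only sources over a threshold get a single-IP DROP rule instead of banning on the first sighting. The sample frames, RFC 5737 addresses and threshold are constructed for the example; the ffffffff marker and the command names are the ones visible in the capture.

```python
import struct
from collections import Counter
OOB_MARKER = b"\xff\xff\xff\xff"  # HL engine out-of-band (connectionless) packet prefix

def build_udp(src, dst, sport, dport, payload, pad=0):
    """Minimal IPv4/UDP datagram for test input (checksums 0); pad mimics Ethernet min-frame padding."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload + b"\x00" * pad

def parse_ipv4_udp(frame):
    """(src, dst, sport, dport, payload) or None; payload is cut at the UDP length, not at the frame end."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or frame[9] != 17 or total_len > len(frame) or total_len < ihl + 8:
        return None
    sport, dport, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    if udp_len < 8 or ihl + udp_len > total_len:
        return None  # UDP length disagrees with the IP header: treat as malformed, do not guess
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (12, 16))
    return src, dst, sport, dport, frame[ihl + 8:ihl + udp_len]

def classify(payload):
    """'empty' = no payload (IP total length 28, what the iptables rule drops); 'oob:<cmd>'; 'game'."""
    if not payload:
        return "empty"
    if payload.startswith(OOB_MARKER):
        cmd = payload[4:].split(b"\x00", 1)[0].split(b"\n", 1)[0].split(b" ", 1)[0]
        return "oob:" + cmd.decode("ascii", "replace")
    return "game"

def flood_sources(frames, server_port, threshold):
    """Count empty/OOB-connect packets per source to server_port; at/over threshold emit a single-IP DROP rule."""
    counts = Counter()
    for frame in frames:
        pkt = parse_ipv4_udp(frame)
        if pkt and pkt[3] == server_port and classify(pkt[4]) in ("empty", "oob:connect"):
            counts[pkt[0]] += 1
    return {src: f"iptables -I INPUT -s {src}/32 -p udp --dport {server_port} -j DROP"
            for src, n in counts.items() if n >= threshold}

# Constructed sample (RFC 5737 addresses): 3 'connect' floods, 3 length-0 probes, 1 getchallenge, 1 game packet.
SAMPLE_FRAMES = [build_udp("198.51.100.7", "203.0.113.5", 25766, 27015, OOB_MARKER + b"connect", pad=7)] * 3 \
    + [build_udp("198.51.100.9", "203.0.113.5", 40000, 27015, b"", pad=18)] * 3 \
    + [build_udp("198.51.100.20", "203.0.113.5", 27005, 27015, OOB_MARKER + b"getchallenge\n"),
       build_udp("198.51.100.21", "203.0.113.5", 27005, 27015, b"\x01\x00\x00\x00hello")]
```

Running `flood_sources(SAMPLE_FRAMES, 27015, 3)` flags only the two flooding sources; the getchallenge and in-game senders are left alone.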

On Tue, Mar 24, 2009 at 1:42 PM, Vladimir Osipenko <tiff...@gmail.com> wrote:
> I have an older version of this EXE, it didn't create anything.
>
> So how I did the ban:
> Maybe not so perfect, but works:
>
> #!/bin/bash
>
> # Anti-Flooder Script (run as root: tcpdump and iptables need it)
> # Every second: capture up to 1000 inbound packets for port 27015, pull the
> # source address of every zero-length datagram, and DROP each new address once.
> touch ban_now.ban
> while true
> do
>        # options before the filter; only inbound traffic so the server's own
>        # address can never end up in the ban list
>        tcpdump -n -l -c 1000 udp dst port 27015 | grep 'length 0$' \
>                | awk '{print $3}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort -u > ban.ban
>        while read -r line
>        do
>        #       echo "param pam pam $line"
>                # exact-match so 1.2.3.4 does not also match 1.2.3.45
>                if ! grep -qxF "$line" ban_now.ban; then
>                        echo "$line" >> ban_now.ban
>                        iptables -I INPUT -s "$line"/32 -j DROP
>                fi
>        done < ban.ban
>        sleep 1
> done
>
>
> 2009/3/24 Darren M <dar...@cpanel.net>:
>> Out of morbid curiosity I took a look at this for a few minutes, here's
>> the short version:
>>
>> Binary is infected with a pretty lame trojan, some Dropper variant.
>>
>> serverflooder.exe: Trojan.Dropper-3804 FOUND
>>
>> Running the serverflooder.exe through wine, you find two new exes show
>> up in windows\temp\ in the wine root:
>>
>>  98304 Mar 24 14:34 Crypted.exe
>> 172032 Mar 24 14:34 ServerFluder.exe
>>
>> ServerFluder.exe is then run and it kind of works as advertised; I ran
>> it against one of my local Halflife cstrike servers bound to 27019 and
>> got the following type of traffic (apologies for poor formatting via
>> email):
>>
>> 14:49:47.847999 IP (tos 0x0, ttl  62, id 26549, offset 0, flags [DF], proto: UDP (17), length: 39) nn.nn.nn.nn.25766 > xx.xx.xx.xx.27019: [udp sum ok] UDP, length 11
>>         0x0000:  4500 0027 67b5 4000 3e11 4223 d04a 7966  E..'g...@.>.B#.Jyf
>>         0x0010:  d04a 78f2 64a6 698b 0013 f366 ffff ffff  .Jx.d.i....f....
>>         0x0020:  636f 6e6e 6563 7400 0000 0000 0000       connect.......
>>
>> to which the response was:
>>
>> 14:49:47.857149 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 63) xx.xx.xx.xx.27019 > nn.nn.nn.nn.25766: [bad udp cksum d631!] UDP, length 35
>>         0x0000:  4500 003f 0000 4000 4011 a7c0 d04a 78f2  e.....@.@....Jx.
>>         0x0010:  d04a 7966 698b 64a6 002b 932a ffff ffff  .Jyfi.d..+.*....
>>         0x0020:  3949 6e73 7566 6669 6369 656e 7420 636f  9Insufficient.co
>>         0x0030:  6e6e 6563 7469 6f6e 2069 6e66 6f0a 00    nnection.info..
>>
>> Pretty simple, nothing special that I could tell, a good candidate for
>> iptables/ipfw/pf/whatever since it's not spoofing the source IP.
>>
>> The Crypted.exe failed to run even though it tried (I don't have
>> msvbvm60.dll installed)
>> : err:module:import_dll Library msvbvm60.dll (which is needed by
>> L"C:\\windows\\temp\\Crypted.exe") not found
>> I'm not sure what it is but it doesn't appear friendly:
>>
>> : strings Crypted.exe |head -n 1
>> !This KrapWare Can Kill Your Syster!!!!.
>>
>>
>> I'm not sure what the Valve devs can do to specifically stop this
>> unless there is magic in the UDP packets that cause the DoS, the UDP
>> traffic in and of itself is something better handled at a higher level,
>> as mentioned with local firewall rules or even at a router.
>>
>> ~darren
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives, 
>> please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>>
>
