hlds/srcds's handling of packets needs more sanity/rate checks, there are numerous different types of packet you can flood at the server to confuse it in different ways.
Also, the length 0 bans can just be done with this firewall rule:

-A INPUT -p udp -m udp --dport 27015 -m length --length 28 -j DROP

but that is a DIFFERENT DoS exploit; this one appears to be spamming connect packets.

- Neph

On Tue, Mar 24, 2009 at 1:42 PM, Vladimir Osipenko <tiff...@gmail.com> wrote:
> I have an older version of this EXE, it didn't create anything.
>
> So how I did the ban:
> Maybe not so perfect, but works:
>
> #!/bin/bash
>
> # Anti-Flooder Script
> touch ban_now.ban
> while true
> do
>     # Collect the source addresses of zero-length UDP packets sent to the game port
>     tcpdump port 27015 -n -c 1000 | grep 'length 0' | awk '{print $3}' \
>         | awk -F\. '{print $1"."$2"."$3"."$4}' | sort -u > ban.ban
>     while read -r line
>     do
>         # echo "param pam pam $line"
>         # Ban each address only once: -F matches the dotted IP literally, -x the whole line
>         if ! grep -qxF "$line" ban_now.ban; then
>             echo "$line" >> ban_now.ban
>             iptables -I INPUT -s "$line/32" -j DROP
>         fi
>     done < ban.ban
>     sleep 1
> done
>
>
> 2009/3/24 Darren M <dar...@cpanel.net>:
>> Out of morbid curiosity I took a look at this for a few minutes, here's
>> the short version:
>>
>> Binary is infected with a pretty lame trojan, some Dropper variant.
>>
>> serverflooder.exe: Trojan.Dropper-3804 FOUND
>>
>> Running the serverflooder.exe through wine, you find two new exe's show
>> up in windows\temp\ in the wine root:
>>
>> 98304 Mar 24 14:34 Crypted.exe
>> 172032 Mar 24 14:34 ServerFluder.exe
>>
>> ServerFluder.exe is then run and it kind of works as advertised, I ran
>> it against one of my local Halflife cstrike servers bound to 27019 and
>> got the following type of traffic (apologies for poor formatting via
>> email):
>>
>> 14:49:47.847999 IP (tos 0x0, ttl 62, id 26549, offset 0, flags [DF], proto: UDP (17), length: 39) nn.nn.nn.nn.25766 > xx.xx.xx.xx.27019: [udp sum ok] UDP, length 11
>>         0x0000:  4500 0027 67b5 4000 3e11 4223 d04a 7966  E..'g...@.>.B#.Jyf
>>         0x0010:  d04a 78f2 64a6 698b 0013 f366 ffff ffff  .Jx.d.i....f....
>>         0x0020:  636f 6e6e 6563 7400 0000 0000 0000       connect.......
>>
>> to which the response was:
>>
>> 14:49:47.857149 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 63) xx.xx.xx.xx.27019 > nn.nn.nn.nn.25766: [bad udp cksum d631!] UDP, length 35
>>         0x0000:  4500 003f 0000 4000 4011 a7c0 d04a 78f2  e.....@.@....Jx.
>>         0x0010:  d04a 7966 698b 64a6 002b 932a ffff ffff  .Jyfi.d..+.*....
>>         0x0020:  3949 6e73 7566 6669 6369 656e 7420 636f  9Insufficient.co
>>         0x0030:  6e6e 6563 7469 6f6e 2069 6e66 6f0a 00    nnection.info..
>>
>> Pretty simple, nothing special that I could tell, a good candidate for
>> iptables/ipfw/pf/whatever since it's not spoofing the source IP.
>>
>> The Crypted.exe failed to run even though it tried (I don't have
>> msvbvm60.dll installed):
>>
>> : err:module:import_dll Library msvbvm60.dll (which is needed by
>> L"C:\\windows\\temp\\Crypted.exe") not found
>>
>> I'm not sure what it is but it doesn't appear friendly:
>>
>> : strings Crypted.exe |head -n 1
>> !This KrapWare Can Kill Your Syster!!!!.
>>
>>
>> I'm not sure what the Valve devs can do to specifically stop this
>> unless there is magic in the UDP packets that cause the DoS, the UDP
>> traffic in and of itself is something better handled at a higher level,
>> as mentioned with local firewall rules or even at a router.
>>
>> ~darren
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
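Neph's call for rate checks and Darren's observation that the flood is not spoofed, and so can be handled at the firewall, worked through as an added example that is not part of the thread: a small Python script that parses tcpdump -n lines, counts the "length 0" and 11-byte "connect" datagrams per source per second, and turns the offenders into per-port iptables rules (as strings, for the operator to review). The sample capture, the threshold and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# One-line "tcpdump -n" output for a UDP datagram (timestamp, src.port, dst.port, length).
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)

def classify(length):
    """0 bytes is the 'length 0' flood; 11 bytes is 0xffffffff + 'connect'
    as in the capture above; anything else is treated as normal traffic."""
    return {0: "empty", 11: "connect"}.get(length, "other")

def parse_line(line):
    """Return (second, src, dport, kind) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["sec"], m["src"], int(m["dport"]), classify(int(m["length"])))

def flag_sources(lines, port, per_second=3, kinds=("empty", "connect")):
    """Map each source that sent more than per_second datagrams of the given
    kinds to `port` within one second to its peak one-second count."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == port and rec[3] in kinds:
            counts[(rec[1], rec[0])] += 1       # keyed by (src, second)
    peak = defaultdict(int)
    for (src, _sec), n in counts.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > per_second}

def drop_rules(flagged, port):
    """iptables rules for the flagged sources, scoped to the game port (strings only)."""
    return [f"iptables -I INPUT -s {src}/32 -p udp --dport {port} -j DROP"
            for src in sorted(flagged)]

# Constructed sample (not a real capture): one host hammering 27015 with
# 'connect' datagrams, one zero-length probe and two ordinary 25-byte queries.
SAMPLE = """\
14:49:47.847999 IP 10.0.0.5.25766 > 10.0.0.1.27015: UDP, length 11
14:49:47.848120 IP 10.0.0.5.25766 > 10.0.0.1.27015: UDP, length 11
14:49:47.848301 IP 10.0.0.5.25766 > 10.0.0.1.27015: UDP, length 11
14:49:47.848502 IP 10.0.0.5.25766 > 10.0.0.1.27015: UDP, length 11
14:49:47.900000 IP 10.0.0.7.40000 > 10.0.0.1.27015: UDP, length 0
14:49:48.100000 IP 10.0.0.9.50000 > 10.0.0.1.27015: UDP, length 25
14:49:48.200000 IP 10.0.0.9.50000 > 10.0.0.1.27016: UDP, length 25
"""
```

Feeding `tcpdump -n -l udp port 27015` into `flag_sources` line by line gives the same per-source rate check on live traffic; unlike the list script above, the rule it emits is limited to the game port rather than dropping everything from the address.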