While trivial for someone who knows what they are doing to edit the
code, rebuild and most likely bypass this, the following iptables rule
will drop the exploit as provided for me (tested on a hl2 deathmatch
and cstrike:source server)

# log it
 iptables -A INPUT -p udp --dport 27015 -m string \
   --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm \
   -j LOG --log-level info --log-prefix "Valve Disconnect DoS :: "

# drop it
 iptables -A INPUT -p udp --dport 27015 -m string \
   --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm -j DROP

If you've got someone being cute and DoS'ing your machine over and over
with the same packets you can use this approach to block it pretty
easily.

If the above isn't working and you suspect the packets are not the
default from the provided website/exploit info, you can find the packet
that matches by starting the server, then running strace against it
until it crashes, then tailing the output file (4225 being an example
pid here)

 strace -f -v -s 5000 -o server.strace.txt -xx -p 4225

Once the server crashes, strace should exit (ctrl+C out otherwise) and
look at the last few lines before the segfault:

 tail server.strace.txt

You should see something like the following:

649   gettimeofday({1250624185, 558633}, NULL) = 0
649   recvfrom(4,
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\xc8\x59\x80\x52\x31\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xe5\x06\x37\x36\x07\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xc6\x16\x46\x57\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x07\x10\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\x25\x17\x46\x97\xf6\x06\x20\x03\x30\xc6\xf6\x45\x57\x16\xd6\x06\x40\x56\x66\x16\x56\xc7\x46\x07\x30\xc6\xf6\x35\xc6\x16\x36\x37\x07\x40\x56\x66\x16\x56\xc7\x46\x07\x50\xe6\x76\xc6\x96\x36\x87\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x77\x57\x16\x06\xf7\xe6\x36\x07\x10\x03\x30\xc6\xf6\xc5\x16\x76\x36\xf6\xd6\x06\x57\xe6\x36\x17\x46\x97\xf6\xe6\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x76\x57\x06\x37\x77\x97\x46\x37\x86\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x86\x56\xc6\x06\x07\x10\x03\x30\xc6\xf6\x35\x07\x57\x36\xf6\xd5\xf6\x46\x56\x06\x50\x03\x60\xf7\x96\x36\x56\xf6\xc5\xf6\xf6\x06\x27\x16\x36\xb6\x06\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\x07\x00\xe3\x02\x23\x03\x30\xc6\xf6\x36\x57\x36\x16\x06\x47\x97\xf6\xe6\x06\x00\x03\x30\xc6\xf6\xc5\x16\xe6\x76\x56\x17\x76\x56\x06\x50\xe6\x76\xc6\x96\x36\x87\x06\x40\x67\xf7\xe5\xf6\x36\x86\x16\x46\x07\x00\x03\x30\xc6\xf6\x55\x07\x47\x16\x46\x57\x26\x17\x46\x57\x06\x10\x03\x03\x03\x30\xc6\xf6\x35\xd6\x46\x26\x17\x46\x57\x06\x10\x03\x03\x03\x20\x17\x46\x57\x06\x20\x03\x03\x03\x03\x03\xe0\x16\xd6\x56\x06\x50\xe7\xe6\x16\xd6\x56\x46\x06\x10\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x00\x00",
96016, 0, {sa_family=AF_INET, sin_port=htons(4966),
sin_addr=inet_addr("12.34.56.78")}, [16]) = 372
649   --- SIGSEGV (Segmentation fault) @ 0 (0) ---
661   +++ killed by SIGSEGV +++

I just chose a little bit from the end of the received bad to match
after verifying it was always the same data.

Hopefully this is fixed soon though since it should be a super easy fix
and this sort of hackery is far from optimal.

~Darren
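
The procedure described in the message above (take the last recvfrom before each segfault, confirm the trailing bytes are always the same, then match on them), as an added Python example that is not part of the original post. The function names and the sample trace are constructed for illustration; it assumes `strace -xx` output where the crashing recvfrom is the last one before the SIGSEGV line, and reuses port 27015 from the rules above.

```python
import re

# Matches the payload of a recvfrom() line as written by `strace -xx`.
RECV = re.compile(r'recvfrom\(\d+,\s*"((?:\\x[0-9a-f]{2})*)"')

# Constructed sample (not real traffic): one normal packet, then two crashes.
SAMPLE = r'''
649   recvfrom(4, "\xff\xff\xff\xff\x54\x53\x6f\x75", 96016, 0, {...}, [16]) = 8
649   recvfrom(4, "\x01\x00\xaa\xbb\x4a\xdc\x4a\xdc\x4a\xdc\x00\x00", 96016, 0, {...}, [16]) = 12
649   --- SIGSEGV (Segmentation fault) @ 0 (0) ---
650   recvfrom(4, "\x02\x00\xcc\x4a\xdc\x4a\xdc\x4a\xdc\x00\x00", 96016, 0, {...}, [16]) = 11
650   --- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

def split_payloads(strace_text):
    """Return (crash, benign): a payload is 'crash' if SIGSEGV follows it."""
    crash, benign, last = [], [], None
    for line in strace_text.splitlines():
        m = RECV.search(line)
        if m:
            if last is not None:
                benign.append(last)
            last = bytes.fromhex(m.group(1).replace("\\x", ""))
        elif "--- SIGSEGV" in line and last is not None:
            crash.append(last)
            last = None
    if last is not None:
        benign.append(last)
    return crash, benign

def signature(crash, benign, min_len=4, max_len=12):
    """Longest tail (<= max_len bytes) shared by every crash payload, or None."""
    if not crash:
        return None
    n = min(max_len, *(len(p) for p in crash))
    while n >= min_len and len({p[-n:] for p in crash}) != 1:
        n -= 1
    if n < min_len:
        return None
    sig = crash[0][-n:]
    # Reject a tail that also occurs in normal traffic (false-positive drop).
    return None if any(sig in p for p in benign) else sig

def iptables_rule(sig, port=27015):
    """Render the DROP rule in the same form as the rules in the message."""
    return (f'iptables -A INPUT -p udp --dport {port} -m string '
            f'--hex-string "|{sig.hex()}|" --algo bm -j DROP')

if __name__ == "__main__":
    crash, benign = split_payloads(SAMPLE)
    print(iptables_rule(signature(crash, benign)))
```

Concatenate the strace files from several crashes and pass the text to `split_payloads`; a `None` from `signature` means the tails differ or the candidate also appears in normal packets, so no rule should be generated from it.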
