[hlds] Known exploit list

2009-08-09 Thread Brian Rak
Thanks, updated the article

- Brian "devicenull" Rak


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


Re: [hlds] Tripwire website down?

2009-08-09 Thread John Gibson
The Tripwire Interactive web server was down for a while this weekend.  
I'm not sure what happened yet, but we had contacted our hosting  
company and it took a while to get it back online.  Everything should  
be up and running now, and hopefully we can find out what happened  
tomorrow.

John Gibson
President
Tripwire Interactive

Sent from my iPhone

On Aug 9, 2009, at 1:40 AM, Anthal  wrote:

> http://www.tripwireinteractive.com/
>
> The makers of Red Orchestra
>
> Alex wrote:
>> Assuming you mean tripwire.com, it works fine.
>>
>> Hutch wrote:
>>
>>> is their site down for you folks as well?
>>> hutch


Re: [hlds] TF2 Crashes (Alec Sanger)

2009-08-09 Thread Donnie Newlove
http://www.google.com/search?q=STEAM_0:1:18382821

He has been active... thanks.

On Thu, Aug 6, 2009 at 11:12 PM, Kyle Sanderson wrote:
> I installed that new RconLock and my server is still going strong. If you
> don't want all the features that come with it, download the source like I
> did and strip it down.
>
> RconLock: https://forums.alliedmods.net/showthread.php?t=93934
> The kid who was crashing my server a month ago / exploit:
> http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html
>
> Kyle
>
> On Thu, Aug 6, 2009 at 8:32 AM, Tony Paloma  wrote:
>
>> Ya attack has been ongoing for a couple hours now on my server.
>>
>> -Original Message-
>> From: hlds-boun...@list.valvesoftware.com
>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of 1nsane
>> Sent: Thursday, August 06, 2009 8:00 AM
>> To: Half-Life dedicated Win32 server mailing list
>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>>
>> Oh fun, some of my servers are empty.
>>
>> Guess it was only a matter of time until some shitface figured it out.
>>
>> On Wed, Aug 5, 2009 at 3:57 AM, Tony Paloma wrote:
>>
>> > It is an attack. It's A2S_INFO query spam on spoofed IP addresses and it's
>> > happening to tons of servers. I think some community is trying to fill their
>> > servers by emptying out a ton of others.
>> >
>> > -Original Message-
>> > From: hlds-boun...@list.valvesoftware.com
>> > [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kenny Loggins
>> > Sent: Wednesday, August 05, 2009 12:24 AM
>> > To: 'Half-Life dedicated Win32 server mailing list'
>> > Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>> >
>> > This is some attack for sure I have not had any issues myself but everything
>> > points to a person doing it server by server. The network traffic meter
>> > shows a slow steady drop in traffic. After looking in the logs I notice
>> > people talking about it a few other times today and remember noticing a
>> > server drop out and come back up quick (I didn't have time to look more into
>> > it) no problems at all before the exploit was pointed out today. Not saying
>> > that's bad I just hope they can remedy this quick as I'm sure it's not
>> > going to stop with just our servers.
>> >
>> > I was on my forums at the time and didn't even notice this was going on no
>> > network issues at all.


Re: [hlds] Known exploit list

2009-08-09 Thread Saul Rennison
Only fixed for TF2, however.

Thanks,
- Saul.


2009/8/9 Tony Paloma 

> The teleport exploit was fixed July 15th.
> "Fixed "sensitivity" ConVar not capping the upper value which sometimes
> caused a server crash."
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Brian Rak
> Sent: Sunday, August 09, 2009 12:48 PM
> To: hlds_li...@list.valvesoftware.com; hlds@list.valvesoftware.com
> Subject: [hlds] Known exploit list
>
> I've compiled a list of all the known exploits in srcds that valve
> hasn't gotten around to fixing.  For most of them, I've posted some
> workarounds, though some remain unfixed.  All of this information is
> already known to the various people who would use it to crash your
> server, so I see no harm in posting it here.
>
> The list (as well as some common-sense security tips) can be found at
> http://code.devicenull.org/index.php?title=Misc:HL2_Exploits
>
> If you have any new exploits you would like me to look into fixing,
> please email me off-list (I tend to not check these lists often).
>
> Note: crossposted to hlds and hlds_linux
>
> - Brian "devicenull" Rak


Re: [hlds] Known exploit list

2009-08-09 Thread Tony Paloma
The teleport exploit was fixed July 15th.
"Fixed "sensitivity" ConVar not capping the upper value which sometimes
caused a server crash."

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Brian Rak
Sent: Sunday, August 09, 2009 12:48 PM
To: hlds_li...@list.valvesoftware.com; hlds@list.valvesoftware.com
Subject: [hlds] Known exploit list

I've compiled a list of all the known exploits in srcds that valve
hasn't gotten around to fixing.  For most of them, I've posted some
workarounds, though some remain unfixed.  All of this information is
already known to the various people who would use it to crash your
server, so I see no harm in posting it here.

The list (as well as some common-sense security tips) can be found at
http://code.devicenull.org/index.php?title=Misc:HL2_Exploits

If you have any new exploits you would like me to look into fixing,
please email me off-list (I tend to not check these lists often).

Note: crossposted to hlds and hlds_linux

- Brian "devicenull" Rak


[hlds] Known exploit list

2009-08-09 Thread Brian Rak
I've compiled a list of all the known exploits in srcds that valve
hasn't gotten around to fixing.  For most of them, I've posted some
workarounds, though some remain unfixed.  All of this information is
already known to the various people who would use it to crash your
server, so I see no harm in posting it here.

The list (as well as some common-sense security tips) can be found at
http://code.devicenull.org/index.php?title=Misc:HL2_Exploits

If you have any new exploits you would like me to look into fixing,
please email me off-list (I tend to not check these lists often).

Note: crossposted to hlds and hlds_linux

- Brian "devicenull" Rak


Re: [hlds] TF2 Crashes (Alec Sanger)

2009-08-09 Thread Tony Paloma
Set a rate limit based on length per destination IP. Something like 10 or
15/second will do.

-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -m hashlimit --hashlimit 15/sec --hashlimit-burst 30 --hashlimit-mode dstip,dstport --hashlimit-name a2sspam -j ACCEPT
-A INPUT -p udp -m udp --dport 27015:27016 -m length --length 53 -j DROP

-Original Message-
From: hlds-boun...@list.valvesoftware.com
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kyle Sanderson
Sent: Saturday, August 08, 2009 10:59 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] TF2 Crashes (Alec Sanger)

How would you block this using iptables? if it means people cannot see the
server during an attack but it doesn't kick out players who are already
playing that is fine by me...

Kyle.

On Sat, Aug 8, 2009 at 2:13 PM, Tony Paloma  wrote:

> You'd be blocking any new players from seeing your server. Also, if you're
> using iptables you'd want to list the IPs you want to allow first and then
> deny all others. Iptable rules are applied in order.
>
> -Original Message-
> From: hlds-boun...@list.valvesoftware.com
> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Matt Stanton
> Sent: Saturday, August 08, 2009 12:33 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
>
> This may be a completely stupid idea, but keep in mind I do not know the
> capabilities of SQL or of the linux kernel firewall.  Would it be
> feasible to DENY all UDP, then add ALLOWs for each ip address in a
> HLStatsX database?  I know we have roughly 100,000 players logged by
> HLStatsX, so it seems like this would be far too many ips to have in a
> firewall to get any sort of quick response, and would likely jack
> latency up to a very extreme amount.  If everything *is* fast enough to
> handle that amount of information, then you could institute a DENY all
> rule when an attack is detected, quickly add the ips of everyone who is
> currently on the server to the ALLOW rules, then start adding ips in the
> HLStatsX database to the ALLOW rules.  You may also consider only adding
> ips with a certain threshold of time spent on the servers.  Once the
> attack has died down, you could just go back to the normal firewall rules.
>
> It would be a nasty big coding job, but someone on this list is bound to
> be able to do it if it's feasible.
>
>
>
> Kyle Sanderson wrote:
> > Sorry for my previous negligence this just started with my server 2 nights
> > ago, I didn't realise it until now but it is the exact same thing that is
> > happening with what was mentioned previously (Extremely high pings, players
> > ingame start skipping all over the place, etc.)
> >
> > If anyone has any more information on how to block this attack please do not
> > hesitate to email me,
> > Kyle.
> > On Thu, Aug 6, 2009 at 4:35 PM, Tony Paloma wrote:
> >
> >
> >> It's different IPs. Random IPs. Like I said, it's spoofed. Changing the max
> >> queries cvar will only change when source engine decides to stop giving
> >> replies but doesn't seem to help the lag. An iptables rule will prevent
> >> server lag but still have the same no-reply problem which prevents players
> >> from seeing your server.
> >>
> >> -Original Message-
> >> From: hlds-boun...@list.valvesoftware.com
> >> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kenny Loggins
> >>  Sent: Thursday, August 06, 2009 4:22 PM
> >> To: Half-Life dedicated Win32 server mailing list
> >> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
> >>
> >> Is it the same IP or does it change? Would changing sv_max_queries_max
> >> do anything?
> >>
> >>
> >> On Aug 6, 2009, at 6:04 PM, "Tony Paloma" 
> >> wrote:
> >>
> >>
> >>> Not with any currently available utilities. You can limit the number of
> >>> queries allowed per second using an iptables rule, but it will also prevent
> >>> regular players from seeing your server during an attack.
> >>>
> >>> -Original Message-
> >>> From: hlds-boun...@list.valvesoftware.com
> >>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kenny
> >>> Loggins
> >>> Sent: Thursday, August 06, 2009 3:57 PM
> >>> To: Half-Life dedicated Win32 server mailing list
> >>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
> >>>
> >>> So it's not possible to block this?
> >>>
> >>> ClanAO.com
> >>>
> >>> On Aug 6, 2009, at 5:34 PM, "Tony Paloma" 
> >>> wrote:
> >>>
> >>>
> >>>> From earlier in the thread:
> >>>> It's A2S_INFO query spam on spoofed IP addresses
> >>>>
> >>>> -Original Message-
> >>>> From: hlds-boun...@list.valvesoftware.com
> >>>> [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Kenny
> >>>> Loggins
> >>>> Sent: Thursday, August 06, 2009 3:17 PM
> >>>> To: Half-Life dedicated Win32 server mailing list
> >>>> Subject: Re: [hlds] TF2 Crashes (Alec Sanger)
> >>>>
> >>>> Can you give us more info on this? What type of attack is this?
> >>
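
Added example, not part of the original thread: a simplified Python model of the two iptables rules in Tony Paloma's message above, showing why the limit is keyed on destination rather than source when the query sources are spoofed. The addresses, traffic mix and token-bucket model are constructed assumptions; hashlimit's internal accounting differs in detail.

```python
from collections import defaultdict

# A2S_INFO request payload as documented for the Source server query protocol.
A2S_INFO = b"\xff\xff\xff\xff" + b"T" + b"Source Engine Query\x00"
IP_HDR, UDP_HDR = 20, 8  # IPv4 header without options, UDP header
QUERY_LEN = IP_HDR + UDP_HDR + len(A2S_INFO)  # what `-m length` matches: 53


class HashLimit:
    """Per-key token bucket; a simplified model of hashlimit rate/burst."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # key -> (tokens, time of last packet)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


def filter_packets(packets, mode, rate=15, burst=30):
    """Apply the ACCEPT/DROP rule pair to (ts, src, dst, dport, ip_len) tuples."""
    limiter = HashLimit(rate, burst)
    stats = defaultdict(int)
    for ts, src, dst, dport, ip_len in packets:
        if not (27015 <= dport <= 27016) or ip_len != QUERY_LEN:
            stats["unmatched"] += 1  # matches neither rule, falls through
            continue
        key = (dst, dport) if mode == "dstip,dstport" else (src,)
        verdict = "query_accepted" if limiter.allow(key, ts) else "query_dropped"
        stats[verdict] += 1
    return dict(stats)


def constructed_flood(seconds=2, pps=1000):
    """Constructed sample: one query per spoofed source, plus gameplay packets."""
    packets = []
    for i in range(seconds * pps):
        ts = i / pps
        src = f"10.0.{(i >> 8) & 255}.{i & 255}"  # never repeats in the sample
        packets.append((ts, src, "192.0.2.10", 27015, QUERY_LEN))
        if i % 10 == 0:  # connected player's traffic, different packet size
            packets.append((ts, "198.51.100.7", "192.0.2.10", 27015, 120))
    return packets


if __name__ == "__main__":
    flood = constructed_flood()
    for mode in ("dstip,dstport", "srcip"):
        print(mode, filter_packets(flood, mode))
```

With the destination-keyed bucket only the burst plus 15 per second of the length-53 packets get through, spoofed or not, which is the visibility trade-off described in the thread. A per-source key gives every spoofed address a fresh bucket and limits nothing.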

Re: [hlds] Tripwire website down?

2009-08-09 Thread Alex
Ah, thanks for the clarification. I assumed the other site could have 
been what you were referring to as it had to do with servers...


Richard Eid wrote:
> http://www.tripwireinteractive.com/
>
> -Richard Eid
>
>
> On Sun, Aug 9, 2009 at 1:38 AM, Alex wrote:
>
>> Assuming you mean tripwire.com, it works fine.
>>
>> Hutch wrote:
>>
>>> is their site down for you folks as well?
>>> hutch