Dear Network Administrator,

Over the past few months my servers have been brought to their knees 
dozens of times through "nuke" style Denial of Service attacks. Simply 
put, players start teleporting around, pings gradually start increasing 
for all players and the timer slows down. After a couple minutes of 
being attacked, you are nearly frozen from movement and the timer takes a 
decade to tick down, and pings are skyrocketed. Players then leave the 
server.

Well earlier this week I "interrogated," pardon the pun, a member of my 
community who had made an exclamation that it would start to get real 
laggy in one of our servers earlier in the day. That server, our Zombie 
Server, started getting nuked just a couple minutes after. I was fairly 
certain it was him who started the attack. In the evening, I talked to 
this guy, his alias is "ST. GEORGE," and explained to him that I 
believed it was him who was "nuking" our servers. I acted very sincere 
when I told him that I had logged his IP address and was planning on 
filing a formal abuse complaint to his ISP, Road Runner. He somewhat 
panicked at hearing this, and confessed as to what he was doing.

He sent me a link to download the same hacking tool he said he was 
using. Hackers Assistant is the program. I scanned the program for any 
trojans or viruses it might have; it was clean. I ran it and discovered 
a feature called "Nuker." In there it prompted for a server IP address 
and port and a box to input a message. One would simply put a server's 
info in there, type some random stuff in the message box, and click "Nuke."

A former member of our community and admitted nuker “ST. GEORGE” tested 
the software. I was shocked. It was working. The server was being 
attacked just as described above. I held a sense of accomplishment 
knowing that I had found the cause of my problems. I therefore began 
looking for a way to block this program's abilities. Now I needed to know 
what types of servers this program could attack. ST. GEORGE then showed 
off nuke attacks on dozens of popular servers in the US and UK, highly 
popular servers like 24/7 Office Noob Galore and Zombiemod | 
XFactorGaming, and the program worked to bring down each and every one 
of them to their knees. There was only one server he was not able to 
nuke attack, evidently the #1 CSS server in the United States, 
CantStopGaming CS:S.

This program affects practically every single server in CS:S. The 
interesting part of it is that this program doesn't advise usage towards 
any particular genre of online infrastructure. ST. GEORGE tried running 
this program on CoD servers, BF2 and BF2142 servers, Halo PC servers, 
SA:MP servers, and Quake 4 servers. It didn't work on any of those 
games. However, it worked on the other popular Source-based game out 
today, Team Fortress 2. Every TF2 server ST. GEORGE checked was 
nuke-able, with the same effects felt in-game. This leads me to the 
conclusion that there must be an exploit in the source engine allowing 
this program to nuke all servers using the source engine.

While our server was getting attacked last time, I gathered critical 
data. I've determined that the program does not eat up the server's 
bandwidth. Instead, it seems to flood the server with messages/commands, 
so much that it tops out CPU usage. Below is a sample of my console as 
our server was undergoing a recent attack with the program. Midway 
through the data, the perpetrator aborted the nuke attack. You can see 
the server recovering as the CPU usage goes down and server FPS comes 
back to normal. This data was gathered with 8 others in-game.

===========================================

CPU In Out Uptime Users FPS Players
96.59 16841.92 3909.91 110 4 10.00 9
L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
96.04 17937.41 3958.69 110 4 10.00 9
L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
95.54 17590.70 3970.64 110
] rcon stats
CPU In Out Uptime Users FPS Players
100.00 17354.72 3966.19 110 4 523.25 9
L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"

======== HERE THE ATTACK WAS ABORTED =========

] rcon stats
CPU In Out Uptime Users FPS Players
75.57 16933.90 4148.69 110 4 508.36 9
L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
75.57 16750.93 4596.00 110 4 509.13 9
L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
52.55 16518.30 6391.86 110 4 509.97 9
L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
40.46 16520.83 9229.05 110 4 511.77 9
L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
40.46 16452.49 11473.37 110 4 514.49 9
L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"

============================================


I very much hope that this exploit can be stomped out. My community has 
suffered all too much at the hands of the kiddies that run these types 
of programs for their own vain pleasure. I speak for server operators 
everywhere when I say, this issue must be fixed!

Thank you very much for taking the time to read my post. I hope some 
good will come out of it!

Sincerely,
David “Eaglewonj” Gaipa

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
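
Added example, not part of the original post: a parser for the `stats` console output shown in the message that flags samples where CPU is pegged while server FPS has collapsed, and measures how little the In column moves across attack and recovery. The function names and thresholds (90% CPU, 30 FPS) are assumptions; the sample rows are copied from the capture in the post, including its truncated row.

```python
from typing import NamedTuple

HEADER = "CPU In Out Uptime Users FPS Players".split()

class Stat(NamedTuple):
    cpu: float
    inb: float
    fps: float

# Rows copied from the console capture in the post; the third row is truncated there.
CAPTURE = """\
CPU In Out Uptime Users FPS Players
96.59 16841.92 3909.91 110 4 10.00 9
] rcon stats
CPU In Out Uptime Users FPS Players
96.04 17937.41 3958.69 110 4 10.00 9
CPU In Out Uptime Users FPS Players
95.54 17590.70 3970.64 110
CPU In Out Uptime Users FPS Players
100.00 17354.72 3966.19 110 4 523.25 9
CPU In Out Uptime Users FPS Players
40.46 16520.83 9229.05 110 4 511.77 9
"""

def parse_stats(text):
    """Return one Stat per complete value row that directly follows a header."""
    samples, expect_row = [], False
    for line in text.splitlines():
        fields = line.split()
        if expect_row and len(fields) == len(HEADER):
            try:
                v = [float(f) for f in fields]
                samples.append(Stat(cpu=v[0], inb=v[1], fps=v[5]))
            except ValueError:
                pass  # non-numeric line after a header: not a data row
        expect_row = fields == HEADER  # truncated rows and log lines are skipped
    return samples

def starved(s, cpu_limit=90.0, fps_floor=30.0):
    """True when CPU is pegged and the tick rate has collapsed (assumed thresholds)."""
    return s.cpu >= cpu_limit and s.fps < fps_floor

def inbound_spread(samples):
    """Relative spread of the In column: (max - min) / min."""
    rates = [s.inb for s in samples]
    return (max(rates) - min(rates)) / min(rates)
```

On these rows the first two samples are flagged, the 100.00% CPU row with FPS back above 500 is not, and the In column varies by under 10%, which matches the observation that inbound bandwidth is not the distinguishing signal.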
