My server was nuked a week ago or so, and there is a thread about the
SourceOP servers being attacked similarly.

While this attack doesn't max our bandwidth out, it does use
~3megs/sec while in progress. I have since set up iptables/netfilter in
my kernel so I can add rules that restrict traffic to the srcds ports
to slightly above sv_maxrate, thus preventing 'extraneous' data from
coming in, though this doesn't fix the exploit. I haven't been
attacked since so I don't know how effective this is. However, the
player that attacked our server was connected for the duration of the
attack, leading me to believe that it is definitely a server-side
exploit and not just a general DDoS. My host also reports no
'DDoS-like' activity at the time of the attack.

Please look into this, Valve.

- Neph
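
The rate cap described in the message above, as an added example (not code from the original post or from Valve): a POSIX shell helper that prints, without applying, iptables rules dropping traffic to a srcds port once a source exceeds sv_maxrate plus headroom. The chain name `SRCDS_LIMIT`, the 25% default headroom, the per-source-IP mode, UDP port 27015 and the sample sv_maxrate of 30000 are assumptions, and the rules need an iptables build whose `hashlimit` match accepts byte rates.

```shell
#!/bin/sh
# Added example: generate (not apply) per-source byte-rate limits for a srcds port.
# Assumptions: UDP game traffic, hashlimit with byte-rate support,
# hypothetical chain name SRCDS_LIMIT, limit tracked per source IP.

# ceil(sv_maxrate * (100 + headroom%) / 100 / 1024) -> whole kb/s
srcds_limit_kbps() {
    bytes=$(( $1 * (100 + $2) / 100 ))
    echo $(( (bytes + 1023) / 1024 ))
}

# usage: srcds_ratelimit_rules PORT SV_MAXRATE [HEADROOM_PERCENT]
srcds_ratelimit_rules() {
    port=$1; maxrate=$2; headroom=${3:-25}
    for v in "$port" "$maxrate" "$headroom"; do
        case $v in
            ''|*[!0-9]*) echo "error: arguments must be non-negative integers" >&2
                         return 1 ;;
        esac
    done
    # sv_maxrate 0 means "unlimited" in srcds, so there is nothing to cap against.
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$maxrate" -lt 1 ]; then
        echo "error: port must be 1-65535 and sv_maxrate must be > 0" >&2
        return 1
    fi
    kbps=$(srcds_limit_kbps "$maxrate" "$headroom")
    chain=SRCDS_LIMIT
    cat <<EOF
iptables -N $chain
iptables -A $chain -m hashlimit --hashlimit-name srcds_$port --hashlimit-mode srcip --hashlimit-above ${kbps}kb/s -j DROP
iptables -A $chain -j ACCEPT
iptables -A INPUT -p udp --dport $port -j $chain
EOF
}

# Constructed sample values: default srcds port, sv_maxrate 30000 bytes/s.
srcds_ratelimit_rules 27015 30000
```

Review the printed rules before piping them to a root shell. As the message says, a cap like this only bounds inbound volume per source and does not fix the underlying exploit.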

On Mon, Apr 28, 2008 at 4:57 PM, Chad Austin <[EMAIL PROTECTED]> wrote:
> Post a dump of packets please, or just link to program so it can be
>  analyzed.
>
>
>
>  Ian Shaffer wrote:
>  > Dear Network Administrator,
>  >
>  > Over the past few months my servers have been brought to their knees
>  > dozens of times through "nuke" style Denial of Service attacks. Simply
>  > put, players start teleporting around, pings gradually start increasing
>  > for all players and the timer slows down. After a couple minutes of
>  > being attacked, you are nearly frozen from movement and the timer takes a
>  > decade to tick down, and pings are skyrocketed. Players then leave the
>  > server.
>  >
>  > Well earlier this week I "interrogated," pardon the pun, a member of my
>  > community who had made an exclamation that it would start to get real
>  > laggy in one of our servers earlier in the day. That server, our Zombie
>  > Server, started getting nuked just a couple minutes after. I was fairly
>  > certain it was him who started the attack. In the evening, I talked to
>  > this guy, his alias is "ST. GEORGE," and explained to him that I
>  > believed it was him who was "nuking" our servers. I acted very sincere
>  > when I told him that I had logged his IP address and was planning on
>  > filing a formal abuse complaint to his ISP, Road Runner. He somewhat
>  > panicked at hearing this, and confessed as to what he was doing.
>  >
>  > He sent me a link to download the same hacking tool he said he was
>  > using. Hackers Assistant is the program. I scanned the program for any
>  > trojans or viruses it might have, it was clean. I ran it and discovered
>  > a feature called "Nuker." In there it prompted for a server IP address
>  > and port and a box to input a message. One would simply put a server's
>  > info in there, type some random stuff in the message box, and click "Nuke."
>  >
>  > A former member of our community and admitted nuker "ST. GEORGE" tested
>  > the software. I was shocked. It was working. The server was being
>  > attacked just as described above. I held a sense of accomplishment
>  > knowing that I had found the cause of my problems. I therefore began
>  > looking for a way to block this program's abilities. Now I needed to know
>  > what types of servers this program could attack. ST. GEORGE then showed
>  > off nuke attacks on dozens of popular servers in the US and UK, highly
>  > popular servers like 24/7 Office Noob Galore and Zombiemod |
>  > XFactorGaming, and the program worked to bring down each and every one
>  > of them to their knees. There was only one server he was not able to
>  > nuke attack, evidently the #1 CSS server in the United States,
>  > CantStopGaming CS:S.
>  >
>  > This program affects practically every single server in CS:S. The
>  > interesting part of it is that this program doesn't advise usage towards
>  > any particular genre of online infrastructure. ST. GEORGE tried running
>  > this program on CoD servers, BF2 and BF2142 servers, Halo PC servers,
>  > SA:MP servers, and Quake 4 servers. It didn't work on any of those
>  > games. However, it worked on the other popular Source-based game out
>  > today, Team Fortress 2. Every TF2 server ST. GEORGE checked was
>  > nuke-able, with the same effects felt in-game. This leads me to the
>  > conclusion that there must be an exploit in the source engine allowing
>  > this program to nuke all servers using the source engine.
>  >
>  > While our server was getting attacked last time, I gathered critical
>  > data. I've determined that the program does not eat up the server's
>  > bandwidth. Instead, it seems to flood the server with messages/commands,
>  > so much that it tops out CPU usage. Below is a sample of my console as
>  > our server was undergoing a recent attack with the program. Midway
>  > through the data, the perpetrator aborted the nuke attack. You can see
>  > the server recovering as the cpu usage goes down and server FPS comes
>  > back to normal. This data was gathered with 8 others in-game.
>  >
>  > ===========================================
>  >
>  > CPU In Out Uptime Users FPS Players
>  > 96.59 16841.92 3909.91 110 4 10.00 9
>  > L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 96.04 17937.41 3958.69 110 4 10.00 9
>  > L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 95.54 17590.70 3970.64 110
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 100.00 17354.72 3966.19 110 4 523.25 9
>  > L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
>  >
>  > ======== HERE THE ATTACK WAS ABORTED =========
>  >
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 75.57 16933.90 4148.69 110 4 508.36 9
>  > L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 75.57 16750.93 4596.00 110 4 509.13 9
>  > L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 52.55 16518.30 6391.86 110 4 509.97 9
>  > L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 40.46 16520.83 9229.05 110 4 511.77 9
>  > L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>  > ] rcon stats
>  > CPU In Out Uptime Users FPS Players
>  > 40.46 16452.49 11473.37 110 4 514.49 9
>  > L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
>  >
>  > ============================================
>  >
>  >
>  > I very much hope that this exploit can be stomped out. My community has
>  > suffered all too much to the hands of the kiddies that run these types
>  > of programs for their own vain pleasure. I speak for server operators
>  > everywhere when I say, this issue must be fixed!
>  >
>  > Thank you very much for taking the time to read my post. I hope some
>  > good will come out of it!
>  >
>  > Sincerely,
>  > David "Eaglewonj" Gaipa
>  >
>  > _______________________________________________
>  > To unsubscribe, edit your list preferences, or view the list archives, please visit:
>  > http://list.valvesoftware.com/mailman/listinfo/hlds
>  >
>  >