Well at least Alfred's been notified of the issue. He told me he's investigating the report.
Brian D'Arcy wrote:

> I'm afraid that this type of attack has been around since the late 90's, if not earlier.
>
> It's basically pounding random UDP data (or maybe nowadays more structured data) at raw listen ports. The application listening does what it's programmed to do, parse the input and use up available resources in order to do so.
>
> There's not a whole lot any individual can do about this. The only thing I can see resolving this, assuming it becomes a widespread problem, is Valve updating the query/response code to ignore the random data spewed at it in a much more efficient manner so that the only thing which occurs is a loss of some available bandwidth instead of the "melt" effect you see as servers start to choke out.
>
> In a nutshell, it's a DDOS tool, minus the distributed part.
>
> On Mon, Apr 28, 2008 at 6:17 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
>
>> I just noticed that. Pity my hastiness.
>>
>> Daron Dodd wrote:
>>
>>> you already did when u told everyone the name of the program in the first email. Google is a very powerful tool.
>>>
>>> On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
>>>
>>>> My big problem here is that I do not have root access to any of my servers. We used to have all our servers on our own dedi, but BECAUSE of these attacks, we decided to scrap the dedi and spread our servers across different IP ranges by paying per slot in different locations. Even though we can still be attacked, the attack is limited to one server at a time. That server is usually our Windows 50 man ZombieMod server in Chicago. I'm currently working with the host to see if the attack can be detected and blocked automatically.
>>>>
>>>> I've had a couple people email me asking for this "Nuker" program, or the link to where to download it. I've notified Alfred of the issue and sent him the link to the program, however he recommends that I be careful at how I present my report to the non-moderated HLDS mailing list. Hence, I will not give this program to ANYBODY unless on Alfred's approval.
>>>>
>>>> Chad Austin wrote:
>>>>
>>>>> Post a dump of packets please, or just link to program so it can be analyzed.
>>>>>
>>>>> Ian Shaffer wrote:
>>>>>
>>>>>> Dear Network Administrator,
>>>>>>
>>>>>> Over the past few months my servers have been brought to their knees dozens of times through "nuke" style Denial of Service attacks. Simply put, players start teleporting around, pings gradually start increasing for all players and the timer slows down. After a couple minutes of being attacked, you are nearly frozen from movement and the timer takes a decade to tick down, and pings are skyrocketed. Players then leave the server.
>>>>>>
>>>>>> Well earlier this week I "interrogated," pardon the pun, a member of my community who had made an exclamation that it would start to get real laggy in one of our servers earlier in the day. That server, our Zombie Server, started getting nuked just a couple minutes after. I was fairly certain it was him who started the attack. In the evening, I talked to this guy, his alias is "ST. GEORGE," and explained to him that I believed it was him who was "nuking" our servers. I acted very sincere when I told him that I had logged his IP address and was planning on filing a formal abuse complaint to his ISP, Road Runner. He somewhat panicked at hearing this, and confessed as to what he was doing.
>>>>>>
>>>>>> He sent me a link to download the same hacking tool he said he was using. Hackers Assistant is the program. I scanned the program for any trojans or viruses it might have, it was clean. I ran it and discovered a feature called "Nuker." In there it prompted for a server IP address and port and a box to input a message. One would simply put a server's info in there, type some random stuff in the message box, and click "Nuke."
>>>>>>
>>>>>> A former member of our community and admitted nuker "ST. GEORGE" tested the software. I was shocked. It was working. The server was being attacked just as described above. I held a sense of accomplishment knowing that I had found the cause of my problems. I therefore began looking for a way to block this program's abilities. Now I needed to know what types of servers this program could attack. ST. GEORGE then showed off nuke attacks on dozens of popular servers in the US and UK, highly popular servers like 24/7 Office Noob Galore and Zombiemod | XFactorGaming, and the program worked to bring down each and every one of them to their knees. There was only one server he was not able to nuke attack, evidently the #1 CSS server in the United States, CantStopGaming CS:S.
>>>>>>
>>>>>> This program affects practically every single server in CS:S. The interesting part of it is that this program doesn't advise usage towards any particular genre of online infrastructure. ST. GEORGE tried running this program on CoD servers, BF2 and BF2142 servers, Halo PC servers, SA:MP servers, and Quake 4 servers. It didn't work on any of those games. However, it worked on the other popular Source-based game out today, Team Fortress 2. Every TF2 server ST. GEORGE checked was nuke-able, with the same effects felt in-game. This leads me to the conclusion that there must be an exploit in the source engine allowing this program to nuke all servers using the source engine.
>>>>>>
>>>>>> While our server was getting attacked last time, I gathered critical data. I've determined that the program does not eat up the server's bandwidth. Instead, it seems to flood the server with messages/commands, so much that it tops out CPU usage. Below is a sample of my console as our server was undergoing a recent attack with the program. Midway through the data, the perpetrator aborted the nuke attack. You can see the server recovering as the cpu usage goes down and server FPS comes back to normal. This data was gathered with 8 others in-game.
>>>>>>
>>>>>> ===========================================
>>>>>>
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 96.59 16841.92 3909.91 110 4 10.00 9
>>>>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 96.04 17937.41 3958.69 110 4 10.00 9
>>>>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 95.54 17590.70 3970.64 110
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 100.00 17354.72 3966.19 110 4 523.25 9
>>>>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
>>>>>>
>>>>>> ======== HERE THE ATTACK WAS ABORTED =========
>>>>>>
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 75.57 16933.90 4148.69 110 4 508.36 9
>>>>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 75.57 16750.93 4596.00 110 4 509.13 9
>>>>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 52.55 16518.30 6391.86 110 4 509.97 9
>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 40.46 16520.83 9229.05 110 4 511.77 9
>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>>>>> ] rcon stats
>>>>>> CPU In Out Uptime Users FPS Players
>>>>>> 40.46 16452.49 11473.37 110 4 514.49 9
>>>>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
>>>>>>
>>>>>> ============================================
>>>>>>
>>>>>> I very much hope that this exploit can be stomped out. My community has suffered all too much at the hands of the kiddies that run these types of programs for their own vain pleasure. I speak for server operators everywhere when I say, this issue must be fixed!
>>>>>>
>>>>>> Thank you very much for taking the time to read my post. I hope some good will come out of it!
>>>>>>
>>>>>> Sincerely,
>>>>>> David "Eaglewonj" Gaipa
>>>>>>
>>>>>> _______________________________________________
>>>>>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds

