It can send any packet of data you tell it to, the key to the attack is the fact that it spams it over and over. I successfully took down a test server here after instructing the tool to spam the string "aaaa" (4141414100)

- Neph

On Mon, Apr 28, 2008 at 7:31 PM, Chad Austin <[EMAIL PROTECTED]> wrote:
> it sends this:
>
> 00508d917476000f1f550a6a080045000028000040004006b719c0a80101c0a8016500870cf000000000e556bd8d501400007bbe0000000000000000
>
> Bobby35ny wrote:
> > You did the right thing Ian, no worries!! I'm sure AL will take care of it.
> >
> > =bobby
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
> > Sent: Monday, April 28, 2008 10:08 PM
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] Critical "Nuke Attack" Exploit within Source engine
> >
> > Well at least Alfred's been notified of the issue. He told me he's investigating the report.
> >
> > Brian D'Arcy wrote:
> >> I'm afraid that this type of attack has been around since the late 90's, if not earlier.
> >>
> >> It's basically pounding random UDP data (or maybe nowadays more structured data) at raw listen ports. The application listening does what it's programmed to do, parse the input and use up available resources in order to do so.
> >>
> >> There's not a whole lot any individual can do about this. The only thing I can see resolving this, assuming it becomes a widespread problem, is Valve updating the query/response code to ignore the random data spewed at it in a much more efficient manner so that the only thing which occurs is a loss of some available bandwidth instead of the "melt" effect you see as servers start to choke out.
> >>
> >> In a nutshell, it's a DDOS tool, minus the distributed part.
> >>
> >> On Mon, Apr 28, 2008 at 6:17 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
> >>> I just noticed that. Pity my hastiness.
> >>>
> >>> Daron Dodd wrote:
> >>>> you already did when u told everyone the name of the program in the first email. google is a very powerful tool.
> >>>>
> >>>> On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
> >>>>> My big problem here is that I do not have root access to any of my servers. We used to have all our servers on our own dedi, but BECAUSE of these attacks, we decided to scrap the dedi and spread our servers across different IP ranges by paying per slot in different locations. Even though we can still be attacked, the attack is limited to one server at a time. That server is usually our Windows 50 man ZombieMod server in Chicago. I'm currently working with the host to see if the attack can be detected and blocked automatically.
> >>>>>
> >>>>> I've had a couple people email me asking for this "Nuker" program, or the link to where to download it. I've notified Alfred of the issue and sent him the link to the program, however he recommends that I be careful at how I present my report to the non-moderated HLDS mailing list. Hence, I will not give this program to ANYBODY unless on Alfred's approval.
> >>>>>
> >>>>> Chad Austin wrote:
> >>>>>> Post a dump of packets please, or just link to program so it can be analyzed.
> >>>>>>
> >>>>>> Ian Shaffer wrote:
> >>>>>>> Dear Network Administrator,
> >>>>>>>
> >>>>>>> Over the past few months my servers have been brought to their knees dozens of times through "nuke" style Denial of Service attacks. Simply put, players start teleporting around, pings gradually start increasing for all players and the timer slows down. After a couple minutes of being attacked, you are nearly frozen from movement and the timer takes a decade to tick down, and pings are skyrocketed. Players then leave the server.
> >>>>>>>
> >>>>>>> Well earlier this week I "interrogated," pardon the pun, a member of my community who had made an exclamation that it would start to get real laggy in one of our servers earlier in the day. That server, our Zombie Server, started getting nuked just a couple minutes after. I was fairly certain it was him who started the attack. In the evening, I talked to this guy, his alias is "ST. GEORGE," and explained to him that I believed it was him who was "nuking" our servers. I acted very sincere when I told him that I had logged his IP address and was planning on filing a formal abuse complaint to his ISP, Road Runner. He somewhat panicked at hearing this, and confessed as to what he was doing.
> >>>>>>>
> >>>>>>> He sent me a link to download the same hacking tool he said he was using. Hackers Assistant is the program. I scanned the program for any trojans or viruses it might have, it was clean. I ran it and discovered a feature called "Nuker." In there it prompted for a server IP address and port and a box to input a message. One would simply put a server's info in there, type some random stuff in the message box, and click "Nuke."
> >>>>>>>
> >>>>>>> A former member of our community and admitted nuker "ST. GEORGE" tested the software. I was shocked. It was working. The server was being attacked just as described above. I held a sense of accomplishment knowing that I had found the cause of my problems. I therefore began looking for a way to block this program's abilities. Now I needed to know what types of servers this program could attack. ST. GEORGE then showed off nuke attacks on dozens of popular servers in the US and UK, highly popular servers like 24/7 Office Noob Galore and Zombiemod | XFactorGaming, and the program worked to bring down each and every one of them to their knees. There was only one server he was not able to nuke attack, evidently the #1 CSS server in the United States, CantStopGaming CS:S.
> >>>>>>>
> >>>>>>> This program affects practically every single server in CS:S. The interesting part of it is that this program doesn't advise usage towards any particular genre of online infrastructure. ST. GEORGE tried running this program on CoD servers, BF2 and BF2142 servers, Halo PC servers, SA:MP servers, and Quake 4 servers. It didn't work on any of those games. However, it worked on the other popular Source-based game out today, Team Fortress 2. Every TF2 server ST. GEORGE checked was nuke-able, with the same effects felt in-game. This leads me to the conclusion that there must be an exploit in the source engine allowing this program to nuke all servers using the source engine.
> >>>>>>>
> >>>>>>> While our server was getting attacked last time, I gathered critical data. I've determined that the program does not eat up the server's bandwidth. Instead, it seems to flood the server with messages/commands, so much that it tops out CPU usage. Below is a sample of my console as our server was undergoing a recent attack with the program. Midway through the data, the perpetrator aborted the nuke attack. You can see the server recovering as the cpu usage goes down and server FPS comes back to normal. This data was gathered with 8 others in-game.
> >>>>>>>
> >>>>>>> ===========================================
> >>>>>>>
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 96.59 16841.92 3909.91 110 4 10.00 9
> >>>>>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 96.04 17937.41 3958.69 110 4 10.00 9
> >>>>>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 95.54 17590.70 3970.64 110
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 100.00 17354.72 3966.19 110 4 523.25 9
> >>>>>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>>
> >>>>>>> ======== HERE THE ATTACK WAS ABORTED =========
> >>>>>>>
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 75.57 16933.90 4148.69 110 4 508.36 9
> >>>>>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 75.57 16750.93 4596.00 110 4 509.13 9
> >>>>>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 52.55 16518.30 6391.86 110 4 509.97 9
> >>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 40.46 16520.83 9229.05 110 4 511.77 9
> >>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>> ] rcon stats
> >>>>>>> CPU In Out Uptime Users FPS Players
> >>>>>>> 40.46 16452.49 11473.37 110 4 514.49 9
> >>>>>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
> >>>>>>>
> >>>>>>> ============================================
> >>>>>>>
> >>>>>>> I very much hope that this exploit can be stomped out. My community has suffered all too much to the hands of the kiddies that run these types of programs for their own vain pleasure. I speak for server operators everywhere when I say, this issue must be fixed!
> >>>>>>>
> >>>>>>> Thank you very much for taking the time to read my post. I hope some good will come out of it!
> >>>>>>>
> >>>>>>> Sincerely,
> >>>>>>> David "Eaglewonj" Gaipa
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> >>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds
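Chad Austin's hex dump in the thread is a complete 60-byte Ethernet frame, and it is more useful decoded than eyeballed. The Python below is an added example, not code from the thread or from Valve: it splits the frame into Ethernet, IPv4 and TCP headers and verifies both the IP header checksum and the TCP checksum over the pseudo-header. Run on the posted bytes it reports a TCP segment (IP protocol 6, not UDP, which is worth noting given the rest of the discussion) from 192.168.1.1 port 135 to 192.168.1.101 port 3312 with the RST and ACK flags set, a 40-byte IP datagram followed by six bytes of Ethernet padding, and both checksums valid. The constant name POSTED_FRAME_HEX and the keys of the returned dict are this example's own choices.

```python
"""Decode the raw frame posted to the list (Ethernet/IPv4/TCP) and check its
checksums. Added example; standard library only."""
import struct
from ipaddress import IPv4Address

# The 60-byte frame exactly as quoted in Chad Austin's message.
POSTED_FRAME_HEX = (
    "00508d917476000f1f550a6a0800"
    "45000028000040004006b719c0a80101c0a80165"
    "00870cf000000000e556bd8d501400007bbe0000"
    "000000000000"
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: sum 16-bit words, fold carries, complement.
    Over a block that already contains a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def decode_frame(hex_frame: str) -> dict:
    frame = bytes.fromhex(hex_frame)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)

    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4

    result = {
        "dst_mac": mac_str(dst_mac),
        "src_mac": mac_str(src_mac),
        "ip_total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0,
        # Anything beyond the IP total length is link-layer padding (min frame 60 bytes).
        "padding_bytes": len(ip) - total_len,
    }
    if proto != 6:
        return result

    tcp = ip[ihl:total_len]  # only the bytes the IP length covers belong to TCP
    sport, dport, seq, ack, off_flags, window, _tcp_csum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x1FF
    # TCP checksum is computed over pseudo-header (src, dst, zero, proto, length) + segment.
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    result.update({
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0,
    })
    return result


if __name__ == "__main__":
    for key, value in decode_frame(POSTED_FRAME_HEX).items():
        print("%-18s %s" % (key, value))
```

Because the decoder trusts the IP total-length field to delimit the TCP segment, the trailing zero bytes are correctly treated as Ethernet padding rather than as TCP data, which is why the TCP checksum verifies.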
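The `rcon stats` samples quoted in the original post show the symptom the poster describes: CPU at or near 100% and server FPS collapsed while the In figure barely moves, then recovery after the attack stops. The script below is an added example, not from the thread or from Valve, that parses that console format into samples and reports contiguous windows of overload, the kind of check an operator could run over a stats log to spot the same pattern. The sample text is copied from the post (including one truncated row, which the parser skips); the thresholds CPU_SATURATED and FPS_FLOOR are assumptions chosen to fit those numbers, not values from the thread.

```python
"""Parse Source dedicated server `rcon stats` console output and flag the
overload pattern from the post (CPU pinned, server FPS collapsed).
Added example; standard library only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CPU_SATURATED = 90.0  # assumption: CPU percentage at or above this counts as saturated
FPS_FLOOR = 100.0     # assumption: server FPS below this counts as collapsed

HEADER = "CPU In Out Uptime Users FPS Players"
LOG_RE = re.compile(
    r'^L \d\d/\d\d/\d{4} - (\d\d:\d\d:\d\d): rcon from "[^"]+": command "stats"$')

# Constructed from the console lines quoted in the post (one row truncated, as there).
SAMPLE_CONSOLE = """\
CPU In Out Uptime Users FPS Players
96.59 16841.92 3909.91 110 4 10.00 9
L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
96.04 17937.41 3958.69 110 4 10.00 9
L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
95.54 17590.70 3970.64 110
] rcon stats
CPU In Out Uptime Users FPS Players
100.00 17354.72 3966.19 110 4 523.25 9
L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
75.57 16933.90 4148.69 110 4 508.36 9
L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
40.46 16452.49 11473.37 110 4 514.49 9
L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
"""


@dataclass
class StatsSample:
    cpu: float
    net_in: float    # "In" column, units as printed by the server
    net_out: float   # "Out" column, units as printed by the server
    uptime: int
    users: int
    fps: float
    players: int
    timestamp: Optional[str] = None  # from the rcon log line that follows the row


def parse_stats(console_text: str) -> List[StatsSample]:
    samples: List[StatsSample] = []
    expect_row = False
    for raw in console_text.splitlines():
        line = raw.strip()
        if line == HEADER:
            expect_row = True
            continue
        if expect_row:
            expect_row = False
            fields = line.split()
            if len(fields) != 7:
                continue  # truncated row: nothing reliable to score
            cpu, net_in, net_out, uptime, users, fps, players = fields
            samples.append(StatsSample(float(cpu), float(net_in), float(net_out),
                                       int(uptime), int(users), float(fps), int(players)))
            continue
        m = LOG_RE.match(line)
        if m and samples and samples[-1].timestamp is None:
            samples[-1].timestamp = m.group(1)  # the log line is written after the row
    return samples


def is_overloaded(s: StatsSample) -> bool:
    return s.cpu >= CPU_SATURATED or s.fps < FPS_FLOOR


def overload_windows(samples: List[StatsSample]) -> List[Tuple[str, str]]:
    """Contiguous runs of overloaded samples as (first, last) timestamps."""
    windows: List[Tuple[str, str]] = []
    run: List[StatsSample] = []
    for s in list(samples) + [None]:  # sentinel flushes a trailing run
        if s is not None and is_overloaded(s):
            run.append(s)
        elif run:
            windows.append((run[0].timestamp, run[-1].timestamp))
            run = []
    return windows


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_CONSOLE)
    for s in parsed:
        print(s.timestamp, s.cpu, s.fps, "OVERLOADED" if is_overloaded(s) else "ok")
    print("overload windows:", overload_windows(parsed))
```

On the quoted data this yields a single overload window from 01:23:04 to 01:23:10, matching the "HERE THE ATTACK WAS ABORTED" marker the poster placed after the 01:23:10 sample.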

