At least it's not another hlboom

Nephyrin Zey wrote:
> It can send any packet of data you tell it to; the key to the attack
> is the fact that it spams it over and over. I successfully took down a
> test server here after instructing the tool to spam the string "aaaa"
> (4141414100)
>
> - Neph
>
> On Mon, Apr 28, 2008 at 7:31 PM, Chad Austin <[EMAIL PROTECTED]> wrote:
>   
>> it sends this:
>>
>>  
>> 00508d917476000f1f550a6a080045000028000040004006b719c0a80101c0a8016500870cf000000000e556bd8d501400007bbe0000000000000000
>>
>>
>>
>>  Bobby35ny wrote:
>>  > You did the right thing, Ian, no worries!!
>>  > I'm sure AL will take care of it.
>>  >
>>  > =bobby
>>  >
>>  >
>>  >
>>  > -----Original Message-----
>>  > From: [EMAIL PROTECTED]
>>  > [mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
>>  > Sent: Monday, April 28, 2008 10:08 PM
>>  > To: Half-Life dedicated Win32 server mailing list
>>  > Subject: Re: [hlds] Critical "Nuke Attack" Exploit within Source engine
>>  >
>>  > Well at least Alfred's been notified of the issue. He told me he's
>>  > investigating the report.
>>  >
>>  > Brian D'Arcy wrote:
>>  >
>>  >> I'm afraid that this type of attack has been around since the late 90's,
>>  >> if not earlier.
>>  >>
>>  >> It's basically pounding random UDP data (or maybe nowadays more structured
>>  >> data) at raw listen ports.  The application listening does what it's
>>  >> programmed to do, parse the input and use up available resources in order
>>  >> to do so.
>>  >>
>>  >> There's not a whole lot any individual can do about this.  The only thing I
>>  >> can see resolving this, assuming it becomes a widespread problem, is Valve
>>  >> updating the query/response code to ignore the random data spewed at it in a
>>  >> much more efficient manner so that the only thing which occurs is a loss of
>>  >> some available bandwidth instead of the "melt" effect you see as servers
>>  >> start to choke out.
>>  >>
>>  >> In a nutshell, it's a DDoS tool, minus the distributed part.
>>  >>
>>  >> On Mon, Apr 28, 2008 at 6:17 PM, Ian Shaffer <[EMAIL PROTECTED]> wrote:
>>  >>
>>  >>> I just noticed that. Pity my hastiness.
>>  >>>
>>  >>> Daron Dodd wrote:
>>  >>>
>>  >>>
>>  >>>> you already did when you told everyone the name of the program in the
>>  >>>> first email. Google is a very powerful tool.
>>  >>>>
>>  >>>> On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer
>>  >>>> <[EMAIL PROTECTED]> wrote:
>>  >>>>
>>  >>>>
>>  >>>>
>>  >>>>> My big problem here is that I do not have root access to any of my
>>  >>>>> servers. We used to have all our servers on our own dedi, but BECAUSE
>>  >>>>> of these attacks, we decided to scrap the dedi and spread our servers
>>  >>>>> across different IP ranges by paying per slot in different locations.
>>  >>>>> Even though we can still be attacked, the attack is limited to one
>>  >>>>> server at a time. That server is usually our Windows 50 man ZombieMod
>>  >>>>> server in Chicago. I'm currently working with the host to see if the
>>  >>>>> attack can be detected and blocked automatically.
>>  >>>>>
>>  >>>>> I've had a couple people email me asking for this "Nuker" program, or
>>  >>>>> the link to where to download it. I've notified Alfred of the issue and
>>  >>>>> sent him the link to the program; however, he recommends that I be
>>  >>>>> careful at how I present my report to the non-moderated HLDS mailing
>>  >>>>> list. Hence, I will not give this program to ANYBODY unless on Alfred's
>>  >>>>> approval.
>>  >>>>>
>>  >>>>>
>>  >>>>> Chad Austin wrote:
>>  >>>>>
>>  >>>>>
>>  >>>>>
>>  >>>>>> Post a dump of packets please, or just link to the program so it can be
>>  >>>>>> analyzed.
>>  >>>>>>
>>  >>>>>> Ian Shaffer wrote:
>>  >>>>>>
>>  >>>>>>
>>  >>>>>>
>>  >>>>>>
>>  >>>>>>> Dear Network Administrator,
>>  >>>>>>>
>>  >>>>>>> Over the past few months my servers have been brought to their knees
>>  >>>>>>> dozens of times through "nuke" style Denial of Service attacks. Simply
>>  >>>>>>> put, players start teleporting around, pings gradually start increasing
>>  >>>>>>> for all players and the timer slows down. After a couple minutes of
>>  >>>>>>> being attacked, you are nearly frozen from movement and the timer takes a
>>  >>>>>>> decade to tick down, and pings are skyrocketed. Players then leave the
>>  >>>>>>> server.
>>  >>>>>>>
>>  >>>>>>> Well earlier this week I "interrogated," pardon the pun, a member of my
>>  >>>>>>> community who had made an exclamation that it would start to get real
>>  >>>>>>> laggy in one of our servers earlier in the day. That server, our Zombie
>>  >>>>>>> Server, started getting nuked just a couple minutes after. I was fairly
>>  >>>>>>> certain it was him who started the attack. In the evening, I talked to
>>  >>>>>>> this guy, his alias is "ST. GEORGE," and explained to him that I
>>  >>>>>>> believed it was him who was "nuking" our servers. I acted very sincere
>>  >>>>>>> when I told him that I had logged his IP address and was planning on
>>  >>>>>>> filing a formal abuse complaint to his ISP, Road Runner. He somewhat
>>  >>>>>>> panicked at hearing this, and confessed as to what he was doing.
>>  >>>>>>>
>>  >>>>>>> He sent me a link to download the same hacking tool he said he was
>>  >>>>>>> using. Hackers Assistant is the program. I scanned the program for any
>>  >>>>>>> trojans or viruses it might have; it was clean. I ran it and discovered
>>  >>>>>>> a feature called "Nuker." In there it prompted for a server IP address
>>  >>>>>>> and port and a box to input a message. One would simply put a server's
>>  >>>>>>> info in there, type some random stuff in the message box, and click
>>  >>>>>>> "Nuke."
>>  >>>>>>>
>>  >>>>>>> A former member of our community and admitted nuker "ST. GEORGE" tested
>>  >>>>>>> the software. I was shocked. It was working; the server was being
>>  >>>>>>> attacked just as described above. I held a sense of accomplishment
>>  >>>>>>> knowing that I had found the cause of my problems. I therefore began
>>  >>>>>>> looking for a way to block this program's abilities. Now I needed to know
>>  >>>>>>> what types of servers this program could attack. ST. GEORGE then showed
>>  >>>>>>> off nuke attacks on dozens of popular servers in the US and UK, highly
>>  >>>>>>> popular servers like 24/7 Office Noob Galore and Zombiemod |
>>  >>>>>>> XFactorGaming, and the program worked to bring down each and every one
>>  >>>>>>> of them to their knees. There was only one server he was not able to
>>  >>>>>>> nuke attack, evidently the #1 CSS server in the United States,
>>  >>>>>>> CantStopGaming CS:S.
>>  >>>>>>>
>>  >>>>>>> This program affects practically every single server in CS:S. The
>>  >>>>>>> interesting part of it is that this program doesn't advise usage towards
>>  >>>>>>> any particular genre of online infrastructure. ST. GEORGE tried running
>>  >>>>>>> this program on CoD servers, BF2 and BF2142 servers, Halo PC servers,
>>  >>>>>>> SA:MP servers, and Quake 4 servers. It didn't work on any of those
>>  >>>>>>> games. However, it worked on the other popular Source-based game out
>>  >>>>>>> today, Team Fortress 2. Every TF2 server ST. GEORGE checked was
>>  >>>>>>> nuke-able, with the same effects felt in-game. This leads me to the
>>  >>>>>>> conclusion that there must be an exploit in the Source engine allowing
>>  >>>>>>> this program to nuke all servers using the Source engine.
>>  >>>>>>>
>>  >>>>>>> While our server was getting attacked last time, I gathered critical
>>  >>>>>>> data. I've determined that the program does not eat up the server's
>>  >>>>>>> bandwidth. Instead, it seems to flood the server with messages/commands,
>>  >>>>>>> so much that it tops out CPU usage. Below is a sample of my console as
>>  >>>>>>> our server was undergoing a recent attack with the program. Midway
>>  >>>>>>> through the data, the perpetrator aborted the nuke attack. You can see
>>  >>>>>>> the server recovering as the CPU usage goes down and server FPS comes
>>  >>>>>>> back to normal. This data was gathered with 8 others in-game.
>>  >>>>>>>
>>  >>>>>>> ===========================================
>>  >>>>>>>
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 96.59   16841.92  3909.91   110     4      10.00   9
>>  >>>>>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 96.04   17937.41  3958.69   110     4      10.00   9
>>  >>>>>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 95.54   17590.70  3970.64   110
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 100.00  17354.72  3966.19   110     4      523.25  9
>>  >>>>>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>>
>>  >>>>>>> ======== HERE THE ATTACK WAS ABORTED =========
>>  >>>>>>>
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 75.57   16933.90  4148.69   110     4      508.36  9
>>  >>>>>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 75.57   16750.93  4596.00   110     4      509.13  9
>>  >>>>>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 52.55   16518.30  6391.86   110     4      509.97  9
>>  >>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 40.46   16520.83  9229.05   110     4      511.77  9
>>  >>>>>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ] rcon stats
>>  >>>>>>> CPU     In        Out       Uptime  Users  FPS     Players
>>  >>>>>>> 40.46   16452.49  11473.37  110     4      514.49  9
>>  >>>>>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
>>  >>>>>>> ============================================
>>  >>>>>>>
>>  >>>>>>>
>>  >>>>>>> I very much hope that this exploit can be stomped out. My community has
>>  >>>>>>> suffered all too much at the hands of the kiddies that run these types
>>  >>>>>>> of programs for their own vain pleasure. I speak for server operators
>>  >>>>>>> everywhere when I say, this issue must be fixed!
>>  >>>>>>>
>>  >>>>>>> Thank you very much for taking the time to read my post. I hope some
>>  >>>>>>> good will come out of it!
>>  >>>>>>>
>>  >>>>>>> Sincerely,
>>  >>>>>>> David "Eaglewonj" Gaipa
>>  >>>>>>>
>>  >>>>>>> _______________________________________________
>>  >>>>>>> To unsubscribe, edit your list preferences, or view the list
>>  >>>>>>> archives, please visit:
>>  >>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds


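The hex string Chad posted is a raw Ethernet frame, and nobody in the thread actually decodes it. Below is an added example, not code from the list, from Valve, or from the tool under discussion, that parses that frame and reports what the bytes say: ethertype, IPv4 addresses, protocol number, ports, TCP flags, whether the IPv4 header checksum verifies, and how many trailing bytes are link-layer padding rather than payload (the frame is 60 bytes, but its IP total-length field says 40). The UDP branch is there because Brian describes the classic form of this attack as random UDP data; the posted frame carries protocol 6, so only the TCP branch is exercised by it. Every value the code reports for this frame comes from the posted bytes; nothing about the addresses or ports is assumed beyond that.

```python
"""Decode the Ethernet/IPv4 frame posted to the hlds thread.

Added example for this thread: a small header decoder, not code from
the list, from Valve, or from the tool discussed.  It parses the
Ethernet, IPv4 and TCP/UDP headers, verifies the IPv4 header checksum
(RFC 1071), and separates real payload from Ethernet padding.
"""
import struct

# The 120 hex characters exactly as posted (60 bytes, the Ethernet
# minimum frame size without the FCS), split here only for readability.
FRAME_HEX = (
    "00508d917476" "000f1f550a6a" "0800"                    # Ethernet: dst, src, type
    "4500002800004000" "4006b719" "c0a80101c0a80165"        # IPv4 header
    "00870cf0" "00000000" "e556bd8d" "50140000" "7bbe0000"  # TCP header
    "000000000000"                                          # trailing zero bytes
)

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def ip_header_checksum_ok(header):
    """RFC 1071: the one's-complement sum over the whole header, checksum
    field included, folds to 0xffff when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def decode_frame(frame_hex):
    """Return a dict describing one Ethernet/IPv4 frame given as hex."""
    raw = bytes.fromhex(frame_hex)
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    info = {
        "dst_mac": _mac(dst), "src_mac": _mac(src),
        "src_ip": _ipv4(sip), "dst_ip": _ipv4(dip),
        "ttl": ttl, "protocol": proto, "ip_total_len": total_len,
        "dont_fragment": bool(frag & 0x4000),
        "ip_checksum_ok": ip_header_checksum_ok(ip[:ihl]),
        # Bytes past the IP total length are link-layer padding, not data.
        "padding_len": len(ip) - total_len,
    }
    l4 = ip[ihl:total_len]
    if proto == 6:  # TCP
        (sport, dport, seq, ack, off_flags,
         win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", l4[:20])
        doff = (off_flags >> 12) * 4  # header length in bytes
        info.update(
            src_port=sport, dst_port=dport, seq=seq, ack=ack, window=win,
            flags=[name for bit, name in TCP_FLAGS if off_flags & bit],
            payload=l4[doff:],
        )
    elif proto == 17:  # UDP (the form Brian describes; not in the posted frame)
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        info.update(src_port=sport, dst_port=dport, flags=[],
                    payload=l4[8:ulen])
    else:
        info.update(flags=[], payload=l4)
    return info


def summarize(info):
    """One-line, tcpdump-style summary of a decode_frame() result."""
    proto = {6: "TCP", 17: "UDP"}.get(info["protocol"], str(info["protocol"]))
    flags = "/".join(info["flags"]) or "-"
    return (f"{proto} {info['src_ip']}:{info.get('src_port', '?')} -> "
            f"{info['dst_ip']}:{info.get('dst_port', '?')} flags={flags} "
            f"payload={len(info['payload'])}B padding={info['padding_len']}B "
            f"ipcsum={'ok' if info['ip_checksum_ok'] else 'BAD'}")


if __name__ == "__main__":
    print(summarize(decode_frame(FRAME_HEX)))
```

Run it as a script for the one-line summary, or call decode_frame() on any other capture you have in hex. The caveat a practitioner would attach: one frame from Chad's LAN test (192.168.1.1 to 192.168.1.101) shows the format of what the tool emitted in that run, not what an internet-facing server received, and, as Neph says, the damage comes from the volume of packets rather than from anything inside a single one.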
