I wish there was. :(

Rodge Stumbaugh wrote:
> Is there a moderated list?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
> Sent: Monday, April 28, 2008 9:08 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] Critical "Nuke Attack" Exploit within Source engine
>
> My big problem here is that I do not have root access to any of my 
> servers. We used to have all our servers on our own dedi, but BECAUSE of 
> these attacks, we decided to scrap the dedi and spread our servers 
> across different IP ranges by paying per slot in different locations. 
> Even though we can still be attacked, the attack is limited to one 
> server at a time. That server is usually our Windows 50 man ZombieMod 
> server in Chicago. I'm currently working with the host to see if the 
> attack can be detected and blocked automatically.
>
> I've had a couple people email me asking for this "Nuker" program, or 
> the link to where to download it. I've notified Alfred of the issue and 
> sent him the link to the program, however he recommends that I be 
> careful about how I present my report to the non-moderated HLDS mailing 
> list. Hence, I will not give this program to ANYBODY unless on Alfred's 
> approval.
>
> Chad Austin wrote:
>   
>> Post a dump of packets please, or just link to program so it can be 
>> analyzed.
>>
>> Ian Shaffer wrote:
>>   
>>     
>>> Dear Network Administrator,
>>>
>>> Over the past few months my servers have been brought to their knees 
>>> dozens of times through "nuke" style Denial of Service attacks. Simply 
>>> put, players start teleporting around, pings gradually start increasing 
>>> for all players and the timer slows down. After a couple minutes of 
>>> being attacked, you are nearly frozen from movement and the timer takes a 
>>> decade to tick down, and pings are skyrocketed. Players then leave the 
>>> server.
>>>
>>> Well earlier this week I "interrogated," pardon the pun, a member of my 
>>> community who had made an exclamation that it would start to get real 
>>> laggy in one of our servers earlier in the day. That server, our Zombie 
>>> Server, started getting nuked just a couple minutes after. I was fairly 
>>> certain it was him who started the attack. In the evening, I talked to 
>>> this guy, his alias is "ST. GEORGE," and explained to him that I 
>>> believed it was him who was "nuking" our servers. I acted very sincere 
>>> when I told him that I had logged his IP address and was planning on 
>>> filing a formal abuse complaint to his ISP, Road Runner. He somewhat 
>>> panicked at hearing this, and confessed as to what he was doing.
>>>
>>> He sent me a link to download the same hacking tool he said he was 
>>> using. Hackers Assistant is the program. I scanned the program for any 
>>> trojans or viruses it might have; it was clean. I ran it and discovered 
>>> a feature called "Nuker." In there it prompted for a server IP address 
>>> and port and a box to input a message. One would simply put a server's 
>>> info in there, type some random stuff in the message box, and click 
>>> "Nuke."
>>>
>>> A former member of our community and admitted nuker "ST. GEORGE" tested 
>>> the software. I was shocked. It was working. The server was being 
>>> attacked just as described above. I held a sense of accomplishment 
>>> knowing that I had found the cause of my problems. I therefore began 
>>> looking for a way to block this program's abilities. Now I needed to know 
>>> what types of servers this program could attack. ST. GEORGE then showed 
>>> off nuke attacks on dozens of popular servers in the US and UK, highly 
>>> popular servers like 24/7 Office Noob Galore and Zombiemod | 
>>> XFactorGaming, and the program worked to bring down each and every one 
>>> of them to their knees. There was only one server he was not able to 
>>> nuke attack, evidently the #1 CSS server in the United States, 
>>> CantStopGaming CS:S.
>>>
>>> This program affects practically every single server in CS:S. The 
>>> interesting part of it is that this program doesn't advise usage towards 
>>> any particular genre of online infrastructure. ST. GEORGE tried running 
>>> this program on CoD servers, BF2 and BF2142 servers, Halo PC servers, 
>>> SA:MP servers, and Quake 4 servers. It didn't work on any of those 
>>> games. However, it worked on the other popular Source-based game out 
>>> today, Team Fortress 2. Every TF2 server ST. GEORGE checked was 
>>> nuke-able, with the same effects felt in-game. This leads me to the 
>>> conclusion that there must be an exploit in the source engine allowing 
>>> this program to nuke all servers using the source engine.
>>>
>>> While our server was getting attacked last time, I gathered critical 
>>> data. I've determined that the program does not eat up the server's 
>>> bandwidth. Instead, it seems to flood the server with messages/commands, 
>>> so much that it tops out CPU usage. Below is a sample of my console as 
>>> our server was undergoing a recent attack with the program. Midway 
>>> through the data, the perpetrator aborted the nuke attack. You can see 
>>> the server recovering as the cpu usage goes down and server FPS comes 
>>> back to normal. This data was gathered with 8 others in-game.
>>>
>>> ===========================================
>>>
>>> CPU In Out Uptime Users FPS Players
>>> 96.59 16841.92 3909.91 110 4 10.00 9
>>> L 04/27/2008 - 01:23:04: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 96.04 17937.41 3958.69 110 4 10.00 9
>>> L 04/27/2008 - 01:23:09: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 95.54 17590.70 3970.64 110
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 100.00 17354.72 3966.19 110 4 523.25 9
>>> L 04/27/2008 - 01:23:10: rcon from "72.251.244.233:2020": command "stats"
>>>
>>> ======== HERE THE ATTACK WAS ABORTED =========
>>>
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 75.57 16933.90 4148.69 110 4 508.36 9
>>> L 04/27/2008 - 01:23:11: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 75.57 16750.93 4596.00 110 4 509.13 9
>>> L 04/27/2008 - 01:23:12: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 52.55 16518.30 6391.86 110 4 509.97 9
>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 40.46 16520.83 9229.05 110 4 511.77 9
>>> L 04/27/2008 - 01:23:13: rcon from "72.251.244.233:2020": command "stats"
>>> ] rcon stats
>>> CPU In Out Uptime Users FPS Players
>>> 40.46 16452.49 11473.37 110 4 514.49 9
>>> L 04/27/2008 - 01:23:14: rcon from "72.251.244.233:2020": command "stats"
>>>
>>> ============================================
>>>
>>>
>>> I very much hope that this exploit can be stomped out. My community has 
>>> suffered all too much at the hands of the kiddies that run these types 
>>> of programs for their own vain pleasure. I speak for server operators 
>>> everywhere when I say, this issue must be fixed!
>>>
>>> Thank you very much for taking the time to read my post. I hope some 
>>> good will come out of it!
>>>
>>> Sincerely,
>>> David "Eaglewonj" Gaipa
>>>
>>> _______________________________________________
>>> To unsubscribe, edit your list preferences, or view the list archives,
>>> please visit:
>>> http://list.valvesoftware.com/mailman/listinfo/hlds

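Added example, not part of the original thread or anyone's posted code: a Python sketch of the kind of automatic detection Ian Shaffer mentions discussing with his host, run over rows from the console capture in the quoted report. It flags `stats` samples where CPU is saturated while server FPS has collapsed; the thresholds, the function names and the placeholder address in the constructed rcon line are assumptions.

```python
import re
from typing import NamedTuple

class Sample(NamedTuple):
    cpu: float
    net_in: float
    net_out: float
    fps: float
    players: int

# Stat rows are excerpted from the console capture in the quoted report; the
# rcon log line is constructed and uses a placeholder address.
CAPTURE = '''\
CPU In Out Uptime Users FPS Players
96.59 16841.92 3909.91 110 4 10.00 9
L 04/27/2008 - 01:23:04: rcon from "192.0.2.10:2020": command "stats"
] rcon stats
CPU In Out Uptime Users FPS Players
96.04 17937.41 3958.69 110 4 10.00 9
95.54 17590.70 3970.64 110
100.00 17354.72 3966.19 110 4 523.25 9
40.46 16452.49 11473.37 110 4 514.49 9
'''

NUM = re.compile(r"^\d+(\.\d+)?$")

def parse_stats(text):
    """Keep complete 7-column numeric rows; skip headers, log lines, echoes, truncated rows."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and all(NUM.match(x) for x in f):
            out.append(Sample(float(f[0]), float(f[1]), float(f[2]), float(f[5]), int(f[6])))
    return out

def classify(samples, cpu_min=90.0, fps_max=30.0):
    """'degraded' = CPU saturated while server FPS has collapsed (assumed thresholds)."""
    return ["degraded" if s.cpu >= cpu_min and s.fps <= fps_max else "ok" for s in samples]

def inbound_ratio(samples, labels):
    """Mean inbound rate of degraded samples over that of ok samples, or None."""
    deg = [s.net_in for s, l in zip(samples, labels) if l == "degraded"]
    ok = [s.net_in for s, l in zip(samples, labels) if l == "ok"]
    if not deg or not ok:
        return None
    return (sum(deg) / len(deg)) / (sum(ok) / len(ok))

if __name__ == "__main__":
    samples = parse_stats(CAPTURE)
    labels = classify(samples)
    for s, l in zip(samples, labels):
        print(f"{l:8} cpu={s.cpu:6.2f} fps={s.fps:7.2f} in={s.net_in:9.2f}")
    print("degraded/ok inbound ratio:", round(inbound_ratio(samples, labels), 3))
```

On these rows the inbound ratio stays close to 1, which matches the report's observation that inbound bandwidth is not what changes, so an alarm keyed only to traffic volume would not fire.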