Hello everyone,
I'm a TF2 dedicated server owner and administrator from Spain, and I'd
like to both share some information and ask for some at the same time.

Servers in Spain have in recent months been victims of an overflow
attack. The way this attack works is very simple: the attacker enters
the server as a normal player, then, by binding some keys to a couple of
.cfg files containing hundreds of lines with just "status" written,
succeeds at overflowing the server, making it process thousands and
thousands of "status" commands. Simple as hell, and very effective.

The root of the problem is that the status command for some reason is
read and executed as if it came from the console, so the attacker cannot
be tracked nor identified as a usual command spammer. The way we've
learned to fight back is just by guessing who the spammer is among the
online players and kicking them, checking if the spam stopped, and if it
worked, SteamID ban, IP ban... This works for a couple of minutes, until
dynamic IPs and free Steam junk accounts work their magic.

Another way is to automatically monitor the keys pressed with some
plugin, but this won't work either, because the attacker may just bind
these files to 5 or 10 keys, or even bind them to the whole keyboard
and then do some fancy faceroll all over it; this way the plugin won't
trigger.

What I wanted to ask is whether there is at present some workaround for
this: it just looks so simple to my eyes that I can't figure out why we
have reached this situation. Is this particular attack really unknown?
I've heard of command overflow involving commands provided by plugins
(nextmap, etc.), but the status command, which is, as I believe, native
to the Source engine, being handled like that seems weird to me (and
insecure, as proven). I don't know if we Spaniards are actually unaware
of some obvious thing that solves all this, like some way to prevent
clients from executing any kind of cfg files, or how to track the player
injecting all these commands. We have been looking for those as a Holy
Grail.

We've been able to test it on some other Source games, and CS:GO has
turned out to be especially vulnerable to it. Nevertheless, games outside
the Free-to-Play scheme can be considered safe from this issue:
administrators just have to guess one time who the attacker is, ban its
ID and never see them again, but on TF2 this has become a real pain.

Thank you, I hope I'm not bothering anybody with this maybe obvious
issue, but I can assure you lots of people will be very grateful if we
could find some advice or assistance on this here.
Thank you again!
Rugnor
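The post describes a flood of a command that arrives without client attribution, so the one thing a server-side detector can still do is notice the burst itself and record who was connected when it happened, which narrows the list the operator otherwise has to guess from. The following is an added illustration of that detection logic and is not code from the original post or from the Source engine or any plugin; it assumes a constructed event stream of (timestamp, kind, detail) tuples, and the window and threshold values are illustrative choices.

```python
"""Sliding-window flood detector for a repeated console command.

Assumptions (not from the original post): the server produces a stream of
(timestamp_seconds, kind, detail) events where kind is "connect",
"disconnect" or "command". The thresholds below are illustrative.
"""
from collections import deque

WINDOW_SECONDS = 1.0   # length of the sliding window (assumed value)
MAX_PER_WINDOW = 50    # more executions than this per window is treated as a flood (assumed)


def detect_floods(events, command="status", window=WINDOW_SECONDS, threshold=MAX_PER_WINDOW):
    """Return one alert per burst as (timestamp, count_in_window, connected_players).

    The flooded command carries no client identity (it is executed as if typed
    at the console), so the alert records which players were connected at the
    moment the burst crossed the threshold instead of naming a sender.
    """
    connected = set()
    recent = deque()      # timestamps of matching executions still inside the window
    alerts = []
    in_burst = False      # suppress repeated alerts while the same burst continues

    for ts, kind, detail in events:
        if kind == "connect":
            connected.add(detail)
        elif kind == "disconnect":
            connected.discard(detail)
        elif kind == "command" and detail == command:
            recent.append(ts)
            # drop executions that have aged out of the window
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) > threshold:
                if not in_burst:
                    alerts.append((ts, len(recent), sorted(connected)))
                    in_burst = True
            else:
                in_burst = False
    return alerts


def build_sample_events():
    """Constructed event stream: three players join, a slow trickle of status
    commands (normal admin use), then 200 executions inside half a second."""
    events = [(0.0, "connect", "alice"), (1.0, "connect", "bob"), (2.0, "connect", "carol")]
    events += [(3.0 + 2 * i, "command", "status") for i in range(9)]          # t = 3 .. 19
    events += [(20.0 + i * 0.0025, "command", "status") for i in range(200)]  # the burst
    events.append((21.0, "disconnect", "bob"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for ts, count, players in detect_floods(build_sample_events()):
        print(f"t={ts:.3f}s: {count} '{'status'}' executions in the last second; "
              f"connected players: {', '.join(players)}")
```

The trickle of one command every two seconds never trips the detector; the burst produces a single alert at the moment the 51st execution lands inside the one-second window, listing alice, bob and carol as the candidates to investigate. Raising the window or threshold trades detection latency for fewer false alerts during legitimate heavy use of the command.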
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux