We tried SMAC, with no luck.

I forgot to say that we also tried to block the status answer handling with a plugin, and also blocked it by flagging it as a cheat command: those two moves actually soften the impact of the attack, but don't stop it at all; the server will overflow anyway.


Thank you for the suggestion :)


On 12/06/2012 23:24, Erik-jan Riemers wrote:
Doesn't SMAC (sourcemod plugin) or something similar stop these kinds of
things?

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Alvaro
Gutierrez Lorenzo
Sent: Tuesday 12 June 2012 22:15
To: [email protected]
Subject: [hlds_linux] Overflow attack to Source servers

Hello everyone,

I'm a TF2 dedicated server owner and administrator, from Spain, and I'd
like to bring and ask at the same time some information.

Servers in Spain have been these last months victims of an overflow
attack. The way this attack works is very simple: the attacker enters the
server as a normal player, then, binding some keys to a couple of .cfg files
containing hundreds of lines with just "status" written, succeeds at
overflowing the server, making it process thousands and thousands of
"status" commands. Simple as hell, and very effective.

The root of the problem is that the status command for some reason is read
and executed as if it came from the console, so the attacker cannot be
tracked nor identified as a usual command spammer. The way we've learned
to fight back is just by guessing who the spammer is among the online
players and kicking them, checking if the spam stopped, and if it worked,
SteamID ban, IP ban... This works for a couple of minutes, until dynamic
IP and free Steam junk accounts work their magic.

Another way is to automatically monitor the keys pressed with some plugin,
but this won't work either, because the attacker may just bind these files
to 5 or 10 keys, or even just bind them to the whole keyboard and then do
some fancy faceroll all over it; this way the plugin won't trigger.

What I wanted to ask is if there is at present some workaround for this:
it just looks so simple to my eyes that I can't figure out why we have
reached this situation. Is this particular attack really unknown? I've
heard of command overflow involving commands provided by plugins
(nextmap, etc.), but the status command, which is, as I believe, native
to the Source engine, being handled like that seems weird to me (and
insecure, as proven). I don't know if we Spaniards are actually unaware of
some obvious thing that solves all this, like some way to prevent clients
from executing any kind of cfg files, or how to track the player injecting
all these commands. We have been looking for those as a Holy Grail.

We've been able to test it on some other Source games, and CS:GO has
revealed itself to be especially vulnerable to it. Nevertheless, games outside the
Free-to-Play scheme can be considered safe from this issue: administrators
just have to guess one time who the attacker is, ban its ID and never
see it again, but on TF2 this has become a real pain.

Thank you, I hope I'm bothering nobody with this maybe obvious issue, but
I can assure you lots of people will be very grateful if we could find here
some advice or assistance on this.

Thank you again!

Rugnor

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
