Are you sure that the command is executed by "console"? I did a simple test
and you can intercept it using SourceMod in both cases (sent by a client or
from the server's console). If you're not sure, then try SMAC; it has a plugin for
blocking exploits like this
(http://forums.alliedmods.net/showthread.php?p=1577705#post1577705), but it
works only if the command comes from a client, not from the server.

Also, are you sure that it is the "status" command? Because the engine already
has protection for this (a client can execute a status command only once
every few seconds).

Change your RCON password (but I assume that the attacker would use a simple
"quit" instead of spamming with commands).
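For readers who want to see what "intercept it using SourceMod" looks like in practice, here is an added example, not part of this thread and not SMAC's code: a minimal SourcePawn plugin that hooks the "status" command with a command listener, counts calls per client inside a sliding window, drops the excess, logs the offending client (name, userid, SteamID) so the spammer is no longer invisible, and kicks after a higher threshold. The window length and both thresholds are assumed values to tune for your server; commands issued from the server console or RCON (client index 0) are never throttled.

```sourcepawn
#include <sourcemod>

#pragma semicolon 1
#pragma newdecls required

// Assumed tuning values (not from the thread): how many "status" calls a
// single client may issue per window before we start dropping them, and
// how many before we kick.
#define WINDOW_SECONDS 5.0
#define MAX_PER_WINDOW 4
#define KICK_THRESHOLD 40

float g_WindowStart[MAXPLAYERS + 1];
int   g_Count[MAXPLAYERS + 1];

public Plugin myinfo =
{
    name        = "Status rate limiter (example)",
    author      = "example",
    description = "Per-client rate limit for the status command",
    version     = "0.1",
    url         = ""
};

public void OnPluginStart()
{
    // Fires for "status" whether it comes from a client or the server console.
    AddCommandListener(Command_Status, "status");
}

public void OnClientPutInServer(int client)
{
    // Reset counters so a reconnecting client starts clean.
    g_WindowStart[client] = 0.0;
    g_Count[client] = 0;
}

public Action Command_Status(int client, const char[] command, int argc)
{
    // client 0 is the server console / RCON: never throttle it.
    if (client == 0 || !IsClientInGame(client) || IsFakeClient(client))
    {
        return Plugin_Continue;
    }

    float now = GetGameTime();
    if (now - g_WindowStart[client] > WINDOW_SECONDS)
    {
        // New window: start counting again.
        g_WindowStart[client] = now;
        g_Count[client] = 0;
    }

    g_Count[client]++;

    if (g_Count[client] <= MAX_PER_WINDOW)
    {
        return Plugin_Continue;   // within budget, let the engine run it
    }

    if (g_Count[client] == MAX_PER_WINDOW + 1)
    {
        // Log once per window so the offender can be identified and banned.
        // %L expands to name<userid><steamid><team>.
        LogMessage("status flood from %L (more than %d calls in %.0f s)",
                   client, MAX_PER_WINDOW, WINDOW_SECONDS);
    }

    if (g_Count[client] == KICK_THRESHOLD)
    {
        // Defer the kick to a timer; kicking from inside a command callback is
        // legal but a deferred kick keyed on userid is the safer habit.
        CreateTimer(0.0, Timer_Kick, GetClientUserId(client));
    }

    return Plugin_Handled;        // swallow the command
}

public Action Timer_Kick(Handle timer, any userid)
{
    int client = GetClientOfUserId(userid);
    if (client > 0 && IsClientInGame(client))
    {
        KickClient(client, "Command flooding");
    }
    return Plugin_Stop;
}
```

Because the listener returns Plugin_Handled for the excess calls, the engine never processes them, so the server stops paying the cost of the flood even before anyone is kicked; the LogMessage line is what turns an anonymous "console" spammer into a SteamID you can act on.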

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Alvaro
Gutierrez Lorenzo
Sent: Tuesday, June 12, 2012 11:15 PM
To: [email protected]
Subject: [hlds_linux] Overflow attack to Source servers

Hello everyone,

I'm a TF2 dedicated server owner and administrator, from Spain, and I'd
like to share some information and ask for some at the same time.

Servers in Spain have been victims of an overflow attack these last
months. The way this attack works is very simple: the attacker enters
the server as a normal player, then, binding some keys to a couple of .cfg
files containing hundreds of lines with just "status" written,
succeeds at overflowing the server, making it process thousands and
thousands of "status" commands. Simple as hell, and very effective.

The root of the problem is that the status command for some reason is
read and executed as if it came from the console, so the attacker cannot
be tracked nor identified as a usual command spammer. The way we've
learned to fight back is just by guessing who the spammer is among the
online players and kicking them, checking if the spam stopped, and if it
worked, SteamID ban, IP ban... This works for a couple of minutes, until
dynamic IPs and free Steam junk accounts work their magic.

Another way is to automatically monitor the keys pressed with some
plugin, but this won't work either because the attacker may just bind
these files to 5 or 10 keys, or even just bind them to the whole keyboard
and then make some fancy faceroll all over it; this way the plugin won't
trigger.

What I wanted to ask is if there is at present some workaround for this:
it just looks so simple to my eyes that I can't figure out why we have
reached this situation. Is this particular attack really unknown? I've
heard of command overflow involving commands provided by plugins
(nextmap, etc.), but the status command, which is, as I believe,
native to the Source engine, being handled like that seems weird to
me (and insecure, as proven). I don't know if we Spaniards are actually
unaware of some obvious thing that solves all this, like some way to
prevent clients from executing any kind of cfg files, or how to track
the player injecting all these commands. We have been looking for those
as a Holy Grail.

We've been able to test it on some other Source games, and CS:GO has
turned out to be especially vulnerable to it. Nevertheless, games outside
the Free-to-Play scheme can be considered safe from this issue;
administrators just have to guess one time who the attacker is, ban its
ID and never see them again, but on TF2 this has become a real pain.

Thank you, I hope I'm not bothering anybody with this maybe obvious issue,
but I can assure you lots of people will be very grateful if we could find
here some advice or assistance on this.

Thank you again!

Rugnor

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux