new ddos/flood/exploit attack lags and crashes servers

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

new ddos/flood/exploit attack lags and crashes servers

Kevin
This post has NOT been accepted by the mailing list yet.
This post was updated on .
edit: it is due to this hack https://www.youtube.com/watch?v=Ae7YpRF_ZIQ&feature=youtu.be

there seems to be a new exploit, this lags the server and game service providers don't see it as a flood/ddos attack and it doesn't get filtered

a small section of the log:
 
..
..
..
..
SendNetMsg 99.252.67.138:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 86.45.82.127:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 50.125.28.237:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 62.47.147.187:55049: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 73.70.75.21:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 86.168.177.248:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 31.51.28.219:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 71.72.141.100:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 82.29.68.23:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 216.176.139.224:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 71.12.35.75:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 67.186.194.43:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 71.11.195.113:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 70.119.216.138:27005: stream[(null)] buffer overflow (maxsize = 4000)!
SendNetMsg 99.252.67.138:27005: stream[(null)] buffer overflow (maxsize = 4000)!
Client "crillo" connected (80.216.201.47:27005).
Dv??ed?™?  [H] 4 Knives: doesnt matter  its rank its not that low of a rank
Agent Decoy: Trading Bayonet Tiger Tooth 122 Keys or more in itemsw
Client "RyDexdArEalk1ng" connected (84.109.64.56:1337).
Out of keyvalue string spaceOut of keyvalue string space
Out of keyvalue string space
Wrote minidump to: /servers/tradesg/csgo/addons/sourcemod/data/dumps/4dd0dc06-b714-f53f-1d999b87-0fa1290b.dmp
./exec_tradesg.run: line 318: 31215 Segmentation fault      (core dumped) $HL_CMD
email debug.log to linux@valvesoftware.com
Sat Mar 19 14:45:36 CDT 2016: Server Quit


MANY communities and servers have been attacked with this
TJ
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: new ddos/flood/exploit attack lags and crashes servers

TJ
This post was updated on .
Our community can also confirm that we are being flooded as well.

Reference post: https://forums.alliedmods.net/showthread.php?t=280545

NeuroToxin said:
"So apparently...

The exploit runs @ 1ms.

And calls client side: setinfo x x

Where x is in a for loop

Sounds like the command executing client side is:

setinfo 1 1
setinfo 2 2
setinfo 3 3 ... ect"

--

Our server is now attempting to block this, but as expected, some attacks are still getting through. It is not an instant attack once in the server, looks like it takes a few minutes, we're still trying to reproduce it. Rumor is aimware, and a few other cheat-providors just added this in a recent update.

A fix would be much appreciated.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: new ddos/flood/exploit attack lags and crashes servers

decor
This post has NOT been accepted by the mailing list yet.
In reply to this post by Kevin
have the same issues since today.
ics
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: new ddos/flood/exploit attack lags and crashes servers

ics
In reply to this post by TJ
Sounds like an old exploit that has resurfaced.

-ics

balon kirjoitti:

> Our community can also confirm that we are being flooded as well.
>
> Reference post: https://forums.alliedmods.net/showthread.php?t=280545
>
> NeutroToxin said:
> "So apparently...
>
> The exploit runs @ 1ms.
>
> And calls client side: setinfo x x
>
> Where x is in a for loop
>
> Sounds like the command executing client side is:
>
> setinfo 1 1
> setinfo 2 2
> setinfo 3 3 ... ect"
>


_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: new ddos/flood/exploit attack lags and crashes servers

Nathaniel Theis
From a cursory look, hooking CBaseClient::ProcessSetConVar(
NET_SetConVar *msg ) and rejecting everything but what a legitimate
client sends should fix the underlying issue (a client can fill their
m_ConVars up with as much data as they can send to the server, until
it runs out of memory and dies)

On Sat, Mar 19, 2016 at 1:48 PM, ics <[hidden email]> wrote:

> Sounds like an old exploit that has resurfaced.
>
> -ics
>
> balon kirjoitti:
>>
>> Our community can also confirm that we are being flooded as well.
>>
>> Reference post: https://forums.alliedmods.net/showthread.php?t=280545
>>
>> NeutroToxin said:
>> "So apparently...
>>
>> The exploit runs @ 1ms.
>>
>> And calls client side: setinfo x x
>>
>> Where x is in a for loop
>>
>> Sounds like the command executing client side is:
>>
>> setinfo 1 1
>> setinfo 2 2
>> setinfo 3 3 ... ect"
>>
>
>
> _______________________________________________
> Csgo_servers mailing list
> [hidden email]
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: new ddos/flood/exploit attack lags and crashes servers

Vinodhkumar Shanmugam

-- 

Vinodhkumar (vinoh) Shanmugam

On 20 March 2016 at 02:27, Nathaniel Theis <[hidden email]> wrote:
From a cursory look, hooking CBaseClient::ProcessSetConVar(
NET_SetConVar *msg ) and rejecting everything but what a legitimate
client sends should fix the underlying issue (a client can fill their
m_ConVars up with as much data as they can send to the server, until
it runs out of memory and dies)

On Sat, Mar 19, 2016 at 1:48 PM, ics <[hidden email]> wrote:
> Sounds like an old exploit that has resurfaced.
>
> -ics
>
> balon kirjoitti:
>>
>> Our community can also confirm that we are being flooded as well.
>>
>> Reference post: https://forums.alliedmods.net/showthread.php?t=280545
>>
>> NeutroToxin said:
>> "So apparently...
>>
>> The exploit runs @ 1ms.
>>
>> And calls client side: setinfo x x
>>
>> Where x is in a for loop
>>
>> Sounds like the command executing client side is:
>>
>> setinfo 1 1
>> setinfo 2 2
>> setinfo 3 3 ... ect"
>>
>
>
> _______________________________________________
> Csgo_servers mailing list
> [hidden email]
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers


_______________________________________________
Csgo_servers mailing list
[hidden email]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
Loading...