[deadlyruler]

Before hand I would just like to let you know that I have tried all plugins (kigen, daf, rcon_lock, forlixfloodcheck, smac (and all the plugins that come with it including client protection), zblock, and have even resorted to whitelisting certain ConVars. Although I've tried all that this exploit still has the ability to crash my server and re-crash it on restart.

Here is an example Logging on what this attack looks like -
http://pastebin.com/D9x6FR4A (too big for this post)

Now these bots rejoin over 1000 times in 1 second, they generate random characters, and when I ban an IP address it automatically switches over to a new one.

Not only this, but no steamids show up when the bots rejoin. (I have managed to catch a steamid or two but banning the steamid doesnt help) When the server restarts the bots automatically rejoin once again continually crashing the server.

(Yes I have added css anti-rejoin and other plugins the like) Please help me get this taken care of, I own some pretty popular servers and have run out of ideas on what to do.

If you need more information here is a KAC Log of the attack.
http://pastebin.com/vfmc8hMz

(Please also note that this exploit was created by HaloShadoW)

[psychonic]

https://forums.alliedmods.net/showthread.php?t=171668

[deadlyruler]

Here's is a dump of sm plugins list

30 "SourceMod Anti-Cheat" (0.7.3.0) by GoD-Tony, psychonic

(Please note these plugins are running and my server is still vulnerable)

31 "SMAC Client Protection" (0.7.3.0) by GoD-Tony, psychonic, Kigen
32 "SMAC CS:S Anti-Rejoin" (0.7.3.0) by Kigen

[GoD-Tony]

I have to ask, what is the value of your smac_antispam_connect cvar set to? (SMAC and KAC had this disabled by default)

Quote:

Originally Posted by deadlyruler 32 "SMAC CS:S Anti-Rejoin" (0.7.3.0) by Kigen

This doesn't do what you think it does.

Quote:

Originally Posted by deadlyruler Here is an example Logging on what this attack looks like - http://pastebin.com/D9x6FR4A (too big for this post)

I may be wrong here but this doesn't look like the standard server log.

[deadlyruler]

"smac_antispam_connect" = "1" min. 0.000000
- [smac_client.smx] Seconds to prevent someone from restablishing a connection. (0 = Disabled)

We have our own proprietary plugins for logging, for some reason this attack was not showing up in the normal sm command logs, although we were able to see it in console logs, but recently disabled -condebug because of creation of such large files. I can re-enable it, wait for another attack, and send you the console logs if you want.

[deadlyruler]

honestly if my server keeps getting attacked I would be willing to let you have access to the server and try to patch this exploit. I have just run out of ideas.

[GoD-Tony]

How often is your server getting crashed this way?

Quote:

Originally Posted by deadlyruler but recently disabled -condebug because of creation of such large files. I can re-enable it, wait for another attack, and send you the console logs if you want.

That would really help determine if it's the same attack as the other thread or something different. Log the attack and get back to me with the file and I'll take a look.

Quote:

Originally Posted by deadlyruler "smac_antispam_connect" = "1" min. 0.000000 - [smac_client.smx] Seconds to prevent someone from restablishing a connection. (0 = Disabled)

Update to the latest version of SMAC (only need smac.zip and smac_client.smx), and delete your smac.cfg. I'd like to know if any connection spam bans are logged after the next attack.

[Fearts]

Don't bother banning IP because in my logs they keep changing every so often. But the SteamIDs stay the same.

Code:

–@@Xõ]G{·”²Õ´"<3451><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "L3š·ÒñÐfÏÏ’lÎïUc›‡T*lc
5fÛ!̶<3452><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "L3š·ÒñÐfÏÏ’lÎïUc›‡T*lc
5fÛ!̶<3452><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "!ùú-ÊS’–Qs°Öjbf¸ÄˆEfi®ipøjŸå,<3453><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "!ùú-ÊS’–Qs°Öjbf¸ÄˆEfi®ipøjŸå,<3453><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "ytIÔÂÊŒxè¹GôzFË™åA#v�Ö±G<3454><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "ytIÔÂÊŒxè¹GôzFË™åA#v�Ö±G<3454><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "ñû:O÷8¼Ý¢j:±å�U\¼'a4œ+9ÂÍ¡®<3455><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "ñû:O÷8¼Ý¢j:±å�U\¼'a4œ+9ÂÍ¡®<3455><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "r@?nßwµ²•ÐšOì¿Ÿr©VNc‚\¤m†a´<3456><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "r@?nßwµ²•ÐšOì¿Ÿr©VNc‚\¤m†a´<3456><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "“©ýkÔnl•(eµŠA´ãÝ®�tàåy•¨¬Îõ°<3457><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "“©ýkÔnl•(eµŠA´ãÝ®�tàåy•¨¬Îõ°<3457><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "B¢¥SdYå&9dëlž[¼dI4öâ·bwÞLýå�÷<3458><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "B¢¥SdYå&9dëlž[¼dI4öâ·bwÞLýå�÷<3458><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "å*¿•:úu/r×»i«»}S9»|ýhëa¨©tt<3459><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "å*¿•:úu/r×»i«»}S9»|ýhëa¨©tt<3459><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "¯@

^here what I got don't know if same person but that's his steamid


EDIT:

Code:

L 11/10/2011 - 21:12:24: "“åu�j|‚Ž$q„Ú2ϧP«žÝç(3ç!ä_ñ<917><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "cÊ.–ñp¸È.lÄÝœ¹lÑò×T"ª    G¸ËÙ<918><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "cÊ.–ñp¸È.lÄÝœ¹lÑò×T"ª    G¸ËÙ<918><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "†*o4„Úçï=x¸¢9…€¾Ÿyx5*°ÔŒ¹‰!<919><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "†*o4„Úçï=x¸¢9…€¾Ÿyx5*°ÔŒ¹‰!<919><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "‘2*ÁÊ°œÛ·¸gBì´¿�c]âZXC4‰`Pob<920><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "‘2*ÁÊ°œÛ·¸gBì´¿�c]âZXC4‰`Pob<920><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "!cZ�Ü44Œ¸|‰…ˆcõ·Ž)“˜¯8šð†#<921><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "!cZ�Ü44Œ¸|‰…ˆcõ·Ž)“˜¯8šð†#<921><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "=Š¡Œ@åBšŽ*Î8i?*&'¤aß|óOŽŠ+z<922><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "=Š¡Œ@åBšŽ*Î8i?*&'¤aß|óOŽŠ+z<922><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "(Ó\k“6p’c€R¤>Ñದ'y0—·›,µ-<923><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "(Ó\k“6p’c€R¤>Ñದ'y0—·›,µ-<923><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "õ·²c×\�<O3wC";±!;±qC-EÉ}ª¶$<924><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "õ·²c×\�<O3wC";±!;±qC-EÉ}ª¶$<924><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")

Here's another from my other server

EDIT2:

And another:

Code:

L 11/01/2011 - 14:28:08: "»Õ|*É‹8Õ‚– Aîaéäg÷¢:mblønŸ<6214><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "»Õ|*É‹8Õ‚– Aîaéäg÷¢:mblønŸ<6214><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "Iu}<bÖœÇù•|Ö}¦œÿwäÿVêN €<6215><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "Iu}<bÖœÇù•|Ö}¦œÿwäÿVêN €<6215><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "ÇDŒýLOæˆç;‘ORÜ05ÇØñÃËYiÅÇ8ùª<6216><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "ÇDŒýLOæˆç;‘ORÜ05ÇØñÃËYiÅÇ8ùª<6216><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "îéz©Nâêlª‰B·—y©åv5“½Ñ=\Åa�ì¾<6217><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "îéz©Nâêlª‰B·—y©åv5“½Ñ=\Åa�ì¾<6217><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "–�B“µ��VIÀRÉÛêí    ÜO^¬áäfš<6218><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "–�B“µ��VIÀRÉÛêí    ÜO^¬áäfš<6218><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "#Ê»]ú©K:,ʘix2�ÄÂ3/çuçþXç<6219><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "#Ê»]ú©K:,ʘix2�ÄÂ3/çuçþXç<6219><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "À[A¥3jW4ÜP4¦V^‡ã‹ç«ºÇ?ièX…ï<6220><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "À[A¥3jW4ÜP4¦V^‡ã‹ç«ºÇ?ièX…ï<6220><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "Ƕ°DûÅÀ0 <‘„ÜÅ#¶8›®'•| *¶ 
ð<6221><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "Ƕ°DûÅÀ0 <‘„ÜÅ#¶8›®'•| *¶ 
ð<6221><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")

Also these are a little old from 11/3/11 and up. I am not sure if I had anti connection spam loaded or if it even crashed the server at all.

Anyone who want to ban them type this into console:

Code:

sm_rcon banid 0 STEAM_0:1:21620883; sm_rcon banid 0 STEAM_0:1:11902529; sm_rcon banid 0 STEAM_0:1:41719390; sm_rcon writeid

[GoD-Tony]

Quote:

Originally Posted by Fearts Don't bother banning IP because in my logs they keep changing every so often. But the SteamIDs stay the same. Also these are a little old from 11/3/11 and up. I am not sure if I had anti connection spam loaded or if it even crashed the server at all.

Your log spam looks like the issue discussed over here. Especially with the SteamID and no crashes. Following the instructions there should help block it.

[Fearts]

Yea I have since then. I don't see what is different about this guys issue though (except for the fact player steamids don't show, which could be a server side issue).