Skamadix 02-16-2015 08:58

RCON Brute-force... WITH A TWIST!
 
Another community is taking a list of IPs that connect to their servers, and spoofing RCON commands with this list of IP addresses against our servers - causing Sourcemod to automatically ban their IP.

Has anyone run into this before?

Disabling RCON for us unfortunately is not an option.

JoB2C 02-16-2015 09:18

Re: RCON Brute-force... WITH A TWIST!
 
Is whitelisting by IP an option?

psychonic 02-16-2015 10:02

Re: RCON Brute-force... WITH A TWIST!
 
You can't spoof RCon packet addresses; RCon goes over TCP. Additionally, SourceMod itself does not do any such automatic banning.

It's possible that they are spoofing game traffic (UDP) from those addresses and that the engine or something else is banning them. RCon and game traffic share the same ban list for IP bans.

Zephyrus 02-16-2015 11:27

Re: RCON Brute-force... WITH A TWIST!
 
Quote:

Originally Posted by psychonic (Post 2262903)
You can't spoof RCon packet addresses; RCon goes over TCP. Additionally, SourceMod itself does not do any such automatic banning.

It's possible that they are spoofing game traffic (UDP) from those addresses and that the engine or something else is banning them. RCon and game traffic share the same ban list for IP bans.

They are opening a page in the MOTD with a WebSocket to the target server's RCON address and spamming that.

asherkin 02-16-2015 11:50

Re: RCON Brute-force... WITH A TWIST!
 
https://forums.alliedmods.net/showpo...1&postcount=11

psychonic 02-16-2015 13:15

Re: RCON Brute-force... WITH A TWIST!
 
Quote:

Originally Posted by Zephyrus (Post 2262934)
Quote:

Originally Posted by psychonic (Post 2262903)
You can't spoof RCon packet addresses; RCon goes over TCP. Additionally, SourceMod itself does not do any such automatic banning.

It's possible that they are spoofing game traffic (UDP) from those addresses and that the engine or something else is banning them. RCon and game traffic share the same ban list for IP bans.

They are opening a page in the MOTD with a WebSocket to the target server's RCON address and spamming that.

That's not spoofing, nor SM doing the resulting ban. My statement holds.
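
As an added example that is not part of any post in this thread: a Python triage pass over server logs for the situation described, where failed RCON connections arrive from many player IPs rather than from one brute-forcing host. The log line format, the sample lines and the `known_players` input are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed shape of a failed RCON login line; adjust the regex to your server's logs.
BAD_RCON = re.compile(r'rcon from "(\d{1,3}(?:\.\d{1,3}){3}):\d+": Bad Password')

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = '''\
L 02/16/2015 - 08:50:01: rcon from "198.51.100.7:50111": Bad Password
L 02/16/2015 - 08:50:01: rcon from "198.51.100.7:50112": Bad Password
L 02/16/2015 - 08:50:02: rcon from "203.0.113.20:41000": Bad Password
L 02/16/2015 - 08:50:02: rcon from "203.0.113.20:41001": Bad Password
L 02/16/2015 - 08:50:03: rcon from "203.0.113.44:39000": Bad Password
L 02/16/2015 - 08:50:04: "Player<2><STEAM_ID><CT>" say "hi"
L 02/16/2015 - 08:50:05: rcon from "192.0.2.9:60000": Bad Password
'''

def failures_by_ip(log_text):
    """Count failed RCON logins per source IP."""
    hits = (BAD_RCON.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in hits if m)

def triage(log_text, known_players, max_share=0.5):
    """Separate failing sources and judge whether the failures look distributed.

    known_players: IPs previously seen as ordinary game clients (hypothetical input).
    One brute-forcing host dominates the failure count; the pattern in this thread
    is many client IPs each contributing a few failures.
    """
    counts = failures_by_ip(log_text)
    total = sum(counts.values())
    top_share = max(counts.values()) / total if total else 0.0
    return {
        "distributed": len(counts) > 1 and top_share <= max_share,
        "review_before_ban": sorted(ip for ip in counts if ip in known_players),
        "other_sources": sorted(ip for ip in counts if ip not in known_players),
        "counts": dict(counts),
    }

if __name__ == "__main__":
    players = {"198.51.100.7", "203.0.113.20", "203.0.113.44"}
    for key, value in triage(SAMPLE_LOG, players).items():
        print(key, value)
```

Addresses listed under `review_before_ban` are known players whose failures are better checked by hand than left on the shared IP ban list.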

