[IMPORTANT] A new HLDS engine exploit !!!


lickshot
Junior Member
Join Date: Jul 2012
Old 07-19-2012 , 17:08   [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #1

I am writing to inform you about a new, very dangerous exploit in the HLDS engine. Briefly, the exploit allows the attacker to send packets via every HLDS server to a predefined destination. This way all HLDS servers form an unstoppable "botnet" which can attack the chosen destination.

The attack originally started a month and a half ago in Bulgaria, and since then many big server chains have been attacked and still no solution has been found. The attack is so strong that even Internet Service Providers say that it harms the connection of their users near the HLDS server location.

Explanation of the attack:
We know that the attack is made through the UDP protocol from hundreds of IPs that are real Counter-Strike 1.6 servers (HLDS). It comes from the server port, and almost always hits port 27005.
The most common length of the packets is 1400, but there are also fewer packets with different lengths. However, there is no point in dropping the packets with this length because the whole international and inbound channels are filled and the server still cannot be reached.
Also, the hex dump of the packets contains a part of the server configuration. I've noticed a packet whose hex dump prints "You have been banned from this server!". This makes me think that some bot connects to a chosen server and makes the server send a UDP packet to the predefined destination.

We've managed to log full information about the attack. I have 15 gigabytes of logs of this attack which were captured in only 10 minutes. I will attach a short part of my logs, and some other logs from other server administrators who have experienced the same attack.

One of the server administrators says:
"I am writing to say that I have received the same attack against my machines and since I work as a system administrator in a corporate hosting company, my machines are colocated in the company's server room. With this I want to say that my resources are a lot bigger than my mate @talibana's and I managed to localize the attack, or at least I think so.

The flood was directed to UDP port 27005. After a while the enormous flood managed to fill my international channel and I had to work jointly with our ISP. After I asked them to block port 27005, only 4 IP addresses started to show on my machine, 3 of which were Russian and 1 Greek, which didn't make a lot of traffic or a big number of packets, just to say they were "listening" to the final point - my IP address. After I blocked these IPs on the routing machine (gateway) the flood totally disappeared."
And also:
"We are talking about a vulnerability in the engine, which allows the generation of packets by unauthorized people, which are then sent wherever the 'bad guy' wants."

The above "story" was sent to Valve, with a view to finding a solution to the problem. Since the attack has reached its peak we can't just wait, watching our servers get ruined. I post this topic so that more experienced people can say what they think and so that together we can figure out what kind of attack it is and a fix can be implemented. You can download the logs and other things at the end of the post.

I will update this post with the most recent information about the attack.

A small discovery: A system administrator noticed that HLSW is receiving exactly the same packets as the flooder sends from other HL1 servers to the "victim". This packet contains information about the server vars and mod information. We think that this is the same packet which can be sent to every server to request its info (A2S_INFO). The question that arises is how the attacker manages to request this information from the infected servers and forward it to a specified IP address.

Logs and pics:
A very short part of the flood attack (40 mb)
Traffic extreme:
[IMG]http://desmond.**************/Himg228/scaled.php?server=228&filename=udpfloodtraffi cgraphext.jpg&res=landing[/IMG]

BTW: Check the logs for your server's IP and don't be surprised if you see it sending us packets.

Last edited by lickshot; 08-08-2012 at 09:20.
lickshot is offline
Zephyrus
Cool Pig B)
Join Date: Jun 2010
Location: Hungary
Old 07-19-2012 , 17:15   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #2

Quote:
Originally Posted by lickshot View Post
I am writing to inform you about a new, very dangerous exploit in the HLDS engine. Briefly, the exploit allows the attacker to send packets via every HLDS server to a predefined destination. This way all HLDS servers form an unstoppable "botnet" which can attack the chosen destination.

The attack originally started a month and a half ago in Bulgaria, and since then many big server chains have been attacked and still no solution has been found. The attack is so strong that even Internet Service Providers say that it harms the connection of their users near the HLDS server location.

Explanation of the attack:
We know that the attack is made through the UDP protocol from hundreds of IPs that are real Counter-Strike 1.6 servers (HLDS). It comes from the server port, and almost always hits port 27005.
The most common length of the packets is 1400, but there are also fewer packets with different lengths. However, there is no point in dropping the packets with this length because the whole international and inbound channels are filled and the server still cannot be reached.
Also, the hex dump of the packets contains a part of the server configuration. I've noticed a packet whose hex dump prints "You have been banned from this server!". This makes me think that some bot connects to a chosen server and makes the server send a UDP packet to the predefined destination.

We've managed to log full information about the attack. I have 15 gigabytes of logs of this attack which were captured in only 10 minutes. I will attach a short part of my logs, and some other logs from other server administrators who have experienced the same attack.

One of the server administrators says:
"I am writing to say that I have received the same attack against my machines and since I work as a system administrator in a corporate hosting company, my machines are colocated in the company's server room. With this I want to say that my resources are a lot bigger than my mate @talibana's and I managed to localize the attack, or at least I think so.

The flood was directed to UDP port 27005. After a while the enormous flood managed to fill my international channel and I had to work jointly with our ISP. After I asked them to block port 27005, only 4 IP addresses started to show on my machine, 3 of which were Russian and 1 Greek, which didn't make a lot of traffic or a big number of packets, just to say they were "listening" to the final point - my IP address. After I blocked these IPs on the routing machine (gateway) the flood totally disappeared."
And also:
"We are talking about a vulnerability in the engine, which allows the generation of packets by unauthorized people, which are then sent wherever the 'bad guy' wants."

The above "story" was sent to Valve, with a view to finding a solution to the problem. Since the attack has reached its peak we can't just wait, watching our servers get ruined. I post this topic so that more experienced people can say what they think and so that together we can figure out what kind of attack it is and a fix can be implemented. You can download the logs and other things at the end of the post.

I will update this post with the most recent information about the attack.

A small discovery: A system administrator noticed that HLSW is receiving exactly the same packets as the flooder sends from other HL1 servers to the "victim". This packet contains information about the server vars and mod information. We think that this is the same packet which can be sent to every server to request its info (A2S_INFO). The question that arises is how the attacker manages to request this information from the infected servers and forward it to a specified IP address.

Logs and pics:
A very short part of the flood attack (40 mb) - http://www.multiupload.nl/7ECR925FM2
Traffic extreme:
[IMG]http://desmond.**************/Himg228/scaled.php?server=228&filename=udpfloodtraffi cgraphext.jpg&res=landing[/IMG]

BTW: Check the logs for your server's IP and don't be surprised if you see it sending us packets.
It's probably the same attack as the one that happened a few weeks ago to SRCDS servers; it's probably a reflected attack with spoofed IP addresses. They spoof the source IP address of the UDP packet and request the server rules from the server, and the HLDS will simply reply to that spoofed IP address, which is the IP address of the victim.

edit: if this is the case, it's not an exploit, it's a simple reflected DDoS attack and has nothing to do with Valve and HLDS
__________________
Taking private C++/PHP/SourcePawn requests, PM me.

Last edited by Zephyrus; 07-19-2012 at 17:21.
Zephyrus is offline
lickshot
Junior Member
Join Date: Jul 2012
Old 07-19-2012 , 17:27   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #3

So what could be done to prevent it? Has any solution been found?
lickshot is offline
Zephyrus
Cool Pig B)
Join Date: Jun 2010
Location: Hungary
Old 07-19-2012 , 17:33   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #4

Quote:
Originally Posted by lickshot View Post
So what could be done to prevent it? Has any solution been found?
Is there any real solution against DDoS? Nope.
__________________
Taking private C++/PHP/SourcePawn requests, PM me.
Zephyrus is offline
SmashCooler
New Member
Join Date: Jul 2012
Location: Finland
Old 07-19-2012 , 17:48   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #5

I received the same attack two days ago. Exactly the same packets. I haven't seen a flood like this before. If there is not any sort of fix, then Valve must somehow change the method of requesting this info or this attack will spread and the community will start to fade :S

Last edited by SmashCooler; 07-19-2012 at 17:48.
SmashCooler is offline
p4rp4d30
Veteran Member
Join Date: Mar 2007
Old 07-19-2012 , 18:15   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #6

... Enter the affected server and look at your CONSOLE. In case of a flood you should see a user connecting to and disconnecting from the server quickly.

Otherwise we would be talking about DDoS.
p4rp4d30 is offline
Russianeer
SourceMod Donor
Join Date: Feb 2011
Old 07-19-2012 , 18:28   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #7

Only thing I can think of is that whoever requests the A2S_INFO packets from all of these servers is simply spoofing the IP of other game servers to make them share packets between each other at a very fast rate. How to fix it? No idea. You can probably scan your local master list and add the IPs that you query to a blacklist (you'd obviously need a script for that). Then once you have narrowed it down enough and don't have as many IPs, you can just start blacklisting the IPs manually in your database.

Last edited by Russianeer; 07-19-2012 at 22:54.
Russianeer is offline
lickshot
Junior Member
Join Date: Jul 2012
Old 07-20-2012 , 03:04   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #8

Quote:
Originally Posted by p4rp4d30 View Post
... Enter the affected server and look at your CONSOLE. In case of a flood you should see a user connecting to and disconnecting from the server quickly.

Otherwise we would be talking about DDoS.
Yes, we are talking about DDoS.

Quote:
Originally Posted by Russianeer View Post
Only thing I can think of is that whoever requests the A2S_INFO packets from all of these servers is simply spoofing the IP of other game servers to make them share packets between each other at a very fast rate. How to fix it? No idea. You can probably scan your local master list and add the IPs that you query to a blacklist (you'd obviously need a script for that). Then once you have narrowed it down enough and don't have as many IPs, you can just start blacklisting the IPs manually in your database.
One of the server administrators managed to "solve" the problem with the 1400-length packets. He told his ISP to block port 27005 for him and the flood disappeared. But then a new kind of attack, again from existing CS 1.6 servers, started against port 27016. The packet length was small but the flood was able to "block" everything again. So he blocked port 27016 on the router in front of the machines and the flood again disappeared. But this is not a solution, because another server administrator experienced the same attack over a different port. And this has a big disadvantage: your server which is on the attacked port cannot be reached by players.

Code:
23:15:21.580748 IP 131.18.165.162.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580757 IP 140.28.179.105.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580764 IP 86.144.116.87.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580771 IP 51.6.34.19.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580779 IP 39.142.142.176.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580788 IP 108.113.115.94.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580795 IP 4.165.22.63.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580803 IP 52.27.51.13.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.580822 IP 89.190.213.199.27016 > 42.169.68.79.27005: UDP, length 6
23:15:21.580838 IP 89.190.213.199.27016 > 23.128.124.169.27005: UDP, length 6
23:15:21.580852 IP 89.190.213.199.27016 > 189.15.58.78.27005: UDP, length 6
23:15:21.580881 IP 89.190.213.199.27016 > 100.111.36.164.27005: UDP, length 6
23:15:21.580914 IP 89.190.213.199.27016 > 57.0.119.13.27005: UDP, length 6
23:15:21.580943 IP 89.190.213.199.27016 > 128.177.132.19.27005: UDP, length 6
23:15:21.580964 IP 89.190.213.199.27016 > 43.97.66.77.27005: UDP, length 6
23:15:21.580980 IP 89.190.213.199.27016 > 107.103.73.193.27005: UDP, length 6
23:15:21.580996 IP 89.190.213.199.27016 > 70.43.17.61.27005: UDP, length 6
23:15:21.581017 IP 199.58.45.162.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.581026 IP 161.74.84.163.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.581034 IP 165.139.189.16.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.581043 IP 38.121.182.15.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585199 IP 89.190.213.199.27016 > 61.51.120.78.27005: UDP, length 6
23:15:21.585221 IP 89.190.213.199.27016 > 110.70.51.117.27005: UDP, length 6
23:15:21.585237 IP 89.190.213.199.27016 > 60.83.114.88.27005: UDP, length 6
23:15:21.585249 IP 89.190.213.199.27016 > 190.199.37.153.27005: UDP, length 6
23:15:21.585260 IP 89.190.213.199.27016 > 148.176.163.12.27005: UDP, length 6
23:15:21.585273 IP 89.190.213.199.27016 > 131.70.159.133.27005: UDP, length 6
23:15:21.585285 IP 89.190.213.199.27016 > 175.26.70.136.27005: UDP, length 6
23:15:21.585297 IP 89.190.213.199.27016 > 30.76.145.89.27005: UDP, length 6
23:15:21.585313 IP 89.190.213.199.27016 > 34.174.134.192.27005: UDP, length 6
23:15:21.585325 IP 89.190.213.199.27016 > 52.195.29.13.27005: UDP, length 6
23:15:21.585337 IP 89.190.213.199.27016 > 11.93.183.109.27005: UDP, length 6
23:15:21.585351 IP 89.190.213.199.27016 > 109.184.100.81.27005: UDP, length 6
23:15:21.585363 IP 89.190.213.199.27016 > 157.113.119.72.27005: UDP, length 6
23:15:21.585374 IP 89.190.213.199.27016 > 198.17.136.122.27005: UDP, length 6
23:15:21.585386 IP 89.190.213.199.27016 > 80.90.122.25.27005: UDP, length 6
23:15:21.585393 IP 176.84.161.21.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585402 IP 165.20.190.63.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585411 IP 109.46.19.2.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585418 IP 147.146.194.141.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585428 IP 20.172.24.75.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585436 IP 116.79.1.61.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585445 IP 2.191.194.130.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585454 IP 17.150.87.110.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585498 IP 89.190.213.199.27016 > 36.28.0.160.27005: UDP, length 6
23:15:21.585528 IP 141.78.189.160.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585538 IP 6.30.30.81.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585551 IP 99.59.7.169.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585560 IP 126.177.72.61.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585568 IP 136.124.80.121.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585577 IP 82.174.180.172.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585585 IP 39.133.147.48.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585593 IP 140.30.67.39.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585609 IP 89.190.213.199.27016 > 134.119.173.88.27005: UDP, length 6
23:15:21.585628 IP 89.190.213.199.27016 > 186.182.182.169.27005: UDP, length 6
23:15:21.585645 IP 89.190.213.199.27016 > 110.127.13.108.27005: UDP, length 6
23:15:21.585663 IP 89.190.213.199.27016 > 63.13.190.58.27005: UDP, length 6
23:15:21.585681 IP 89.190.213.199.27016 > 60.23.188.145.27005: UDP, length 6
23:15:21.585699 IP 89.190.213.199.27016 > 53.44.166.85.27005: UDP, length 6
23:15:21.585717 IP 89.190.213.199.27016 > 13.161.156.48.27005: UDP, length 6
23:15:21.585733 IP 89.190.213.199.27016 > 185.108.94.44.27005: UDP, length 6
23:15:21.585749 IP 89.190.213.199.27016 > 140.45.65.167.27005: UDP, length 6
23:15:21.585759 IP 18.84.98.114.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585769 IP 116.67.111.25.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585779 IP 138.171.28.107.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585788 IP 115.141.126.79.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585796 IP 155.63.109.136.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585807 IP 12.59.146.163.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585817 IP 168.8.188.67.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.585855 IP 89.190.213.199.27016 > 100.101.94.25.27005: UDP, length 6
23:15:21.585873 IP 89.190.213.199.27016 > 170.102.163.113.27005: UDP, length 6
23:15:21.585892 IP 89.190.213.199.27016 > 21.188.91.158.27005: UDP, length 6
23:15:21.585910 IP 89.190.213.199.27016 > 199.97.49.36.27005: UDP, length 6
23:15:21.585923 IP 89.190.213.199.27016 > 41.41.82.140.27005: UDP, length 6
23:15:21.585937 IP 89.190.213.199.27016 > 176.24.126.155.27005: UDP, length 6
23:15:21.585950 IP 89.190.213.199.27016 > 11.71.194.157.27005: UDP, length 6
23:15:21.585964 IP 89.190.213.199.27016 > 72.197.87.2.27005: UDP, length 6
23:15:21.585977 IP 89.190.213.199.27016 > 49.39.157.153.27005: UDP, length 6
23:15:21.585996 IP 125.85.153.129.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586007 IP 150.166.25.115.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586017 IP 123.33.4.88.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586027 IP 84.189.197.5.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586036 IP 148.92.169.113.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586046 IP 105.168.38.2.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586055 IP 147.128.54.187.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586069 IP 89.190.213.199.27016 > 113.101.184.163.27005: UDP, length 6
23:15:21.586086 IP 89.190.213.199.27016 > 69.162.159.102.27005: UDP, length 6
23:15:21.586100 IP 89.190.213.199.27016 > 157.167.164.116.27005: UDP, length 6
23:15:21.586117 IP 174.175.144.92.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586127 IP 13.19.43.179.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586136 IP 100.162.17.137.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586147 IP 34.58.101.181.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586156 IP 165.55.121.132.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586165 IP 94.146.72.137.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586174 IP 65.82.126.88.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586185 IP 34.8.156.12.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586201 IP 89.190.213.199.27016 > 84.86.85.81.27005: UDP, length 6
23:15:21.586221 IP 89.190.213.199.27016 > 87.97.172.54.27005: UDP, length 6
23:15:21.586239 IP 89.190.213.199.27016 > 185.8.179.146.27005: UDP, length 6
23:15:21.586256 IP 89.190.213.199.27016 > 164.151.47.73.27005: UDP, length 6
23:15:21.586274 IP 89.190.213.199.27016 > 55.21.132.18.27005: UDP, length 6
23:15:21.586292 IP 89.190.213.199.27016 > 79.131.142.98.27005: UDP, length 6
23:15:21.586310 IP 89.190.213.199.27016 > 98.81.189.165.27005: UDP, length 6
23:15:21.586328 IP 89.190.213.199.27016 > 135.164.4.127.27005: UDP, length 6
23:15:21.586345 IP 89.190.213.199.27016 > 74.162.186.129.27005: UDP, length 6
23:15:21.586368 IP 89.190.213.199.27016 > 35.17.8.33.27005: UDP, length 6
23:15:21.586382 IP 99.169.143.38.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586394 IP 67.32.43.12.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586403 IP 24.40.49.80.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586415 IP 156.116.10.70.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586424 IP 31.8.75.111.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586432 IP 177.20.84.199.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586444 IP 75.30.58.161.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586453 IP 25.16.12.30.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586462 IP 178.16.115.13.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586479 IP 89.190.213.199.27016 > 71.13.100.55.27005: UDP, length 6
23:15:21.586497 IP 89.190.213.199.27016 > 61.78.17.57.27005: UDP, length 6
23:15:21.586515 IP 89.190.213.199.27016 > 100.90.49.177.27005: UDP, length 6
23:15:21.586530 IP 188.12.59.106.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586541 IP 176.11.9.50.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586551 IP 179.59.35.6.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586560 IP 157.130.65.169.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586571 IP 55.184.104.16.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586581 IP 100.62.181.106.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586589 IP 119.133.134.114.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586598 IP 151.73.0.157.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586617 IP 89.190.213.199.27016 > 199.63.126.157.27005: UDP, length 6
23:15:21.586636 IP 89.190.213.199.27016 > 56.33.58.47.27005: UDP, length 6
23:15:21.586654 IP 89.190.213.199.27016 > 19.80.90.187.27005: UDP, length 6
23:15:21.586671 IP 89.190.213.199.27016 > 47.164.15.195.27005: UDP, length 6
23:15:21.586689 IP 89.190.213.199.27016 > 72.104.127.87.27005: UDP, length 6
23:15:21.586706 IP 89.190.213.199.27016 > 35.56.99.87.27005: UDP, length 6
23:15:21.586722 IP 192.144.124.43.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586732 IP 79.26.25.76.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586743 IP 107.121.19.40.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586753 IP 22.173.134.144.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586763 IP 174.148.70.91.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586775 IP 199.56.56.92.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.586797 IP 89.190.213.199.27016 > 59.95.188.118.27005: UDP, length 6
23:15:21.586813 IP 89.190.213.199.27016 > 100.189.160.139.27005: UDP, length 6
23:15:21.586828 IP 89.190.213.199.27016 > 195.13.110.190.27005: UDP, length 6
23:15:21.586843 IP 89.190.213.199.27016 > 88.128.127.193.27005: UDP, length 6
23:15:21.586859 IP 89.190.213.199.27016 > 77.130.52.58.27005: UDP, length 6
23:15:21.586875 IP 89.190.213.199.27016 > 37.177.60.116.27005: UDP, length 6
23:15:21.586891 IP 89.190.213.199.27016 > 66.50.23.90.27005: UDP, length 6
23:15:21.586907 IP 89.190.213.199.27016 > 56.0.153.195.27005: UDP, length 6
23:15:21.586923 IP 89.190.213.199.27016 > 102.78.90.77.27005: UDP, length 6
23:15:21.586939 IP 89.190.213.199.27016 > 74.36.184.80.27005: UDP, length 6
23:15:21.586955 IP 89.190.213.199.27016 > 99.2.89.115.27005: UDP, length 6
23:15:21.586971 IP 89.190.213.199.27016 > 48.9.36.119.27005: UDP, length 6
23:15:21.586992 IP 181.150.12.57.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587001 IP 25.43.186.104.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587010 IP 87.71.185.86.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587019 IP 2.123.91.150.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587028 IP 91.166.127.49.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587037 IP 55.67.2.192.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587045 IP 89.188.31.11.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587054 IP 170.193.50.25.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587061 IP 147.131.70.197.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587077 IP 89.190.213.199.27016 > 83.161.188.67.27005: UDP, length 6
23:15:21.587094 IP 89.190.213.199.27016 > 178.7.119.31.27005: UDP, length 6
23:15:21.587114 IP 119.137.145.161.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587123 IP 73.111.34.151.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587132 IP 67.24.97.26.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587140 IP 13.87.67.85.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587152 IP 64.9.103.69.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587160 IP 177.172.164.72.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.587184 IP 58.16.112.94.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590552 IP 141.190.190.79.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590568 IP 159.102.0.178.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590577 IP 36.93.171.117.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590587 IP 178.185.129.119.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590596 IP 119.118.143.192.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590604 IP 16.1.124.98.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590612 IP 187.179.45.115.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590620 IP 189.54.34.142.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590628 IP 114.124.40.165.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590636 IP 121.169.134.118.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590644 IP 78.19.46.58.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590651 IP 141.80.194.89.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590667 IP 89.190.213.199.27016 > 104.92.120.74.27005: UDP, length 6
23:15:21.590684 IP 89.190.213.199.27016 > 161.7.84.187.27005: UDP, length 6
23:15:21.590700 IP 89.190.213.199.27016 > 143.62.165.151.27005: UDP, length 6
23:15:21.590717 IP 89.190.213.199.27016 > 108.117.139.31.27005: UDP, length 6
23:15:21.590731 IP 133.97.180.194.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590739 IP 108.49.99.181.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590748 IP 28.151.2.93.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590767 IP 91.187.191.1.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590776 IP 171.0.59.95.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590783 IP 69.133.186.119.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590800 IP 89.190.213.199.27016 > 76.59.156.74.27005: UDP, length 6
23:15:21.590817 IP 89.190.213.199.27016 > 52.111.136.175.27005: UDP, length 6
23:15:21.590834 IP 89.190.213.199.27016 > 196.154.172.59.27005: UDP, length 6
23:15:21.590855 IP 89.190.213.199.27016 > 159.41.74.153.27005: UDP, length 6
23:15:21.590868 IP 89.190.213.199.27016 > 60.134.35.6.27005: UDP, length 6
23:15:21.590882 IP 89.190.213.199.27016 > 95.62.3.45.27005: UDP, length 6
23:15:21.590895 IP 89.190.213.199.27016 > 159.172.121.117.27005: UDP, length 6
23:15:21.590903 IP 101.101.31.116.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590912 IP 81.128.180.77.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590922 IP 164.17.4.179.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590932 IP 171.167.48.188.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590943 IP 59.144.82.161.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.590967 IP 89.190.213.199.27016 > 45.55.132.160.27005: UDP, length 6
23:15:21.590985 IP 89.190.213.199.27016 > 114.73.183.199.27005: UDP, length 6
23:15:21.591002 IP 89.190.213.199.27016 > 138.60.19.128.27005: UDP, length 6
23:15:21.591020 IP 89.190.213.199.27016 > 188.187.149.60.27005: UDP, length 6
23:15:21.591042 IP 89.190.213.199.27016 > 56.77.74.152.27005: UDP, length 6
23:15:21.591061 IP 89.190.213.199.27016 > 192.63.88.105.27005: UDP, length 6
23:15:21.591078 IP 89.190.213.199.27016 > 157.181.103.69.27005: UDP, length 6
23:15:21.591095 IP 89.190.213.199.27016 > 197.145.148.142.27005: UDP, length 6
23:15:21.591113 IP 89.190.213.199.27016 > 57.164.0.180.27005: UDP, length 6
23:15:21.591131 IP 89.190.213.199.27016 > 128.31.146.13.27005: UDP, length 6
23:15:21.591152 IP 89.190.213.199.27016 > 8.10.151.42.27005: UDP, length 6
23:15:21.591155 IP 52.123.44.189.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591165 IP 59.195.5.182.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591173 IP 8.22.18.30.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591183 IP 49.52.76.37.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591192 IP 89.182.166.108.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591202 IP 90.126.12.151.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591214 IP 70.68.34.111.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591221 IP 155.100.189.48.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591248 IP 89.190.213.199.27016 > 14.150.47.163.27005: UDP, length 6
23:15:21.591266 IP 89.190.213.199.27016 > 24.144.110.115.27005: UDP, length 6
23:15:21.591283 IP 89.190.213.199.27016 > 168.128.15.91.27005: UDP, length 6
23:15:21.591302 IP 89.190.213.199.27016 > 30.115.142.136.27005: UDP, length 6
23:15:21.591319 IP 89.190.213.199.27016 > 3.33.20.127.27005: UDP, length 6
23:15:21.591332 IP 97.33.182.0.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591343 IP 88.80.104.178.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591352 IP 34.150.188.81.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591361 IP 189.75.1.40.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591369 IP 114.32.104.161.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591377 IP 71.70.107.183.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591397 IP 150.197.34.96.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591409 IP 57.85.108.33.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591433 IP 89.190.213.199.27016 > 141.9.21.140.27005: UDP, length 6
23:15:21.591456 IP 89.190.213.199.27016 > 63.116.24.104.27005: UDP, length 6
23:15:21.591473 IP 89.190.213.199.27016 > 16.51.153.186.27005: UDP, length 6
23:15:21.591487 IP 89.190.213.199.27016 > 158.31.173.71.27005: UDP, length 6
23:15:21.591499 IP 89.190.213.199.27016 > 33.131.146.143.27005: UDP, length 6
23:15:21.591512 IP 89.190.213.199.27016 > 15.105.74.84.27005: UDP, length 6
23:15:21.591526 IP 89.190.213.199.27016 > 11.164.103.154.27005: UDP, length 6
23:15:21.591543 IP 89.190.213.199.27016 > 117.102.154.108.27005: UDP, length 6
23:15:21.591557 IP 89.190.213.199.27016 > 184.50.31.146.27005: UDP, length 6
23:15:21.591571 IP 174.35.56.95.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591581 IP 30.7.18.76.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591591 IP 56.41.175.161.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591600 IP 100.61.55.139.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591608 IP 81.20.112.2.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591615 IP 196.173.63.65.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591624 IP 56.44.150.172.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591632 IP 87.79.153.118.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591652 IP 89.190.213.199.27016 > 140.132.96.55.27005: UDP, length 6
23:15:21.591679 IP 89.190.213.199.27016 > 170.186.59.29.27005: UDP, length 6
23:15:21.591716 IP 58.57.92.171.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591726 IP 22.12.55.17.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591736 IP 132.33.189.43.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591746 IP 32.121.102.23.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591757 IP 113.191.177.103.27005 > 89.190.213.199.27016: UDP, length 7
23:15:21.591772 IP 152.177.7.47.27005 > 89.190.213.199.27016: UDP, length 7
So they are always using the server queries; maybe they change them (different string length)?
Your idea isn't impossible, but I won't achieve anything if I make a blacklist, because the flooder hits us indirectly and also the server database of this thing is enormously big and it is maybe updated daily.

Another idea was to catch all the traffic when we are flooded from an IP that shows in the logs. Since there are IPs of servers which are also attacked, we can watch for info packets and catch the real IP of the flooder. However, this won't help against the flood because it all happens indirectly.

I think it is an exploit because everybody who knows a little bit about raw packets and sockets can implement the flooder and upload it to the public. Then what? We will be watching our servers destroy each other. The current fix for this thing is a nice router to handle the traffic and gigabyte connectivity (which btw was reached when they attacked another server admin).
lickshot is offline
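As an added example, not code from the thread or from any of its posters: a small Python script that parses tcpdump summary lines of the shape posted above and flags the reflection pattern Zephyrus described, meaning many distinct addresses all sourcing from the HLDS game port and converging on one destination within a short window, as opposed to one player sending many packets. The sample log, its RFC 5737 documentation addresses and the thresholds are constructed assumptions, not values from the thread.

```python
"""Flag UDP reflection floods in tcpdump summary output.

A reflected flood looks like many distinct sources, all using the same source
port (the HLDS game port), hitting one destination at once. A single busy
player looks different: one source address, many packets. The capture in the
thread also shows the flooded server answering every packet, so the detector
counts those replies too, because they double the victim's load.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format of the thread's tcpdump excerpt. Addresses
# are RFC 5737 documentation ranges, not real servers.
SAMPLE_LOG = """\
23:15:21.580748 IP 192.0.2.11.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580757 IP 192.0.2.12.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580764 IP 192.0.2.13.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580771 IP 192.0.2.14.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580779 IP 192.0.2.15.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580788 IP 192.0.2.16.27005 > 203.0.113.10.27016: UDP, length 7
23:15:21.580822 IP 203.0.113.10.27016 > 192.0.2.11.27005: UDP, length 6
23:15:21.580838 IP 203.0.113.10.27016 > 192.0.2.12.27005: UDP, length 6
23:15:21.580852 IP 203.0.113.10.27016 > 192.0.2.13.27005: UDP, length 6
23:15:21.590552 IP 198.51.100.7.27005 > 203.0.113.10.27015: UDP, length 1400
23:15:21.600552 IP 198.51.100.7.27005 > 203.0.113.10.27015: UDP, length 1400
23:15:21.610552 IP 198.51.100.7.27005 > 203.0.113.10.27015: UDP, length 1400
23:15:22.100000 IP 192.0.2.17.27005 > 203.0.113.10.27016: UDP, length 7
"""

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+): UDP, length (\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since midnight, from the tcpdump timestamp
    src: str
    sport: int
    dst: str
    dport: int
    length: int     # UDP payload length as tcpdump prints it


def parse_line(line):
    """Parse one tcpdump summary line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, frac, src, sport, dst, dport, length = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    return Packet(ts, src, int(sport), dst, int(dport), int(length))


def parse_log(text):
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


@dataclass(frozen=True)
class Finding:
    dst: str
    dport: int
    distinct_sources: int   # distinct reflectors seen in the busiest window
    packets: int            # all game-port packets aimed at this destination
    payload_bytes: int
    replies: int            # packets the destination sent back to the reflectors


def detect_reflection(packets, game_port=27005, min_sources=5, window_s=1.0):
    """Return one Finding per destination that receives packets from at least
    min_sources distinct addresses, all sourced from game_port, inside any
    window_s-second window. Thresholds are constructed defaults; tune them to
    the traffic a legitimately busy server sees."""
    inbound = defaultdict(list)
    for p in packets:
        if p.sport == game_port:
            inbound[(p.dst, p.dport)].append(p)
    findings = []
    for (dst, dport), pkts in inbound.items():
        pkts.sort(key=lambda p: p.ts)
        peak = 0
        for i, first in enumerate(pkts):
            in_window = [p for p in pkts[i:] if p.ts - first.ts <= window_s]
            peak = max(peak, len({p.src for p in in_window}))
        if peak < min_sources:
            continue
        sources = {p.src for p in pkts}
        replies = sum(1 for p in packets
                      if p.src == dst and p.sport == dport
                      and p.dport == game_port and p.dst in sources)
        findings.append(Finding(dst, dport, peak, len(pkts),
                                sum(p.length for p in pkts), replies))
    return findings


if __name__ == "__main__":
    for f in detect_reflection(parse_log(SAMPLE_LOG)):
        print(f"{f.dst}:{f.dport} <- {f.distinct_sources} reflectors, "
              f"{f.packets} pkts / {f.payload_bytes} B, {f.replies} replies sent back")
```

Feeding it a real capture means running tcpdump with `-nn` so addresses and ports print numerically, which is the form the regex expects.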
mabaclu
Senior Member
Join Date: Jun 2010
Location: Portugal
Old 07-20-2012 , 04:29   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #9

https://forums.alliedmods.net/showthread.php?t=135543
__________________
mabaclu is offline
lickshot
Junior Member
Join Date: Jul 2012
Old 07-20-2012 , 04:51   Re: [IMPORTANT] A new HLDS engine exploit !!!
Reply With Quote #10

Quote:
Originally Posted by mabaclu View Post
But this is for Source; what about HL1? And this also isn't a fix because all servers would have to apply it to prevent them being used to send packets.
lickshot is offline