[thesixhalcon]

Hi community!

At the moment I have some servers of TF2 with SourceMod and they have proper plugins to protect themselves as "forlix floodcheck", etc. (Properly configured)

I was convinced that they were protected from command spam attacks, but some days ago I have noticed that someone is spamming one server with this:

Code:

Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status
Thu Apr  5 17:16:49 2012: Console<0><Console><Console> executes: status

Reaching a 2661 "status" per second and 175441 "status" per minute (avg).

Is there a way to protect a TF2 server of this spamming attacks?

Thanks

[ReFlexPoison]

What command is the player using?
sm_status
or just
status
?

[Powerlord]

Quote:

Originally Posted by thesixhalcon Hi community! At the moment I have some servers of TF2 with SourceMod and they have proper plugins to protect themselves as "forlix floodcheck", etc. (Properly configured) I was convinced that they were protected from command spam attacks, but some days ago I have noticed that someone is spamming one server with this: Code: Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Thu Apr 5 17:16:49 2012: Console<0><Console><Console> executes: status Reaching a 2661 "status" per second and 175441 "status" per minute (avg). Is there a way to protect a TF2 server of this spamming attacks? Thanks

If this is being sent via rcon, that will show up in the logs as well, looking like this:

Code:

rcon from "173.212.246.230:54441": command "status"

(that's my HLStatsX daemon querying my server's status)

Since it isn't, that points to a local source (possibly a script).

Quote:

Originally Posted by ReFlexPoison What command is the player using? sm_status or just status ?

I assume status, otherwise the command name would show up as sm_status, iirc.

[ReFlexPoison]

Either I'm missing something, but, when I type status in the in-game console while in my server, nothing appears in the actual server console. I could spam the status requests a hundred times and nothing would happen.

Do you have rcon_password in your server.cfg or server start command line?

[thesixhalcon]

Thanks for the fast replies.

The command that is sent to the server is only status, as logs show. There's no HLxStats or similars connected to the server. On the other hand, rcon port is blocked, so no one can send rcon commands.

I realized that someone connects to the server, and launch a bind or some script to send all status commands by the in-game console. I ban that player (the player who is supposed to be the attacker) but he/she connects another time with a different IP/SteamID.

Is there a way to block it server-side?
Thanks again

EDIT:
And of course, I have a rcon_password (Generated with GRC Shield Up) in my server.cfg.

[TnTSCS]

Quote:

Originally Posted by ReFlexPoison Either I'm missing something, but, when I type status in the in-game console while in my server, nothing appears in the actual server console. I could spam the status requests a hundred times and nothing would happen. Do you have rcon_password in your server.cfg or server start command line?

when you type status, you should get a list of players with some info for all people connected

[thesixhalcon]

Quote:

Originally Posted by TnTSCS when you type status, you should get a list of players with some info for all people connected

And thats what cause that lag into the server, all those requests saturate the server because there are too many responses to send in a very short period of time. Its a ddos-like attack, but with a script in-game.

[ReFlexPoison]

I'd just say continue to ban the IP of the player. Imma say it, even though I prolly can't, but douche bags jerks like this are all over. Best thing you can do is
1) continue the bans and wait for the attacker to stop
or
2) stop the server and let your attacker go elsewhere.

[Powerlord]

Quote:

Originally Posted by ReFlexPoison Either I'm missing something, but, when I type status in the in-game console while in my server, nothing appears in the actual server console. I could spam the status requests a hundred times and nothing would happen.

I assume it's appearing because he has Forlix Floodchecker.

Quote:

Originally Posted by TnTSCS when you type status, you should get a list of players with some info for all people connected

He meant that when he types it in on his client, nothing shows in the server's console or log.

[thesixhalcon]

Quote:

Originally Posted by ReFlexPoison I'd just say continue to ban the IP of the player. Imma say it, even though I prolly can't, but douche bags jerks like this are all over. Best thing you can do is 1) continue the bans and wait for the attacker to stop or 2) stop the server and let your attacker go elsewhere.

It seems to be a known attacker and he will persist until our servers are dead so the unique way is protecting our servers.