[IMPORTANT] A new HLDS engine exploit !!!
lickshot
Junior Member
Join Date: Jul 2012
07-19-2012, 17:08

I am writing to inform you about a new very dangerous exploit in the HLDS engine. Briefly, the exploit allows the attacker to send packets over every hlds server to a predefined destination. This way all HLDS servers make an unstoppable "botnet" which can attack the destination which is chosen.

The attack originally started a month and a half ago in Bulgaria, and since then many big server chains are attacked and still no solution is found. The attack is so strong that even Internet Service Providers say that it harms the connection of their users near the hlds server location.

Explanation of the attack:
We know that the attack is made through the UDP protocol from hundreds of IPs that are real Counter-Strike 1.6 servers (hlds). It comes from the server port, and almost always hits port 27005.
The most common length of the packets is 1400, but there are also fewer packets with different lengths. However, there is no point in dropping the packets with this length because the whole international and inbound channels are filled and the server still cannot be reached.
Also the HEX of the packets contains a part of the server configuration. I've noticed a packet whose HEX prints "You have been banned from this server!". This makes me think that some bot connects to a chosen server and makes the server send a UDP packet to the predefined destination.

We've managed to log full information of the attack. I have 15 gigabytes of logs with this attack which are made for only 10 minutes. I will attach a short part of my logs, and some other logs from other server administrators who have experienced the same attack.

One of the server administrators says:
"I am writing to say that I have received the same attack against my machines and since I work as a system administrator in a corporate hosting company, my machines are colocated in the company's server room. With this I want to say that my resources are a lot bigger than my mate @talibana's and I managed to localize the attack or at least I think so.

The flood was directed to UDP port 27005; after a while the enormous flood managed to fill my international channel and I had to work jointly with our ISP. After I asked them to block port 27005, only 4 IP addresses started to show on my machine, 3 of which were Russian and 1 Greek, which didn't make a lot of traffic or a big number of packets, just to say they were "listening" to the final point - my IP address. After I had blocked these IPs from the routing machine (Gateway) the flood totally disappeared."
And also:
"We talk about a vulnerability in the Engine, which allows the generation of packets from unauthorized people, which are being sent where the 'bad guy' wants."

The above "story" was sent to Valve, with a view to finding a solution to the problem. Since the attack reached its peak we can't just wait, watching our servers getting ruined. I post this topic so that more experienced people can say what they think and so we can figure out together what kind of attack it is, so that a fix could be implemented. You can download logs and other things at the end of the post.

I will update this post with the most recent information about the attack.

A small discovery: A system administrator noticed that HLSW is receiving exactly the same packets as the flooder sends from other HL1 servers to the "victim". This packet contains information about the server vars and mod information. We think that this is the same packet which can be sent to every server to request the info (A2S_INFO). The question that appears is how the attacker manages to request this information from the infected servers and forward it to a specified IP address?

Logs and pics:
A very short part of the flood attack (40 MB)
Traffic extreme:
[IMG]http://desmond.**************/Himg228/scaled.php?server=228&filename=udpfloodtrafficgraphext.jpg&res=landing[/IMG]

BTW: Check the logs for your server's IP and don't get surprised if you see it sending us packets.

Last edited by lickshot; 08-08-2012 at 09:20.
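The pattern described in the post (many real game servers sending A2S_INFO-style replies, mostly 1400 bytes, at one destination's UDP port 27005) is something an operator can detect from their own captures. The following is an added example, not the poster's code or any of the attached logs: it reads a constructed, simplified capture format (`ts src > dst len=N payload=hex`), recognises A2S_INFO reply payloads by the protocol's `0xFFFFFFFF` header followed by the reply-type byte (`I` for Source-style replies, `m` for GoldSource replies), groups them by destination, and flags destinations that receive such replies from several distinct servers. It also lets a server administrator check whether their own IP shows up as a reflector, which is the check the post asks readers to make. All IP addresses, timestamps and payloads below are constructed samples.

```python
import re
from collections import defaultdict

A2S_HEADER = b"\xff\xff\xff\xff"
INFO_REPLY_TYPES = {0x49, 0x6D}  # 'I' (Source-style) and 'm' (GoldSource) A2S_INFO replies

# One packet per line: "<ts> <src_ip>:<src_port> > <dst_ip>:<dst_port> len=<bytes> payload=<hex>"
# This line format is an assumption made for the example, not the poster's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)\s+payload=(?P<hex>[0-9a-fA-F]*)$"
)

# Constructed sample capture: three servers reflect A2S_INFO replies at 198.51.100.7:27005,
# one server sends a text message packet there, one normal reply goes elsewhere,
# and one line is deliberately malformed.
SAMPLE_LOG = """\
1342700000.001 203.0.113.10:27015 > 198.51.100.7:27005 len=1400 payload=ffffffff49304465205f446f64676521
1342700000.002 203.0.113.11:27015 > 198.51.100.7:27005 len=1400 payload=ffffffff6d3139322e302e322e313a3237303135
1342700000.003 203.0.113.12:27016 > 198.51.100.7:27005 len=1380 payload=ffffffff4930
1342700000.004 203.0.113.10:27015 > 198.51.100.7:27005 len=1400 payload=ffffffff4930
1342700000.005 203.0.113.13:27015 > 198.51.100.7:27005 len=60 payload=ffffffff39596f752068617665206265656e2062616e6e6564
1342700000.006 192.0.2.50:27015 > 192.0.2.9:27005 len=300 payload=ffffffff4930
this line is not a packet record
"""


def parse_line(line):
    """Parse one capture line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "src": (m["sip"], int(m["sport"])),
        "dst": (m["dip"], int(m["dport"])),
        "len": int(m["len"]),
        "payload": bytes.fromhex(m["hex"]),
    }


def is_info_reply(payload):
    """True if the payload carries the A2S header and an A2S_INFO reply-type byte."""
    return len(payload) > 4 and payload[:4] == A2S_HEADER and payload[4] in INFO_REPLY_TYPES


def analyze(log_text, min_sources=3):
    """Group A2S_INFO replies by destination and flag destinations hit from
    at least `min_sources` distinct server IPs (a single destination receiving
    replies it never asked for from many servers is the post's symptom)."""
    sources_by_dst = defaultdict(set)
    bytes_by_dst = defaultdict(int)
    ban_msgs_by_dst = defaultdict(set)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # skip malformed lines instead of aborting the whole analysis
        if is_info_reply(pkt["payload"]):
            sources_by_dst[pkt["dst"]].add(pkt["src"][0])
            bytes_by_dst[pkt["dst"]] += pkt["len"]
        elif b"banned" in pkt["payload"]:
            # text packets like the "You have been banned" one the post mentions
            ban_msgs_by_dst[pkt["dst"]].add(pkt["src"][0])
    flagged = {dst: sorted(srcs) for dst, srcs in sources_by_dst.items() if len(srcs) >= min_sources}
    return {
        "flagged": flagged,
        "bytes": dict(bytes_by_dst),
        "ban_msgs": {dst: sorted(srcs) for dst, srcs in ban_msgs_by_dst.items()},
    }


def reflectors_for(report, my_ip):
    """Destinations that `my_ip` was seen reflecting A2S_INFO replies to (empty if none)."""
    return [dst for dst, srcs in report["flagged"].items() if my_ip in srcs]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dst, srcs in report["flagged"].items():
        print(f"{dst[0]}:{dst[1]} received A2S_INFO replies from {len(srcs)} servers, "
              f"{report['bytes'][dst]} bytes total")
    print("203.0.113.10 reflecting to:", reflectors_for(report, "203.0.113.10"))
```

Running it against the sample prints one flagged destination (198.51.100.7:27005, three servers, 5580 bytes) and shows 203.0.113.10 among the reflectors; a server operator would run the same check over their own capture with their server's IP. The `min_sources` threshold is the knob that separates a handful of legitimate query replies from the many-servers-to-one-port pattern the post describes.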