DDoS attack from Wolfenstein ET Servers. Developers, please fix the exploit.


(Mateos) #41

Maybe PB will not like this modified EXE file it does not know… I don’t have enough knowledge to answer, but I think PB will not like it :confused:


(zbzero) #42

[QUOTE=BigBear;392566]Hi!

Do you think it is normal to get that amount of attacks in just a week ?

http://www.eurobunkerarena.com/listofban.zip

I think we need a new version of ETDED ! Compatible 2.55 and 26X and too that display in Server List to client the Both protocols : it means all 2.55 and all 2.6X servers version should appear in any version of client (and if servers names appear in double it is not a problem). The 2.55+ servers do not appear in 2.6X client !
Please free the server of using ETfacade and things like that !

Has someone not already used their own Reengineered ETDED 2.55+ version that they keep for their own usage ?
If yes, please open your ETDED version.

For me WET servers require an all included improved security :wink:

The problem is really serious and it is really annoying !

Thank you to all for your future Help keeping WET alive and Open to all fair play players : without barriers or chains ![/QUOTE]

For sure it's normal, and I think this year the attacks are fewer than in 2011. If you look at the banlist of my servers you will not believe it; sometimes I saw more than 2000 requests per second.


(tjimboo) #43

PB will not work with modified ET


(Nitrox_) #44

That’s right, ET GPL source code was released without PB support, so unfortunately there’s no way to get PB running on ETFix :frowning:


(Nitrox_) #45

I made a few changes today:

  • Added: sv_masterSend82 cvar - If enabled (1), server will try to send protocol 82 and 84 info to master servers (not fully tested due to the actual issues with master servers). Default: Disabled (0) - Normal behavior
  • Added: sv_IPmaxGetstatusPerSecond cvar - Sets how many ‘getstatus’ requests from the same IP are allowed per second on your server.
    Example: Let’s assume this cvar is set to its default value (4).
    IP 1.2.3.4 sends 10 ‘getstatus’ requests per second to your server.
    Your server will only respond to 4 of these 10 requests per second.
  • Reworked: “Getstatus Exploit Fix” reworked, the old one was actually kind of broken… This one works as intended!

The new method is better than the old one since it will only reject abusive requests for 1 second, while the old one used to allow X requests in a row, and reject any new requests from this IP for Y seconds (this probably caused some problems with server trackers… :eek: )

The AutoCleanup feature has also been improved:

  • If an IP keeps sending getstatus requests to your server, it will be removed from the IP’s array every second.
  • If an IP has stopped sending getstatus requests to your server, it will be removed from the IP’s array every 3 seconds.

This should avoid problems with server trackers such as SL, TB, GT… and also with software like HLSW, XQF, etc…

I also added the latest linux build to the SVN, so feel free to test and give some feedback :slight_smile:

Oh and just wondering, does anybody want me to add the Win32 builds to the SVN as well ?
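
An added example, not part of the post and not ETFix's own code: a minimal per-IP limiter with the behaviour described above (answer at most N 'getstatus' requests per source IP per second, reset an active sender's counter every second, forget an idle sender after 3 seconds). The names gs_allow, gs_table and MAX_TRACKED, and the choice to drop requests when the table is full, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED    1024   /* assumed size of the IP array */
#define IDLE_EXPIRY_MS 3000u  /* idle senders are forgotten after 3 s */

typedef struct {
    uint32_t ip;        /* IPv4 source address */
    uint32_t window_ms; /* start of the current 1-second window */
    uint32_t last_ms;   /* time of the most recent request */
    int      count;     /* requests answered in this window */
    int      used;
} gs_entry_t;

static gs_entry_t gs_table[MAX_TRACKED];

/* Returns 1 if this getstatus should be answered, 0 if it should be dropped. */
int gs_allow(uint32_t ip, uint32_t now_ms, int max_per_sec)
{
    gs_entry_t *e = NULL, *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        gs_entry_t *c = &gs_table[i];
        if (c->used && now_ms - c->last_ms >= IDLE_EXPIRY_MS)
            c->used = 0;                 /* sender went quiet: free the slot */
        if (c->used && c->ip == ip)
            e = c;
        else if (!c->used && !free_slot)
            free_slot = c;
    }
    if (!e) {
        if (!free_slot)
            return 0;                    /* table full: drop rather than reflect */
        e = free_slot;
        e->ip = ip; e->window_ms = now_ms; e->count = 0; e->used = 1;
    } else if (now_ms - e->window_ms >= 1000u) {
        e->window_ms = now_ms;           /* active sender: new 1-second window */
        e->count = 0;
    }
    e->last_ms = now_ms;
    if (e->count < max_per_sec) { e->count++; return 1; }
    return 0;                            /* over the limit for this second only */
}

int main(void)
{
    int answered = 0;                    /* constructed input: 10 requests in 1 s */
    for (unsigned i = 0; i < 10; i++)
        answered += gs_allow(0x01020304u, 1000u + i * 100u, 4);
    printf("%d of 10 answered\n", answered);
    return 0;
}
```

Because 'getstatus' arrives over UDP, the source address in a flood is usually the victim's spoofed address, so the limit caps how much traffic the server reflects at any one target.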


(Smurfer) #46

Seems to be working just fine. Gametracker banners came back with the new version.

You should open your own thread - make it easier to find info. :slight_smile:


(BigBear) #47

Hi!

For your information the Attacks that we got now Each Morning Very strong Queries attack each Second.
And it is at least for Many Hours…

And the Anti-Flood Script is not Enough. The IP is correctly Dropped but the Attacks Are going through the Firewall including with the Ports Correctly Closed !

While the ETDED Servers are Active : they are Able to act with their bad way :o
The Security Breach is coming from the WET Servers not of the rest !!

If you think to be protected ONLY just with the simple Anti-Flood : Do not Dream ! :slight_smile:
Yes the script is nice and always useful to use it… But the Anti-Flood Script is not Enough.
Who will be the Next to get those kinds of Attacks ? :o
Your Clan… Your Players ?? Who ?

It is why I have requested the Help of you all that are Skilled! Because this is not Only for me :slight_smile:
And it is why I have Requested a new Hard Coded ETDED version. (or at least New Mods versions)
*** Because I Manage 4 MODS Versions all Based on ETPub ***

>>>But all of that is more for my Players (I have not really the time to play… We are not a clan and I pass my Money and My own time to keep the servers alive just for fun)
First it is for ALL WET Servers, For ALL Players, For ALL Clans !
Yes WE got the problem : But this is not only my own problem this is a Global Reality for all Admins!

** Thank you to all for your Nice initiative *** :slight_smile:
But…

Please,
1) Can you Provide those New Files Versions ? If I am not wrong it is a New ETDED version ? (not a MOD version)

2) If new ETDED please can you make it 2.55+ compatible (2.55 and 2.6X versions)

Here you can find some information for Creating a Patched 2.55+ Version :
http://equalone.freeunix.net/index.php?index=6

The last version is the “wwwdl exploit” workaround
http://equalone.freeunix.net/download/etded3/linux/etded.zip

And if a Coder would enjoy that, I can Test if his New Version Works !
You can Contact me I have Servers that could be a good test for your new Version !!! :slight_smile:

WE Thank you for your Help :slight_smile:


(Slut) #48

BigBear, why not use this fix: http://www.splashdamage.com/forums/showthread.php/22936-POTENTIONAL-FIX-etded-x86-getstatus-exploit (linux only)
What it does can be read in the above link.

This fix does “not” break the punkbuster compatibility.


(BigBear) #49

Hi!

Thank you for your answer :wink:
I have the ** limit getstatus patch 0.2 for etded.x86 2.60b
yada // staatsschutz.org // jan. 2011
But it does not work with the Patched version 2.55+ “wwwdl exploit” workaround

If it could be compatible in the future it could interest me but for the moment that getstatus patch 0.2 seems not to work for the last 2.55+ patched version.

I maintain my request because can be too a good way to solve that problem : see my previous posts.

The solution is certainly by using many Protections at the same time :slight_smile:

Like a Cascade of protections :slight_smile: But we need too, to preserve the frag quality as possible.

I think; It is required to manage the problem now before it could be Bigger and Bigger :o

Many are working on many things, new mods, news maps, etc… but the basics are a good frag quality not disturbed by many UDP Floods :wink:

And too those Diverting Floods can be used to do some bad actions… It is necessary to find almost as possible many ways to prevent those kinds of attacks or those potential exploits.


(Slut) #50

Oh, 2.55+ may cause problems. Was it bitching about the filesize when you tried to patch the etded.x86 file?

Anyways, afaik the DPMaster serverlister seems to have fixed that. That's why I hope that WHEN the masterserver gets online again they use a fixed lister like dp master cause it may fix, or at least cripple the stupid exploit.


(BigBear) #51

Hi !

You are right, it works when you are able to execute it on the good version :slight_smile:
Perhaps a Linux version problem.

The Masterfloor of Staatsschutz.org have been kind to provide it to me :slight_smile:

And your suggestion is good they can use this patch :

http://files.staatsschutz.org/wolfenstein/etfix_getstatus.tar.gz

But other version & solution they have all spoken about are welcomed :slight_smile:
Because preventing security problems is a permanent research.

Thank you :slight_smile:


(zbzero) #52

[QUOTE=BigBear;392770]Hi!

For your information the Attacks that we got now Each Morning are more than > 12000 Queries by Second.
And it is at least for Many Hours…

And the Anti-Flood Script is not Enough. The IP is correctly Dropped but the Attacks Are going through the Firewall including with the Ports Correctly Closed !
[/QUOTE]

I have 4 servers up and I didn't see a problem using the oldman script until now. After I read your post I checked my banlist file and I found the maximum of the requests from today as 4627 requests per second. I think you need to check better if your script is configured correctly, because for me it's running as expected!!


(OldMan2011) #53

Nonsense. If the IP is in your iptables as a drop rule (chain getstatus), it has to work.
Otherwise, your firewall is configured incorrectly.

Run this Script 1 time per minute as a cronjob.
At most one minute of outgoing traffic can be generated before the IP is dropped.

ex: my server you can see it works

**.60.144.72 = banned Reason: (search pattern: getstatus and UDP) 2012-02-07 18:08:20 for 4372 Requests in 8 seconds / 546 Requests per second
**.37.50.162 = banned Reason: (search pattern: getstatus and UDP) 2012-02-07 18:13:20 for 5395 Requests in 8 seconds / 674 Requests per second
**.59.17.204 = banned Reason: (search pattern: getstatus and UDP) 2012-02-07 18:18:20 for 5435 Requests in 8 seconds / 679 Requests per second


(schnoog) #54

Oh, just remembered. Please post the output of iptables -L .

Iptables works on the 1st match principle so it is likely that you have a rule that is allowing access on port 80 earlier in the chain.

My today's toprater

1328607672 82.165.38.66  = banned Reason: (search pattern: getstatus and UDP) 2012-02-07 09:41:12 for 45504 Requests in 10 seconds / 4550  Requests per second

which targets on crimebloc.com


(zbzero) #55

you must write tophated instead toprate schnoog :slight_smile:


(BigBear) #56

HI!

I love the Double Post bug of Vbulletin :slight_smile:
(come from my internet browser ? perhaps)


(BigBear) #57

HI!

I prefer to vote for TopRated Helper Schnoog than for the Baddest Flood of the day :wink:
The best Flood I have got Very strong Queries attack each Second and very more than other servers.
At more than */second I think that many FW “go west” :slight_smile:

Thank you to all and to Dutchman, N!trox, Old Man, Schnoog, Yada !

I suggest to add and to use :

+

Now I wait my Top next top flood By second :slight_smile:
Just to see if we are really targeted or if it was chance…

Thank you to all for your Help and for your Strong support :slight_smile:


(schnoog) #58

I found something in the wilds of the internet, which could be a solution for Windows servers.
2 modified dlls could bring at least some help.
I tested it on my local pc and it seems to work (furthermore all engines on virustotal are saying the files are clean)

But like almost everything: It comes without any warranty: