Urban Terror Forums: DRDoS


Server used as reflector for DRDoS

#151 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 28 January 2012 - 02:43 AM

Let me make some brief points and explain.

A: With this exploit running freely on your system (No fix), your server will be running rampant with bandwidth.
B: With the exploit FIX, your server will be freed up, BUT it will only stop your server from responding (sometimes)

Though with the fix your server will run MUCH better, your bandwidth usage will still suffer tremendously!

Let me explain.

Before exploit fix:

Attacker (packet) => Reflector Server => Your Server => Reflector Server


After exploit fix:
Attacker (packet) => Reflector Server => Your Server


The fix ONLY stops your server from responding (SOMETIMES) to the sent packet from the reflector server.

Nonetheless, you are STILL receiving the packet request AND response from a: The attacker and b: The reflector server (Full server info)

Server providers monitor usage at the switch. NOT your server. It may be easier to see how this works with a textual diagram;

packets => Switch (Where bandwidth is monitored/measured) => Your vlan port on the switch => Your server:port => Your iptables (firewall) => Your game server binary


As you can see, the bandwidth is monitored WAY before your server binary even gets a chance to see it.

Even though your binary may be fixed, there are literally HUNDREDS of servers that are not. This means.. because the code is written something like:

GetMasterServerList => ForeachIP(SendBadPacketWithFalseHeader) => (Reflector) Reply to (YourServer as given in False header) of with the Response of request.



The ONLY true fix(es) to this problem would be;
1: For FS to limit clients/servers to be latest version for connection to Master Server list
2: Take advantage of Closed source URT HD and encrypt packets <=> master server list/servers/clients
3: (Step by step)
A: Close all their game servers @ current ports.
B: Contact their server host and have them block previously used UDP ports at the switch
C: Startup server leaving reporting to master server list OFF
4: (Step by step)
A: Change IP
B: Turn off master server list.

Those of you with metered bandwidth.. This is the ONLY way to save your a** a sh** ton of $$.
I can only hope that FS makes some changes VERY fast. It is in everyone's best interest. All old servers need to be removed from the master server list. The list needs to be changed to require some sort of encrypted string and to disallow certain connections. I'll be glad to provide a diagram of a simple authentication protocol I've made in case FS is interested. It's similar to GPG in how it works, but incredibly different and does not require an encrypted cipher.


EDIT: Addendum, I've also discovered the exploiter's script also appears to be using connection verification functions as well. It seems it's only checking response of the IP though. That would make sense of course to only check the IP because you can't reliably check the port via UDP without getting your own medicine back at ya..

Perhaps another option would be to shut down the server completely for a period of time. Even with this option, you'd still have to remove your server from the master server list.

That being known.. EDIT I'll keep this a secret! :D . Oh I can't wait to get my hands on his grubby neck..

Edit (1-28-12 @ 11:58 AM): I've been monitoring all night several stacks.. So far, my above theory about explicit ICMP seems not to hold any water. This does not mean that there is no sort of connection verification. Just not through normal methods one may use for a simple verification. I've traced back several "odd" connections only to be led to things like qtracker (Why they are using a mortgage firm's IP subnet is WAY beyond me.) And also, several other "home-made" master list scripts (Such as UrtDB by wtf clan) etc.

Though, on a side note.. I couldn't believe how many Master Server scripts were out there.. All over the world, Sweden, Spain, UK, France (Although this is FS servers) etc. Many of them sending a slightly different connection string for getstatus and getinfo. (Strange). I've also found some servers that had WAY more exploit usage than others... This may be due to the fact that they are closer to the offending server (Not quite sure.) I've contacted several ISPs and host providers.. With this last instance I spoke of I suggested, since Comcast has metered bandwidth on its customers, to have them send a warning of some sorts to this user letting them know that they are going to have a VERY large bill if they don't terminate their server. It seems the folks at Comcast were kind enough to oblige. They gave me no specifics, but the reaction of looking at their usage was... stark.


I just read the update about the Master Server List; this is GREAT news to hear that such changes will be implemented. I was definitely holding my breath on that one. Well, only to say that the implications of ongoing attacks could be severe and that I am ECSTATIC these changes are being made.

<rant>
I will also add something else as well... To those of you that do not understand the severity of the situation, don't comment on how URT is becoming "hidden" or "closed" or "harder to access info" etc etc. That is the most profoundly ignorant sort of thought I could ever hear! This exploit is NOT AT ALL limited to UrT. It's a Quake3 exploit. Meaning EVERY Quake3 game is vulnerable! At least FS is taking very strong heed at this and making a very workable resolution for us all!</rant>

Edit: (1-28-2012 18:34): Well, I've been working with several ISPs today to find the original sender. Because the packets are UDP, they are connectionless. This means validation is only done by packets. (Which as you can see in this case, is unreliable). This is a very long process indeed, but I am lining up the cards nicely.

I do have an advantage in the sense that I work for an ISP. Therefore, I can capture encapsulated packets pre-delivery. Unfortunately, I have to go through the daisy-chain of it all and contact the person that sent it before me and so on. It's been quite a hurdle because of legal issues. (Blah blah blah). Though the process has been slow, so far, the general response has been positive even though the latency of the response makes me want to bite my fingers off.

That being said, I hope to find out the true exploiter soon. This is not to say I won't hit a roadblock. Which I hope I do not because that could make things messy. Then again.. a subpoena is only $5 bucks.. So.. I'll just throw that into the lawsuit when I find this tool. So far, I'm 5 hops into this. Anyways.. I'll keep updating.

This post has been edited by Pussnboots: 29 January 2012 - 12:34 AM
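The reflection chain described above, turned into detection logic a server host could run over captured inbound traffic (an added example, not code from the thread or from FS): it recognises Quake3 getinfo/getstatus queries, counts them per source address per second so that a spoofed victim address stands out, and computes the amplification ratio from a constructed statusResponse. The packet records, addresses and reply are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OOB_PREFIX = b"\xff\xff\xff\xff"        # Quake3 out-of-band (connectionless) packet marker
QUERIES = (b"getinfo", b"getstatus")    # unauthenticated queries any Q3 server answers

# Constructed sample of inbound UDP payloads as a sensor at the switch side would see
# them: (timestamp, source address, payload). 10.0.0.5 is a server browser asking once;
# 198.51.100.9 appears 40 times in two seconds because the attacker writes that address
# into the source header, so the reflected replies land on it (the DRDoS victim).
T0 = datetime(2012, 1, 28, 2, 43, 0)
SAMPLE = [(T0, "10.0.0.5", OOB_PREFIX + b"getinfo xxx")] + [
    (T0 + timedelta(milliseconds=50 * i), "198.51.100.9", OOB_PREFIX + b"getstatus")
    for i in range(40)
]

def parse_query(payload):
    """Return 'getinfo'/'getstatus' if payload is a Q3 OOB server query, else None."""
    if not payload.startswith(OOB_PREFIX):
        return None
    words = payload[len(OOB_PREFIX):].split()
    if words and words[0] in QUERIES:
        return words[0].decode("ascii")
    return None

def flag_spoofed_sources(records, limit=5):
    """Count Q3 queries per source per one-second bucket and return the sources that
    exceed `limit` in any bucket. A real browser sends a few; a spoofed victim address
    shows up on a large fraction of all inbound queries."""
    buckets = defaultdict(int)
    for ts, src, payload in records:
        if parse_query(payload):
            buckets[(src, ts.replace(microsecond=0))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > limit})

def amplification(request, response):
    """Bytes the reflector sends per byte it receives; this ratio is what makes an
    unauthenticated getstatus reply attractive to a reflection attack."""
    return len(response) / len(request)

# Constructed statusResponse shaped like the cvar dump plus player list a server returns.
SAMPLE_RESPONSE = (OOB_PREFIX + b"statusResponse\n"
                   + b"\\sv_hostname\\example\\version\\ioq3 1.35urt\\g_gametype\\7"
                   + b"\\mapname\\ut4_turnpike\\sv_maxclients\\16\n"
                   + b"0 0 \"Player\"\n" * 12)
```

The per-second counts are also the figure to hand a host when asking them to rate-limit the game port at the switch, since that is where the bandwidth is measured.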


#152 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 29 January 2012 - 08:51 PM

IMPORTANT
Well. Some good news perhaps. I've been able to narrow down who is the exploiter. If there is more than 1, I am unaware at this moment. But I am pleased to say with certainty, that the attacks are originating from Fort Collins, Colorado U.S.A.

I will provide more information as I can. For now, I'll start the legal process and get some subpoenas and send them to the 2 known providers this person is using. I will disclose the name and address of this individual when I find I can legally disclose this information.

Unfortunately, it is Sunday and no courts are open. I'll post updates as I get them.

#153 mogul

  • Account: mogul
  • Main tag: |<3|
  • Joined: 20-February 11
  • Posts: 350

Posted 29 January 2012 - 10:48 PM

You the man, pnb

#154 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 29 January 2012 - 11:45 PM

View Postmogul, on 29 January 2012 - 10:48 PM, said:

You the man, pnb


lol.. Not quite. There are still hurdles to get over which may be impassable. aka.. The law. But, I don't foresee any issues arising as far as that is concerned.

There are extra steps I have to take in order to ensure the process is followed "by-the-book". Those of which I will not mention here just yet. Of course, I don't know how cross-state legal issues proceed as each state has their own requirements. Say, if I need to get any legal documents directly from that state etc.

Anywho.. *fingers crossed*

#155 whohah

  • Account: whohah
  • Joined: 22-September 11
  • Posts: 1

Posted 30 January 2012 - 04:24 AM

The clients may need a patch also :

http://www.urbanterr...178#entry324178

Looks like the old quake3 issue still exists?

http://www.derkeiler...5/msg00168.html

securityfocus/bugtraq/2006-05/msg00168.html

This post has been edited by whohah: 30 January 2012 - 04:24 AM



#156 s.e.t.i.

  •   former FS member   
    Engine Developer
  • Account: seti
  • Joined: 07-November 08
  • Posts: 504

Posted 30 January 2012 - 10:31 PM

View Postwhohah, on 30 January 2012 - 04:24 AM, said:

The clients may need a patch also :

http://www.urbanterr...178#entry324178

Looks like the old quake3 issue still exists?

http://www.derkeiler...5/msg00168.html

securityfocus/bugtraq/2006-05/msg00168.html

You are incorrect, whohah. I responded to your concerns, as have the Ubuntu support forums. Your issue is one of local mismanagement of your install and running your game as root. The exploit you are talking about is over 5 years old and was resolved long ago.
Cheers... s.e.t.i.

#157 Diggs

  •   verified donator   
  • Account: diggs
  • Joined: 28-February 10
  • Posts: 89

Posted 02 February 2012 - 12:36 AM

The question arises as to how a server admin can tell if his host is running the patched build? How can the server be queried to find this out?
Keep on gaming.

#158 3spades

  •   verified donor   
    Support Guy
  • Account: 3spades
  • Joined: 28-February 10
  • Posts: 389

Posted 02 February 2012 - 01:14 AM

Click server info when server is highlighted in game and look at version. If you want to query externally:

See bold text below.

$ qstat -R -q3s 72.26.193.228
...
g_gear=51,g_teamnamered=SPAZZY SPAS,g_teamnameblue=RETARR RETTAS,g_survivorrule=1,version=ioq3 1.35urt linux-i386 Jan 14 2012,sv_privateClients=0, Admin=3spades,
...

This post has been edited by 3spades: 02 February 2012 - 01:17 AM

urt.voxel.net :: Ruining your URT experience [2] weapons limited servers at a time.
Kevlar in CTF is like sex with a condom. Sure you get the general feel of things, but everyone would enjoy the game without it.
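To answer the question of checking a host's build from outside without reading the output by eye, an added Python helper (not code from the thread or from 3spades) that pulls the version rule out of a qstat -R rule line like the one quoted above and compares the build date the ioq3 binary embeds in that string with a cutoff date the admin supplies. The cutoff used here, Jan 14 2012, is an assumption taken from the sample output, not a statement of which build carries the fix; the rule line is constructed from the post.

```python
from datetime import date, datetime

# Assumed cutoff: the build date taken from the sample; confirm the patched build's
# date from FS's release notes before relying on it.
PATCH_CUTOFF = date(2012, 1, 14)

# Constructed from the rule line in the post above; qstat -R prints server cvars as
# comma-separated key=value pairs (the values here contain no commas themselves).
SAMPLE_RULES = ("g_gear=51,g_teamnamered=SPAZZY SPAS,g_teamnameblue=RETARR RETTAS,"
                "g_survivorrule=1,version=ioq3 1.35urt linux-i386 Jan 14 2012,"
                "sv_privateClients=0, Admin=3spades,")

def parse_rules(line):
    """Split a qstat -R rule line into a dict; keys are stripped, empty items skipped.
    A cvar whose value contains a comma would be cut short by this simple split."""
    rules = {}
    for item in line.split(","):
        if "=" in item:
            key, _, value = item.partition("=")
            rules[key.strip()] = value.strip()
    return rules

def build_date(version):
    """Extract the compiler date stamp ("Mon DD YYYY") that ioq3 appends to its version
    string. Returns None when the string does not end in such a stamp."""
    parts = version.split()          # split() also absorbs the padded "Jan  4 2012" form
    if len(parts) < 3:
        return None
    try:
        return datetime.strptime(" ".join(parts[-3:]), "%b %d %Y").date()
    except ValueError:
        return None

def is_patched(rules, cutoff=PATCH_CUTOFF):
    """True when the server reports a build dated on or after `cutoff`; a server with
    no version rule or an unparseable one is reported as not verified (False)."""
    stamp = build_date(rules.get("version", ""))
    return stamp is not None and stamp >= cutoff

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(rules["version"], "->", "patched" if is_patched(rules) else "NOT verified")
```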

#159 Diggs

  •   verified donator   
  • Account: diggs
  • Joined: 28-February 10
  • Posts: 89

Posted 02 February 2012 - 04:35 AM

View Post3spades, on 02 February 2012 - 01:14 AM, said:

Click server info when server is highlighted in game and look at version. If you want to query externally:


Hmmm... Every server I game on shows the exact same Dec 20 2 in game and some of those servers I know are patched and some did not appear to be patched. Why I can't see the year in the date completely I don't know unless it is a resolution setting.
Keep on gaming.

#160 ButterdBread

  •   verified user   

Posted 04 February 2012 - 11:30 PM

Any ideas when this might stop?
I'm using the patched files combined with iptables and it works quite well, but still my incoming traffic is way too high...
I mean, this can't go on indefinitely!
