Urban Terror Forums: [WARNING] Malicious ghost clients - Urban Terror Forums

Jump to content

 Login | Register 
Advertisement
  • (2 Pages)
  • +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

[WARNING] Malicious ghost clients Rate Topic: -----

#11 User is offline   Iye Icon

  •   moderator   
    Community Moderator
  • Account: iye
  • Country:
  • Joined: 07-June 11
  • Posts: 847
  • Notoriety: serious

Posted 11 December 2015 - 04:23 PM

well, you can create a new quid by deleting your Qkey, and i suppose what Mr. Yeah meant there, was not allowing a new client to open a connection from the same IP within a given timespan:
you can have as many connections as you want (probably quite a few less), but have to wait X seconds before connecting a new client.

I quite like that idea. It basically has the same flaws as any other method, by potentially making it difficult to play from something like a college, company connection.
Sorry for my bad spelling - I am still asleep. :)

|=| Iye's UrT Addon |=| Firefox Personas |=| Maps |=|
http://www.mediafire...vk3a602hcfg.jpg

#12 User is offline   DSZ Icon

  •   verified user   
  • Account: dsz
  • Country:
  • Joined: 13-August 13
  • Posts: 32
  • Notoriety: basic (afk)

Posted 02 January 2016 - 08:07 PM

Hey!

I think those attackers used way in which urban terror trying keep connection alive with urt server before map download.

When client connecting to urt server with map which dont have than got this popup window to accept or cancel map download and in this moment when player wont click anything cus probably afk than he will stay as 999 ping player on server and urt sv_timeout wont work at all cus he all time sending some short keep alive packets to the server.

Drop client connection at all before map download popup could be a solution. I doubt those "attackers" could use some sophisticated method to cheat server about client connection AND generate those keep alive packets.

If it help I ran tcpdump on server during that and in ASCII mode packet content looks like that (every packet start from letter "E"):


E..,..@.@..m
..

..dm8.....F....-.+.......F...

E..,.)@.@..)
..

..dm8....l0....-.+.....F.....

E..,..@.@..R
..

..dm8.....Q....-.+.......F...

E..,.!@.@..1
..

..dm8..........-.+.......F...

E..9.o@.@...
..

..dm8...%.?....-.+........n........5....



#13 User is offline   egia Icon

  • Account: egia
  • Country:
  • Joined: 23-February 14
  • Posts: 7
  • Notoriety: basic

Posted 10 November 2017 - 12:57 AM

So there is no place for knowledge (..) suit yourself

#14 User is offline   Clear Icon

  •   former FS member   
    Codebase Developer
  • Account: clear
  • Main tag: 6th|
  • Country:
  • Joined: 16-August 11
  • Posts: 121
  • Notoriety: basic

Posted 10 November 2017 - 12:59 AM

View Postegia, on 10 November 2017 - 12:57 AM, said:

So there is no place for knowledge (..) suit yourself


?

#15 User is offline   egia Icon

  • Account: egia
  • Country:
  • Joined: 23-February 14
  • Posts: 7
  • Notoriety: basic

Posted 10 November 2017 - 01:10 AM

View PostClear, on 10 November 2017 - 12:59 AM, said:

?


ioq3 huffman port for python3 (before it you need cython or C to handle raw packets) makes easier for anyone to make mess over urt and quake3 servers.
My post (that went erased) with the code for malicious.... was aimed for develop resources to avoid this issue and for check related issues on UE.

But admins choose to erase it, ok, again, suit yourself. Regards

bullet_disabledSponsored link
www.urbanterror.info

#16 User is offline   Iye Icon

  •   moderator   
    Community Moderator
  • Account: iye
  • Country:
  • Joined: 07-June 11
  • Posts: 847
  • Notoriety: serious

Posted 10 November 2017 - 01:41 AM

I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but i'm tiered and just still here as i figure i still got stuff to do... :S)
Sorry for my bad spelling - I am still asleep. :)

|=| Iye's UrT Addon |=| Firefox Personas |=| Maps |=|
http://www.mediafire...vk3a602hcfg.jpg

#17 User is offline   egia Icon

  • Account: egia
  • Country:
  • Joined: 23-February 14
  • Posts: 7
  • Notoriety: basic

Posted 10 November 2017 - 02:03 AM

View PostIye, on 10 November 2017 - 01:41 AM, said:

I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but i'm tiered and just still here as i figure i still got stuff to do... :S)

Ok, so this code need another module to handle request to the master server for get IP:PORT on 800 ms range, there are third party applications (fan apps) for select servers out of urt's client.
The only trick needed when you request info to MS is wait to the last packet to get all servers in ping range, then only one attacker can fill ~ 80% of urt servers alive (only need a regular inet, bot net is not needed, this is what happens on theses attacks)

Another found is, passcode for private servers dont be erased form conn packet after the player log into an private server, then if you handle the qconsole.log you can make a little dict for bruteforce this passcodes (the are no passcode security policies on urt clans), so make the server private not solve the gap, its just a matter of time.

One way to get this information is spawn fake servers just like spawn fake players.

The code in the link, show a way to bruteforce guid in order to grant permissions to the server's bot, it takes time, but if you want to mess some Clan, you can do it.

For information, related to another post on this thread, ran tcpdump, without parse with huffman is useless.

I hope this post help you. Regards.

  • (2 Pages)
  • +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Advertisement


Copyright © 1999-2017 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942