Urban Terror Forums: [WARNING] Malicious ghost clients - Urban Terror Forums

[WARNING] Malicious ghost clients

#11 Iye

  •   moderator   
    Community Moderator
  • Account: iye
  • Joined: 07-June 11
  • Posts: 855
  • Notoriety: serious

Posted 11 December 2015 - 04:23 PM

Well, you can create a new guid by deleting your Qkey, and I suppose what Mr. Yeah meant there was not allowing a new client to open a connection from the same IP within a given timespan:
you can have as many connections as you want (probably quite a few less), but have to wait X seconds before connecting a new client.

I quite like that idea. It basically has the same flaws as any other method, by potentially making it difficult to play from something like a college or company connection.
Sorry for my bad spelling - I am still asleep. :)

|=| Iye's UrT Addon |=| Firefox Personas |=| Maps |=|
http://www.mediafire...vk3a602hcfg.jpg
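
The per-IP wait described in post #11, as an added example that is not part of the original thread and not Urban Terror or ioquake3 code: a new client from an address is refused until the cooldown since the last accepted connect from that address has passed, while clients already connected from it are left alone. The table size, the 5-second value and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define COOLDOWN_SLOTS      256   /* tracked source addresses (assumed size) */
#define CONNECT_COOLDOWN_MS 5000  /* the "X seconds" of the post (assumed value) */

typedef struct {
    uint32_t ip;       /* IPv4 source address */
    int64_t  last_ms;  /* time of the last accepted connect */
    int      used;
} cooldown_entry;

static cooldown_entry cooldown_table[COOLDOWN_SLOTS];

/* Returns 1 if a new client from `ip` may connect at now_ms, 0 if it must wait.
 * Clients already connected from the same address are never touched. */
int cooldown_allow(uint32_t ip, int64_t now_ms)
{
    cooldown_entry *spare = NULL;
    for (int i = 0; i < COOLDOWN_SLOTS; i++) {
        cooldown_entry *e = &cooldown_table[i];
        int expired = !e->used || now_ms - e->last_ms >= CONNECT_COOLDOWN_MS;
        if (e->used && e->ip == ip) {
            if (!expired)
                return 0;      /* too soon; a refused try does not restart the timer */
            e->last_ms = now_ms;
            return 1;
        }
        if (expired && !spare)
            spare = e;         /* remember the first reusable slot */
    }
    if (!spare)
        return 0;              /* every slot is still cooling down: fail closed */
    spare->ip = ip;
    spare->last_ms = now_ms;
    spare->used = 1;
    return 1;
}

int main(void)
{
    /* Constructed sample: three connects from one shared address (192.0.2.1). */
    uint32_t shared = 0xC0000201u;
    int first  = cooldown_allow(shared, 1000);  /* accepted */
    int second = cooldown_allow(shared, 3000);  /* 2 s later: refused */
    int third  = cooldown_allow(shared, 6000);  /* 5 s after the first: accepted */
    printf("%d %d %d\n", first, second, third);
    return 0;
}
```

Players behind a shared college or company address can still all join; they are only delayed by one cooldown each, which is the trade-off the post names.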

#12 DSZ

  •   verified user   
  • Account: dsz
  • Joined: 13-August 13
  • Posts: 32
  • Notoriety: basic (afk)

Posted 02 January 2016 - 08:07 PM

Hey!

I think those attackers used the way in which Urban Terror tries to keep the connection alive with the UrT server before a map download.

When a client connects to a UrT server with a map which he doesn't have, he gets this popup window to accept or cancel the map download, and in this moment, when the player won't click anything because he is probably AFK, he will stay as a 999 ping player on the server and UrT's sv_timeout won't work at all, because he is sending some short keep-alive packets to the server all the time.

Dropping the client connection entirely before the map download popup could be a solution. I doubt those "attackers" could use some sophisticated method to cheat the server about the client connection AND generate those keep-alive packets.

If it helps, I ran tcpdump on the server during that, and in ASCII mode the packet content looks like this (every packet starts with the letter "E"):


E..,..@.@..m
..

..dm8.....F....-.+.......F...

E..,.)@.@..)
..

..dm8....l0....-.+.....F.....

E..,..@.@..R
..

..dm8.....Q....-.+.......F...

E..,.!@.@..1
..

..dm8..........-.+.......F...

E..9.o@.@...
..

..dm8...%.?....-.+........n........5....
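
A server-side check for the situation post #12 describes, as an added example that is not part of the original thread and not Urban Terror or ioquake3 code: a packet-based idle timeout never fires for a client that keeps sending keep-alives, so a second deadline counts from the moment the slot was taken and applies only while the client has not entered the game. The struct, state names and both timeout values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for a server's client slots; all names are hypothetical. */
typedef enum { SLOT_FREE, SLOT_CONNECTING, SLOT_ACTIVE } slot_state;

typedef struct {
    slot_state state;
    int64_t connect_ms;      /* when the slot was allocated */
    int64_t last_packet_ms;  /* refreshed by every packet, keep-alives included */
} client_slot;

#define IDLE_TIMEOUT_MS     30000  /* "no packets at all" timeout (assumed value) */
#define CONNECT_DEADLINE_MS 90000  /* time allowed to finish joining (assumed value) */

/* Returns 1 if the slot should be dropped at now_ms. */
int should_drop(const client_slot *c, int64_t now_ms)
{
    if (c->state == SLOT_FREE)
        return 0;
    if (now_ms - c->last_packet_ms > IDLE_TIMEOUT_MS)
        return 1;   /* silent client: the ordinary timeout */
    if (c->state == SLOT_CONNECTING && now_ms - c->connect_ms > CONNECT_DEADLINE_MS)
        return 1;   /* still talking, but never entered the game */
    return 0;
}

/* Frees every slot that should be dropped and returns how many were freed. */
int sweep_slots(client_slot *slots, int n, int64_t now_ms)
{
    int dropped = 0;
    for (int i = 0; i < n; i++) {
        if (should_drop(&slots[i], now_ms)) {
            slots[i].state = SLOT_FREE;
            dropped++;
        }
    }
    return dropped;
}

/* Constructed sample: one player, one idle pre-download slot, one recent joiner. */
int demo_sweep(void)
{
    client_slot slots[3] = {
        { SLOT_ACTIVE,     0,     99500 },  /* playing normally */
        { SLOT_CONNECTING, 0,     99900 },  /* keep-alives only, 100 s after connect */
        { SLOT_CONNECTING, 80000, 99000 },  /* joined 20 s ago, still within deadline */
    };
    return sweep_slots(slots, 3, 100000);
}

int main(void)
{
    printf("dropped %d slot(s)\n", demo_sweep());
    return 0;
}
```

The deadline has to be longer than a legitimate map download on a slow link, otherwise real players are dropped along with the idle slots.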



#13 egia

  • Account: egia
  • Joined: 23-February 14
  • Posts: 13
  • Notoriety: basic

Posted 10 November 2017 - 12:57 AM

So there is no place for knowledge (..) suit yourself

#14 Clear

  •   former FS member   
    Codebase Developer
  • Account: clear
  • Main tag: 6th|
  • Joined: 16-August 11
  • Posts: 121
  • Notoriety: basic

Posted 10 November 2017 - 12:59 AM

egia, on 10 November 2017 - 12:57 AM, said:

So there is no place for knowledge (..) suit yourself


?

#15 egia

  • Account: egia
  • Joined: 23-February 14
  • Posts: 13
  • Notoriety: basic

Posted 10 November 2017 - 01:10 AM

Clear, on 10 November 2017 - 12:59 AM, said:

?


The ioq3 Huffman port for Python 3 (before it you needed Cython or C to handle raw packets) makes it easier for anyone to make a mess of UrT and Quake 3 servers.
My post (which was erased) with the code for malicious.... was aimed at developing resources to avoid this issue and at checking related issues on UE.

But the admins chose to erase it; OK, again, suit yourself. Regards


#16 Iye

  •   moderator   
    Community Moderator
  • Account: iye
  • Joined: 07-June 11
  • Posts: 855
  • Notoriety: serious

Posted 10 November 2017 - 01:41 AM

I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but I'm tired and just still here as I figure I still got stuff to do... :S)

#17 egia

  • Account: egia
  • Joined: 23-February 14
  • Posts: 13
  • Notoriety: basic

Posted 10 November 2017 - 02:03 AM

Iye, on 10 November 2017 - 01:41 AM, said:

I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but I'm tired and just still here as I figure I still got stuff to do... :S)

OK, so this code needs another module to handle requests to the master server to get IP:PORT in the 800 ms range; there are third-party applications (fan apps) for selecting servers outside of UrT's client.
The only trick needed when you request info from the MS is to wait for the last packet to get all servers in ping range; then a single attacker can fill ~80% of the live UrT servers (only a regular internet connection is needed, a botnet is not needed; this is what happens in these attacks).

Another finding is that the passcode for private servers isn't erased from the conn packet after the player logs into a private server, so if you handle the qconsole.log you can make a little dict to brute-force these passcodes (there are no passcode security policies in UrT clans), so making the server private does not close the gap; it's just a matter of time.

One way to get this information is to spawn fake servers, just like spawning fake players.

The code in the link shows a way to brute-force the guid in order to grant permissions to the server's bot; it takes time, but if you want to mess with some clan, you can do it.

For information, related to another post in this thread: running tcpdump without parsing with Huffman is useless.

I hope this post helps you. Regards.

#18 warsheep

  • Account: warsheep
  • Joined: 20-October 13
  • Posts: 18
  • Notoriety: basic

Posted 29 November 2017 - 05:44 AM

Really interesting.
One time I used this to troll a server admin who thinks he can use admin abuse anytime; I just wrote myself a little batch file that starts and connects 20 times with a random name to the server, deleting the qkey after every start to create a new ID,
so the server admin just saw 20 users with 20 IDs come from 1 IP onto the server and idle there. And when he tried to ban me with B3, it only banned 1 of them.
Possibly that helps you to fix this.

PS: I never used this again or published it.

#19 Fenix

  •   former FS member   
  • Account: fenix
  • Main tag: [Gore]
  • Joined: 06-December 10
  • Posts: 423
  • Notoriety: basic

Posted 29 November 2017 - 10:34 AM

warsheep, on 29 November 2017 - 05:44 AM, said:

Really interesting.
One time I used this to troll a server admin who thinks he can use admin abuse anytime; I just wrote myself a little batch file that starts and connects 20 times with a random name to the server, deleting the qkey after every start to create a new ID,
so the server admin just saw 20 users with 20 IDs come from 1 IP onto the server and idle there. And when he tried to ban me with B3, it only banned 1 of them.
Possibly that helps you to fix this.

PS: I never used this again or published it.


FYI: B3 bans by IP address and schedules re-bans every 10 seconds, so if one of your fake clients has been banned, the others won't stay alive for more than 10 seconds.

#20 egia

  • Account: egia
  • Joined: 23-February 14
  • Posts: 13
  • Notoriety: basic

Posted 30 November 2017 - 01:52 AM

Fenix, on 29 November 2017 - 10:34 AM, said:

FYI: B3 bans by IP address and schedules re-bans every 10 seconds, so if one of your fake clients has been banned, the others won't stay alive for more than 10 seconds.


Does B3 work with iptables, or does it only ban through the iq3 engine? If B3 does not work with iptables, the attacker still gets server bandwidth. BTW, running B3 as root is not good advice.


Copyright © 1999-2017 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942