[Drizzt]

Barbatos, on 20 January 2012 - 07:39 PM, said:

You can now download the official patched builds:
http://www.urbanterr...loads/security/

Here is the source code:
https://github.com/B...r-UrbanTerror-4

A news post will be posted soon.

Then, with this security update, the problem is fixed?

[gXS.looza]

Quote

Then, with this security update, the problem is fixed?

im not sure... there are still lots of incoming requests, i still ban the incoming ips in iptables.
im not sure if this is necessary, but i feel better when the requests dont even touch my gameserver :D

i try to ban much targest as possible... i have 100 ips now but always new ips show up,
maybe its useless because i dont know how much victims the atacker has. i hope its not endless?

This post has been edited by looza: 22 January 2012 - 09:13 PM

[FS |HSO|RaideR]

okay, i think the point here is being missed. If you have used iptabled to make this vunerability impossible, then that HAS to be a better solution. But from a "joe blogs" point of view. This stops the abuse being possible. Your server will allways see the abuse, you can't stop that, but this prevents YOUR bandwidth from being wasted and "OTHERS" from getting swarms of data.

In reply to the question "is this really as bad as people are making it out to be", simply put yes! Bot nets are used to generate the "Spoofed" Getstatus messages and blast them at servers. The server replys as it should but to the wrong place, thus the effect is a huge ddos. With a network of 1000 servers + that we have here at UrT and a simple botnet, you can generate (1000 x 100Mbits) as a full capasity shitstorm.

In other words, how well do you think a poor website is going to do against say (400 IPs) all blasting you with data you dont even want. This results in your downstream (inbound) data getting saturated and thus killing coms to your box. The pure nature of a DDoS. Not to mension the hell it pays to your network layer and lagging your servers bus out.

So in conclusion, anyone who doesnt take steps now to make sure there server is secure (there is no reason why not now) are almost party to the abuse.

Update your binary, or use IP Tables to protect against it OR secure it yourself. The options are all there now. Don't not do any, or your just letting the abusers use you to hurt 3rd partys. Now we have patched UrT, its your fault when people get attacked. I Urge you to update!

[rfx]

Absolutely right, it just needs a big fat news message now.

[FS Barbatos]

Yup, it will come in a few days.

[undead]

Can you merge the security updates into the main download page? I don't see a reason why you would want to advertise the vulnerable binaries and bury the fix into a separate page that's not linked to the main header. Everyone should have one download link that they use.

The github project is a mess. Can you remove the build directory, object files, subversion directories and other junk? Those changes obviously came from newer ioquake3 revisions (I can't see you updating the Irix target) and the commit logs don't mention anything.

This post has been edited by undead: 22 January 2012 - 11:07 PM

[Rambetter]

Two things.

Barbatos - In my opinion I think you should compile the "official" server binary on Debian Lenny 5.0, which is an older system. Binaries compiled here will likely work on the largest number of other systems, including new ones.

As far as iptables scripts go, I would say that once you update your binary, it's pretty fruitless to have iptables block stuff also. Regardless of whether or not you use iptables, those incoming getstatus+getinfo requests will still be coming to your server machine. Also, the IP addresses being attacked are constantly changing, so attempting to maintain iptables with those IP addresses is not a worthwhile endeavor. The patched binary will only allow a very slow trickle of traffic through to the IP addresses being attacked.

[gXS.looza]

Quote

Barbatos - In my opinion I think you should compile the "official" server binary on Debian Lenny 5.0, which is an older system. Binaries compiled here will likely work on the largest number of other systems, including new ones.

i compiled the "official" source on lenny, ok since i did that it isnt "official" anymore but if it helps someone here we go ->

http://gamexs.de/ioUrTded.i386

This post has been edited by looza: 05 March 2012 - 08:14 AM

[|P|Nitro]

Rambetter, on 23 January 2012 - 07:42 PM, said:

Two things.

Barbatos - In my opinion I think you should compile the "official" server binary on Debian Lenny 5.0, which is an older system. Binaries compiled here will likely work on the largest number of other systems, including new ones.

As far as iptables scripts go, I would say that once you update your binary, it's pretty fruitless to have iptables block stuff also. Regardless of whether or not you use iptables, those incoming getstatus+getinfo requests will still be coming to your server machine. Also, the IP addresses being attacked are constantly changing, so attempting to maintain iptables with those IP addresses is not a worthwhile endeavor. The patched binary will only allow a very slow trickle of traffic through to the IP addresses being attacked.

well it would depend solely on wether or not you are hosting other games, I host a Call of Duty 2 server which has the same problem but support for that game is long gone so the only way to protect it is to use the iptables.

[Pussnboots]

Well, this is quite easy to do. I have a script I made myself for troublesome players that change their IP and GUID to evade bans.. I just became aware of this issue myself via another clan that may be having the same problems (Granted from what I have seen, there are no floods UDP or TCP that I have seen directly via TCP and UDP packets with this particular instance.)

I'd suggest also modifying your firewall to dump/block/reject excessive requests.

If you are getting flooded with packets, it's easy to find who the culprit is easily by monitoring packet traffic. If anyone who is affected, has the ability to detect this, I'd surely like to know the IP address of the offender. I can take it from there >:D

I won't give instructions because such a thing should not be left to a novice to determine. But for those of you that can.. Give me the info please.. I would like your proof and I'll take it from there.

This type of scripting is INCREDIBLY easy and is likely the work of some n00b. (Yes, I'll start another war >:D One tried, and one failed.. Who's next!? :D )
Let's get rid of this tool!

Thanks! :D