Urban Terror Forums: DRDoS - Urban Terror Forums


DRDoS

Server used as reflector for DRDoS

#141 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 24 January 2012 - 12:15 AM

Also, more importantly, I would like to know the PORTS of the servers being affected. It's possible that only the 27*** range is affected. Please post what you got if you have been affected! :D

EDIT: Good lord I yap a lot! lol Addendum: If you have a local server.. You may be able to resolve this issue with your router. If you would like to spend buku bucks on a firewall router/switch, by all means do so. But, if you are a bit savvy and would like to dabble a bit in some new sh**.. Check out dd-wrt. I personally use this firmware myself. It's incredibly diverse and allows for QoS / DMZ / Port Forwarding / VLAN management etc.

The firmware is VERY robust and is UNIX based as well complete with iptables. If you don't have it.. Get it. (Unless you have a linksys, because frankly.. linksys and Belkin are the biggest POS networking devices I've ever seen).

This goes with a disclaimer.. As aforementioned, if you are SAVVY... AND if you are NOT technically inept.. Install, configure, let it be. If you do, DONATE. Everyone that makes software this 1337 deserves some $$!

This post has been edited by Pussnboots: 24 January 2012 - 02:31 PM


#142 Nitro

  •   QA member   
  • Account: nitro
  • Main tag: |P|
  • Country:
  • Joined: 15-March 10
  • Posts: 1,133

Posted 24 January 2012 - 12:40 AM

Pussnboots, on 24 January 2012 - 12:15 AM, said:

Also, more importantly, I would like to know the PORTS of the servers being affected. It's possible that only the 27*** range is affected. Please post what you got if you have been affected! :D


the attack works with any port. all it does is query the q3a master server and other known master servers that run q3a protocols such as cod2, takes the entire list of the IP:Port and sends a getstatus query request with a spoofed source address so that the thousands upon thousands of servers respond to the same IP address with the status data, saturating the victim's inbound bandwidth. typical DDoS but using an exploit found in a game rather than infecting people's PCs with a virus.


for each getstatus packet the attacker only needs to send around ~50bytes and in return the server will respond with ~500bytes of information (more if you have extra cvars, or info vars compared to standard build).


now for every 50bytes of bandwidth the attacker has he can increase his attack 10 fold if not more. The reason why this is a great security risk is because the potential is out for the attacker to get his hands on a few VPS servers (even one would do) with multiple 100-1000mbit connections for spare pocket change for a whole month.

if the attacker had 100mbit connection that's 5000Mbits of DDoS bandwidth that can be produced (more than enough to take out most websites even with backup servers)
it's also enough to take down a lot of game servers at once (specially with all the home servers out there)

God forbid if the attacker should get a 1Gbit line. When people ask how serious this problem is, all they need to do is look at their logs to see some of the victims that are being attacked. This is why I am angry at companies such as gameservers.com refusing to compile their own damn executable (it takes less than 3 mins to do and probably less than 1 to deploy)

even if all the urban terror servers are patched, it's still a small puzzle piece in the bigger picture, there is only ~1500 servers in this game, it's the companies like gameservers.com hosting tens of thousands of call of duty servers and other gametypes that NEED to do something about this to really resolve this issue.
Lian Li pc-o11dw Der 8auer Edition · Gigabyte x570 Aorus Xtreme · AMD Ryzen 9 5950x 16-Core
32GB DDR4 3800MHz CL16 · 2x 1TB Samsung NVMe RAID 0 · 16GB Radeon RX 6900XT Liquid Cooled

#143 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 24 January 2012 - 12:57 AM

EDIT: Disregard this post. I've got bigger fish to fry atm...

This post has been edited by Pussnboots: 24 January 2012 - 02:34 PM


#144 Runamuk

  • Account: runamuk
  • Joined: 28-February 10
  • Posts: 238

Posted 24 January 2012 - 03:36 PM

Here is the issue at Gameservers.com and why they won't use it.

"The binary on the page you linked is dynamic.

ldd ioUrTded.i386
./ioUrTded.i386: /lib/libc.so.6: version `GLIBC_2.7' not found (required by ./ioUrTded.i386)
   linux-gate.so.1 => (0x00960000)
   libdl.so.2 => /lib/libdl.so.2 (0x0077f000)
   libm.so.6 => /lib/libm.so.6 (0x00800000)
   libc.so.6 => /lib/libc.so.6 (0x0063a000)
   /lib/ld-linux.so.2 (0x00617000)

GLIBC_2.7 is simply not something we can upgrade to. GLIBC upgrades are extremely dangerous to do to a live system. Either a static version of this mod needs to be made available, or, it needs to be compiled versus a lower GLIBC version.

We have seen this happen many, many times before with various mods/updates. Usually, people make a note of the issue, and a new version with one of the two above scenarios is made.

At this point, there isn't anything we are able to do. We do not have any glibc2.7+ systems in play currently in Chicago.

Thanks,

Zachary Williams
http://www.gameservers.com/
Frag. Not Lag."

#145 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 24 January 2012 - 05:14 PM

Runamuk, on 24 January 2012 - 03:36 PM, said:

Here is the issue at Gameservers.com and why they won't use it.

"The binary on the page you linked is dynamic.

ldd ioUrTded.i386
./ioUrTded.i386: /lib/libc.so.6: version `GLIBC_2.7' not found (required by ./ioUrTded.i386)
   linux-gate.so.1 => (0x00960000)
   libdl.so.2 => /lib/libdl.so.2 (0x0077f000)
   libm.so.6 => /lib/libm.so.6 (0x00800000)
   libc.so.6 => /lib/libc.so.6 (0x0063a000)
   /lib/ld-linux.so.2 (0x00617000)

GLIBC_2.7 is simply not something we can upgrade to. GLIBC upgrades are extremely dangerous to do to a live system. Either a static version of this mod needs to be made available, or, it needs to be compiled versus a lower GLIBC version.

We have seen this happen many, many times before with various mods/updates. Usually, people make a note of the issue, and a new version with one of the two above scenarios is made.

At this point, there isn't anything we are able to do. We do not have any glibc2.7+ systems in play currently in Chicago.

Thanks,

Zachary Williams
http://www.gameservers.com/
Frag. Not Lag."


And of course.. That's because they use RedHat.. Pff. I just switched my server to Ubuntu LTS because of that very reason. I couldn't use my last compiled server binary because of the limitations with CentOS / RHEL. And, because I use Linux Mint (now 12) on my pc, I have the latest glibc. So when I compile, it's compiled with that version and is not reverse compatible.

The only other solution would be (as stated previously in this thread), to have someone else compile an up-to-date binary on an out-of-date OS.

Frankly, I think the folks at Gameservers.com are just limping along on mistakes they've made in the past and don't want to admit they're wrong. Not to mention, it's not worth it to them. ******** tools!

I say, ditch them and rent a virtual server for $30...

EDIT 2: RedHat is comparable to these folks.. Though as lovely as they are.. They just don't get the new stuff..


This post has been edited by Pussnboots: 24 January 2012 - 05:33 PM



#146 looza

  • Account: looza
  • Main tag: gXS.
  • Country:
  • Joined: 21-September 10
  • Posts: 56

Posted 24 January 2012 - 05:45 PM

They only need to compile the source on the old machine they have.
I really can't understand that... compiling the source is not much work and easy to do.
this shouldn't be a problem for a professional hoster...

all they have to do is:

Download the sourcecode from here https://github.com/B...r-UrbanTerror-4

extract it, go into the directory and type: make ARCH=i386

if you do that you will find the new bin in some subfolder

that's all :unsure:

#147 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 24 January 2012 - 06:07 PM

You kidding me? Gameservers.com compiling a Q3 server binary.. Pssh.. Not likely.

You are absolutely right! Easy, but they won't do it.

#148 Runamuk

  • Account: runamuk
  • Joined: 28-February 10
  • Posts: 238

Posted 24 January 2012 - 06:26 PM

I gave them Looza's compile and they applied that to my servers. They should be making that the default install and patch as it now works on their system. No, it isn't hard, but they are a corporation; they don't make patches, they apply stuff that works. Anyway, problem is solved and everyone at GS.com should now be able to ask for the patch using this version until the devs compile a proper official version.

#149 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 25 January 2012 - 04:38 AM

Rambetter, on 23 January 2012 - 07:42 PM, said:

Two things.

Barbatos - In my opinion I think you should compile the "official" server binary on Debian Lenny 5.0, which is an older system. Binaries compiled here will likely work on the largest number of other systems, including new ones.

As far as iptables scripts go, I would say that once you update your binary, it's pretty fruitless to have iptables block stuff also. Regardless of whether or not you use iptables, those incoming getstatus+getinfo requests will still be coming to your server machine. Also, the IP addresses being attacked are constantly changing, so attempting to maintain iptables with those IP addresses is not a worthwhile endeavor. The patched binary will only allow a very slow trickle of traffic through to the IP addresses being attacked.


1: iptables: Just reject simultaneous UDP requests more than 2 / sec +/- to specified game port(s). Good practice to limit traffic on a broad spectrum anyways.
2: Is that a 3500 in your photos on your site? Do you have a rack for it :P
3: <ignore>Running old stuff is lame. It's no wonder there's so many exploits vis-a-vis current methods. I just think people are too lazy to update/secure their sh** and end up paying with a rod in their bum for their lackadaisical nature.. That's just a rant though lol.. </ignore>

This post has been edited by Pussnboots: 25 January 2012 - 04:40 AM
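
The "slow trickle" behaviour discussed in the post above can be obtained with a per-source leaky bucket in front of the getstatus handler. This is an added example, not part of the thread and not the code of the patched ioUrTded binary; the names allow_status_reply and bucket_for, and the BURST, PERIOD_MS and TABLE_SIZE values, are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Illustrative constants, not taken from the patched server. */
#define BURST      10    /* replies allowed back-to-back per source */
#define PERIOD_MS  1000  /* bucket drains one unit per period */
#define TABLE_SIZE 1024

typedef struct { uint32_t addr; int64_t last_ms; int level; int used; } bucket_t;
static bucket_t table[TABLE_SIZE];

/* Find the bucket for addr, or claim an empty/fully drained slot for it. */
static bucket_t *bucket_for(uint32_t addr, int64_t now_ms)
{
    uint32_t h = (addr * 2654435761u) % TABLE_SIZE;
    bucket_t *spare = NULL;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        bucket_t *b = &table[(h + i) % TABLE_SIZE];
        if (b->used && b->addr == addr) return b;
        int idle = !b->used || now_ms - b->last_ms >= (int64_t)b->level * PERIOD_MS;
        if (idle && !spare) spare = b;
        if (!b->used) break;        /* addr is never stored past a never-used slot */
    }
    if (spare) *spare = (bucket_t){ addr, now_ms, 0, 1 };
    return spare;                   /* NULL: table full, caller drops the query */
}

/* 1 = send the getstatus reply to addr, 0 = drop it silently. */
int allow_status_reply(uint32_t addr, int64_t now_ms)
{
    bucket_t *b = bucket_for(addr, now_ms);
    if (!b) return 0;
    int64_t drained = (now_ms - b->last_ms) / PERIOD_MS;
    if (drained > 0) {
        b->level = drained >= b->level ? 0 : b->level - (int)drained;
        b->last_ms += drained * PERIOD_MS;
    }
    if (b->level >= BURST) return 0;
    b->level++;
    return 1;
}

int main(void)
{
    uint32_t spoofed = 0xC0000201u; /* 192.0.2.1, constructed victim address */
    int sent = 0;
    /* One query per millisecond for 5 s, all claiming to come from the victim. */
    for (int ms = 0; ms < 5000; ms++) sent += allow_status_reply(spoofed, ms);
    printf("5000 queries in, %d replies out\n", sent);
    return 0;
}
```

Because the bucket is keyed on the claimed source address, it caps what any one victim receives from this server no matter how fast the spoofed queries arrive, and needs no list of victim IPs to maintain.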


#150 Pussnboots

  • Account: pussnboots
  • Joined: 01-March 10
  • Posts: 556

Posted 27 January 2012 - 02:57 AM

Edit: I need to hide this info for now :P

This post has been edited by Pussnboots: 27 January 2012 - 03:25 AM



Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942