[WARNING] Malicious ghost clients
#11
Posted 11 December 2015 - 04:23 PM
Well, you can create a new GUID by deleting your Qkey, and I suppose what Mr. Yeah meant there was not allowing a new client to open a connection from the same IP within a given timespan:
You can have as many connections as you want (probably quite a few less), but have to wait X seconds before connecting a new client.
I quite like that idea. It basically has the same flaws as any other method, by potentially making it difficult to play from something like a college or company connection.
Sorry for my bad spelling - I am still asleep. :)
|=| Iye's UrT Addon |=| Firefox Personas |=| Maps |=|
http://www.mediafire...vk3a602hcfg.jpg
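The per-IP wait described in post #11, sketched as an added example; it is not code from the thread or from the Urban Terror engine. The names `allow_connect` and `cooldown_reset`, the table size and the 10-second value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS        256   /* assumed table size */
#define COOLDOWN_SEC 10    /* the "X seconds" from the post; value is assumed */

typedef struct { uint32_t ip; int64_t last_accept; int used; } slot_t;
static slot_t table[SLOTS];

void cooldown_reset(void) { memset(table, 0, sizeof table); }

/* Hypothetical hook, meant to run only after the source address has been
 * verified (e.g. by a challenge round trip), so spoofed packets cannot fill
 * the table. Returns 1 if a NEW client from `ip` may connect at `now`
 * (seconds), 0 if it must wait. Established connections are not affected. */
int allow_connect(uint32_t ip, int64_t now)
{
    uint32_t h = (ip * 2654435761u) % SLOTS;
    slot_t *reuse = NULL;

    for (uint32_t i = 0; i < SLOTS; i++) {          /* linear probing */
        slot_t *s = &table[(h + i) % SLOTS];
        if (s->used && s->ip == ip) {
            if (now - s->last_accept < COOLDOWN_SEC)
                return 0;                           /* still cooling down */
            s->last_accept = now;
            return 1;
        }
        if (!s->used || now - s->last_accept >= COOLDOWN_SEC) {
            if (!reuse) reuse = s;                  /* free or expired slot */
            if (!s->used) break;                    /* end of probe chain */
        }
    }
    if (!reuse) return 0;   /* every slot is in cooldown: refuse, fail closed */
    reuse->ip = ip;
    reuse->last_accept = now;
    reuse->used = 1;
    return 1;
}

int main(void)
{
    uint32_t ip = 0xC0000201u;                      /* 192.0.2.1, constructed */
    for (int64_t t = 100; t <= 112; t += 4)
        printf("t=%lld allow=%d\n", (long long)t, allow_connect(ip, t));
    return 0;
}
```

The cooldown runs from the last accepted connection, so refused attempts do not extend the wait; players behind one shared address still queue behind each other, which is the flaw the post points out.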
#12
Posted 02 January 2016 - 08:07 PM
Hey!
I think those attackers used the way in which Urban Terror tries to keep the connection alive with the UrT server before the map download.
When a client connects to a UrT server with a map which it doesn't have, it gets this popup window to accept or cancel the map download, and at this moment, when the player won't click anything because he is probably AFK, he will stay as a 999 ping player on the server, and UrT sv_timeout won't work at all because he is sending some short keep-alive packets to the server all the time.
Dropping the client connection altogether before the map download popup could be a solution. I doubt those "attackers" could use some sophisticated method to cheat the server about the client connection AND generate those keep-alive packets.
If it helps, I ran tcpdump on the server during that, and in ASCII mode the packet content looks like this (every packet starts with the letter "E"):
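Why an idle timeout alone does not free the slot described in post #12, and how an absolute limit on the pre-game state does, as an added example that is not code from the thread or the engine. It generalizes the poster's suggestion (dropping at the prompt) into a deadline; the state names, `CONNECT_LIMIT` and both timing values are assumptions.

```c
#include <stdio.h>

enum state { ST_FREE, ST_PREGAME, ST_INGAME };     /* illustrative names */

typedef struct {
    enum state st;
    long connect_time;     /* when the slot was allocated (s) */
    long last_packet;      /* time of the most recent packet (s) */
} client_t;

#define IDLE_TIMEOUT  30   /* plays the role of sv_timeout; value assumed */
#define CONNECT_LIMIT 60   /* hypothetical cap on time spent before joining */

/* Any packet, including a bare keep-alive, refreshes the idle timer. */
void on_packet(client_t *c, long now) { c->last_packet = now; }

/* Returns 1 if the slot should be freed at `now`. */
int should_drop(const client_t *c, long now, int use_connect_limit)
{
    if (c->st == ST_FREE) return 0;
    if (now - c->last_packet > IDLE_TIMEOUT) return 1;      /* went silent */
    if (use_connect_limit && c->st == ST_PREGAME &&
        now - c->connect_time > CONNECT_LIMIT) return 1;    /* never joined */
    return 0;
}

/* Constructed scenario: a client that stays in ST_PREGAME and sends one
 * keep-alive per second. Returns the second it is dropped, or -1 if it
 * still holds the slot after `duration` seconds. */
long simulate_ghost(int use_connect_limit, long duration)
{
    client_t c = { ST_PREGAME, 0, 0 };
    for (long t = 1; t <= duration; t++) {
        on_packet(&c, t);
        if (should_drop(&c, t, use_connect_limit)) return t;
    }
    return -1;
}

int main(void)
{
    printf("idle timeout only: dropped at %ld\n", simulate_ghost(0, 600));
    printf("with connect cap:  dropped at %ld\n", simulate_ghost(1, 600));
    return 0;
}
```

A real server would have to exempt or extend the limit for clients that are actively transferring a map, otherwise slow downloads would be cut off as well.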
#15
Posted 10 November 2017 - 01:10 AM
Clear, on 10 November 2017 - 12:59 AM, said:
?
The ioq3 Huffman port for Python 3 (before it you needed Cython or C to handle raw packets) makes it easier for anyone to make a mess on UrT and Quake 3 servers.
My post (that got erased) with the code for malicious.... was aimed at developing resources to avoid this issue and at checking related issues on UE.
But the admins chose to erase it; OK, again, suit yourself. Regards
#16
Posted 10 November 2017 - 01:41 AM
I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but I'm tired and just still here as I figure I still got stuff to do... :S)
Sorry for my bad spelling - I am still asleep. :)
|=| Iye's UrT Addon |=| Firefox Personas |=| Maps |=|
http://www.mediafire...vk3a602hcfg.jpg
#17
Posted 10 November 2017 - 02:03 AM
Iye, on 10 November 2017 - 01:41 AM, said:
I relayed it to the admins, but chose to hide your post, as it, by your own admission, basically is a blueprint for how to spam servers. (Probably should have left a note here, but I'm tired and just still here as I figure I still got stuff to do... :S)
OK, so this code needs another module to handle requests to the master server to get IP:PORT in the 800 ms range; there are third-party applications (fan apps) for selecting servers outside of UrT's client.
The only trick needed when you request info from the MS is to wait for the last packet to get all servers in ping range; then only one attacker can fill ~80% of the live UrT servers (only a regular internet connection is needed, a botnet is not needed; this is what happens in these attacks).
Another finding is that the passcode for private servers is not erased from the conn packet after the player logs into a private server, so if you handle the qconsole.log you can make a little dict to brute-force these passcodes (there are no passcode security policies in UrT clans), so making the server private does not solve the gap; it's just a matter of time.
One way to get this information is to spawn fake servers, just like spawning fake players.
The code in the link shows a way to brute-force the GUID in order to grant permissions to the server's bot; it takes time, but if you want to mess with some clan, you can do it.
For information, related to another post in this thread: running tcpdump without parsing with Huffman is useless.
I hope this post helps you. Regards.
#18
Posted 29 November 2017 - 05:44 AM
Really interesting.
One time I used this to troll a server admin who thinks he can use admin abuse anytime. I just wrote myself a little batch file which starts and connects 20 times with a random name to the server, deleting the qkey after every start to create a new ID,
so the server admin just saw 20 users with 20 IDs come from 1 IP onto the server and idle there. And when he tried to ban me with B3, it only banned 1 of them.
Possibly that helps you to fix this.
PS: I never used this again or published it.
#19
Posted 29 November 2017 - 10:34 AM
warsheep, on 29 November 2017 - 05:44 AM, said:
Really interesting.
One time I used this to troll a server admin who thinks he can use admin abuse anytime. I just wrote myself a little batch file which starts and connects 20 times with a random name to the server, deleting the qkey after every start to create a new ID,
so the server admin just saw 20 users with 20 IDs come from 1 IP onto the server and idle there. And when he tried to ban me with B3, it only banned 1 of them.
Possibly that helps you to fix this.
PS: I never used this again or published it.
FYI: B3 bans by IP address and schedules reBans every 10 seconds, so if one of your fake clients has been banned, the others won't stay alive for more than 10 seconds.
Follow me: https://github.com/danielepantaleone
#20
Posted 30 November 2017 - 01:52 AM
Fenix, on 29 November 2017 - 10:34 AM, said:
FYI: B3 bans by IP address and schedules reBans every 10 seconds, so if one of your fake clients has been banned, the others won't stay alive for more than 10 seconds.
Does B3 work with iptables, or does it only ban through the ioq3 engine? If B3 does not work with iptables, the attacker still gets server bandwidth. BTW, running B3 as root is not good advice.