ATTENTION -- applies only to Linux servers -- ATTENTION
Hi all,
Yesterday I noticed that the ETPro server of my clan (ETW-FunZone) produced an upstream of 3 MBit/s even when no player was online.
That was the point I remembered the ET Getstatus Exploit (fixed by applying this patch).
But for now, I'm starting from the beginning.
You don't know whether your server is also being flooded?
It's simple to test:
Step 1:
Run "vnstat -l" (if vnstat is not installed on your server, simply install it following the description found here).
Run vnstat -l for about a minute and stop it with CTRL + C.
Now you'll see a result page showing the up- and downstream.
A result like that does not look bad, but if you have an upstream of more than 1 MBit/s even when no player is connected, you should go to step 2.
On ETW-FunZone, for example, we had this report:
Notice the 4,57MBit/s upstream!
Step 2:
Check with tcpdump whether the getstatus exploit is causing this.
If tcpdump is not installed on your server yet, install it (it should be in the repos of most distributions). Use your package manager to install tcpdump.
Now capture 1000 packets with the command
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l
which outputs the line count. Divide it by 2 and you get the number of
getstatus packets your server received within the few seconds tcpdump runs.
If the number exceeds 50 (on an empty server!), you should be warned,
and you should go on to step 3.
Because this attack is driven with spoofed IP addresses, there's no sense in writing tons of abuse messages to the hosters concerned.
Step 3:
Fix your etded.x86 (works only with 2.60B AFAIK!) with the Exploit Fix.
How to do this?
Restart the server and use the tcpdump command again to see the result:
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l
Example:
On ETW-FZ, the first tcpdump output showed that 436 of 1000 packets were getstatus requests and the answers the server gave (output 872 / 2).
After the fix was applied, the count decreased to 320 of 1000.
That does not sound very successful, but use
vnstat -l
to see the real effect!
The reason tcpdump still shows a high count even after the fix is applied is simple:
the server still receives the getstatus queries, but only one query from each IP is answered every 4 seconds.
This fix is not made to stop these attacks completely, but it helps massively to decrease the attacker's acc
REMARK:
This fix will cause your server to be shown as laggy in HLSW.
This occurs because some getstatus packets from HLSW are dropped by the server.
last changed by schnoog on 15.01.2011 - 14:29:37