15.01.2011 - 12:12:30

ATTENTION -- fits only for linux OS -- ATTENTION

Hi all,


Yesterday I noticed, that the ETPro server of my clan (ETW-FunZone) produced an upstream of 3MBit/s even if no player was online.

That was the point, I remembered the
ET Getstattus Exploit (fixed by applying this patch)

But for now, I`m starting from beginniing.

You don`t know if your server is also flooded?

It`s simple to test out this:

Step 1:
Run "vnstat -l" (if vnstat not is installed on your server, simply do that following the description found here

Run vnstat -l for about a minute and stop the app by CRTL + C
Now you`ll see a result-page, showing the up- and downstream.

Quote

eth0 / traffic statistics rx | tx --------------------------------------+------------------ bytes 168 KiB | 22 KiB --------------------------------------+------------------ max 100 kbit/s | 20 kbit/s average 89.60 kbit/s | 11.73 kbit/s min 96 kbit/s | 8 kbit/s --------------------------------------+------------------ packets 2865 | 49 --------------------------------------+------------------ max 208 p/s | 6 p/s average 191 p/s | 3 p/s min 200 p/s | 2 p/s --------------------------------------+------------------ time 15 seconds

those one looks not bad, but if you have an upstream of more than 1 MBit/s, even if no player is connected, you should go to step 2

On ETW-Funzone, for example we had this report:

Quote

max 756 kbit/s | 4.57 Mbit/s average 600.71 kbit/s | 3.82 Mbit/s min 536 kbit/s | 3.59 Mbit/s

Notice the 4,57MBit/s upstream!

Step 2:
Check with tcpdump if the getstatus exploit trigger this.
If tcpdump is not installed on your server yet, do it (should be located in the most distribution repos). Use your packege-manager to install tcpdump.

Now capture 1000 tcp packets with the command
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l

which will output the linecount. Divide it through 2 and you`ll get the number of
getstatus packets your server received within the few seconds tcpdump runs.

If the number increases 50 (empty server!), you should be warned!
And you should go forward with step 3.

Because this attack is driven with spoofed ip-adresses, there`s no sence in writing tons of abuse-messages to the concerned hosters.


Step 3:
Fix your etded.x86 (works only with 2.60B AFAIK!) with the Exploit Fix

How to do this?

For this example I use putty as ssh client to administrate the server -Connect to your server -Change directory to your game-folder (where etded.x86 is located) -make a temporary folder mkdir tmpfix -move to this folder, also copy your etded.x86 to that place cp etded.x86 tmpfix/ cd tmpfix -download the fix wget http://wolffiles.de/filebase/ET/Patches/etfix_getstatus_0.2.zip -unzip the package unzip etfix_getstatus_0.2.zip Now it`s time to aply the patch ./etfix_getstatus etded.x86 -you should receive such an output:  Quote ------------------------------------------------ ** limit getstatus patch 0.2 for etded.x86 2.60b yada // staatsschutz.org // jan. 2011 ------------------------------------------------ Patching: 23 bytes at offset 71BC0. Patching: 117 bytes at offset 71BE0. Patching: 11 bytes at offset E4EF. Patching: 5 bytes at offset E507. Patching: 4 bytes at offset 10C13. Success: etded.x86 patched. which indicates that the patch is applied successfully. -Now rename the original etded.x86 mv ../etded.x86 ../etded.x86_unfixed -Copy the fixed etded.x86 to the gamefolder cp etded.x86 ../ Now the fixing is done.

Restart the server, and use the tcpdump command to see the results
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l



Example:
On ETW-FZ, the first tcpdump - output showed, that 436 from 1000 packets where getstatus requests and the ansers the server gave (output 872 / 2).
After the fix was applied, the count decreased to 320 of 1000.
It sounds not realy successfull, but use
vnstat -l
to see the real effort!

The reason, tcpdump shows a high count, even the fix is applied is simple:
The server still receive the getstatus queries, but only 1 of those queries from each IP is answered every 4 seconds.
This fix isn`t made to stop those attacks completly, but it will help massiv to decrease the attackers acc

REMARK:
This fix will cause your server is shown laggy in HSLW.
This occours because some getstatus-packaged from HSLW were dropped by the server.


last changed by schnoog am 15.01.2011 - 14:29:37

15.01.2011 - 18:26:50

Was bei Dir in test2.txt landet ist die stderr - Ausgabe.
stdout wird mit der Pipe an grep weitergeleitet, der gibt es an wc -l weiter.
Mach das
| wc -l
weg und dafür
>test2.txt
hin. Dann landet alles in der Datei. Die Zeilenanzahl kannst Du dann problemlos mit
cat test2.txt | wc -l
ermitteln.

Bezüglich Hetzner Forum würd ich sagen "ins schwarze getroffen"

02.08.2011 - 23:05:49

Referring to http://wolffiles.de/index.php?forum-showposts-44-p3#459

this file works well for me since many weeks: http://wolffiles.de/index.php?filebase&fid=4286


last changed by schnoog am 02.08.2011 - 23:06:16

27.08.2011 - 22:06:18

Which windows and which firewall are you running?

06.09.2011 - 17:53:53

any help on this?

02.11.2011 - 20:34:39

hi we having a spoof attack like you described here on our game server
and we like to know if you have a similar solution for a Windows 2008 R2 server?

specially the patches you have as you described for the linux server

Thanks in advance

03.11.2011 - 21:00:28

Zitat von schnoog

HI Senna, AFAIK there is no solution for windows based server yet. And the only firewall for windows I found which is able to handle the package content is the InJoy firewall: http://www.fx.dk/firewall/ Maybe also WFP is able to do such investigations ( http://msdn.microsoft.com/en-us/library/windows/desktop/aa366504(v=vs.85).aspx ) , but tbh, I never tried it.

but thanks anyway for your swift answer
we gonna have a look at your suggestions and i will let you know the outcome