Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: Methods to slowdown or stop udpsz
Posted: 28 Jan 2011 01:43

Joined: 28 Jan 2011 01:37
Posts: 1
Hello, I have a simple gamer community. I have been having problems with the udpsz attack. I have been trying my best to stop it, but with the ability to spoof IPs I can't keep up. Is there any way to stop or slow it down? We get attacked over and over. Every day we get hit 13 or more times for at least 2 hours. I don't know who else to ask. Could anyone explain exactly how udpsz works?

The servers that get hit the most are CSS and GarrysMod.


 Post subject: Re: Methods to slowdown or stop udpsz
Posted: 28 Jan 2011 02:06

Joined: 16 Aug 2007 06:25
Posts: 367
Are you talking about a documented vulnerability in particular? Udpsz simply sends custom-crafted UDP packets. How do you know they are using udpsz? There are similar tools out there that do the same thing udpsz does. Are they hitting your server with lots of requests and causing it to slow down? Are they legitimate requests (like a request for player info) or is it garbage traffic? A packet scan could give you more info on this.

Unless there is a certain pattern (like a common IP range the requests are coming from) it can be pretty hard to contain a DDoS attack other than having greater resources than the attacker (more bandwidth, more server power, etc).


 Post subject: Re: Methods to slowdown or stop udpsz
Posted: 30 Jan 2011 23:02

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I agree with Soma, how do you know that udpsz is used?
If you want to prevent this, try using Luigi's universal players limiter. You can prevent any packet from being sent to your server, in case they always flood with the same data.
If they use different data and spoofed IPs every time, then there is literally nothing you can do about it.


13 times a day and 2 hours each time? I just had to say something, how is this possible? That would make 26 hours in a day ....


 Post subject: Re: Methods to slowdown or stop udpsz
Posted: 30 Jan 2011 23:18

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I don't know if the author is the same person who contacted me via e-mail; anyway, the problem was a flood of the packet \xff\xff\xff\xff\x57 that is used for requesting the challenge of the Source servers.
I suggested using playerslimitermax as a solution or at least as an initial work-around.


 Post subject: Re: Methods to slowdown or stop udpsz
Posted: 30 Jan 2011 23:29

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I just remembered one thing, one idea I've had for ages but never told you (Luigi) about.
Let's say that I want to crash/lag somebody's server and they use the fake players limiter. So my bypass to this would be to spoof the IP of each player. This alone should do it, but in case you can (I don't know if you can) change the playerslimiter to ignore IP and only allow ONE packet per min (one packet of a kind per min, no matter what the IP is), then I would change each packet just a little bit, enough to bypass playerslimiter.
Let's say I would have 60 different packets, so it can send 60 packets per second and still not get blocked by playerslimiter.

Now to still block this kind of attack with playerslimiter, it should have "block sequence of packets" per minute. For example, if playerslimiter gets 10 different packets in a certain order, then the next time the 1st packet of this sequence arrives, it gets blocked, unless it's past the time limit (30 secs or 60 secs or whatever the playerslimiter limit is).

Bit messy, but I'm sure Luigi understands what I mean by this. I used this kind of method in MSN to flood, when the "target" was using the addon that blocks message flood.


 Post subject: Re: Methods to slowdown or stop udpsz
Posted: 30 Jan 2011 23:35

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The target of the attack is making the server unresponsive, so if I allow only one packet per a certain amount of time the result is the same, exactly like the q3rconz bug on Quake 3.

But if you mean a more complex solution, there is always the problem of implementing it :)
After all, playerslimiter was only a work-around and mainly a feature for testing a feature of proxocket.

And I also need to know how to fix that bug reported by another user who said that it no longer worked after 2 days.


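The trade-off raised in the last two posts, as an added example that is not part of the original thread and is not playerslimiter code: a limiter keyed on packet kind and blind to the source IP caps how many `\xff\xff\xff\xff\x57` challenge requests reach the server, but real players' requests share that bucket and are dropped with the flood. The class name, rates, addresses and traffic below are constructed assumptions.

```python
from collections import Counter

CHALLENGE_REQ = b"\xff\xff\xff\xff\x57"  # challenge request quoted in the thread

class PayloadLimiter:
    """Token bucket per packet kind. The source IP is ignored because it can be
    spoofed. Integer milli-tokens and millisecond clocks keep the maths exact."""
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec      # milli-tokens gained per millisecond
        self.cap = burst * 1000       # bucket size in milli-tokens
        self.buckets = {}             # payload -> (milli_tokens, last_ms)

    def allow(self, now_ms, payload):
        tokens, last = self.buckets.get(payload, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1000           # forwarding one packet costs one token
        self.buckets[payload] = (tokens - 1000 if ok else tokens, now_ms)
        return ok

def constructed_traffic(seconds, flood_pps):
    """Constructed sample, not a capture: (ms, src_ip, payload, label)."""
    events = []
    if flood_pps:
        for i, ms in enumerate(range(0, seconds * 1000, 1000 // flood_pps)):
            ip = "10.%d.%d.%d" % (i % 251, i * 7 % 253, i * 13 % 254)
            events.append((ms, ip, CHALLENGE_REQ, "flood"))
    for s in range(seconds):          # one real player query per second
        events.append((s * 1000 + 503, "192.0.2.10", CHALLENGE_REQ, "legit"))
    return sorted(events)

def simulate(flood_pps, rate_per_sec=20, burst=20, seconds=10):
    """Return {label: (forwarded, seen)} for the constructed traffic."""
    limiter = PayloadLimiter(rate_per_sec, burst)
    seen, passed = Counter(), Counter()
    for ms, _ip, payload, label in constructed_traffic(seconds, flood_pps):
        seen[label] += 1
        passed[label] += limiter.allow(ms, payload)
    return {label: (passed[label], seen[label]) for label in seen}

if __name__ == "__main__":
    print("no flood :", simulate(flood_pps=0))
    print("200 pps  :", simulate(flood_pps=200))
```

On this constructed traffic the limiter forwards 219 of 2000 flood packets and none of the 10 legitimate requests, while without the flood all 10 legitimate requests pass. The server is shielded from the load, yet players still cannot obtain a challenge.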
 