Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: SOF2 DoS patch
Posted: 09 Jan 2011 16:46

Joined: 09 Jan 2011 16:38
Posts: 6
I operate a dedicated Windows server that runs several SOF2 dedicated game servers. Starting about a month ago the servers have come under an attack that constantly queries the host with the "getstatus" request. It does not crash the server but does cause lag until I identify and ban the offending IP address.

Is there any patch that could limit the number of status requests to the server?


 
 
 Post subject: Re: SOF2 DoS patch
Posted: 09 Jan 2011 18:10

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
you could filter it manually via a firewall of your choice otherwise you could implement something like the playerslimitermax plugin for proxocket:
http://aluigi.org/patches.htm#playerslimiter

but instead of using the yyyyconnect packet you should use yyyygetstatus.
maybe one of these days I should update that plugin so that you can filter more packets, anyway try that idea


 
 Post subject: Re: SOF2 DoS patch
Posted: 09 Jan 2011 20:27

Joined: 09 Jan 2011 16:38
Posts: 6
Sounds like it should do the trick. I am not sure I am straight on how to use it though.

I renamed the quake3_packet.dat to packet.dat and placed it along with the myproxocket.dll and ws2_32.dll into the folder where the exe file resides. I then restarted the server. Is that it?


 
 Post subject: Re: SOF2 DoS patch
Posted: 09 Jan 2011 22:59

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
exactly, now using the default quake3_packet.dat you are filtering the "connect" packet.
so if you open packet.dat with a hex editor and remove connect and place getstatus then you will prevent the sof2 process from handling all these getstatus packets (but you can't avoid the saturation of the line).

this is how your packet.dat should look with a hex editor:
Code:
ff ff ff ff 67 65 74 73 74 61 74 75 73            ....getstatus


 
 Post subject: Re: SOF2 DoS patch
Posted: 10 Jan 2011 01:07

Joined: 09 Jan 2011 16:38
Posts: 6
Thank you very much. I have applied the patch to all the servers and should know how they work in a day or so.

I will still have to monitor the connections and ban IPs once a day to avoid the saturation, but this should stop the CPU spikes.


 
 Post subject: Re: SOF2 DoS patch
Posted: 20 Jan 2011 12:41

Joined: 09 Jan 2011 16:38
Posts: 6
It seemed to work well for a while but now the packet has changed a little and is getting through again. Whereas it was sending "....getstatus" before, it is now sending "....getstatus." (adding an extra "." on the end).

Would it be possible to add additional lines in packet.dat to filter it with the additional character?


 
 Post subject: Re: SOF2 DoS patch
Posted: 24 Jan 2011 03:48

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
what do you mean? you are saying you do not understand the example that Luigi gave you?
you just add another . (dot) and that's it, you are done.


Code:
ff ff ff ff 67 65 74 73 74 61 74 75 73 ff            ....getstatus.


 
 Post subject: Re: SOF2 DoS patch
Posted: 24 Jan 2011 03:59

Joined: 09 Jan 2011 16:38
Posts: 6
No it worked fine until they added the dot. To add more filters would I just add another line in the dat file?

example:
Code:
ff ff ff ff 67 65 74 73 74 61 74 75 73             ....getstatus
ff ff ff ff 67 65 74 73 74 61 74 75 73 ff            ....getstatus.


Also, does this filter only inbound? Or would I be able to stop the response in the event they are sending malformed packets?


 
 Post subject: Re: SOF2 DoS patch
Posted: 24 Jan 2011 15:09

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the filter blocks incoming packets; anyway it blocks anything starting with the data you have placed in packet.dat so yyyygetstatusblahblahblah gets filtered too, that's why I don't understand why you have this problem


 
 Post subject: Re: SOF2 DoS patch
Posted: 24 Jan 2011 15:21

Joined: 09 Jan 2011 16:38
Posts: 6
Well it worked fine for two weeks and then quit working for a few days. I rebooted the box and now it has been working again for several days. I will continue to monitor and see if I can figure out what is going on.

Thanks for all the help Aluigi!!


 
 Post subject: Re: SOF2 DoS patch
Posted: 25 Jan 2011 12:51

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok so it seems that I will need to fix something in future because it's not good that after 2 weeks it is necessary to restart the server.
ok it's not such a bad thing (2 weeks is a lot) but I will work on it... but don't know when :(


 
 Post subject: Re: SOF2 DoS patch
Posted: 22 Feb 2011 21:52

Joined: 22 Feb 2011 21:49
Posts: 1
I implemented this patch and it prevents programs like hlsw and also the game browser from seeing the window. Is it possible to limit this to a number of requests per second and then if they exceed that then block that IP, or is it an all or nothing type thing?

George


 
 Post subject: Re: SOF2 DoS patch
Posted: 22 Feb 2011 22:27

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
did you use playerlimiter or playerlimitermax?
the second one is usually better.

anyway if you talk specifically about this getinfo/getstatus problem remember that playerlimiter is NOT designed for it, but if you want to use it and you want to modify the current max 3 packets each 30 seconds, open myproxocket.dll of playerslimitermax with a hex editor and go to offset 0x791 where you will find 0x1d; replace it with the number of seconds you desire like 1 or 2.


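Added example, not part of the original thread and not proxocket's own code: a C sketch of the two behaviours discussed above, the prefix match that makes a second "getstatus." pattern unnecessary, and a per-address limit so that server browsers still get answers. The function names, the table size and the fixed-window counting are assumptions; only the byte pattern and the 3-per-30-seconds figure come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pattern from the thread's packet.dat: ff ff ff ff "getstatus". */
static const unsigned char PREFIX[] = {0xff,0xff,0xff,0xff,'g','e','t','s','t','a','t','u','s'};
/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_DOT[] = {0xff,0xff,0xff,0xff,'g','e','t','s','t','a','t','u','s',0xff};
static const unsigned char PKT_INFO[] = {0xff,0xff,0xff,0xff,'g','e','t','i','n','f','o'};

#define MAX_PACKETS 3    /* "max 3 packets each 30 seconds" from the thread */
#define WINDOW_SECS 30
#define SLOTS 256        /* hypothetical table size */

struct slot { uint32_t ip; long start; int count; };
static struct slot table[SLOTS];

/* Prefix match: any packet that begins with PREFIX matches, whatever follows. */
int matches_prefix(const unsigned char *pkt, size_t len)
{
    return len >= sizeof(PREFIX) && memcmp(pkt, PREFIX, sizeof(PREFIX)) == 0;
}

/* Returns 1 if the packet should be dropped, 0 if it should reach the server. */
int should_drop(uint32_t src_ip, const unsigned char *pkt, size_t len, long now)
{
    if (!matches_prefix(pkt, len))
        return 0;                                  /* other traffic is untouched */
    /* One slot per hash bucket; a colliding address evicts the old entry. */
    struct slot *s = &table[(uint32_t)(src_ip * 2654435761u) >> 24];
    if (s->ip != src_ip || now - s->start >= WINDOW_SECS) {
        s->ip = src_ip;                            /* start a new window */
        s->start = now;
        s->count = 0;
    }
    if (s->count >= MAX_PACKETS)
        return 1;                                  /* over the limit: drop */
    s->count++;
    return 0;
}

int main(void)
{
    uint32_t ip = 0x0A000001;                      /* constructed address 10.0.0.1 */
    for (long t = 100; t < 105; t++)
        printf("t=%ld drop=%d\n", t, should_drop(ip, PKT_DOT, sizeof(PKT_DOT), t));
    printf("getinfo drop=%d\n", should_drop(ip, PKT_INFO, sizeof(PKT_INFO), 105));
    return 0;
}
```

Counting per source address only protects the game process: UDP source addresses can be forged, and, as noted earlier in the thread, dropping packets on the host does not relieve saturation of the line.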
 