DoS attack?


Postby Barbie » Sun Mar 18, 2018 1:12 am

I just experienced a server crash. The important part of server's log:
Open MyLevel Sun Mar 18 00:32:50 2018 194.187.249.30:23607
NotifyAcceptingChannel Control 0 server Level MH-ATAA0Plus.MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
Level server received: LOGIN RESPONSE=-1302142376 URL=?Class=%n%n%n%n%s%s%n%n%s%s
Client passed challenge
Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
Level server received: PETE PKT=1 PKG=1
Level server received: REPEAT
Level server received: CRITOBJCNT 1
Level server received: JOIN
Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]
Aborting.
Exiting.
Name subsystem shut down
Allocation checking disabled
Is that a fake client connecting with invalid parameters? (I have found "Unreal engine basic client and Fake Players DoS 0.1.1 by Luigi Auriemma" for example on my web based search.)
If it is a DoS attack, how to fend it off? Does "ServerCrashFix_v10" help?
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
Barbie
Godlike
 
Posts: 1523
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: DoS attack?

Postby Higor » Sun Mar 18, 2018 5:42 am

What's your UT server setup?
Higor
Godlike
 
Posts: 1639
Joined: Sun Mar 04, 2012 6:47 pm

Re: DoS attack?

Postby Barbie » Sun Mar 18, 2018 3:26 pm

Mutators are: MapPatcherSvr, MapVoteULv1_2, SBMutatorFastWarShell-V4

ServerActors in [Engine.GameEngine] are:
ServerActors=IpDrv.UdpBeacon
ServerActors=IpServer.UdpServerQuery
ServerActors=IpServer.UdpServerUplink MasterServerAddress=unreal.epicgames.com MasterServerPort=27900 DoUplink=True
ServerActors=IpServer.UdpServerUplink MasterServerAddress=master.333networks.com MasterServerPort=27900 DoUplink=True
ServerActors=IpServer.UdpServerUplink MasterServerAddress=master.oldunreal.com MasterServerPort=27900 DoUplink=True
ServerActors=ipToCountry.LinkActor
ServerActors=Nexgen112.NexgenActor
ServerActors=ServerAdds.ServerAdds
Or what did you mean with "setup"?

Re: DoS attack?

Postby Dizzy » Sun Mar 18, 2018 8:11 pm

Same issue here. My log is a lot less verbose but it's the same exploit:

Code: Select all
Open MyLevel Sat Mar 17 23:35:07 2018 194.187.249.30:23625
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]


@Barbie: how did you make your log more verbose, please?
Join our UT Discord chat server: https://www.bunnytrack.net/discord
Dizzy
Experienced
 
Posts: 82
Joined: Tue May 21, 2013 3:57 pm
Personal rank: Somewhere above oaf

Re: DoS attack?

Postby Barbie » Sun Mar 18, 2018 9:30 pm

It is the same IP; it is also blacklisted at some places. :satan:
Dizzy wrote:how did you make your log more verbose, please?
Oh, I did nothing to make it more verbose. If yours is a Windows server: maybe the logging is different for Windows and Linux?

Re: DoS attack?

Postby Higor » Sun Mar 18, 2018 11:57 pm

Any reason to not use XC_Engine or SCF?

Re: DoS attack?

Postby Barbie » Mon Mar 19, 2018 2:02 am

Higor wrote:Any reason to not use XC_Engine?
Some months ago I tried XC_Engine and the first map the server loaded was accidentally MH-Crescendo with more than 1000 monsters which caused that login was not possible anymore. So I abandoned usage of XC engine; also because I didn't see a reason to change the current working server setup.
Can XC_Engine protect against invalid login strings?

Higor wrote:Any reason to not use SCF?
What is SCF? :omfg:


PS: The file "https://dl.dropboxusercontent.com/u/58384316/Y8qfg.gif" given in your signature is not accessible.

Re: DoS attack?

Postby Chamberly » Mon Mar 19, 2018 5:57 am

Barbie wrote:
Higor wrote:Any reason to not use XC_Engine?
Some months ago I tried XC_Engine and the first map the server loaded was accidentally MH-Crescendo with more than 1000 monsters which caused that login was not possible anymore. So I abandoned usage of XC engine; also because I didn't see a reason to change the current working server setup.
Can XC_Engine protect against invalid login strings?

Higor wrote:Any reason to not use SCF?
What is SCF? :omfg:


PS: The file "https://dl.dropboxusercontent.com/u/58384316/Y8qfg.gif" given in your signature is not accessible.


Server Crash Fix: unrealtournament.99.free.fr/utfiles/index.php?dir=Patches/&file=ServerCrashFix_v11.zip

Have you tried the latest XC_Engine version?
irc.globalgamers.net #uscript
http://irc.lc/globalgamers/uscript
Chamberly
Godlike
 
Posts: 1624
Joined: Sat Sep 17, 2011 4:32 pm
Location: TN, USA
Personal rank: Dame. Vandora

Re: DoS attack?

Postby sektor2111 » Mon Mar 19, 2018 7:36 am

Logging everything (or not) depends on how server thread is killed, server can log every line into file or simply log will look like broken.
Exploit in cause is probably a new hybrid based on some flaws like that older from (original 436 Linux) Core.so file - a Linux issue, btw - and unreliable buffer exploit is another one.
However these can be mitigated by XCGE (I'm using it) of course with some hooks disabled and... without some of those tweaks which are not intended to fix critical things. Yeah, in using XCGE is a bit of tricky setup but in Win-doze it does a good job so far - all right, IpToCountry.... :? probably will no longer be useful... - a bit disturbing for me...
Because you were speaking about DDoS, ummm, I think you should look here where you can figure some "creativity". It's about how to weaponize a default web-server. Your issue, that is an exploit-crash, without XCGE you will want to block entire IP range which was attacking...
sektor2111
Godlike
 
Posts: 3554
Joined: Sun May 09, 2010 6:15 pm
Location: vect(1,1,1)

Re: DoS attack?

Postby Barbie » Mon Mar 19, 2018 10:16 am

Ahhh, SCF means "ServerCrashFix"... :D

Thanks for the hint; I tried the exploit without and with ServerCrashFix_v11 (192.168.1.155 is the Linux test server in my LAN):
Code: Select all
192.168.1.12:~TMP$ ./Exploit30299 -l Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s 192.168.1.155 7777


Without SCF - crash:
NotifyAcceptingConnection: Server MyLevel accept
Open MyLevel Mon Mar 19 09:55:07 2018 192.168.1.12:32235
NotifyAcceptingChannel Control 0 server Level TestmapV1(SB).MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
Level server received: LOGIN RESPONSE=-1271577611 URL=Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Client passed challenge
Login request: Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Level server received: PETE PKT=1 PKG=1
Level server received: REPEAT
Level server received: CRITOBJCNT 1
Level server received: JOIN
Join request: Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]
Aborting.
Exiting.
Name subsystem shut down


With SCF - server stays alive:
NotifyAcceptingConnection: Server MyLevel accept
Open MyLevel Mon Mar 19 10:00:32 2018 192.168.1.12:32304
NotifyAcceptingChannel Control 0 server Level TestmapV1(SB).MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
================================================================================
[SCF] A player has been prevented access from the server.
[SCF] Player IP -> 192.168.1.12
[SCF] Reason -> Illegal Login Response URL: Index.unr?Class=%n%n%n%n%s%s%n%n%s%s (Possible Malformed String Exploit)
================================================================================
Close TcpipConnection1 Mon Mar 19 10:00:32 2018

Re: DoS attack?

Postby Dizzy » Wed Mar 21, 2018 7:10 pm

This is a great example of why there needs to be a list of essential mods for modern UT servers.

Years ago I asked on this very forum about "best practices" for setting up a server and didn't get any answers.

Sorry Higor, this was not a helpful response:

Image

Someone (probably me) needs to write a one-page guide on how to set up a secure, high performance UT99 server.

Re: DoS attack?

Postby Culprit » Mon Jun 25, 2018 8:31 pm

I have SCF and XC running. This guy didn't wanna give up. I'm pretty sure I know who it is. Events happened that gave me several good clues.
The reason I say this is because it makes me wonder that it isn't an attack.

I actually believe this guy arranged to meet on the server with another player, who had already joined. For some reason, they couldn't join, as shown below.

Either that or this guy really hates the player who had already joined!

Code: Select all
NetComeGo: Open MyLevel 06/25/18 18:04:07 89.64.0.171:29262
NetComeGo: Open MyLevel 06/25/18 18:04:07 89.64.0.171:29208
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0
NetComeGo: Close XC_TcpipConnection8 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29204
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=306968192 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29246
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection9 06/25/18 18:04:08
DevNet: Level server received: LOGIN RESPONSE=-1331252219 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection10 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29278
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=947133514 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29308
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection11 06/25/18 18:04:08
DevNet: Level server received: LOGIN RESPONSE=-7463384 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection12 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29260
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29290
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=320434865 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection13 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=-1595281407 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection14 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29282
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=152958213 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29224
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection15 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=-1503444611 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection16 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29244
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=732130153 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29238
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection17 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=1322574466 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection18 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29280
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=1384097415 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet .... And so on..


Edit by papercoffee
Culprit
Novice
 
Posts: 9
Joined: Mon Sep 14, 2015 8:22 pm

Re: DoS attack?

Postby papercoffee » Mon Jun 25, 2018 9:26 pm

Please put long logs into a code tag.
My mouse wheel will be thankful.
papercoffee
Site Staff
 
Posts: 8835
Joined: Wed Jul 15, 2009 11:36 am
Location: Cologne, the city with the big cathedral.
Personal rank: coffee addicted !!!

Re: DoS attack?

Postby $carface » Tue Jun 26, 2018 1:27 am

Viewing on mobile here, looks like a DOS to me. Most likely unreliable_adv
$carface
Skilled
 
Posts: 203
Joined: Sat Jul 23, 2011 10:58 pm

Re: DoS attack?

Postby sektor2111 » Tue Jun 26, 2018 6:11 am

Unreliable buffer is different, this is "class exploit" crash. Happens without XC SCF in Linux 436 servers using a borked Core.So file. Such a crash is available when a decal class or mover class attempts to join so to speak UT can be crashed by self content - LOL Loki. However this is more evil than that and probably can do more damage.

Admin should firewall this IP class range, things are harder for rented "managed" services where you cannot control stuff as you like. I do not have a clue why you are not supposed to be able to access sort of firewall for your server for keeping turds away. UT's banning system is poor and probably such exploits are reaching to server before to be rejected by policies. I did not test that... but I assume that first the guy should have some data in order to be checked if Server allows him or not, and while attempts to join like that, server is crashing before to complete policies checks...

Maybe Higor wants to help here with a prelogin stuff with way more locations defined in a sort of INI file (dynamic array like for XC_Actors) where admin can load IP ranges that are rejected before to do more damage...
sektor2111
Godlike
 
Posts: 3554
Joined: Sun May 09, 2010 6:15 pm
Location: vect(1,1,1)
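
The three log shapes posted in this thread (an unpatched crash, an SCF rejection and an XCGE denial) can be scanned for the same login URL pattern and tallied per source address, which gives the list to feed the firewall block suggested above. This is an added example, not part of any post and not code from SCF or XCGE; the sample log, the `%XX` heuristic and the function names are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample modelled on the three log shapes quoted in this thread.
# Addresses are documentation ranges; the last URL is a constructed benign login.
SAMPLE_LOG = """\
Open MyLevel Sun Mar 18 00:32:50 2018 192.0.2.10:23607
Level server received: LOGIN RESPONSE=-1302142376 URL=?Class=%n%n%n%n%s%s%n%n%s%s
Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
Signal: SIGSEGV [segmentation fault]
Open MyLevel Mon Mar 19 10:00:32 2018 192.0.2.10:32304
[SCF] Reason -> Illegal Login Response URL: Index.unr?Class=%n%n%s%s (Possible Malformed String Exploit)
NetComeGo: Open MyLevel 06/25/18 18:04:08 198.51.100.7:29204
DevNet: Level server received: LOGIN RESPONSE=306968192 URL=?Class=%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
NetComeGo: Open MyLevel 06/25/18 18:05:10 203.0.113.5:40100
DevNet: Level server received: LOGIN RESPONSE=77 URL=Index.unr?Name=Some%20Player
"""

PREFIX = r"^(?:\w+: )?"  # optional log category such as "DevNet: "
OPEN_RE = re.compile(PREFIX + r"Open \S+ .*?(\d{1,3}(?:\.\d{1,3}){3}):\d+\s*$")
LOGIN_RE = re.compile(PREFIX + r"Level server received: LOGIN RESPONSE=-?\d+ URL=(.*)$")
SCF_RE = re.compile(r"\[SCF\] Reason -> Illegal Login Response URL: (.*?) \(")
# Heuristic (assumption): any '%' that does not begin a %XX hex escape is treated
# as a printf-style conversion such as %n or %s.
RAW_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

def find_suspicious_logins(log_text):
    """Return one event per login flagged here or already rejected by SCF."""
    events, last_ip = [], None
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            # LOGIN lines carry no address, so attribute them to the most recent
            # Open line; interleaved connections from different hosts can blur this.
            last_ip = m.group(1)
            continue
        m = SCF_RE.search(line)
        if m:
            events.append({"ip": last_ip, "url": m.group(1), "outcome": "denied"})
            continue
        m = LOGIN_RE.match(line)
        if m and RAW_PERCENT.search(m.group(1)):
            events.append({"ip": last_ip, "url": m.group(1), "outcome": "unknown"})
        elif events and events[-1]["outcome"] == "unknown":
            if "SIGSEGV" in line:
                events[-1]["outcome"] = "crash"
            elif "XCGE Denied" in line:
                events[-1]["outcome"] = "denied"
    return events

def offenders(events):
    """Count flagged logins per source address, for a firewall block list."""
    return Counter(e["ip"] for e in events if e["ip"])
```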
