DoS attack?

Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

DoS attack?

Post by Barbie »

I just experienced a server crash. The important part of the server's log:
Open MyLevel Sun Mar 18 00:32:50 2018 194.187.249.30:23607
NotifyAcceptingChannel Control 0 server Level MH-ATAA0Plus.MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
Level server received: LOGIN RESPONSE=-1302142376 URL=?Class=%n%n%n%n%s%s%n%n%s%s
Client passed challenge
Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
Level server received: PETE PKT=1 PKG=1
Level server received: REPEAT
Level server received: CRITOBJCNT 1
Level server received: JOIN
Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]
Aborting.
Exiting.
Name subsystem shut down
Allocation checking disabled
Is that a fake client connecting with invalid parameters? (I have found "Unreal engine basic client and Fake Players DoS 0.1.1 by Luigi Auriemma" for example on my web based search.)
If it is a DoS attack, how to fend it off? Does "ServerCrashFix_v10" help?
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
Higor
Godlike
Posts: 1866
Joined: Sun Mar 04, 2012 6:47 pm

Re: DoS attack?

Post by Higor »

What's your UT server setup?
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: DoS attack?

Post by Barbie »

Mutators are: MapPatcherSvr, MapVoteULv1_2, SBMutatorFastWarShell-V4

ServerActors in [Engine.GameEngine] are:
ServerActors=IpDrv.UdpBeacon
ServerActors=IpServer.UdpServerQuery
ServerActors=IpServer.UdpServerUplink MasterServerAddress=unreal.epicgames.com MasterServerPort=27900 DoUplink=True
ServerActors=IpServer.UdpServerUplink MasterServerAddress=master.333networks.com MasterServerPort=27900 DoUplink=True
ServerActors=IpServer.UdpServerUplink MasterServerAddress=master.oldunreal.com MasterServerPort=27900 DoUplink=True
ServerActors=ipToCountry.LinkActor
ServerActors=Nexgen112.NexgenActor
ServerActors=ServerAdds.ServerAdds
Or what did you mean with "setup"?
Dizzy
Experienced
Posts: 109
Joined: Tue May 21, 2013 3:57 pm
Personal rank: Oaf

Re: DoS attack?

Post by Dizzy »

Same issue here. My log is a lot less verbose but it's the same exploit:

Code: Select all

Open MyLevel Sat Mar 17 23:35:07 2018 194.187.249.30:23625
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]
@Barbie: how did you make your log more verbose, please?
Join the BunnyTrack.net Discord chat server: https://www.bunnytrack.net/discord
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: DoS attack?

Post by Barbie »

It is the same IP; it is also blacklisted at some places. :satan:
Dizzy wrote:how did you make your log more verbose, please?
Oh, I did nothing to make it more verbose. If yours is a windows server: maybe the logging is different for windows and linux?
Higor
Godlike
Posts: 1866
Joined: Sun Mar 04, 2012 6:47 pm

Re: DoS attack?

Post by Higor »

Any reason to not use XC_Engine or SCF?
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: DoS attack?

Post by Barbie »

Higor wrote:Any reason to not use XC_Engine?
Some months ago I tried XC_Engine and the first map the server loaded was accidentally MH-Crescendo with more than 1000 monsters, which meant that login was not possible anymore. So I abandoned usage of XC engine; also because I didn't see a reason to change the current working server setup.
Can XC_Engine protect against invalid login strings?
Higor wrote:Any reason to not use SCF?
What is SCF? :omfg:


PS: The file "https://dl.dropboxusercontent.com/u/58384316/Y8qfg.gif" given in your signature is not accessible.
Chamberly
Godlike
Posts: 1963
Joined: Sat Sep 17, 2011 4:32 pm
Personal rank: Dame. Vandora
Location: TN, USA

Re: DoS attack?

Post by Chamberly »

Barbie wrote:
Higor wrote:Any reason to not use XC_Engine?
Some months ago I tried XC_Engine and the first map the server loaded was accidentally MH-Crescendo with more than 1000 monsters, which meant that login was not possible anymore. So I abandoned usage of XC engine; also because I didn't see a reason to change the current working server setup.
Can XC_Engine protect against invalid login strings?
Higor wrote:Any reason to not use SCF?
What is SCF? :omfg:


PS: The file "https://dl.dropboxusercontent.com/u/58384316/Y8qfg.gif" given in your signature is not accessible.
Server Crash Fix: unrealtournament.99.free.fr/utfiles/index.php?dir=Patches/&file=ServerCrashFix_v11.zip

Have you tried the latest XC_Engine version?
Edit: Why does my sig not work anymore?
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: DoS attack?

Post by sektor2111 »

Logging everything (or not) depends on how server thread is killed, server can log every line into file or simply log will look like broken.
Exploit in cause is probably a new hybrid based on some flaws like that older from (original 436 Linux) Core.so file - a Linux issue, btw - and unreliable buffer exploit is another one.
However these can be mitigated by XCGE (I'm using it) of course with some hooks disabled and... without some of those tweaks which are not intended to fix critical things. Yeah, in using XCGE is a bit of tricky setup but in Win-doze it does a good job so far - all right, IpToCountry.... :? probably will no longer be useful... - a bit disturbing for me...
Because you were speaking about DDoS, ummm, I think you should look here where you can figure some "creativity". It's about how to weaponize a default web-server. Your issue, that is an exploit-crash, without XCGE you will want to block entire IP range which was attacking...
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: DoS attack?

Post by Barbie »

Ahhh, SCF means "ServerCrashFix"... :D

Thanks for the hint; I tried the exploit without and with ServerCrashFix_v11 (192.168.1.155 is the linux test server in my LAN):

Code: Select all

192.168.1.12:~TMP$ ./Exploit30299 -l Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s 192.168.1.155 7777
Without SCF - crash:
NotifyAcceptingConnection: Server MyLevel accept
Open MyLevel Mon Mar 19 09:55:07 2018 192.168.1.12:32235
NotifyAcceptingChannel Control 0 server Level TestmapV1(SB).MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
Level server received: LOGIN RESPONSE=-1271577611 URL=Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Client passed challenge
Login request: Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Level server received: PETE PKT=1 PKG=1
Level server received: REPEAT
Level server received: CRITOBJCNT 1
Level server received: JOIN
Join request: Index.unr?Name=?Class=%n%n%n%n%s%s%n%n%s%s
Failed to load 'NULL': Can't resolve package name
Signal: SIGSEGV [segmentation fault]
Aborting.
Exiting.
Name subsystem shut down
With SCF - server stays alive:
NotifyAcceptingConnection: Server MyLevel accept
Open MyLevel Mon Mar 19 10:00:32 2018 192.168.1.12:32304
NotifyAcceptingChannel Control 0 server Level TestmapV1(SB).MyLevel: Accepted
Level server received: HELLO REVISION=0 MINVER=432 VER=451
================================================================================
[SCF] A player has been prevented access from the server.
[SCF] Player IP -> 192.168.1.12
[SCF] Reason -> Illegal Login Response URL: Index.unr?Class=%n%n%n%n%s%s%n%n%s%s (Possible Malformed String Exploit)
================================================================================
Close TcpipConnection1 Mon Mar 19 10:00:32 2018
Dizzy
Experienced
Posts: 109
Joined: Tue May 21, 2013 3:57 pm
Personal rank: Oaf

Re: DoS attack?

Post by Dizzy »

This is a great example of why there needs to be a list of essential mods for modern UT servers.

Years ago I asked on this very forum about "best practices" for setting up a server and didn't get any answers.

Sorry Higor, this was not a helpful response:

Image

Someone (probably me) needs to write a one-page guide on how to set up a secure, high performance UT99 server.
Culprit
Novice
Posts: 9
Joined: Mon Sep 14, 2015 8:22 pm

Re: DoS attack?

Post by Culprit »

I have SCF and XC running. This guy didn't wanna give up. I'm pretty sure I know who it is. Events happened that gave me several good clues.
The reason I say this is because it makes me wonder that it isn't an attack.

I actually believe this guy arranged to meet on the server with another player, who had already joined. For some reason, they couldn't join, as shown below.

Either that or this guy really hates the player who had already joined!

Code: Select all

NetComeGo: Open MyLevel 06/25/18 18:04:07 89.64.0.171:29262
NetComeGo: Open MyLevel 06/25/18 18:04:07 89.64.0.171:29208
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 
NetComeGo: Close XC_TcpipConnection8 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29204
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=306968192 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29246
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection9 06/25/18 18:04:08
DevNet: Level server received: LOGIN RESPONSE=-1331252219 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection10 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29278
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=947133514 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29308
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection11 06/25/18 18:04:08
DevNet: Level server received: LOGIN RESPONSE=-7463384 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection12 06/25/18 18:04:08
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29260
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Open MyLevel 06/25/18 18:04:08 89.64.0.171:29290
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=320434865 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection13 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=-1595281407 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection14 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29282
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=152958213 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29224
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection15 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=-1503444611 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection16 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29244
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=732130153 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29238
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
NetComeGo: Close XC_TcpipConnection17 06/25/18 18:04:09
DevNet: Level server received: LOGIN RESPONSE=1322574466 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet: Join request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Join failure: [XCGE] No player name in login request
NetComeGo: Close XC_TcpipConnection18 06/25/18 18:04:09
NetComeGo: Open MyLevel 06/25/18 18:04:09 89.64.0.171:29280
DevNet: NotifyAcceptingChannel Control 0 server Level CTF-BT-II-no078eursee2r.MyLevel: Accepted
DevNet: Level server received: HELLO REVISION=0 MINVER=432 VER=451
DevNet: Level server received: LOGIN RESPONSE=1384097415 URL=?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: Client passed challenge
DevNet: Login request: ?Class=%n%n%n%n%s%s%n%n%s%s
DevNet: PreLogin failure: XCGE Denied ()
DevNet .... And so on..
Edit by papercoffee
papercoffee
Godlike
Posts: 10443
Joined: Wed Jul 15, 2009 11:36 am
Personal rank: coffee addicted !!!
Location: Cologne, the city with the big cathedral.

Re: DoS attack?

Post by papercoffee »

Please put long logs into a code tag.
My mouse wheel will be thankful.
$carface
Skilled
Posts: 212
Joined: Sat Jul 23, 2011 10:58 pm

Re: DoS attack?

Post by $carface »

Viewing on mobile here, looks like a DoS to me. Most likely unreliable_adv
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: DoS attack?

Post by sektor2111 »

Unreliable buffer is different, this is "class exploit" crash. Happens without XC SCF in Linux 436 servers using a borked Core.So file. Such a crash is available when a decal class or mover class attempts to join so to speak UT can be crashed by self content - LOL Loki. However this is more evil than that and probably can do more damage.

Admin should firewall this IP class range, things are harder for rented "managed" services where you cannot control stuff as you like. I do not have a clue why you are not supposed to be able to access sort of firewall for your server for keeping turds away. UT's banning system is poor and probably such exploits are reaching to server before to be rejected by policies. I did not test that... but I assume that first the guy should have some data in order to be checked if Server allows him or not, and while attempts to join like that, server is crashing before to complete policies checks...

Maybe Higor wants to help here with a prelogin stuff with way more locations defined in a sort of INI file (dynamic array like for XC_Actors) where admin can load IP ranges that are rejected before to do more damage...
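
Added example, not part of the thread and not code from SCF or XC_Engine: a log scan that finds the malformed login URLs shown in the logs above and turns the source addresses into ranges for a firewall rule. The function names, the /24 prefix and the documentation-range IPs in the sample are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Connection-open line, with or without the "NetComeGo: " prefix seen in the thread.
OPEN_RE = re.compile(r"Open MyLevel .* (\d{1,3}(?:\.\d{1,3}){3}):\d+\s*$")
# Login line, with or without the "DevNet: " prefix.
LOGIN_RE = re.compile(r"Level server received: LOGIN RESPONSE=\S+ URL=(.*)$")
# printf-style specifiers as logged in the URL. n, s, x and p are not hex
# digits, so ordinary percent-encoding such as %20 never matches.
FORMAT_SPEC_RE = re.compile(r"%[nsxp]")


def malformed_logins(lines):
    """Count LOGIN lines carrying format specifiers, keyed by source IP.

    The LOGIN line has no address, so it is attributed to the most recent
    "Open" line; with interleaved connections this is only a heuristic.
    """
    hits = Counter()
    last_ip = None
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            last_ip = m.group(1)
            continue
        m = LOGIN_RE.search(line)
        if m and FORMAT_SPEC_RE.search(m.group(1)):
            hits[last_ip or "unknown"] += 1
    return hits


def block_candidates(hits, min_hits=1, prefix=24):
    """Collapse offending IPs into networks (the prefix length is an assumption)."""
    nets = {
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for ip, n in hits.items()
        if ip != "unknown" and n >= min_hits
    }
    return sorted(str(net) for net in nets)


# Constructed sample modelled on the log format in this thread (documentation IPs).
SAMPLE_LOG = """\
Open MyLevel Sun Mar 18 00:32:50 2018 203.0.113.30:23607
Level server received: HELLO REVISION=0 MINVER=432 VER=451
Level server received: LOGIN RESPONSE=-1 URL=?Class=%n%n%n%n%s%s%n%n%s%s
NetComeGo: Open MyLevel 06/25/18 18:04:08 198.51.100.7:29204
DevNet: Level server received: LOGIN RESPONSE=1 URL=Index.unr?Name=Player%20One?Class=Botpack.TMale1
NetComeGo: Open MyLevel 06/25/18 18:04:09 203.0.113.99:29282
DevNet: Level server received: LOGIN RESPONSE=2 URL=?Class=%n%n%n%n%s%s%n%n%s%s
""".splitlines()

if __name__ == "__main__":
    print(block_candidates(malformed_logins(SAMPLE_LOG)))
```

Only the LOGIN line is counted, because the same URL is repeated in the "Login request" and "Join request" lines that follow it.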