
New Exploit ReHLDS ? #1054

Open
wilianmaique opened this issue Oct 5, 2024 · 46 comments
Labels
Engine: ⚙️ Independent Case do not refer to any Engine. OS: 💻 Independent Case do not refer to any OS. Priority: ⚠️ medium Medium priority tasks that should be addressed soon. Status: 🗣️ needs feedback Comments or feedback needed from the community or team. Type: 🔒 security Vulnerabilities or issues related to security.

Comments

@wilianmaique

I'm receiving an 'attack', but it's not a DDoS. As soon as the attack happens, I quickly restart the map, and the attack disappears instantly, which confirms it's some kind of 'exploit', but I still don't have enough details.

Note: It's a '4fun' server with not many plugins, and none of the plugins increase the ping, etc.

I'm posting here to see if anyone has more details.

@HypeGfx

HypeGfx commented Oct 8, 2024

Yeah, this is a new exploit; I experienced it too recently...

@wilianmaique
Author

wilianmaique commented Oct 8, 2024

Yeah, this is a new exploit; I experienced it too recently...

Do you know any way to block it, etc.?

@SmilexGamer

Logs would be helpful.

@wilianmaique
Author

SmilexGamer

I don't have logs; it's an exploit, hard to know.

@SmilexGamer

SmilexGamer commented Oct 8, 2024

SmilexGamer

I don't have logs; it's an exploit, hard to know.

With no logs, there's not much the devs can do to fix this. Try intercepting the packets at the time of the attack.

@HypeGfx

HypeGfx commented Oct 9, 2024

Ok, I'm not certain if this will fix it, but try to check your mp_consistency and set it to 1... I'm just changing a lot of ConVars, desperate to find a reason for it... I will reply on this topic in like 12-15 hr...

@rishhh78

rishhh78 commented Oct 9, 2024

Let me explain the issue...

Basically what happens is, a player does something (I have no idea what), but it happens when he is in the server (it's most likely related to the map thingy, I guess), so server resources get utilized to the maximum and players start to lag badly, as if it's like some DDoS attack.... Server memory ramps up at a rapid rate as well..

I got one report here, not sure if it's related to that one: https://hernan.de/blog/lock-and-load-exploiting-counter-strike-via-bsp-map-files/ (exploit from 2017)

@SmilexGamer

Let me explain the issue...

Basically what happens is, a player does something (I have no idea what), but it happens when he is in the server (it's most likely related to the map thingy, I guess), so server resources get utilized to the maximum and players start to lag badly, as if it's like some DDoS attack.... Server memory ramps up at a rapid rate as well..

I got one report here, not sure if it's related to that one: https://hernan.de/blog/lock-and-load-exploiting-counter-strike-via-bsp-map-files/ (exploit from 2017)

That's an exploit regarding arbitrary code execution, in which a malicious actor would infect a BSP map. This is totally not the same.

@di57inct

di57inct commented Oct 9, 2024

Try setting sv_send_logos 0 and sv_allowupload 0, and if you're using fast download, sv_allowdownload 0. There's also sv_allow_dlfile too, but I don't know what that does exactly. Do some research.

@HypeGfx

HypeGfx commented Oct 9, 2024

Try setting sv_send_logos 0 and sv_allowupload 0, and if you're using fast download, sv_allowdownload 0. There's also sv_allow_dlfile too, but I don't know what that does exactly. Do some research.

I will try these.. thank you

@wilianmaique
Author

Try setting sv_send_logos 0 and sv_allowupload 0, and if you're using fast download, sv_allowdownload 0. There's also sv_allow_dlfile too, but I don't know what that does exactly. Do some research.

Not resolved.

@di57inct

Have you tried setting sv_allow_dlfile 0 too?
Have you messed with any of these cvars?:
(screenshot attachment: Screenshot_20241010_212654_Chrome)

@wilianmaique
Author

sv_net_incoming_decompression "1"
sv_net_incoming_decompression_max_ratio "80.0"
sv_net_incoming_decompression_max_size "65536"
sv_net_incoming_decompression_punish "-1"
sv_allowupload "0"
sv_send_logos "0"
sv_allowdownload "0"
sv_allow_dlfile "0"
syserror_logfile "addons/amxmodx/logs/sys_error.log"
sv_rehlds_hull_centering "1"
sv_force_ent_intersection "1"
sv_delayed_spray_upload "1"
sv_echo_unknown_cmd "1"
sv_rehlds_local_gametime "1"
sv_rehlds_movecmdrate_max_avg "40000"
sv_rehlds_movecmdrate_avg_punish "-1"
sv_rehlds_movecmdrate_max_burst "40000"
sv_rehlds_movecmdrate_burst_punish "-1"
sv_rehlds_stringcmdrate_max_avg "40000"
sv_rehlds_stringcmdrate_avg_punish "-1"
sv_rehlds_stringcmdrate_max_burst "40000"
sv_rehlds_stringcmdrate_burst_punish "-1"
sv_rehlds_attachedentities_playeranimationspeed_fix "1"
sv_rehlds_force_dlmax "1"
sv_auto_precache_sounds_in_models "1"
sv_usercmd_custom_random_seed "1"
fps_max "1000"
sys_ticrate "1000"
max_queries_sec_global "10"
max_queries_window "1"
max_queries_sec "1.0"
mp_consistency "1"

@di57inct

Try removing or commenting them out from the cfg and using the default values.

@rishhh78

Well, regarding the exploit of rehlds, it's so hard to determine the cause for these DDoS-similar scenarios... What happens is, when the person triggers the exploit, server memory ramps up like crazy... I did a PCAP of everything and even sent my results to the host of the server, but the VAC team of the host mentioned there was no DDoS attack... No matter what change in ConVars I do, the exploit doesn't get fixed...

@SmilexGamer

Well, regarding the exploit of rehlds, it's so hard to determine the cause for these DDoS-similar scenarios... What happens is, when the person triggers the exploit, server memory ramps up like crazy... I did a PCAP of everything and even sent my results to the host of the server, but the VAC team of the host mentioned there was no DDoS attack... No matter what change in ConVars I do, the exploit doesn't get fixed...

Probably worth sending those network captures here and server logs if possible.

@mlibre2

mlibre2 commented Oct 13, 2024

Maybe "reunion" will help mitigate it.

@rishhh78

@mlibre2 No, it does not help... with the latest rehlds and reunion.

@dystopm
Contributor

dystopm commented Oct 16, 2024

If there's no actual proof of the exploit, then you can provide a net dump to analyze the incoming data.

@justgo97

justgo97 commented Oct 23, 2024

What version of ReHLDS are you running? If the latest, try rolling back to older versions; if it's the newest, try updating to the latest version and report back.

@stamepicmorg
Contributor

@wilianmaique hello, please provide more info:

rehlds version \ build number
environment info: os type
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

@bulevar20

bulevar20 commented Oct 27, 2024

Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

@stamepicmorg
Contributor

stamepicmorg commented Oct 27, 2024

bulevar20
Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

@wilianmaique
Author

bulevar20
Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

Everything in the latest stable version...

@dystopm
Contributor

dystopm commented Oct 27, 2024

bulevar20
Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

Everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

@wilianmaique
Author

bulevar20
Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

Everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

You didn't understand: latest stable version, only stable versions; amx 1.10, rehlds, metamod-r, reapi, all in the latest versions.

@dystopm
Contributor

dystopm commented Oct 27, 2024

bulevar20
Just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything;
probably a user is sending some malicious command.

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

Everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

You didn't understand: latest stable version, only stable versions; amx 1.10, rehlds, metamod-r, reapi, all in the latest versions.

build number
installed plugins and versions

This information is requested to generate the record, we cannot depend on the date of your comment, so please, I'll be repeating politely:

version
game version
amxx version
meta list

I don't know if this is about laziness (because yeah, you got the prob, we're not wasting time in searching versions or assuming not-mentioned 3rd-party plugins) or privacy concerns, but I welcome you to the XY problem and why it's important that you abide by our requirements: https://xyproblem.info/

@s1lentq @wopox1337 I think by now it is vastly important to provide a guideline of how to introduce an issue and the basic information that developers need, for archiving and solving. No logs, no net dump, no versions or builds, no plugins details. It's so common now for people to come and yell about a problem demanding support and fixes with poor underlying context.

@wilianmaique
Author

wilianmaique commented Oct 27, 2024

There are no logs, no dumps, there is nothing; that is the case: the server is 'clean', there are almost no plugins, the plugins are made, the issue is precisely that there is no data on the cause, there is no way to guess... Difficult to understand: the 'issue' is precisely to see if anyone is going through this.

@stamepicmorg
Contributor

Please find the opportunity and time to provide answers to the questions.

Your answers are too abstract.

The "latest release" is an uninformative thing.

Thank you for your understanding.

@mlibre2

mlibre2 commented Oct 28, 2024

@wilianmaique In short, the following information is needed to track and/or follow up on the issue...

Important

  • version
  • game version
  • amxx version
  • meta list

Warning

Enter these commands into the server console and comment the returned data here.

Note

For more details, enable these parameters: hlds.exe -dev -condebug, then locate the qconsole.log file and also supply its content.

@ghouls96

The same thing happens to me... I captured packets with tcpdump and I don't find any packet flood, nor any suspicious packets.

Protocol version 48
Exe version 1.1.2.7/Stdio (cstrike)
ReHLDS version: 3.13.0.788-dev
Build date: 07:36:33 Jul 12 2023 (3378)
Build from: f955b07
Currently loaded plugins:
description stat pend file vers src load unload
[ 1] LocalizeBug Fix RUN - localizebugfix_mm_i386.so v2.0 ini Start Never
[ 2] Rechecker RUN - rechecker_mm_i386.so v2.7 ini Chlvl ANY
[ 3] SafeNameAndChat RUN - SafeNameAndChat.so v1.1 ini ANY ANY
[ 4] Reunion RUN - reunion_mm_i386.so v0.2.0.13 ini Start Never
[ 5] AMX Mod X RUN - amxmodx_mm_i386.so v1.10.0.5467 ini Start ANY
[ 6] HitBox Fix RUN - hitbox_fix_mm_i386.so v1.1.2 ini Start ANY
[ 7] ReSemiclip RUN - resemiclip_mm_i386.so v2.3.9 ini Chlvl ANY
[ 8] VoiceTranscoder RUN - VoiceTranscoder.so v2017RC5 ini ANY ANY
[ 9] MySQL RUN - mysql_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[10] Fun RUN - fun_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[11] Engine RUN - engine_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[12] FakeMeta RUN - fakemeta_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[13] GeoIP RUN - geoip_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[14] CStrike RUN - cstrike_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[15] CSX RUN - csx_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[16] Ham Sandwich RUN - hamsandwich_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[17] ReAPI RUN - reapi_amxx_i386.so v5.24.0.300-dev pl5 ANY Never
17 plugins, 17 running

Currently loaded plugins:
id name version author url file status
[ 1] 0 Anti Flood 1.10.0.546 AMXX Dev Team antiflood.a running
[ 2] 1 mdbBans 4.8 Desikac unknown mdbBansEN.a running
[ 3] 2 Spam Blocker v4 1.0 www.4evergaming. spam_blocke running
[ 4] 3 Unreal Demo Plugin 1.63 karaulov unreal_demo running
[ 5] 4 Chat Manager 4.8 OciXCrom crx_chatman running
[ 6] 5 Advanced Vault System 1.5 Destro unknown adv_vault.a running
[ 7] 6 Admin Base 1.10.0.546 AMXX Dev Team admin.amxx running
[ 8] 7 Simple Knife Top 1.1 Destro unknown fakatop_cap running
[ 9] 8 Admin Commands 1.9.0.5271 AMXX Dev Team unknown admincmd.am running
[ 10] 9 Admin Help 1.10.0.546 AMXX Dev Team adminhelp.a running
[ 11] 10 Multi-Lingual System 1.10.0.546 AMXX Dev Team multilingua running
[ 12] 11 Instant AutoTeamBalanc 1.2.0 ConnorMcLeod unknown instant_aut running
[ 13] 12 Menus Front-End 1.10.0.546 AMXX Dev Team menufront.a running
[ 14] 13 Commands Menu 1.10.0.546 AMXX Dev Team cmdmenu.amx running
[ 15] 14 Players Menu 1.10.0.546 AMXX Dev Team plmenu.amxx running
[ 16] 15 Maps Menu 1.10.0.546 AMXX Dev Team mapsmenu.am running
[ 17] 16 Plugin Menu 1.10.0.546 AMXX Dev Team pluginmenu. running
[ 18] 17 Admin Chat 1.10.0.546 AMXX Dev Team adminchat.a running
[ 19] 18 Scrolling Message 1.10.0.546 AMXX Dev Team scrollmsg.a running
[ 20] 19 Info. Messages 1.10.0.546 AMXX Dev Team imessage.am running
[ 21] 20 Admin Votes 1.10.0.546 AMXX Dev Team adminvote.a running
[ 22] 21 Pause Plugins 1.10.0.546 AMXX Dev Team pausecfg.am running
[ 23] 22 Stats Configuration 1.10.0.546 AMXX Dev Team statscfg.am running
[ 24] 23 Restrict Weapons 1.8.2 www.4evergaming. unknown restmenu.am running
[ 25] 24 StatsX 1.10.0.546 AMXX Dev Team statsx.amxx running
[ 26] 25 Spectator Banner Ads 0.1.16 iG_os unknown spec_banner running
[ 27] 26 Accuracy Fix 3.0 Numb unknown accuracy_fi running
[ 28] 27 Sistema de Advertencia 0.2 Mario AR. unknown sistema_de_ running
[ 29] 28 Knife Models 3.1.1 OciXCrom crx_knife_m running
[ 30] 29 Voices Management 1.0.2 www.4evergaming. unknown Voices_Mana running
[ 31] 30 UFPS Map Manager 3.0.3(z) UFPS.Team unknown umm.amxx running
[ 32] 31 UFPS Map Config 1.2 UFPS.Team unknown umm_mapconf running
[ 33] 32 UFPS Lastmap Recovery 1.0 UFPS.Team unknown umm_lastmap stopped
[ 34] 33 UFPS MOTD Notification 1.0 UFPS.Team unknown umm_notific running
[ 35] 34 UFPS Spawn Control 1.1 UFPS.Team unknown umm_spawn_c running
[ 36] 35 Ultimate RSlots 1.0 OneEyed unknown ultimate_rs running
[ 37] 36 Style C4 Timer 3.1 OciXCrom crx_c4timer running
[ 38] 37 AMX Slay Losers 1.1 [email protected] unknown slaylosers. running
[ 39] 38 Steal Frags 1.0 4evergaming steal_frags running
[ 40] 39 Reconnect Features 0.2.4 BETA ConnorMcLeod reconnect_f debug
[ 41] 40 Restrict Weapons 1.8.2 www.4evergaming. unknown RestringirA running
[ 42] 41 Registro de jugadores 1.0 www.4evergaming. unknown registro_ju running
[ 43] 42 Advanced MuteMenu 1.0 www.4evergaming. unknown mutemenu-ad running
[ 44] 43 Menu Rates 1.0 4evergaming unknown menu_rates. running
[ 45] 44 Map Spawns Editor 1.0.16 iG_os unknown Map_Spawns_ running
[ 46] 45 Descriptive Fire in th 0.1 VEN descriptive running
[ 47] 46 Advanced Kill Assists 1.3c Xelson unknown next21_kill running
[ 48] 47 unknown unknown unknown unknown ventas.amxx running
[ 49] 48 unknown unknown unknown unknown reglas.amxx running
[ 50] 49 CS AFK Manager 1.0.6 (amx Freeman unknown afk_manager running
[ 51] 50 Resetscore System 1.0 OciXCrom unknown crx_resetsc running
[ 52] 51 Invisible Spectator 1.0 ReHLDS Team unknown invisible_s running
[ 53] 52 High Ping Kicker (WON) 0.16.2 OLO/shadow unknown high_ping_k running
[ 54] 53 Admin Clexec 0.9.4 default unknown admin_clexe running
[ 55] 54 Enhanced Auto Demo 0.5.1 lonewolf unknown enhanced_au running
[ 56] 55 Lite Admin ESP 1.1 neygomon, AcE unknown admin_esp.a running
[ 57] 56 Spawn Fixer con SC 1.1 GameHost.com.ar unknown spawnfixer. running
[ 58] 57 WarmUP Pro 5.6 Beta ReymonARG unknown warmuppro.a running
[ 59] 58 Parachute Lite [ReAPI] 11.0 Leo_[BH] unknown parachute_l running
[ 60] 59 Menu 1.0 RevCrew menu_skins. running
[ 61] 60 AWP Models 2.1.4 OciXCrom crx_awp_mod running
[ 62] 61 M4A1 Models 2.1.4 OciXCrom crx_ak47_mo running
[ 63] 62 M4A1 Models 2.1.4 OciXCrom crx_m4a1_mo running
[ 64] 63 unknown unknown unknown unknown demos.amxx running
[ 65] 64 Auto datear 1.0 CincoYA.net autodatear. running
[ 66] 65 Autoresponder/Advertis 0.5 MaximusBrood unknown ad_manager. running
[ 67] 66 CincoYA 5.0 CincoYA.net unknown cincoya.amx running
[ 68] 67 In-Game Ads 1.83 stupok unknown in_game_ads running
[ 69] 68 AMX Show IP 1.0 4evergaming unknown amx_showip. running
[ 70] 69 AFK Bomb Transfer 0.4 VEN unknown afkbombtran running
[ 71] 70 amx_cheat 1.0 watch unknown noclip.amxx running
[ 72] 71 Anti-Scroll Fade To Bl 1.2 Pancho.-'+hud;Er unknown anti_scroll running
72 plugins, 71 running

Metamod-r v1.3.0.149, API (5:13)
Metamod-r build: 11:31:17 Apr 23 2024
Metamod-r from: rehlds/Metamod-R@603a257

ddos.zip

@bulevar20

https://www.youtube.com/watch?v=4eLAtaNudT4&t=72s
This guy is the hacker; he claims to be using a "TSourceEngineQuery Exploit", "Sockets Exploit", "WinSock2.h".

@wilianmaique
Author

https://www.youtube.com/watch?v=4eLAtaNudT4&t=72s This guy is the hacker; he claims to be using a "TSourceEngineQuery Exploit", "Sockets Exploit", "WinSock2.h".

It's more or less this attack: I received an attack, restarted the map and it 'returned to normal'.

@Splatt581

The same thing happens to me... I captured packets with tcpdump and I don't find any packet flood, nor any suspicious packets.

Protocol version 48 Exe version 1.1.2.7/Stdio (cstrike) ReHLDS version: 3.13.0.788-dev Build date: 07:36:33 Jul 12 2023 (3378)
ddos.zip

In this packet capture, the attacker uses dlfile command flooding. This attack must be rejected by at least a few checks in rehlds:

  1. Network data decompression protection sv_net_incoming_decompression / sv_net_incoming_decompression_max_ratio. But as I see you are using an old build from July 2023 without these new features. I recommend upgrading to the latest build with these cvars.

  2. String command flood protection sv_rehlds_stringcmdrate_max_avg / sv_rehlds_stringcmdrate_max_burst. What values do you use for these cvars? I recommend setting the default values.

@bulevar20

Please drop a link for 3.14 rehlds.

@bulevar20

bulevar20 commented Nov 20, 2024

     Exe version 1.1.2.7/Stdio (cstrike)
     ReHLDS version: 3.13.0.788-dev
     Build date: 07:36:33 Jul 12 2023 (3378)
     Build from: https://github.com/dreamstalker/rehlds/commit/f955b07
     
     01:44:18 ReGameDLL version: 5.20.0.516-dev
     Build date: 21:01:56 Jun 14 2021
     Build from: https://github.com/s1lentq/ReGameDLL_CS/commit/2c52c4f

Please, any expert, check this pcap; the exploiter was attacking the server.

@Splatt581

DDoSraro2.zip Please, any expert, check this pcap; the exploiter was attacking the server.

In this traffic capture I see only regular traffic from game clients without any exploits. However, I see only incoming packets from clients, without outgoing server ones, so the server is already hanging.

Could you please capture the traffic just before the freezing moment and the freezing moment itself, when the server stops sending outgoing packets? Or just make the traffic capture a little longer, about 30-40 seconds. Most likely there will be a packet with an exploit there.

@bulevar20

bulevar20 commented Nov 20, 2024

Please check this; here 191.113.179.89 was flooding the server.

('Probably' this is another type of attack.) I don't know.

@bulevar20

(image attachment: rehlds exploit LAG)
When the attack happens, the console with developer "2" shows this.

@CirovicFG

Same problem here, and many other friends who own a server... we need this to be fixed...

@justgo97

Try setting sv_send_logos to 0
Keep it in server.cfg to persist the value

@CirovicFG

Try setting sv_send_logos to 0 Keep it in server.cfg to persist the value

It's on 0 already.

@justgo97

Try setting sv_send_logos to 0 Keep it in server.cfg to persist the value

It's on 0 already.

Do you still get the error message from bulevar20's image after setting sv_send_logos to 0, or a different error?
You might also try setting sv_allow_download to 0, but then you will have to add all the custom files that the client needs to fast download, or else they won't be able to connect.

@SergeyShorokhov SergeyShorokhov added Priority: ⚠️ medium Medium priority tasks that should be addressed soon. Status: 🗣️ needs feedback Comments or feedback needed from the community or team. Type: 🔒 security Vulnerabilities or issues related to security. Engine: ⚙️ Independent Case do not refer to any Engine. OS: 💻 Independent Case do not refer to any OS. labels Nov 26, 2024
@Splatt581

Please check this; here 191.113.179.89 was flooding the server.

('Probably' this is another type of attack.) I don't know.

In this packet capture, a static connectionless packet is sent in large quantities to your server:

0000   ff ff ff ff e9 20 b3 e6 8e 85 e8 8f ba e7 bb 8b   ÿÿÿÿé ³æ..è.ºç».
0010   e8 9d bc e9 8f 85 e7 bd 8d e7 b0 94 e9 84 8b e9   è.¼é..ç½.ç°.é..é
0020   9b 8d 69 da 4c 20 20 20 20 20 20 20 20 20 20 20   ..iÚL           
0030   20 20 20 20 20 20 20 20 20 df 20 20 20 20 20 20            ß      
0040   20 20 64 af 20 20 20 20 6c 20 20 20 20 20 20 20     d¯    l       
0050   20 4f 20 20 20 20 25 20 2e 2e 2e 2e 2e             O    % .....

But these packets do not contain any payload, only garbage, so it will not load the server even in large quantities. I think this can only work if the volume of incoming traffic exceeds the limits issued to the server by the network provider. How many Mbit/s of incoming bandwidth does your server use?

When the attack happens, the console with developer "2" shows this.

This happens when an attacker uses a dlfile command flood, requesting client logos from the server. I described the solution in this post above: #1054 (comment)
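The triage in the comment above, as an added example that is not code from the thread or from ReHLDS: a Python script that classifies each UDP payload in a capture as connectionless (the 0xFFFFFFFF prefix shown in the hexdump) or netchan traffic, and reports sources whose connectionless packet rate exceeds a max_queries_sec / max_queries_window style limit. The minimal pcap reader, the list of known request verbs and the sample traffic (documentation IP addresses) are assumptions constructed for the example.

```python
"""Flood triage for a ReHLDS UDP capture (added example, not ReHLDS code).

A 0xFFFFFFFF prefix marks a connectionless packet (queries, challenge/connect
requests, or the garbage in the thread's hexdump); anything else is netchan
traffic of a connected player. Connectionless packets are counted per source
IP over a sliding window, like max_queries_sec / max_queries_window.
"""
import struct
from collections import defaultdict, deque

CONNECTIONLESS = b"\xff\xff\xff\xff"
# Request verbs a well-behaved client or server browser sends (assumed,
# illustrative list); anything else after the prefix is treated as garbage.
KNOWN_REQUESTS = (b"TSource Engine Query\x00", b"getchallenge", b"connect ",
                  b"ping", b"rcon ")


def classify(payload: bytes) -> str:
    """Return 'netchan', 'query' or 'garbage' for one UDP payload."""
    if not payload.startswith(CONNECTIONLESS):
        return "netchan"
    return "query" if payload[4:].startswith(KNOWN_REQUESTS) else "garbage"


def parse_pcap(data: bytes):
    """Minimal libpcap reader (Ethernet/IPv4/UDP only): yields (ts, src_ip, payload)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                          # not an IPv4/UDP frame
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        udp = frame[14 + ihl:]
        ulen = struct.unpack("!H", udp[4:6])[0]
        yield sec + usec / 1e6, src, udp[8:ulen]


def find_floods(packets, max_queries_sec=1.0, window=1.0):
    """Sources whose connectionless rate exceeds max_queries_sec * window.
    Returns {src_ip: peak packets in any window}; netchan traffic is ignored."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, src, payload in sorted(packets, key=lambda p: p[0]):
        if classify(payload) == "netchan":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:             # drop timestamps outside the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n > max_queries_sec * window}


# Constructed sample traffic (documentation IPs, not addresses from the thread).
# GARBAGE starts with the first 16 bytes of the thread's hexdump, space-padded.
GARBAGE = bytes.fromhex("ffffffffe920b3e68e85e88fbae7bb8b") + b" " * 40
A2S_INFO = CONNECTIONLESS + b"TSource Engine Query\x00"
NETCHAN = struct.pack("<II", 0x10, 0x5) + b"\x00" * 8     # fake netchan header


def sample_capture():
    pkts = [(100.0 + i / 30, "192.0.2.10", NETCHAN) for i in range(30)]    # player
    pkts.append((100.2, "192.0.2.20", A2S_INFO))                           # browser
    pkts += [(100.1 + i / 400, "198.51.100.7", GARBAGE) for i in range(200)]  # flood
    return pkts


if __name__ == "__main__":
    for src, n in find_floods(sample_capture()).items():
        print(f"{src}: {n} connectionless packets inside one 1 s window")
```

On a real capture run `find_floods(parse_pcap(open(path, "rb").read()))`; dlfile floods travel inside the netchan and are left to the stringcmd rate limits mentioned above.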

@bulevar20

bulevar20 commented Dec 4, 2024

Please check this; here 191.113.179.89 was flooding the server.
('Probably' this is another type of attack.) I don't know.

In this packet capture, a static connectionless packet is sent in large quantities to your server:

0000   ff ff ff ff e9 20 b3 e6 8e 85 e8 8f ba e7 bb 8b   ÿÿÿÿé ³æ..è.ºç».
0010   e8 9d bc e9 8f 85 e7 bd 8d e7 b0 94 e9 84 8b e9   è.¼é..ç½.ç°.é..é
0020   9b 8d 69 da 4c 20 20 20 20 20 20 20 20 20 20 20   ..iÚL           
0030   20 20 20 20 20 20 20 20 20 df 20 20 20 20 20 20            ß      
0040   20 20 64 af 20 20 20 20 6c 20 20 20 20 20 20 20     d¯    l       
0050   20 4f 20 20 20 20 25 20 2e 2e 2e 2e 2e             O    % .....

But these packets do not contain any payload, only garbage, so it will not load the server even in large quantities. I think this can only work if the volume of incoming traffic exceeds the limits issued to the server by the network provider. How many Mbit/s of incoming bandwidth does your server use?

When the attack happens, the console with developer "2" shows this.

This happens when an attacker uses a dlfile command flood, requesting client logos from the server. I described the solution in this post above: #1054 (comment)

thanks

@bulevar20

bulevar20 commented Dec 4, 2024

Please help me with this:
https://www.mediafire.com/file/ff7ji8pav0div24/FloodRaroUDP8.pcap/file

What iptables rule works against this type of attack? (The server datacenter has 1gb.)
