New Exploit ReHLDS ? #1054
Comments
Yeah, this is a new exploit; I experienced it too recently... |
Do you know any way to block it, etc.? |
Logs would be helpful. |
I don't have logs, it's an exploit, hard to know |
With no logs, there's not much the devs can do to fix this. Try intercepting the packets at the time of the attack |
Ok, I'm not certain if this will fix it, but try to check your mp_consistency and set it to 1.. I'm just changing a lot of ConVars, desperate to find a reason for it.. I will reply on this topic in like 12-15 hr... |
Let me explain the issue... Basically what happens is, a player does something, I have no idea what, but it happens when they are in the server (it's most likely related to the map thingy, I guess), so server resources get utilized to the maximum and players start to lag badly, as if it's some DDoS attack.... server memory ramps up rapidly as well.. I got one report here, not sure if it's related to that one: https://hernan.de/blog/lock-and-load-exploiting-counter-strike-via-bsp-map-files/ exploit from 2017 |
That's an exploit regarding arbitrary code execution, in which a malicious actor would infect a BSP map. This is totally not the same. |
try setting sv_send_logos 0 and sv_allowupload 0, and if you're using fast download, sv_allowdownload 0. There's also sv_allow_dlfile too, but idk what that does exactly. Do some research. |
I will try these.. thank you |
not resolved |
try removing or commenting them from the cfg and using default values. |
Well, regarding the exploit of rehlds, it's so hard to determine the cause for these DDoS-similar scenarios... What happens is, when the person triggers the exploit, server memory ramps up like crazy... I did PCAP everything and even sent my results to the host of the server, but the VAC team of the host mentioned there was no DDoS attack... No matter what change in ConVars I do, the exploit doesn't get fixed... |
Probably worth sending those network captures here and server logs if possible. |
maybe "reunion" will help mitigate it |
@mlibre2 no it does not help... with latest rehlds and reunion |
If there's no actual proof of the exploit, then you can provide a net dump to analyze the incoming data |
What version of ReHLDS are you running? If the latest, try rolling back to older versions; if it's the newest, try updating to the latest version and report back. |
@wilianmaique hello, please provide more info: rehlds version \ build number |
It just happened in my server, definitely a new exploit. I tried using tcpdump in Linux and I can't find anything, |
please provide more info: |
everything in the latest stable version... |
Please, can you provide concrete info? We need version numbers. Want support? Then do it |
you didn't understand: latest stable version, only stable versions, amx 1.10, rehlds, metamod-r, reapi, all in the latest versions |
This information is requested to generate the record; we cannot depend on the date of your comment, so please, I'll be repeating politely: version.

I don't know if this is about laziness (because yeah, you got the prob, we're not wasting time in searching versions or assuming not-mentioned 3rd-party plugins) or privacy concerns, but I welcome you to the XY problem and why it's important that you abide by our requirements: https://xyproblem.info/

@s1lentq @wopox1337 I think by now it is vastly important to provide a guideline of how to introduce an issue and the basic information that developers need, for archiving and solving. No logs, no net dump, no versions or builds, no plugin details. It's so common now for people to come and yell about a problem demanding support and fixes with poor underlying context. |
there are no logs, no dumps, there is nothing; there is the case, the server is 'clean', there are almost no plugins, the plugins are made, the issue is precisely that: there is no data on the cause, there is no way to guess... difficult to understand, the 'issue' is precisely to see if anyone is going through this. |
Please find the opportunity and time to provide answers to the questions. Your answers are too abstract; the "latest release" is an uninformative thing. Thank you for your understanding |
@wilianmaique In short, the following information is needed to track and/or follow up on the issue...
Important:
Warning: enter these commands into the server.
Note: for more details, enable these parameters: |
The same thing happens to me... I captured packets with tcpdump and I don't find any packet flood, nor any suspicious packets.
Protocol version 48
Currently loaded plugins: Metamod-r v1.3.0.149, API (5:13) |
https://www.youtube.com/watch?v=4eLAtaNudT4&t=72s |
It's more or less this attack, I received an attack, restarted the map and 'returned to normal' |
In this packet capture, the attacker uses |
please drop link for 3.14 rehlds |
please any expert check this pcap, exploiter was attacking the server |
In this traffic capture I see only regular traffic from game clients, without any exploits. However, I see only incoming packets from clients, without outgoing server ones, so the server is already hung. Could you please capture the traffic just before the freezing moment and the freezing moment itself, when the server stops sending outgoing packets? Or just make the traffic capture a little longer, about 30-40 seconds. Most likely there will be a packet with an exploit there. |
please check this; here 191.113.179.89 was flooding the server ('probably' this is another type of attack), I don't know |
Same problem here, and many other friends who own a server.. we need this to be fixed.. |
Try setting |
it's on 0 already |
You still get the error message from bluevar20 image after setting |
In this packet capture, a static connectionless packet is sent in large quantities to your server:
But these packets do not contain any payload, only garbage, so it will not load the server even in large quantities. I think this can only work if the volume of incoming traffic exceeds the limits issued to the server by the network provider. How many mbit/s incoming bandwidth does your server use?
This happens when an attacker uses a flood command |
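The check described in the comment above (count the connectionless packets per source, see whether they carry anything but junk, and compare the bandwidth they represent with the uplink the provider gives the server) can be scripted against a capture. The following is an added example written for this thread, not code from ReHLDS or from any commenter. It assumes the four-byte 0xFFFFFFFF prefix that the Half-Life engine uses for out-of-band ("connectionless") packets, a 42-byte Ethernet/IPv4/UDP header overhead for on-wire size, and a constructed packet list in place of a real pcap (a pcap reader would only need to yield the same `(timestamp, src_ip, payload)` tuples); the "garbage" heuristic, the threshold and the IP addresses are assumptions, not values from the thread.

```python
"""Flag sources flooding a GoldSrc/ReHLDS server with connectionless packets.

Added example for issue #1054; not ReHLDS code. Input is a list of
(timestamp_seconds, src_ip, udp_payload_bytes) tuples, which a pcap reader
would normally supply; here a constructed sample is used instead.
"""
from collections import defaultdict

CONNECTIONLESS_HEADER = b"\xff\xff\xff\xff"  # out-of-band marker used by the HL engine
FRAME_OVERHEAD = 42  # Ethernet(14) + IPv4(20) + UDP(8) header bytes, assumed for on-wire size


def is_connectionless(payload: bytes) -> bool:
    """True for packets that bypass the connected-client netchan."""
    return payload.startswith(CONNECTIONLESS_HEADER)


def is_garbage(payload: bytes) -> bool:
    """Heuristic (assumption): legitimate connectionless requests are short
    printable commands such as 'getchallenge'; a non-printable body is junk."""
    body = payload[len(CONNECTIONLESS_HEADER):].rstrip(b"\x00")
    if not body:
        return True
    return not all(0x20 <= b < 0x7F or b in (0x0A, 0x0D) for b in body)


def flood_report(packets, window_s=1.0, pps_threshold=500):
    """Per-source peak connectionless rate, bandwidth and junk ratio.

    Returns {src_ip: {"peak_pps", "peak_mbit", "garbage_ratio"}} for every
    source whose connectionless rate reaches pps_threshold in some window.
    Connected (in-band) traffic is ignored entirely.
    """
    counts = defaultdict(int)
    octets = defaultdict(int)
    garbage = defaultdict(int)
    for ts, src, payload in packets:
        if not is_connectionless(payload):
            continue
        key = (src, int(ts // window_s))
        counts[key] += 1
        octets[key] += len(payload) + FRAME_OVERHEAD
        if is_garbage(payload):
            garbage[key] += 1

    report = {}
    for key, n in counts.items():
        src = key[0]
        pps = n / window_s
        if pps < pps_threshold:
            continue
        mbit = octets[key] * 8 / window_s / 1e6
        entry = report.setdefault(src, {"peak_pps": 0.0, "peak_mbit": 0.0, "garbage_ratio": 0.0})
        if pps > entry["peak_pps"]:
            entry.update(peak_pps=pps, peak_mbit=mbit, garbage_ratio=garbage[key] / n)
    return report


def saturates_link(report, link_mbit: float):
    """Sources whose peak rate alone exceeds the server's uplink (Mbit/s)."""
    return sorted(src for src, e in report.items() if e["peak_mbit"] > link_mbit)


def constructed_capture():
    """Constructed sample traffic (not a real capture): one legitimate client
    sending a server query, a challenge request and one in-band packet, and one
    source sending 4000 junk connectionless packets of 64 bytes in one second."""
    pkts = [
        (0.10, "10.0.0.5", b"\xff\xff\xff\xffTSource Engine Query\x00"),
        (0.35, "10.0.0.5", b"\xff\xff\xff\xffgetchallenge steam\n"),
        (0.40, "10.0.0.5", b"\x01\x00\x00\x00" + b"\x00" * 20),  # connected traffic, ignored
    ]
    junk = CONNECTIONLESS_HEADER + bytes(range(0x80, 0x80 + 60))  # 64 bytes, no printable command
    pkts += [(1.0 + i / 4000, "192.0.2.77", junk) for i in range(4000)]
    return pkts


if __name__ == "__main__":
    rep = flood_report(constructed_capture())
    for src, e in rep.items():
        print(f"{src}: {e['peak_pps']:.0f} pps, {e['peak_mbit']:.3f} Mbit/s, "
              f"{e['garbage_ratio']:.0%} junk")
    print("saturating a 100 Mbit/s uplink:", saturates_link(rep, 100.0))
```

On the constructed sample the flooding source shows up at 4000 pps and about 3.4 Mbit/s, all of it junk, while the real client never reaches the threshold. That bandwidth figure is the point the commenter makes: a payload-less flood of this size does not come near a 100 Mbit/s uplink, so if the server still stalls, the cause is something other than link saturation and the capture around the freeze itself is what to look at. The per-source counts are also the numbers you would feed into whatever rate limiting sits in front of the game port.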
thanks |
pls help me with this, what iptables rule works against this type of attack? (the server datacenter has 1gb) |
I'm receiving an 'attack', but it's not a DDoS. As soon as the attack happens, I quickly restart the map, and the attack disappears instantly, which confirms it's some kind of 'exploit', but I still don't have enough details.
Note: It's a '4fun' server with not many plugins, and none of the plugins increase the ping, etc.
I'm posting here to see if anyone has more details.