DEIMOS Posted March 2, 2019 (edited)

Hi,

I noticed that the server is under exploit attack these days. Besides, I believe that the intruder who makes the server crash is the same hacker whom you couldn't easily get rid of. It became clear that you can't just ban him by STEAM_ID or IP. STEAM_ID can be easily changed, and as for IP, he might be using a dynamic IP or a proxy server.

So are you going to do something about this violator? Because I have a solution. I can't help you with cheaters or enhancing your ban system, but I thought that I could suggest to you how to cover your vulnerabilities so they at least won't be able to crash the server.

I have an article with the list of all server vulnerabilities known to the CS 1.6 community and solutions for resolving them (taken from here). It was written in Russian, so I translated it into English. I thought you might want to go through it and check which of these measures can be used to prevent the use of server vulnerabilities. I cannot tell you exactly where the issue is without seeing the server console and logs, so I leave this up to you...

Exploit SpawnMalfunction
Effects: Server crashes with the error "SZ_GetSpace: overflow without FSB_ALLOWOVERFLOW set on Server Reliable Datagram"
Solution: Update DPROTO

Exploit UnUTF8Chars
Evidence: Connection of strange players. Flood in the console with the message "Values must be valid utf8 text"
Solution 1: Install DPROTO of the latest version (0.9.391 and higher)
Solution 2: Temporary solution for Orpheu. Download uttfix.rar
Note: It is possible that only servers with a build higher than HLDS 6xxx are vulnerable to this exploit.

Exploit FragmBuf
Evidence: Players connect. Server crashes with the error "SZ_GETSPACE: Overflow without FSB_ALLOWOVERFLOW set on net_message"
Solution 1: Install DPROTO of the latest version (0.3.391 or higher)
Solution 2: Metamod plugin by [WPMG]PRoSToTeM@ (version for Linux: click; version for Windows: click)
Solution 3: Orpheu plugin. Click

New Fake Players
Evidence: Connection of a huge number of players (usually with generated nicknames). Fakes spawn and have their own ping and STEAM_ID. The server just starts filling with the fake players.
Solution 1: A small plugin that prevents connection of more than X players from one IP address (by Safety1st)
Solution 2: DPROTO 0.9.475 and higher
Solution 3: Fake Detector by Asmodai

Fake Players
Evidence: Fake players connect. They spawn and flood the voice channel. Server ping goes up and the lags start.
Solution 1: Use Fake Detector by Asmodai (not lower than 2.1.3)
Solution 2: Use Voice Transcoder 2.0 RC1
Solution 3: Use Voice Packet Limiter
Note: To enhance protection from fake players, it is suggested to use a combination of all solutions.

Protection from # in the nickname and chat
Evidence: Freezes a few clients at the same time. Usually comes with the error: Reliable Channel Overflowed
Solution 1: AMXX plugin
Solution 2: Metamod plugin
Solution 3: Metamod plugin

Exploit darcode.com
Evidence: Bot connects and the server crashes.
Solution: Turn off resource downloading directly from the server (sv_allow_dlfile 0).
Note: All server resources should be uploaded to your external download server.

Exploit Buffer Overload v2
Evidence: Server freezes/crashes. Flood in the console: "Ignoring invalid custom decal from *"
Solution 1: DPROTO 0.9.491 and higher
Solution 2: Metamod plugin by Asmodai
Solution 3: Metamod plugin by [WPMG]PRoSToTeM@ (WIN / LIN)

HLDS Amplification attack
Evidence: A request is sent to the server with a bogus IP address, resulting in a response with a bigger packet. This can be used for DDoS attacks.
Recommendation 1: For DPROTO lower than 0.9.509, set ServerInfoAnswerType 0. This will reduce the amplification factor, but players from older patches won't be able to connect.
Recommendation 2: Install DPROTO 0.9.546 and higher. In newer versions, during the attack the server automatically switches to the new type of requests to reduce the amplification factor.
Solution: iptables rules

Exploit Buffer Overload v3
Evidence: Bot connects and ping goes up for all players. The server freezes until the bot disconnects.
Solution 1: DPROTO 0.9.519 and higher
Solution 2: Metamod plugin by s1lent (LIN / WIN)
Solution 3: Metamod plugin by [WPMG]PRoSToTeM@

Exploit Buffer Overload v4 (patched v3)
Evidence: Bot connects and the server temporarily freezes.
Solution: Fake Detector by Asmodai (not lower than 1.4)

Fix by KickAss for servers using FakeDetector
Evidence: Server crashes
Solution: Solution by Fire for Linux:

    iptables -I INPUT -p udp -m u32 --u32 "26&0xFFFF=0xfeff" -j DROP

Edited March 3, 2019 by DEIMOS
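What the u32 rule at the end of the post above actually matches, as an added example that is not part of the original post or the article it translates: u32 reads a big-endian 32-bit word at byte 26 counted from the start of the IP header and keeps its low 16 bits, which for a 20-byte IPv4 header are the first two bytes of the UDP payload. The packet builder, addresses, ports and sample payloads are constructed for illustration; the header-length-aware expression in the second function uses the offset syntax documented for the u32 match and is not taken from the page.

```python
import struct

def u32_fixed(pkt: bytes, offset=26, mask=0xFFFF, value=0xFEFF) -> bool:
    """Emulates --u32 "26&0xFFFF=0xfeff": word at a fixed offset from the
    start of the IP header, ANDed with mask, compared to value."""
    if len(pkt) < offset + 4:            # a read past the packet end never matches
        return False
    (word,) = struct.unpack_from("!I", pkt, offset)
    return (word & mask) == value

def u32_ihl_aware(pkt: bytes, value=0xFEFF) -> bool:
    """Same test with the payload located from the IP header length,
    i.e. the u32 expression "0>>22&0x3C@6&0xFFFF=0xfeff"."""
    if len(pkt) < 4:
        return False
    (first,) = struct.unpack_from("!I", pkt, 0)
    base = (first >> 22) & 0x3C          # IHL * 4 = IP header length in bytes
    if len(pkt) < base + 10:             # need bytes base+6 .. base+9
        return False
    (word,) = struct.unpack_from("!I", pkt, base + 6)
    return (word & 0xFFFF) == value

def build_ipv4_udp(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed test packet: documentation addresses, zero checksums."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                     ihl * 4 + 8 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    udp = struct.pack("!HHHH", 40000, 27015, 8 + len(payload), 0)
    return ip + ip_options + udp + payload

# Constructed payloads. FE FF FF FF is int32 -2 little-endian, the way a
# GoldSrc split-packet header begins; FF FF FF FF starts a connectionless query.
SPLIT = b"\xfe\xff\xff\xff" + b"\x00" * 8
QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"
OPTS = b"\x01\x01\x01\x00"               # 4 bytes of IP options (NOP, NOP, NOP, EOL)

def verdicts() -> dict:
    return {
        "split payload, 20-byte header": u32_fixed(build_ipv4_udp(SPLIT)),
        "ordinary query": u32_fixed(build_ipv4_udp(QUERY)),
        "split payload, 24-byte header, fixed offset": u32_fixed(build_ipv4_udp(SPLIT, OPTS)),
        "split payload, 24-byte header, IHL-aware": u32_ihl_aware(build_ipv4_udp(SPLIT, OPTS)),
    }

if __name__ == "__main__":
    for case, dropped in verdicts().items():
        print(f"{case}: {'DROP' if dropped else 'pass'}")
```

Two things follow for anyone deploying the rule as posted: it has no --dport, so it applies to every inbound UDP packet on the host rather than only to the game port, and the fixed offset 26 is only correct when the IPv4 header carries no options.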
Respect_lawyer Posted March 2, 2019

@AirStriker
-L|S- Huusam Posted March 3, 2019 (edited)

No one answered your post, so I'll post. Look, I think AirStriker already added some of those fakeplayer ones, so you should leave it like that for an admin to review it and answer. The only thing AirStriker added was the fakeplayer.

Edited March 3, 2019 by -L|S- Huusam
DEIMOS (Author) Posted March 3, 2019 (edited)

It's alright, thanks. I'll wait for his response. Generally, I think it is important to make sure that the server is running with the latest version of DPROTO and that there is a way of preventing fake players from reaching the server. As you could see, it looked like the intruder was using fake players. Bots connected (I am pretty sure these were fakes), spawned and started chaotically moving with speedhack. And from time to time the server shut down and restarted itself. I can't assure you 100%, but it almost looked like both making the server shut down and connecting fake players were committed by one person. I will be glad if the article that I translated helps somehow.

Edited March 4, 2019 by DEIMOS
-L|S- Huusam Posted March 4, 2019

There are still the evaders; they use a VPN to avoid a ban, with their IP hidden.
-L|S- Huusam Posted March 4, 2019

For that there is no solution.
-L|S- Huusam Posted March 4, 2019

If you have some AMXX commands for the evader ban, you can edit them and add them.
DEIMOS (Author) Posted March 4, 2019 (edited)

There is always a solution. I was running CS servers a long time ago. For violators who were changing their IP addresses and whom we could not normally ban, we were using a ban by cookies. Cookies are set when the user passes through the MOTD window. It is a welcome window that opens when the user enters the server (before choosing the team). Though it happens in-game, the interesting thing is that this window opens by emulating the default system browser. For Windows, it opens IE, and for Linux it is Mozilla. It is just one example of how you can enhance your ban system, and sure, there are a lot of other ways to deal with violators with dynamic IP / proxy servers.

Edited March 4, 2019 by DEIMOS
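The cookie ban described in the post above, reduced to its server-side logic, as an added example that is not code from the thread or from any plugin it mentions. The class, the cookie name motd_id and the SteamIDs are hypothetical; it assumes the MOTD page is served from a web server you control and that a server plugin passes the connecting player's SteamID with the request.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "motd_id"                       # hypothetical cookie name

class CookieBans:
    def __init__(self):
        self.owner = {}                  # token -> SteamID it was first issued to
        self.banned = set()              # tokens tied to a banned player

    def motd_request(self, steam_id, cookie_header=""):
        """One MOTD page load. Returns (verdict, Set-Cookie value or None)."""
        jar = SimpleCookie(cookie_header)
        token = jar[COOKIE].value if COOKIE in jar else None
        if token in self.banned:
            return "ban", None           # known browser, whatever ID/IP it shows now
        if token in self.owner:
            return "allow", None
        # Missing or unrecognised token: never trust a client-chosen value,
        # issue a fresh random one and remember who received it.
        token = secrets.token_urlsafe(16)
        self.owner[token] = steam_id
        out = SimpleCookie()
        out[COOKIE] = token
        out[COOKIE]["max-age"] = 365 * 24 * 3600
        out[COOKIE]["httponly"] = True
        return "allow", out.output(header="").strip()

    def ban(self, steam_id):
        """Ban every browser token that was issued to this SteamID."""
        self.banned.update(t for t, s in self.owner.items() if s == steam_id)

def demo():
    bans = CookieBans()
    _, set_cookie = bans.motd_request("STEAM_0:1:1111")     # constructed IDs
    browser_cookie = set_cookie.split(";")[0]               # what the browser stores
    bans.ban("STEAM_0:1:1111")
    # Same browser returns with a different SteamID: the cookie still identifies it.
    same_browser = bans.motd_request("STEAM_0:0:2222", browser_cookie)[0]
    # A browser that presents no cookie is indistinguishable from a new player.
    no_cookie = bans.motd_request("STEAM_0:0:3333", "")[0]
    return same_browser, no_cookie

if __name__ == "__main__":
    print(demo())
```

The second result shows the limit of the method: the ban lives in the player's browser state, so it works alongside STEAM_ID and IP bans rather than replacing them.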