Final statement regarding the DoS

For TFP server admins to post news or information related to the game servers.

Postby Witchiebunny » Thu Jan 22, 2009 12:38 am

This is our final statement on the matter:

The attack started at about 1 am EST, or Midnight Server time. Server Admin Nikkyvix was messaged about it 15-30 minutes into the attack by Server Admin Ailure, and all Admins online and active were summoned together.[1]

The final packets were recieved at 3:05:45.24745 EST on US #1, and 4:59:13.037554 on US #2. Those IPs that have been confirmed as attacking the server were 76.202.216.119 and 75.57.176.21, of which the former was most active, and the second was least, having been used towards the end of the attack, from 4:59:11.1967500 to 4:59:13.03841500. The servers were attacked twice, with a break approximately an hour long in between the attacks.

Our investigation has revealed exactly how the servers were attacked. (Long version here, see below for the tl;dr version)

The attack used a very specific exploit present in the Source Engine. Datagrams (UDP Packets) with with zero data and 8 bytes in total length are sent via a source port into a server and the server, in turn freezes its network activity.[2]

The data field here is non-existant, and the length field is set to 8 which is just enough to tell the incoming server that the information being sent is a packet, but is also enough for the packet to contain no data.[3]

tl;dr:
The attacking IPs spammed invalid server query packets into the TF2 server, causing it to freeze it's network activity.



Our admin team was able to recreate this attack against both our US and EU servers by creating a java program to send packets containing no information against said servers.


The attack was done by someone with a very good knowledge of how the Source Engine works and the knowledge of an as-yet-unencountered vulnerability in Source. The attack was directed very specifically against our source ports, with the (assumed) single intent of knocking out the Team Fortress 2 Servers. We have reported it to Valve and hope to have a patch out soon, however we hope that Server Owners will be on the lookout for such attacks in the future, and hopefully the info here will help other Server Owners in securing their own servers.

1. Please see "flood.png" attached here.
2. Please see http://en.wikipedia.org/wiki/User_Da...cket_structure for technical reference of datagrams
3. Please see http://developer.valvesoftware.com/wiki/Server_Queries to see what proper server query is supposed to look like, or look at the attached image.
Attachments
properserverquery2.PNG
What a proper server query looks like
properserverquery2.PNG (12.97 KiB) Viewed 1333 times
flood.PNG
The attack against our servers
flood.PNG (118.71 KiB) Viewed 1338 times
User avatar
Witchiebunny
 
Posts: 755
Joined: Thu Aug 07, 2008 6:43 pm
Location: In her burrow. Drinking Tea. Earl Grey. Hot.

Return to Server News Rules & Announcements

Who is online

Users browsing this forum: No registered users and 1 guest

cron