
Looking for a mod to guard against a MOTD overflow attack



Heya,

 

**Edited 03/07/2015 with relevant information. I found out his attack vector**

 

I'm having issues with a hacker who crashes my 1.7.10 server by repeatedly requesting the MOTD, by which the memory overflows on the server because of the JSON that gets compiled over and over (player count and such).

 

He crashes my server multiple times a day because he doesn't get whitelisted.

 

So, basically I want to write/use a mod that logs how often the MOTD gets requested. I know I have to use the trail that sends S00PacketServerInfo, but what I'm wondering is how to get the IP of the user requesting so I can log it and hand it over to IPtables if it reaches a threshold.

 

Kind regards,

 

Tschallacka

How much wood could a woodchuck chuck if a wood chuck could chuck wood - Guybrush Treepwood

 

I wrote my own mod ish... still a few bugs to fix. http://thaumcraft.duckdns.org/downloads/MagicCookies-1.0.6.4.jar


Hmmh, then he must be using a different weakness.

 

I so thought he used this one...

 

Clearly he's not whitelisted. I'm kinda stuck atm with CoreProtect and Cauldron, so I'm still chugging along with Forge 1231.

 

I am writing my own anti grief/logging mod as we speak, and it would be relatively simple to turn it into a 1.7.10 mod so we can finally update forge.

 

I was just hoping someone would have made a coremod to fix this.


Okay, so he started bragging about how smart he is and bla bla but he dropped his attack vector.

 

He's requesting the MOTD multiple times, which causes the server to crash because of all the JSON that gets compiled to answer the request.

 

Now my question is basically this:

 

Is there a way in forge that I can catch when S00PacketServerInfo is sent and to which ip? Then I can log that so IPTables can block it.

 

If I should write a coremod for this, which would be the best point to hook it in so I can get the IP? Anyone have experience with this?


Haha, this isn't an overflow issue; at most it'd be an OOM issue. (Seriously, would have been simple to detect if you sent the crash log.)

But this is an interesting avenue.

Anyways did a little work to mitigate it, https://github.com/MinecraftForge/MinecraftForge/commit/5064d33519649a61b4975727b7522eeb4b50f7dc

This doesn't 100% solve it because the 'send small packet to server, get large response' aspect still exists. But that shouldn't be that big of an issue unless your server is on a thin uplink.

But it addresses the memory issue.

The server invalidates the cache every 5 seconds, because it's dumb and shuffles the player list for an unknown reason (really guys...) but meh.

I do Forge for free, however the servers to run it aren't free, so anything is appreciated.
Consider supporting the team on Patreon


I wish I had crash logs, then it would have been easy to pinpoint. But what we got were only the crashes that the service just stopped because the OS killed it/detected it dying.

 

Thanks for the modifications though :-)

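The per-IP threshold logging the original poster asks about, sketched as an added example that is not code from this thread or from Forge. It assumes a hypothetical log line format `<unix_ts> STATUS_PING <ip>` written by your own mod or proxy; the thresholds are also assumptions to tune, and the iptables rules are only built, not executed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Hypothetical log format (an assumption, not Forge output):
#   <unix_ts> STATUS_PING <ip>
LINE_RE = re.compile(r"^(\d+) STATUS_PING (\S+)$")

def find_offenders(lines, max_requests=20, window_seconds=10):
    """Return IPs that sent more than max_requests pings inside one window.
    Lines are expected in time order per address."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = int(m.group(1))
        try:
            # Only a well-formed address may ever reach a firewall command.
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > max_requests and ip not in offenders:
            offenders.append(ip)
    return offenders

def iptables_rules(offenders, port=25565):
    """Build one DROP rule per address as an argv list (no shell string)."""
    rules = []
    for ip in offenders:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append([tool, "-I", "INPUT", "-s", ip, "-p", "tcp",
                      "--dport", str(port), "-j", "DROP"])
    return rules

# Constructed sample log: one address pinging 10 times a second, one normal
# client refreshing its server list, and one line with a malformed address.
SAMPLE_LOG = (
    [f"{1000 + i // 10} STATUS_PING 203.0.113.7" for i in range(60)]
    + [f"{1000 + 3 * i} STATUS_PING 198.51.100.20" for i in range(5)]
    + ["1004 STATUS_PING 203.0.113.7;reboot"]
)

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG)):
        print(" ".join(rule))
```

Status pings are also what every client's server list sends on refresh, and several players can share one address behind NAT, so the threshold should sit well above normal refresh rates.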
