SourceBan exploit?
Hey guys. Apparently someone used a sourceban exploit to ban people from my server, by telling them to go to a link. This is the link: [url]http://www.tier0cheats.com/forum/source-link-ban.php[/url] I am using the ulx ban system, is the sourceban then? In addition, for some reason my console keeps spamming this: Banning 83.100.219.58 for rcon hacking attempts on different IPs
Well, don't open random links from the chat then. [editline]11th December 2014[/editline] It's one thing getting a server ban, but what if someone were to post a virus there? Would you also open the link and complain that someone gave you a virus?
[QUOTE=Robotboy655;46691105]Well, don't open random links from the chat then. [editline]11th December 2014[/editline] It's one thing getting a server ban, but what if someone were to post a virus there? Would you also open the link and complain that someone gave you a virus?[/QUOTE] I didn't open it, the players did :P
[QUOTE=tzahush;46690992]Hey guys. Apparently someone used a sourceban exploit to ban people from my server, by telling them to go to a link. This is the link: [URL]http://www.tier0cheats.com/forum/source-link-ban.php[/URL] I am using the ulx ban system, is the sourceban then? In addition, for some reason my console keeps spamming this: Banning 83.100.219.58 for rcon hacking attempts on different IPs[/QUOTE] Ahh that's interesting. How that works is when the clients click on the link from chat the website logs their IP and then starts sending spoofed rcon login packets with their IP. Then the server sees this as an attempted bruteforce attempt from their IP and then bans it. Hrm, I just spent some time looking at all the sv_rcon_* commands and it doesn't look like you can disable rcon banning... As a shitty fix you could try hiding any chat messages that contain the link. EDIT: I'll look into a module to disable rcon bruteforce banning or, as a better fix, a module that makes sure the rcon TCP connection state is ESTABLISHED before banning, preventing spoofed packets.
[QUOTE=mcd1992;46691678]Ahh that's interesting. How that works is when the clients click on the link from chat the website logs their IP and then starts sending spoofed rcon login packets with their IP. Then the server sees this as an attempted bruteforce attempt from their IP and then bans it. Hrm, I just spent some time looking at all the sv_rcon_* commands and it doesn't look like you can disable rcon banning... As a shitty fix you could try hiding any chat messages that contain the link. EDIT: I'll look into a module to disable rcon bruteforce banning or, as a better fix, a module that makes sure the rcon TCP connection state is ESTABLISHED before banning, preventing spoofed packets.[/QUOTE] There's no "spoofed rcon login packets", all it literally does is create 11 iframes with the server's IP. Edit: This one actually has a bit more iframes :v: [t]http://i.imgur.com/DgQuGRi.png[/t]
[QUOTE=Robotboy655;46691977]There's no "spoofed rcon login packets", all it literally does is create 11 iframes with the server's IP. Edit: This one actually has a bit more iframes :v: [/QUOTE] Oh wow I'm overthinking this then. It's abusing the rcon packet size ban. `sv_rcon_maxpacketbans 0` will prevent this 'exploit' from working... I forgot that the source engine is retarded and just accepts any TCP connection on the game port and presumes it's rcon data. So it's banning because all the HTTP GET data comes out to be larger than 1024 bytes...
I actually [URL="http://smashinglim.es/doc/Source-Query-Exploit.html"]created a detailed documentation[/URL] a few months ago with info on how it works, why it works, and a few ways to fix it.
[QUOTE=WitheredPyre;46692773]I actually [URL="http://smashinglim.es/doc/Source-Query-Exploit.html"]created a detailed documentation[/URL] a few months ago with info on how it works, why it works, and a few ways to fix it.[/QUOTE] A lot of that writeup is incorrect though. The min/max values for sv_rcon_banpenalty, sv_rcon_maxfailures, and sv_rcon_minfailures disallow fully disabling rcon bans. Rate limiting TCP on the game port won't fix the issue as it only needs to send one large amount of data, once, to trigger the ban. Blocking rcon traffic from non-whitelisted IPs at the firewall is a good fix. And disabling rcon is not a bulletproof fix as even with rcon_password set to "" clients still get banned for large rcon packets. sv_rcon_maxpacketbans 0 works just fine though. That is only for the simple [url]http://serverip:27015[/url] iframes though. It might still be possible to spoof the source on packets, depending on if the engine checks the TCP state or not.
[QUOTE=mcd1992;46692012]Oh wow I'm overthinking this then. It's abusing the rcon packet size ban. `sv_rcon_maxpacketbans 0` will prevent this 'exploit' from working... I forgot that the source engine is retarded and just accepts any TCP connection on the game port and presumes it's rcon data. So it's banning because all the HTTP GET data comes out to be larger than 1024 bytes...[/QUOTE] Huh, didn't think of it like that, cool, thanks very much! :)
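Added example, not written by anyone in this thread: a log triage an admin could run to see which "rcon hacking attempts" bans landed on addresses of players who had connected to the server (consistent with the link trick described above) and which landed on addresses never seen as players. The connect-line layout, the function name `triage_rcon_bans` and all sample addresses are assumptions made for the example.

```python
import re

# Constructed sample log. The "Banning ..." wording is the console line quoted
# in the thread; the connect-line layout is an assumption about the server's
# log format, and every address is a documentation-range placeholder.
SAMPLE_LOG = """\
L 12/11/2014 - 18:02:11: "alice<2><STEAM_0:1:1111><>" connected, address "198.51.100.7:27005"
L 12/11/2014 - 18:03:40: "bob<3><STEAM_0:0:2222><>" connected, address "198.51.100.23:27005"
Banning 198.51.100.7 for rcon hacking attempts
Banning 203.0.113.99 for rcon hacking attempts
Banning 198.51.100.7 for rcon hacking attempts
Banning 198.51.100.23 for rcon hacking attempts
"""

BAN_RE = re.compile(r"Banning (\d{1,3}(?:\.\d{1,3}){3}) for rcon hacking attempts")
CONNECT_RE = re.compile(
    r'"(?P<name>.*?)<\d+><[^>]*><[^>]*>" connected, address "(?P<ip>[\d.]+):\d+"'
)

def triage_rcon_bans(log_text):
    """Return (likely_victims, unknown_sources, ban_counts).

    likely_victims  : {ip: player name} for banned IPs that also appear in a
                      player connect line, i.e. real players hit by the ban
    unknown_sources : sorted banned IPs never seen as a connected player
    ban_counts      : {ip: number of ban lines} for every banned IP
    """
    players, ban_counts = {}, {}
    for line in log_text.splitlines():
        connect = CONNECT_RE.search(line)
        if connect:
            players[connect.group("ip")] = connect.group("name")
            continue
        ban = BAN_RE.search(line)
        if ban:
            ip = ban.group(1)
            ban_counts[ip] = ban_counts.get(ip, 0) + 1
    likely_victims = {ip: players[ip] for ip in ban_counts if ip in players}
    unknown_sources = sorted(ip for ip in ban_counts if ip not in players)
    return likely_victims, unknown_sources, ban_counts

if __name__ == "__main__":
    victims, unknown, counts = triage_rcon_bans(SAMPLE_LOG)
    for ip, name in victims.items():
        print(f"player {name} at {ip} was rcon-banned {counts[ip]}x; review this ban")
    for ip in unknown:
        print(f"{ip} was rcon-banned and never connected as a player")
```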