SmartlyDressedGames / Unturned-3.x-Community

Community portion of the Unturned-3.x repo. If you have access to the source code you can find it here:
https://github.com/SmartlyDressedGames/Unturned-3.x/

Players use special protocol packets to crash servers #1993

Closed Aikkes-xk closed 1 year ago

Aikkes-xk commented 4 years ago

My server recently had a player come in and the server crashed after he came in. I learned through a packet sniffer that he was sending a piece of garbage packet to the server after he entered the server, causing the server to crash. Hopefully this problem can be fixed. Here are the spam packets he sent: characteristics.txt

Aikkes-xk commented 4 years ago

That player's STEAMID: 76561198990618401. He's already used this spam packet to crash multiple servers!

SDGNelson commented 4 years ago

It looks like it might be trying to invoke the warmth RPC on the server, but that would be getting rejected because it is server-to-client only.

Is there any crash log or details of what sort of crash it was?

Aikkes-xk commented 4 years ago

It looks like it might be trying to invoke the warmth RPC on the server, but that would be getting rejected because it is server-to-client only.

Is there any crash log or details of what sort of crash it was?

It mainly causes server non-response and does not generate messages to the logs.

Aikkes-xk commented 4 years ago

He has to get into the server before he can send this packet, and will send multiple, regularly changing, which will instantly cause the server to crash unresponsive

SDGNelson commented 4 years ago

Are they using alt Steam accounts to bypass your ban?

To double-check: nothing in the built-in Logs/Server_(name).log (not Rocket log).

If I interpreted it correctly the control code they are using is obsolete-ish so I have tidied that up for the next update, but otherwise it should just be ignoring these packets. How many are they sending?

Aikkes-xk commented 4 years ago

Are they using alt Steam accounts to bypass your ban?

To double-check: nothing in the built-in Logs/Server_(name).log (not Rocket log).

If I interpreted it correctly the control code they are using is obsolete-ish so I have tidied that up for the next update, but otherwise it should just be ignoring these packets. How many are they sending?

If I ban them, I can indeed avoid this problem, but they can continue to attack the server by creating new Steam accounts. I did check the Logs folder for logs after the server crash, but I sure didn't find any log messages about him! If I can, I will get back to you with screenshots and log files the next time the same problem occurs!

rube200 commented 4 years ago

Did you check the temp files for a crash?

Aikkes-xk commented 4 years ago

@SDGNelson I obtained the log of the error report when they did the crash attack again! error.zip

SDGNelson commented 4 years ago

Thanks for the crash files. Summarized the stack trace is all in Unity and Mono, and appears to happen when looking up a class while async loading from an asset bundle. By default the server does not use AssetBundle.LoadAssetAsync, so I wonder if you have any plugins that use their own custom asset bundles?

warren39 commented 4 years ago

My server is also under this special packet attack and the servers crash. Their SteamIDs: 76561198990618401 and 76561198382781523. Both from the same IP and same HWID.

Aikkes-xk commented 4 years ago

Thanks for the crash files. Summarized the stack trace is all in Unity and Mono, and appears to happen when looking up a class while async loading from an asset bundle. By default the server does not use AssetBundle.LoadAssetAsync, so I wonder if you have any plugins that use their own custom asset bundles?

This isn't just happening on my server, many others are experiencing the same thing, and I don't think it has anything to do with AssetBundle!

Aikkes-xk commented 4 years ago

@SDGNelson This sort of thing belongs to a cheating program for crashing other servers, where the player who wants to attack has to be in the server, and as soon as he leaves the server, it causes it to crash!

TH3AL3X commented 4 years ago

In case it is so and there is still no solution, I would recommend using a plugin that restricts IPs from China and VPNs or proxies.

Sl4vP0weR commented 4 years ago

Cheaters can crash servers by Steam P2P packets; they are sending some packet type that the game wouldn't resolve and it just crashes by overflow.

SDGNelson commented 4 years ago

Cheaters can crash servers by Steam P2P packets; they are sending some packet type that the game wouldn't resolve and it just crashes by overflow.

Steam P2P is not handling the packet, or the game is logging an unhandled packet? The game should be banning any connections that send packets unhandled by the game.

rube200 commented 4 years ago

There is a lot of code running before the game validates the packet, and it does nothing if it is invalid. (I think I saw it in the right place.)

    public bool receive(CSteamID steamID, byte[] packet, int offset, int size)
    {
      if (SteamChannel.onTriggerReceive != null)
      {
        if (!SteamChannel.warnedAboutTriggerReceive)
        {
          SteamChannel.warnedAboutTriggerReceive = true;
          CommandWindow.LogError((object) "Plugin(s) using unsafe onTriggerReceive, please consider an alternative");
        }
        try
        {
          byte[] numArray = packet;
          if (Provider.useConstNetEvents)
          {
            numArray = new byte[offset + size];
            Array.Copy((Array) packet, (Array) numArray, numArray.Length);
          }
          SteamChannel.onTriggerReceive(this, steamID, numArray, offset, size);
          if (Provider.useConstNetEvents)
          {
            if (Provider.hasNetBufferChanged(packet, numArray, offset, size))
              CommandWindow.LogError((object) "Plugin(s) modified buffer during onTriggerReceive!");
          }
        }
        catch (Exception ex)
        {
          UnturnedLog.warn("Plugin raised an exception from SteamChannel.onTriggerReceive (deprecated, if you really have to use Provider.onServerReadingPacket instead):");
          UnturnedLog.exception(ex);
        }
      }
      if (size < 3)
        return true;
      int index = (int) packet[offset + 1];
      this.buildCallArrayIfDirty();
      if (index < 0 || index >= this.calls.Length)
        return true;
      ESteamPacket esteamPacket = (ESteamPacket) packet[offset];
      if (esteamPacket == ESteamPacket.UPDATE_VOICE && size < 6)
        return true;
      bool flag1;
      switch (this.calls[index].attribute.validation)
      {
        case ESteamCallValidation.NONE:
          flag1 = true;
          break;
        case ESteamCallValidation.ONLY_FROM_SERVER:
          flag1 = this.checkServer(steamID);
          break;
        case ESteamCallValidation.SERVERSIDE:
          flag1 = Provider.isServer;
          break;
        case ESteamCallValidation.ONLY_FROM_OWNER:
          flag1 = this.checkOwner(steamID);
          break;
        default:
          flag1 = false;
          UnturnedLog.warn("Unhandled RPC validation type on method: " + this.calls[index].method.Name);
          break;
      }
      // ....
    }
Sl4vP0weR commented 4 years ago

Cheaters can crash servers by Steam P2P packets; they are sending some packet type that the game wouldn't resolve and it just crashes by overflow.

Steam P2P is not handling the packet, or the game is logging an unhandled packet? The game should be banning any connections that send packets unhandled by the game.

https://www.github.com/wristcry/undeadhacks-decompiled/tree/master/System.UI%2FServerCrashThread.cs

rube200 commented 4 years ago

According to the code you sent, the server can take spam from these 4 types of packets:

ESteamPacket.WORKSHOP
ESteamPacket.CONNECT
ESteamPacket.UPDATE_UNRELIABLE_CHUNK_BUFFER
ESteamPacket.BATTLEYE

I did some basic checks, and if the server receives ESteamPacket.CONNECT the player is instantly expelled from the server (client side), but this appears to remain on the server until it times out. In turn, ESteamPacket.WORKSHOP is answered with ESteamPacket.WORKSHOP, then on the client side it returns ESteamPacket.CONNECT, which would kick him from the server.

That leaves ESteamPacket.UPDATE_UNRELIABLE_CHUNK_BUFFER and ESteamPacket.BATTLEYE. For obvious reasons I cannot test the BattlEye packet (module on client side), and with ESteamPacket.UPDATE_UNRELIABLE_CHUNK_BUFFER I was unable to bring the server down.

SDGNelson commented 4 years ago

I think that code is outdated. rube200's analysis is correct, and to expand on it:

The Workshop packet array will be ignored if received from the same client less than 30 seconds since the last request. On the client the response is cached for 60 seconds so normal clients will not hit that rate limit.

The Battleye packet array2 is only handled for clients who have a player object in-game, and the cheat's 1 byte message should be treated as garbage by BattlEye.

The Connect packet array3 will register them as a pending connection preventing them from sending Connect packets again, and will reject them at some stage because they sent garbage data, e.g. their hash is mismatched.

The RPC packet array4 has not been updated for the RPC changes, so it is calling RPC index zero on a random player object, which should fail.
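As an added illustration, not Unturned's code and not code from anyone in this thread, of the points rube200 and SDGNelson make above: check the cheap header fields before any plugin callback or allocation, apply the 30-second per-peer Workshop cooldown, allow one pending Connect at a time, and count malformed packets per sender so a repeat offender is dropped instead of silently ignored. The PacketKind values, the garbage threshold and the PeerState bookkeeping are constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Constructed packet types mirroring the header layout discussed in the thread:
// byte 0 = packet type, byte 1 = RPC index. Not Unturned's ESteamPacket.
enum PacketKind : byte { Connect = 1, Workshop = 2, Rpc = 3 }

sealed class PeerState
{
    public int Garbage;                          // malformed packets seen from this peer
    public DateTime LastWorkshop = DateTime.MinValue;
    public bool PendingConnect;
}

static class PacketGate
{
    public enum Verdict { Handled, Ignored, Kick }

    const int MaxGarbage = 5;                                               // constructed threshold
    static readonly TimeSpan WorkshopCooldown = TimeSpan.FromSeconds(30);   // rate limit named above
    static readonly Dictionary<ulong, PeerState> peers = new Dictionary<ulong, PeerState>();

    // Header checks run first; nothing is copied or handed to plugins until they pass.
    public static Verdict Receive(ulong steamId, byte[] packet, int offset, int size, int rpcCount, DateTime now)
    {
        if (!peers.TryGetValue(steamId, out var peer)) peers[steamId] = peer = new PeerState();

        if (packet == null || offset < 0 || size < 3 || offset + size > packet.Length)
            return Garbage(peer);
        if (!Enum.IsDefined(typeof(PacketKind), packet[offset]))
            return Garbage(peer);                          // unknown type: counted, not just dropped

        switch ((PacketKind)packet[offset])
        {
            case PacketKind.Connect:
                if (peer.PendingConnect) return Garbage(peer);   // a Connect is already pending
                peer.PendingConnect = true;
                return Verdict.Handled;
            case PacketKind.Workshop:
                if (now - peer.LastWorkshop < WorkshopCooldown) return Verdict.Ignored;
                peer.LastWorkshop = now;
                return Verdict.Handled;
            case PacketKind.Rpc:
                int index = packet[offset + 1];
                if (index >= rpcCount) return Garbage(peer);     // out-of-range RPC index
                return Verdict.Handled;
        }
        return Garbage(peer);
    }

    // Malformed packets are tallied per peer; crossing the threshold yields a kick.
    static Verdict Garbage(PeerState peer) =>
        ++peer.Garbage >= MaxGarbage ? Verdict.Kick : Verdict.Ignored;
}
```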

Sl4vP0weR commented 4 years ago

Nelson should just add better packet resolving that will use less RAM and CPU resources.