ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[L4D2] Servers are heavily vulnerable to empty UDP packet DOS attacks #5141

Open LuckyServ opened 1 year ago

LuckyServ commented 1 year ago

Empty UDP packets (size 28 bytes with empty body) heavily impact Left 4 Dead 2 servers. A server can be impacted with as little as 100 packets (2800 bytes) per second sent from a single source. This does not happen with a UDP packet of size 1 or more - only with empty UDP packets.

In other words, anyone can very easily DOS any unprotected Left 4 Dead 2 server and it does not require significant bandwidth. This isn't as much of an issue with community servers as server hosts can always use the following iptables rule:

/sbin/iptables -A INPUT -p udp -m multiport --dports 27015:27050 -m length --length 0:28 -j DROP

But Valve servers are vulnerable to this and people have been DOSing servers with empty UDP packets for over a decade. Please either patch Left 4 Dead 2 servers to ignore empty UDP packets early or add a firewall rule to the host machines to block them.
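One way to spot this traffic in a packet capture, given here as an added example that is not part of the original report or of Valve's code: it classifies raw IPv4 packets as empty UDP datagrams (the 28-byte case described above) and flags sources that reach the 100-per-second figure from the report. The function names, the sample addresses and the packets in `SAMPLE` are constructed for illustration.

```python
import struct
from collections import Counter

UDP_PROTO = 17
GAME_PORTS = range(27015, 27051)  # same port range as the iptables rule above

def build_ipv4_udp(src, dport, payload, sport=40000):
    """Build a minimal IPv4+UDP packet in memory (checksums zero) as sample data."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     UDP_PROTO, 0, bytes(map(int, src.split("."))),
                     bytes([192, 0, 2, 10]))  # constructed destination
    return ip + udp

def empty_udp_source(packet):
    """Return the source IP if packet is a zero-payload UDP datagram to a game port."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != UDP_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport in GAME_PORTS and udp_len == 8:  # UDP header only, no body
        return ".".join(str(b) for b in packet[12:16])
    return None

def flag_sources(capture, threshold=100):
    """capture: iterable of (timestamp_seconds, raw_packet).
    Returns {source_ip: peak empty datagrams in a one-second bucket}
    for every source that reaches the threshold."""
    buckets = Counter()
    for ts, pkt in capture:
        src = empty_udp_source(pkt)
        if src is not None:
            buckets[(src, int(ts))] += 1
    peaks = {}
    for (src, _sec), n in buckets.items():
        if n >= threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks

# Constructed sample: one source sends 120 empty datagrams within one second,
# another sends 120 non-empty datagrams in the same second.
SAMPLE = [(10 + i / 120, build_ipv4_udp("198.51.100.7", 27015, b"")) for i in range(120)]
SAMPLE += [(10 + i / 120, build_ipv4_udp("203.0.113.9", 27015, b"\xff\xff\xff\xffT")) for i in range(120)]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```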

NULLYUKI commented 1 year ago

@kisak-valve Why was the "Team Fortress 2" label added? Seems the wrong label to me if the user is talking about "Left 4 Dead 2"

kisak-valve commented 1 year ago

Thanks, classic thinko.

Tsuey commented 8 months ago

Reported resolved or significantly mitigated as of SRCDS update:

https://steamdb.info/app/222860/patchnotes/

LuckyServ commented 8 months ago

Issue is still present in Valve official servers and unprotected community servers.

For example: 100 empty packets per second affect the server, while 100 non-empty packets do not, meaning that the servers are still more vulnerable to empty packets when compared to non-empty packets.

lDrDooml commented 8 months ago

> Issue is still present in Valve official servers and unprotected community servers.
>
> For example: 100 empty packets per second affect the server, while 100 non-empty packets do not, meaning that the servers are still more vulnerable to empty packets when compared to non-empty packets.

https://github.com/Tsuey/L4D2-Community-Update/issues/485#issuecomment-1930704196

It seems that the community servers will have to use this iptables again

Tsuey commented 8 months ago

> It seems that the community servers will have to use this iptables again

Just making a note here that according to our TLS contact with Kerry, Valve is actively working on implementing SDR for L4D2. Kerry also made a forum post mentioning this security measure.

As far as we guess, Official Dedicated will end the game of exploit whack-a-mole with SDR -- community servers will likely still need iptable solutions, as while the split-packet exploit was fixed recently via game code, our understanding is that this issue's exploit has only been mitigated through Valve's firewall, hence Luckylock's re-opening.

lDrDooml commented 8 months ago

> > It seems that the community servers will have to use this iptables again
>
> Just making a note here that according to our TLS contact with Kerry, Valve is actively working on implementing SDR for L4D2. Kerry also made a forum post mentioning this security measure.
>
> As far as we guess, Official Dedicated will end the game of exploit whack-a-mole with SDR -- community servers will likely still need iptable solutions, as while the split-packet exploit was fixed recently via game code, our understanding is that this issue's exploit has only been mitigated through Valve's firewall, hence Luckylock's re-opening.

The invalid split packet length exploit is indeed fixed. I tried to use this exploit on my servers to check it and it actually no longer works. However, empty network packets are still a problem.

MrBonesYk commented 6 months ago

Hello!

I have some information about DDoS attacks and what they are doing them with.

But it would be better to talk about it privately, I'm serious -> mr.bonesyk (Discord)