Can CFP solve my problem?

Hi,

I'm having problems with my server getting crashed; I have hosted it for years for a game called Rune. All I've been able to do to prevent it is to ban their IPs in my firewall. The script they use eats up all memory until the server crashes. Buffer overflow, I guess it's called among you guys who know about these things?
Now I found this CFP after some googling. So I downloaded and installed it but have no clue about setting up the rules. I read the help file and most of the posts in this forum today. I'm still kinda lost here…
Does anyone know if it's possible to stop these attacks with CFP 3? If yes, any pointers on how the rules should be set up?

Would be really nice to run a server and not have to worry about if/when it will get crashed.

Try Comodo Memory Firewall. Obviously there is a vulnerability they are exploiting in your machine and doing a BO to inject stuff into it.
So the combo of CFP and CMF (please note CMF is in beta though) should stop this happening. However, the vulnerability will still be there and you must find it. Most likely it is unpatched software.

melih

Try Comodo Memory Firewall. Obviously there is a vulnerability they are exploiting in your machine and doing a BO to inject stuff into it. So the combo of CFP and CMF (please note CMF is in beta though) should stop this happening.

I tried the memory firewall with CFP without success. The server went down just as fast as it did without the Mem FW. Hope I used the software as I should. I think I did.
When I was trying this out the other night with a friend, it seemed he couldn't crash it every time. Just around 50% of the times he ran the unrCrash script my server actually went down. That doesn't make any sense to me, because without any Comodo software it goes down 100% of the time. I tried looking at the logs, but they didn't log very much from the sessions.

However, the vulnerability will still be there and you must find it. Most likely it is unpatched software.

The problem lies in the UEngine's (the same engine that was used for the first Unreal) memory management. It would take some complex coding to make a useful patch. You would also have to get access to the engine core, which is not released and probably never will be. At least that's what I heard from the guys who know more about UScript and the UEngine than I do.

More detailed background if anyone finds it interesting:
This code wiz (Luigi Auriemma) checked this engine for vulnerabilities. He presented everything he found on the web with the required tools to exploit the vulnerabilities. Epic released a game fix for Unreal. I think all other games that were built on the engine got their security patches too. But not Rune. Developers thought it was too old, I guess. Now, years later, script kiddies still find his homepage and use the tools to crash servers, at least in Rune.
The tool (unrcrash.exe) creates and sends a malformed UDP packet to the game server as a join request. And it crashes the server when it runs out of RAM.

Once I tried Ethereal to see if I could detect the malformed UDP packets. Ethereal detected them, but there is no blocking function in Ethereal. I'm not so familiar with networking tools and I haven't found any solution that can detect and block malformed UDPs. So now my hopes are that CFP3/MemoryFW will manage to block these attacks with the right settings.

I still have the log from a malformed packet if it could be to any use?
Normal UDP:
http://shexpeare.com/temp/logs/udp.txt

Malformed UDP:
http://shexpeare.com/temp/logs/corruptudp.txt

Luigi's site:

The specific crashtool:
http://aluigi.altervista.org/poc/unrcrash.zip

I'm no tech wiz, but I was thinking that since your problem seems to be based at the packet level, perhaps you could try enabling some of the extra protection options found from the main CFP menu via Firewall → Advanced → Attack Detection Settings → whatever sounds like it might work from the Intrusion Detection and/or Miscellaneous tabs. To my untrained eye, it sounds like some of this stuff might be able to help you. Good luck.

I'm not a programmer, but it looks like the issue is not a malformed packet (which should affect the TCP/IP stack and system stability) but the Unreal server app.
That server gets the data from the UDP packet and doesn't check it, so when it attempts to interpret that malformed data the server crashes.

The corrupt UDP text you linked actually says that the UDP is not malformed:

User Datagram Protocol, Src Port: 2222 (2222), Dst Port: 7777 (7777) Source port: 2222 (2222) Destination port: 7777 (7777) Length: 54 Checksum: 0x3772 [correct]

I do not understand the protocol dumps either, but it looks like you got one Ethernet frame with many protocols in it (Protocols in frame: eth:ip:udp:enip).

The malformed one was EtherNet/IP (Industrial Protocol)

CFP can block IP packets by protocol number, but I don't know what number those ENIP packets have, nor do I know if blocking ENIP packets will work (I guess you should make sure that those packets are really not needed).
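A defender-side illustration of two points raised in this thread: the wish earlier in the thread to detect and block the malformed UDP datagrams with something other than Ethereal, and the question just above of what "enip" in the Wireshark decode means and whether it can be blocked by IP protocol number. This is an added example, not code from the thread, from Comodo or from Luigi Auriemma, and it does not reproduce the crash tool. It assumes raw IPv4/UDP bytes as input (no Ethernet header), the game port 7777 from the dump above, and sample datagrams constructed in the script itself. Two facts it relies on: UDP is IP protocol number 17 (so "enip" is not something an IP-protocol-number rule can match), and Wireshark's EtherNet/IP dissector is registered on UDP port 2222, which is the source port in the dump, so the "enip" label is a port-based dissector guess about the payload, not evidence of a different protocol. The checks it applies are the ones a filter in front of a server that does no input validation can do on its behalf: consistent length fields, a correct UDP checksum, and a per-source rate limit.

```python
"""Defender-side sanity checks for UDP datagrams aimed at a game server port.

Added example, not code from the thread or from Comodo. It parses raw IPv4/UDP
bytes, rejects datagrams whose length fields or checksum are inconsistent, and
rate-limits any single source that floods the game port. Sample packets are
constructed in-line; no capture file or live socket is used.
"""
import struct
from collections import defaultdict, deque

GAME_PORT = 7777      # destination port seen in the thread's Wireshark summary
IPPROTO_UDP = 17      # IP protocol number for UDP; "enip" is not an IP protocol
# Ports Wireshark's ENIP dissector claims (UDP 2222 for I/O, 44818 for encapsulation);
# a source port of 2222 is enough for a frame to be labelled eth:ip:udp:enip.
WIRESHARK_ENIP_PORTS = {2222, 44818}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: pad to even length, sum 16-bit words, fold carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the datagram with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    value = ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return value or 0xFFFF  # a computed zero is transmitted as 0xFFFF


def parse_ipv4_udp(frame: bytes) -> dict:
    """Parse IPv4 + UDP headers, raising ValueError on anything structurally inconsistent."""
    if len(frame) < 28:
        raise ValueError("frame too short for IPv4 + UDP headers")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version or header length")
    if proto != IPPROTO_UDP:
        raise ValueError(f"IP protocol {proto} is not UDP")
    if total_len > len(frame) or total_len < ihl + 8:
        raise ValueError("IPv4 total length inconsistent with frame")
    udp = frame[ihl:total_len]
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp):
        raise ValueError(f"UDP length field {ulen} != {len(udp)} bytes on the wire")
    if csum != 0 and csum != udp_checksum(src, dst, udp):
        raise ValueError("UDP checksum incorrect")
    # Mimic Wireshark's port-based choice of dissector so the label can be explained.
    label = "enip" if {sport, dport} & WIRESHARK_ENIP_PORTS else "udp"
    return {"src": ".".join(map(str, src)), "sport": sport, "dport": dport,
            "payload": udp[8:], "wireshark_label": label}


class SourceRateLimiter:
    """Sliding-window counter per source IP: True once a source exceeds `limit` datagrams in `window` seconds."""

    def __init__(self, limit: int = 10, window: float = 5.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def over_limit(self, src: str, now: float) -> bool:
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def verdict(frame: bytes, now: float, limiter: SourceRateLimiter) -> str:
    """Decide what a filter in front of the game port should do with one frame."""
    try:
        pkt = parse_ipv4_udp(frame)
    except ValueError as exc:
        return f"drop:malformed ({exc})"
    if pkt["dport"] != GAME_PORT:
        return "pass:not-game-port"
    if limiter.over_limit(pkt["src"], now):
        return "drop:rate-limit"
    return "pass"


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes,
                lie_about_len: int = 0) -> bytes:
    """Construct a minimal IPv4/UDP frame for testing; `lie_about_len` skews the UDP length field."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload) + lie_about_len, 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, src, dst)
    return ip + udp


def demo() -> list:
    """Constructed traffic: a normal datagram from source port 2222 (Wireshark would call it enip),
    one whose UDP length field lies, and a burst of four from a second source with limit=3."""
    limiter = SourceRateLimiter(limit=3, window=5.0)
    results = [verdict(build_frame("10.0.0.5", "10.0.0.1", 2222, GAME_PORT, b"\x00join"), 0.0, limiter),
               verdict(build_frame("10.0.0.5", "10.0.0.1", 2222, GAME_PORT, b"\x00join", 40), 0.1, limiter)]
    for i in range(4):
        results.append(verdict(build_frame("10.0.0.9", "10.0.0.1", 40000, GAME_PORT, b"\x00join"),
                               1.0 + i * 0.1, limiter))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The script is a model of what a filter could check, not a CFP rule set: CFP's protocol-number rule can only see the value 17 here, so the decision has to be made on the UDP layer (length and checksum consistency) and on behaviour (how many datagrams one source sends to the game port in a short window), which is what the rate limiter does.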

I tried that but server still crashed.

A couple of days ago I tried different settings while a friend tried crashing my server every time I had made a change. Somehow I managed to get CFP to block the attacks every other time? Isn't that weird?
Too bad that I have no idea exactly what I did that blocked it. And after a few more changes I was back to square one and the server crashed at every attempt.

This was interesting. Can’t say if those packets are really needed. But I’ll look into it.

After checking hundreds of packets from unrCrash with Wireshark I haven't found any ENIP packets. Looks like any other UDP to me. So I can't find any explanation for why that one was ENIP.