New Exploit ReHLDS ?

[wilianmaique]

I'm receiving an 'attack', but it's not a DDoS. As soon as the attack happens, I quickly restart the map, and the attack disappears instantly, which confirms it's some kind of 'exploit', but I still don't have enough details.

Note: It's a '4fun' server with not many plugins, and none of the plugins increase the ping, etc.

I'm posting here to see if anyone has more details.

[HypeGfx]

Yeah this is a new exploit I experienced it too recently...

[wilianmaique]

Yeah this is a new exploit I experienced it too recently...

Do you know any way to block etc?

[SmilexGamer]

Logs would be helpful.

[wilianmaique]

SmilexGamer

I don't have logs, it's an exploit, hard to know

[SmilexGamer]

SmilexGamer

I don't have logs, it's an exploit, hard to know

With no logs, there's not much the devs can do to fix this. Try intercepting the packets at the time of the attack

[HypeGfx]

Ok I'm not certain if this will fix it but try to check your mp_consistency and set it to 1.. I'm just changing a lot of ConVars desperate to find a reason for it.. I will reply on this topic in like 12-15 hr...

[rishhh78]

Let me explain the issue...

Basically what happens is, player does something I have no idea but it happens when is in the server (It's most likely related to map thingy i guess) so server resource gets utilized maximum and players starts to lag badly as if its like some DDoS attack.... server memory ramps up in rapid amount as well..

I got one report here not sure if its related to that one https://hernan.de/blog/lock-and-load-exploiting-counter-strike-via-bsp-map-files/ exploit from 2017

[SmilexGamer]

Let me explain the issue...

Basically what happens is, player does something I have no idea but it happens when is in the server (It's most likely related to map thingy i guess) so server resource gets utilized maximum and players starts to lag badly as if its like some DDoS attack.... server memory ramps up in rapid amount as well..

I got one report here not sure if its related to that one https://hernan.de/blog/lock-and-load-exploiting-counter-strike-via-bsp-map-files/ exploit from 2017

That's an exploit regarding arbitrary code execution, in which a malicious actor would infect a BSP map. This is totally not the same.

[di57inct]

try setting sv_send_logos 0 and sv_allowupload 0 and if you're using fast download sv_allowdownload 0. there's also sv_allow_dlfile too but idk what that does exactly. do some research.

[HypeGfx]

try setting sv_send_logos 0 and sv_allowupload 0 and if you're using fast download sv_allowdownload 0. there's also sv_allow_dlfile too but idk what that does exactly. do some research.

I will try these.. thank you

[wilianmaique]

try setting sv_send_logos 0 and sv_allowupload 0 and if you're using fast download sv_allowdownload 0. there's also sv_allow_dlfile too but idk what that does exactly. do some research.

not resolve

[di57inct]

have you tried setting sv_allow_dlfile 0 too?
have you messed with any of these cvars?:

[wilianmaique]

sv_net_incoming_decompression "1"
sv_net_incoming_decompression_max_ratio "80.0"
sv_net_incoming_decompression_max_size "65536"
sv_net_incoming_decompression_punish "-1"
sv_allowupload "0"
sv_send_logos "0"
sv_allowdownload "0"
sv_allow_dlfile "0"
syserror_logfile "addons/amxmodx/logs/sys_error.log"
sv_rehlds_hull_centering "1"
sv_force_ent_intersection "1"
sv_delayed_spray_upload "1"
sv_echo_unknown_cmd "1"
sv_rehlds_local_gametime "1"
sv_rehlds_movecmdrate_max_avg "40000"
sv_rehlds_movecmdrate_avg_punish "-1"
sv_rehlds_movecmdrate_max_burst "40000"
sv_rehlds_movecmdrate_burst_punish "-1"
sv_rehlds_stringcmdrate_max_avg "40000"
sv_rehlds_stringcmdrate_avg_punish "-1"
sv_rehlds_stringcmdrate_max_burst "40000"
sv_rehlds_stringcmdrate_burst_punish "-1"
sv_rehlds_attachedentities_playeranimationspeed_fix "1"
sv_rehlds_force_dlmax "1"
sv_auto_precache_sounds_in_models "1"
sv_usercmd_custom_random_seed "1"
fps_max "1000"
sys_ticrate "1000"
max_queries_sec_global "10"
max_queries_window "1"
max_queries_sec "1.0"
mp_consistency "1"

[di57inct]

try removing or commenting them from the cfg and using default values.

[rishhh78]

Well, Regarding the exploit of rehlds its so hard to determine the cause for this DDoS similar scenarios... What happens is the person when triggers the exploit server memory ramps up like crazy up... I did PCaP everything and even sent my results to the host of the server but the VAC team of the host mentioned there was no DDoS attack... No matter what change in ConVARS I do, the exploit doesn't get fixed...

[SmilexGamer]

Well, Regarding the exploit of rehlds its so hard to determine the cause for this DDoS similar scenarios... What happens is the person when triggers the exploit server memory ramps up like crazy up... I did PCaP everything and even sent my results to the host of the server but the VAC team of the host mentioned there was no DDoS attack... No matter what change in ConVARS I do, the exploit doesn't get fixed...

Probably worth sending those network captures here and server logs if possible.

[mlibre2]

maybe "reunion" will help mitigate it

[rishhh78]

@mlibre2 no it does not help... with latest rehlds and reunion

[dystopm]

If there's no actual proof of the exploit, then you can provide a net dump to analyze the incoming data

[justgo97]

What is version of ReHLDS are you running? If the latest try rolling back to older versions, if it's the newest try updating to latest version and report back.

[stamepicmorg]

@wilianmaique hello, please provide more info:

rehlds version \ build number
environment info: os type
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

[bulevar20]

just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

[stamepicmorg]

bulevar20
just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

please provide more info:
rehlds version \ build number
installed plugins and versions: aka metamod-r, amxx, etc
installed amxx plugins and versions

[wilianmaique]

bulevar20
just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

please provide more info: rehlds version \ build number installed plugins and versions: aka metamod-r, amxx, etc installed amxx plugins and versions

everything in the latest stable version...

[dystopm]

bulevar20
just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

please provide more info: rehlds version \ build number installed plugins and versions: aka metamod-r, amxx, etc installed amxx plugins and versions

everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

[wilianmaique]

bulevar20
just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

please provide more info: rehlds version \ build number installed plugins and versions: aka metamod-r, amxx, etc installed amxx plugins and versions

everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

you didn't understand, latest stable version, only stable versions, amx 1.10 rehlds, metamod-r, reapi, all in the latest versions

[dystopm]

bulevar20
just happened in my server, definitely new exploit, i try using tcpdump in linux and i cant find nothing,
probably a user is sending some malicious command

please provide more info: rehlds version \ build number installed plugins and versions: aka metamod-r, amxx, etc installed amxx plugins and versions

everything in the latest stable version...

Please, can you provide concrete info? We need version numbers. Want support? Then do it

you didn't understand, latest stable version, only stable versions, amx 1.10 rehlds, metamod-r, reapi, all in the latest versions

build number installed plugins and versions

This information is requested to generate the record, we cannot depend on the date of your comment, so please, I'll be repeating politely:

version
game version
amxx version
meta list

I don't know if this is about laziness (because yeah, you got the prob, we're not wasting time in searching versions or assuming not-mentioned 3rd-party plugins) or privacy concerns, but I welcome you to the XY problem and why it's important that you abide by our requirements: https://xyproblem.info/

@s1lentq @wopox1337 I think by now it is vastly important to provide a guideline of how to introduce an issue and the basic information that developers need, for archiving and solving. No logs, no net dump, no versions or builds, no plugins details. It's so common now for people to come and yell about a problem demanding support and fixes with poor underlying context.

[wilianmaique]

there are no logs, dumps, there is nothing, there is the case, the server is 'clean', there are almost no plugins, the plugins are made, the issue is precisely that, there is no data on the cause, there is no way to guess... difficult to understand, the 'issue' is precisely to see if anyone is going through this.

[stamepicmorg]

Please find the opportunity and time to provide answers to the questions.

your answers are too abstract.

the "latest release" is an uninformative thing.

thank you for your understanding

[mlibre2]

@wilianmaique In short, the following information is needed to track and/or follow up on the issue...

Important

• version
• game version
• amxx version
• meta list

Warning

enter these commands into the server console and comment out the returned data.

Note

for more details enable these parameters: hlds.exe -dev -condebug then locate the qconsole.log file, also supply your content.

[ghouls96]

The same thing happens to me... I captured packets with tcpdump and I don't find any packet flood, nor any suspicious packets.

Protocol version 48
Exe version 1.1.2.7/Stdio (cstrike)
ReHLDS version: 3.13.0.788-dev
Build date: 07:36:33 Jul 12 2023 (3378)
Build from: f955b07
Currently loaded plugins:
description stat pend file vers src load unload
[ 1] LocalizeBug Fix RUN - localizebugfix_mm_i386.so v2.0 ini Start Never
[ 2] Rechecker RUN - rechecker_mm_i386.so v2.7 ini Chlvl ANY
[ 3] SafeNameAndChat RUN - SafeNameAndChat.so v1.1 ini ANY ANY
[ 4] Reunion RUN - reunion_mm_i386.so v0.2.0.13 ini Start Never
[ 5] AMX Mod X RUN - amxmodx_mm_i386.so v1.10.0.5467 ini Start ANY
[ 6] HitBox Fix RUN - hitbox_fix_mm_i386.so v1.1.2 ini Start ANY
[ 7] ReSemiclip RUN - resemiclip_mm_i386.so v2.3.9 ini Chlvl ANY
[ 8] VoiceTranscoder RUN - VoiceTranscoder.so v2017RC5 ini ANY ANY
[ 9] MySQL RUN - mysql_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[10] Fun RUN - fun_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[11] Engine RUN - engine_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[12] FakeMeta RUN - fakemeta_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[13] GeoIP RUN - geoip_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[14] CStrike RUN - cstrike_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[15] CSX RUN - csx_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[16] Ham Sandwich RUN - hamsandwich_amxx_i386.so v1.10.0.5467 pl5 ANY ANY
[17] ReAPI RUN - reapi_amxx_i386.so v5.24.0.300-dev pl5 ANY Never
17 plugins, 17 running

Currently loaded plugins:
id name version author url file status
[ 1] 0 Anti Flood 1.10.0.546 AMXX Dev Team antiflood.a running
[ 2] 1 mdbBans 4.8 Desikac unknown mdbBansEN.a running
[ 3] 2 Spam Blocker v4 1.0 www.4evergaming. spam_blocke running
[ 4] 3 Unreal Demo Plugin 1.63 karaulov unreal_demo running
[ 5] 4 Chat Manager 4.8 OciXCrom crx_chatman running
[ 6] 5 Advanced Vault System 1.5 Destro unknown adv_vault.a running
[ 7] 6 Admin Base 1.10.0.546 AMXX Dev Team admin.amxx running
[ 8] 7 Simple Knife Top 1.1 Destro unknown fakatop_cap running
[ 9] 8 Admin Commands 1.9.0.5271 AMXX Dev Team unknown admincmd.am running
[ 10] 9 Admin Help 1.10.0.546 AMXX Dev Team adminhelp.a running
[ 11] 10 Multi-Lingual System 1.10.0.546 AMXX Dev Team multilingua running
[ 12] 11 Instant AutoTeamBalanc 1.2.0 ConnorMcLeod unknown instant_aut running
[ 13] 12 Menus Front-End 1.10.0.546 AMXX Dev Team menufront.a running
[ 14] 13 Commands Menu 1.10.0.546 AMXX Dev Team cmdmenu.amx running
[ 15] 14 Players Menu 1.10.0.546 AMXX Dev Team plmenu.amxx running
[ 16] 15 Maps Menu 1.10.0.546 AMXX Dev Team mapsmenu.am running
[ 17] 16 Plugin Menu 1.10.0.546 AMXX Dev Team pluginmenu. running
[ 18] 17 Admin Chat 1.10.0.546 AMXX Dev Team adminchat.a running
[ 19] 18 Scrolling Message 1.10.0.546 AMXX Dev Team scrollmsg.a running
[ 20] 19 Info. Messages 1.10.0.546 AMXX Dev Team imessage.am running
[ 21] 20 Admin Votes 1.10.0.546 AMXX Dev Team adminvote.a running
[ 22] 21 Pause Plugins 1.10.0.546 AMXX Dev Team pausecfg.am running
[ 23] 22 Stats Configuration 1.10.0.546 AMXX Dev Team statscfg.am running
[ 24] 23 Restrict Weapons 1.8.2 www.4evergaming. unknown restmenu.am running
[ 25] 24 StatsX 1.10.0.546 AMXX Dev Team statsx.amxx running
[ 26] 25 Spectator Banner Ads 0.1.16 iG_os unknown spec_banner running
[ 27] 26 Accuracy Fix 3.0 Numb unknown accuracy_fi running
[ 28] 27 Sistema de Advertencia 0.2 Mario AR. unknown sistema_de_ running
[ 29] 28 Knife Models 3.1.1 OciXCrom crx_knife_m running
[ 30] 29 Voices Management 1.0.2 www.4evergaming. unknown Voices_Mana running
[ 31] 30 UFPS Map Manager 3.0.3(z) UFPS.Team unknown umm.amxx running
[ 32] 31 UFPS Map Config 1.2 UFPS.Team unknown umm_mapconf running
[ 33] 32 UFPS Lastmap Recovery 1.0 UFPS.Team unknown umm_lastmap stopped
[ 34] 33 UFPS MOTD Notification 1.0 UFPS.Team unknown umm_notific running
[ 35] 34 UFPS Spawn Control 1.1 UFPS.Team unknown umm_spawn_c running
[ 36] 35 Ultimate RSlots 1.0 OneEyed unknown ultimate_rs running
[ 37] 36 Style C4 Timer 3.1 OciXCrom crx_c4timer running
[ 38] 37 AMX Slay Losers 1.1 [email protected] unknown slaylosers. running
[ 39] 38 Steal Frags 1.0 4evergaming steal_frags running
[ 40] 39 Reconnect Features 0.2.4 BETA ConnorMcLeod reconnect_f debug
[ 41] 40 Restrict Weapons 1.8.2 www.4evergaming. unknown RestringirA running
[ 42] 41 Registro de jugadores 1.0 www.4evergaming. unknown registro_ju running
[ 43] 42 Advanced MuteMenu 1.0 www.4evergaming. unknown mutemenu-ad running
[ 44] 43 Menu Rates 1.0 4evergaming unknown menu_rates. running
[ 45] 44 Map Spawns Editor 1.0.16 iG_os unknown Map_Spawns_ running
[ 46] 45 Descriptive Fire in th 0.1 VEN descriptive running
[ 47] 46 Advanced Kill Assists 1.3c Xelson unknown next21_kill running
[ 48] 47 unknown unknown unknown unknown ventas.amxx running
[ 49] 48 unknown unknown unknown unknown reglas.amxx running
[ 50] 49 CS AFK Manager 1.0.6 (amx Freeman unknown afk_manager running
[ 51] 50 Resetscore System 1.0 OciXCrom unknown crx_resetsc running
[ 52] 51 Invisible Spectator 1.0 ReHLDS Team unknown invisible_s running
[ 53] 52 High Ping Kicker (WON) 0.16.2 OLO/shadow unknown high_ping_k running
[ 54] 53 Admin Clexec 0.9.4 default unknown admin_clexe running
[ 55] 54 Enhanced Auto Demo 0.5.1 lonewolf unknown enhanced_au running
[ 56] 55 Lite Admin ESP 1.1 neygomon, AcE unknown admin_esp.a running
[ 57] 56 Spawn Fixer con SC 1.1 GameHost.com.ar unknown spawnfixer. running
[ 58] 57 WarmUP Pro 5.6 Beta ReymonARG unknown warmuppro.a running
[ 59] 58 Parachute Lite [ReAPI] 11.0 Leo_[BH] unknown parachute_l running
[ 60] 59 Menu 1.0 RevCrew menu_skins. running
[ 61] 60 AWP Models 2.1.4 OciXCrom crx_awp_mod running
[ 62] 61 M4A1 Models 2.1.4 OciXCrom crx_ak47_mo running
[ 63] 62 M4A1 Models 2.1.4 OciXCrom crx_m4a1_mo running
[ 64] 63 unknown unknown unknown unknown demos.amxx running
[ 65] 64 Auto datear 1.0 CincoYA.net autodatear. running
[ 66] 65 Autoresponder/Advertis 0.5 MaximusBrood unknown ad_manager. running
[ 67] 66 CincoYA 5.0 CincoYA.net unknown cincoya.amx running
[ 68] 67 In-Game Ads 1.83 stupok unknown in_game_ads running
[ 69] 68 AMX Show IP 1.0 4evergaming unknown amx_showip. running
[ 70] 69 AFK Bomb Transfer 0.4 VEN unknown afkbombtran running
[ 71] 70 amx_cheat 1.0 watch unknown noclip.amxx running
[ 72] 71 Anti-Scroll Fade To Bl 1.2 Pancho.-'+hud;Er unknown anti_scroll running
72 plugins, 71 running

Metamod-r v1.3.0.149, API (5:13)
Metamod-r build: 11:31:17 Apr 23 2024
Metamod-r from: rehlds/Metamod-R@603a257

ddos.zip

[bulevar20]

https://www.youtube.com/watch?v=4eLAtaNudT4&t=72s
this guy is the hacker, he claim using "TSourceEngineQuery Exploit" , "Sockets Exploit" , "WinSock2.h"

[wilianmaique]

https://www.youtube.com/watch?v=4eLAtaNudT4&t=72s this guy is the hacker, he claim using "TSourceEngineQuery Exploit" , "Sockets Exploit" , "WinSock2.h"

It's more or less this attack, I received an attack, restarted the map and 'returned to normal'

[Splatt581]

The same thing happens to me... I captured packets with tcpdump and I don't find any packet flood, nor any suspicious packets.

Protocol version 48 Exe version 1.1.2.7/Stdio (cstrike) ReHLDS version: 3.13.0.788-dev Build date: 07:36:33 Jul 12 2023 (3378)
ddos.zip

In this packet capture, the attacker uses dlfile command flooding. This attack must be rejected at least a few checks in rehlds:

1. Network data decompression protection sv_net_incoming_decompression / sv_net_incoming_decompression_max_ratio. But as I see you are using an old build from July 2023 without these new features. I recommend upgrading to the latest build with these cvars.

2. String command flood protection sv_rehlds_stringcmdrate_max_avg / sv_rehlds_stringcmdrate_max_burst. What values ​​do you use for these cvars? I recommend setting the default values.

[bulevar20]

please drop link for 3.14 rehlds

[bulevar20]

     Exe version 1.1.2.7/Stdio (cstrike)
     ReHLDS version: 3.13.0.788-dev
     Build date: 07:36:33 Jul 12 2023 (3378)
     Build from: https://github.com/dreamstalker/rehlds/commit/f955b07
     
     01:44:18 ReGameDLL version: 5.20.0.516-dev
     Build date: 21:01:56 Jun 14 2021
     Build from: https://github.com/s1lentq/ReGameDLL_CS/commit/2c52c4f

DDoSraro2.zip
please any expert check this pcap, exploiter was attacking the server

[Splatt581]

DDoSraro2.zip please any expert check this pcap, exploiter was attacking the server

In this traffic capture I see only regular traffic from game clients without any exploits. However, I see only incoming packets from clients, without outgoing server ones, so the server is already hangs.

Could you please capture the traffic just before the freezing moment and the freezing moment itself, when the server stops sending outgoing packets? Or just make the traffic capture a little longer, about 30-40 seconds. Most likely there will be a packet with an exploit there.

[bulevar20]

please check this, here 191.113.179.89 was flooding the server

('probably' this is other type of attack) i dont know

[bulevar20]

when the attack happen, console with developer "2" show this

[CirovicFG]

Same problem here, and many other friends who owns a server.. we need this to be fixed..

[justgo97]

Try setting sv_send_logos to 0
Keep it in server.cfg to persist the value

[CirovicFG]

Try setting sv_send_logos to 0 Keep it in server.cfg to persist the value

its on 0 already

[justgo97]

Try setting sv_send_logos to 0 Keep it in server.cfg to persist the value

its on 0 already

You still get the error message from bluevar20 image after setting sv_send_logos to 0 or a different error?
You might also try setting sv_allow_download to 0 but then you will have to add all the custom files that client needs to fast download or else they won't be able to connect.

[Splatt581]

please check this, here 191.113.179.89 was flooding the server

('probably' this is other type of attack) i dont know

In this packet capture, a static connectionless packet is sent in large quantities to your server:

0000   ff ff ff ff e9 20 b3 e6 8e 85 e8 8f ba e7 bb 8b   ÿÿÿÿé ³æ..è.ºç».
0010   e8 9d bc e9 8f 85 e7 bd 8d e7 b0 94 e9 84 8b e9   è.¼é..ç½.ç°.é..é
0020   9b 8d 69 da 4c 20 20 20 20 20 20 20 20 20 20 20   ..iÚL           
0030   20 20 20 20 20 20 20 20 20 df 20 20 20 20 20 20            ß      
0040   20 20 64 af 20 20 20 20 6c 20 20 20 20 20 20 20     d¯    l       
0050   20 4f 20 20 20 20 25 20 2e 2e 2e 2e 2e             O    % .....

But these packets do not contain any payload, only garbage, so it will not load the server even in large quantities. I think this can only work if the volume of incoming traffic exceeds the limits issued to the server by the network provider. How many mbit/s incoming bandwidth does your server use?

when the attack happen, console with developer "2" show this

This happens when an attacker uses a flood command dlfile, requesting client logos from the server. I described the solution in this post above #1054 (comment)