1

Topic: Patching current vulnerabilities and moving on to 0.7.0

Split topic from here. // Dune

Fudgyking wrote:

There is a patch available here https://github.com/axblk/teeworlds/tree/0.6-improved
With this commit patching the vulnerability https://github.com/axblk/teeworlds/comm … b8d92cd1ac
(I think it was merged from ddnet)

The commit you've linked to only limits how many player lists are sent out per second (to clients looking for servers), but AFAIK that's not the main problem right now.

The attacker appears to be using the fact that it is possible to occupy slots without ever receiving and responding to a reply from the server. Right now taking up a slot is as easy as sending one UDP packet with the right content to the server. This leads to the many "(connecting)" clients that clog the servers. I tested it offline, trying to replicate the attack.

Stopping the attack might be possible by blacklisting the IPs that try to connect too often over a long period of time, but if the attacker's ISP lets them forge their source IP address, they can make up as many addresses as they want (but only for sending, not receiving). In that case it is necessary to add some kind of token to the protocol. Unfortunately that needs changes in both the server and the client. Maybe it is possible to improvise by putting a token (generated specifically for each player) in the server name and having them use it as a password. Unfortunately right now players already take up a slot when they are looking at the password prompt, and the slot number appears to double as the player id (not quite sure, don't quote me on that), making this difficult to implement.

I did not have a server running before the attack started and the attacker does not appear to refresh their server list, so this is mostly guesswork.

Another idea to at least make the attack more difficult is to modify the server to not refuse new clients when the server is full of "clients" that aren't fully connected and instead randomly drop one of the other clients. This way the attacker cannot block the server completely, just reduce the probability of a successful connection. Of course that's a rather dirty solution, but at least it's very easy to implement. Here (https://pastebin.com/4Bj8mPnt) is a patch doing exactly that, but I wouldn't advise anyone to use it because it is barely tested, still has some printline debugging in it, and is easy for the attacker to circumvent. At least it works against my test attack script.

2

Re: Patching current vulnerabilities and moving on to 0.7.0

In the end, yes, it's an intrinsic problem within the Teeworlds protocol, a design mistake. Just as a side note, I first thought the servers were filled solely to enlarge the server status response, which could easily be abused for amplification attacks (and I even noticed at least one attack being performed that way). It's just yet another vulnerability that's there.

Having trouble finding servers in the server list? Go to Pastebin (it's a referrer because there is a new pastebin daily) and add the lines to your settings.cfg (in %APPDATA%\teeworlds). Then open Teeworlds and go to the favorites tab. (Note, however, that the standard Teeworlds client can only show 256 favorites; use ddnet instead.)

3 (edited by jxsl13 2018-08-23 16:42:31)

Re: Patching current vulnerabilities and moving on to 0.7.0

This is the actual ddnet patch, which has existed since about 2015:

This is the original from 2015: https://github.com/east/teeworlds/commi … _antispoof
Updated here: https://github.com/eeeee/ddnet/commit/4 … e61c7d56e6

patched ddnet vanilla servers here: https://github.com/Learath2/teeworlds/c … catchspoof

Learath2 also seems to have patched other vanilla mods, which you could search for.

Teeworlds [ friends ] clan
Some YouTube Stuff about Teeworlds

4

Re: Patching current vulnerabilities and moving on to 0.7.0

Can anyone confirm if / which of these patches solves the attack problem and still allows me to run vanilla servers, or if there's going to be an official patch? I'd love to keep running my teeworlds servers but the machine is also used for many other things and I can't afford to have its bandwidth flooded by these attacks. I've had to shut my servers down. I know this is what the attacker wants, but like I said I can't afford to lose access to the machine.

5

Re: Patching current vulnerabilities and moving on to 0.7.0

antisol wrote:

Can anyone confirm if / which of these patches solves the attack problem and still allows me to run vanilla servers, or if there's going to be an official patch? I'd love to keep running my teeworlds servers but the machine is also used for many other things and I can't afford to have its bandwidth flooded by these attacks. I've had to shut my servers down. I know this is what the attacker wants, but like I said I can't afford to lose access to the machine.

This is the correct link: https://github.com/eeeee/ddnet/commit/4 … 61c7d56e6.

I'm sorry that there hasn't been an official patch so far.

6 (edited by lucid.dreaming 2018-10-07 08:25:20)

Re: Patching current vulnerabilities and moving on to 0.7.0

This is happening again, right now... I can't play on vanilla servers :-/

Schwertspize wrote:

In the end, yes, it's an intrinsic problem within the Teeworlds protocol, a design mistake. Just as a side note, I first thought the servers were filled solely to enlarge the server status response, which could easily be abused for amplification attacks (and I even noticed at least one attack being performed that way). It's just yet another vulnerability that's there.

No, it is not just another vulnerability; this is exactly what he is doing. He has a DDoS website and he is abusing the Teeworlds protocol to earn money.

I know who he is: he is vali from exec clan. I worked for him, I had access to his spoofing servers, and I am the one who wrote in C the tools that he is using to abuse the Teeworlds protocol :-/, but I got tired of this shit.

He doesn't care about Teeworlds, and there isn't anything you can do to stop him, even if I tell you all his information. I know his provider, spoofing server IPs, DDoS website URL, name, etc.

But honestly I don't think that would stop him, because I doubt the German police would do anything with that information.

PS: Someone needs to make a new Teeworlds
PS2: Stitch knows him too. I know he is well known on Teeworlds, but Stitch had access to one of the spoofing servers for a few hours, because I gave access to [MLP] Rafael and him for a few hours; then Stitch had the opportunity "to stalk" the spoofing server with the htop command, plus I am sure he checked all files in the spoofing server too, so I am sure he knows everything too.
PS3: I have a dream of making a new Teeworlds completely written in Ada 2012 with a lot of new features plus a secure network protocol (without DoS bugs), for all popular operating systems: Linux, Windows, Mac OS X, *BSD (like FreeBSD), iOS and Android.....
PS4: Yes, I am Cider, the one who was DDoSing ddnet. I was using vali's spoofing servers to DDoS ddnet, but as I said I got tired of this shit.

7

Re: Patching current vulnerabilities and moving on to 0.7.0

lucid.dreaming: just another fatso kid, without life.
Srsly, my hint: shut down your pc and achieve sth of value in life or either kill yourself ^_^

Welcome to the internet.

1338 - One step ahead of the average Nerd.

8 (edited by lucid.dreaming 2018-10-13 21:08:02)

Re: Patching current vulnerabilities and moving on to 0.7.0

Ok

You should say that to -> vali <-

After all, he is the main person behind all this shit

I wouldn't be surprised if you were vali's brown noser

9

Re: Patching current vulnerabilities and moving on to 0.7.0

My two cents. I guess you should re-read that post.

Mod, please close.


10

Re: Patching current vulnerabilities and moving on to 0.7.0

@lucid.dreaming You said he's doing this to earn money. Can you explain how?

11 (edited by lucid.dreaming 2018-10-08 17:33:11)

Re: Patching current vulnerabilities and moving on to 0.7.0

Magnet wrote:

@lucid.dreaming You said he's doing this to earn money. Can you explain how?

Yes.

First of all, let me talk about vali and his Chinese mate.

They offer a "Professional Stress Testing Service" at this website http://www.kcddos.com/index_en.php (this is the english version)

If you buy a membership then you can launch DDoS attacks from their website.

And it is possible to use the Teeworlds protocol to reflect and amplify DDoS attacks by using IP spoofing.

And vali knows it...

Then, basically, if you buy a membership, you can launch DDoS attacks that use the Teeworlds protocol from his website.

If you register at his website (registration is free), and you go to the Hub, you can see a DDoS method called "TEE Reflection AMP".

https://thumb.ibb.co/hr1epU/Screenshot_2018_10_08_095908.jpg

He fills up all teeworlds servers with fake connections to improve the amplification.

Then his customers can use all teeworlds servers to reflect and amplify DDoS attacks.

And that's how he is earning money by abusing the Teeworlds protocol.

This is a DDoS attack https://en.m.wikipedia.org/wiki/Denial- … ice_attack
This is IP Address Spoofing https://en.m.wikipedia.org/wiki/IP_address_spoofing

12

Re: Patching current vulnerabilities and moving on to 0.7.0

If any of this is true, it is exactly what I thought it was. XD. And yes, it is one of several security issues that Teeworlds has.

#1. Sending (connecting) in the serverlist and filling up a slot with just a single packet, instead of a three-way handshake (which, if properly implemented, effectively counters IP spoofing). This supports
#2, which is that the server status protocol (and especially any enlarged one like the ddnet one) suffers from unconfirmed addresses (no prior three-way handshake) being able to send small packets that provoke large responses. This is called a reflection attack. Normally you would only allow packet responses that are at maximum as large as an artificially enlarged request packet (no optimization here please). #1 just enlarges this and you get more output traffic for your own traffic.

I myself got attacked and was abused by said methods, and collected a bit of information during that time. As I said, those are just two of several problems; I didn't even look further, but I heard spoofing an existing connection was another one, for example.

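
An added example (written for this thread, not Teeworlds code) that puts numbers on the two points above: how a status record grows when the slots are filled with "(connecting)" entries, as lucid.dreaming describes, and what Schwertspize's rule in #2 (replies no larger than an artificially enlarged request) does to the amplification factor. The record layout, the 64-slot count, the 16-byte probe and the player names are constructed for the example; the real Teeworlds serverinfo format is not reproduced.

```python
# Toy status exchange assumed for this example (not the Teeworlds wire format):
#   request : b"GETINFO" followed by optional zero padding
#   response: a text record, one line per occupied slot
HEADER = b"INFO\n"
REQUEST_PREFIX = b"GETINFO"


def player_line(name):
    return name.encode() + b" 0 0\n"          # name score team; constructed fields


def build_info_response(server_name, player_names):
    """Unbounded status record. Every occupied slot adds a line, and a slot held
    by a half-open "(connecting)" client counts just like a real player."""
    out = HEADER + server_name.encode() + b"\n"
    for name in player_names:
        out += player_line(name)
    return out


def unhardened_reply(request, server_name, player_names):
    """Pre-fix behaviour: any source that sends the prefix gets the full record."""
    if not request.startswith(REQUEST_PREFIX):
        return None
    return build_info_response(server_name, player_names)


def size_bounded_reply(request, server_name, player_names):
    """Hardened: the reply is never longer than the request. The record is
    filled line by line while it still fits; a client that wants the whole
    player list pads its request to that size. A spoofed request can then
    deliver no more bytes to the victim than the attacker paid for."""
    if not request.startswith(REQUEST_PREFIX):
        return None
    out = HEADER + server_name.encode() + b"\n"
    if len(out) > len(request):
        return None                       # not even the header fits: stay silent
    for name in player_names:
        line = player_line(name)
        if len(out) + len(line) > len(request):
            break
        out += line
    return out


def amplification(request, response):
    """Bytes delivered to the (possibly spoofed) source per byte the sender sent."""
    return 0.0 if response is None else len(response) / len(request)


def scenario():
    probe = REQUEST_PREFIX + bytes(16 - len(REQUEST_PREFIX))   # 16-byte request
    name = "my server"
    idle = []                                  # empty server
    filled = ["(connecting)"] * 64             # slots clogged as described in post 1
    full_size = len(build_info_response(name, filled))
    padded = REQUEST_PREFIX + bytes(full_size - len(REQUEST_PREFIX))
    return {
        "idle_amp": amplification(probe, unhardened_reply(probe, name, idle)),
        "filled_amp": amplification(probe, unhardened_reply(probe, name, filled)),
        "hardened_probe_amp": amplification(probe, size_bounded_reply(probe, name, filled)),
        "hardened_padded_len": len(size_bounded_reply(padded, name, filled)),
        "full_size": full_size,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With 64 clogged slots the toy record is 1103 bytes for a 16-byte probe, about 69x amplification; the same probe against an empty server yields under 1x, which is why the attacker fills servers before selling the reflection. The size bound caps every reply at 1x, so a customer of a spoofing service gains nothing over sending the bytes to the victim directly. It does not stop 1:1 reflection toward a third party; only a handshake or cookie of the kind discussed for the connect path removes that. A real server would also cache the record rather than rebuild it per request.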

13

Re: Patching current vulnerabilities and moving on to 0.7.0

This is similar to DNS amplification. I guess the responsible thing to do is patching the protocol with an appropriate handshake and having the master servers enforce such behavior. This would probably not be backwards compatible with the 0.6 protocol.

14

Re: Patching current vulnerabilities and moving on to 0.7.0

Schwertspize: Ok.

Magnet: Ok cool, I hope this issue is fixed soon.

Stitch626 wrote:

It's not allowed to host a modified vanilla server (as DM,CTF, etc), no matter what kind of edit it is.

I think a security patch must be acceptable because it wouldn't modify the game play at all.

And it looks like you are on the attacker's side.

15

Re: Patching current vulnerabilities and moving on to 0.7.0

Magnet wrote:

This is similar to DNS amplification. I guess the responsible thing to do is patching the protocol with an appropriate handshake and having the master servers enforce such behavior. This would probably not be backwards compatible with the 0.6 protocol.

I fixed the protocol in a backwards-compatible way here: https://github.com/heinrich5991/teeworlds/tree/fix-0.6

I still need to test compiling on Windows and Mac; compiling on Linux and cross-compiling from Linux to Windows and Mac works.

Note that this still does not fix the master servers or the info packet, it's just a three-way handshake on connect, with backward-compatibility to existing clients.
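
An added example, not code from this thread, from Teeworlds or from heinrich5991's branch, of the token idea in post 1 and the three-way handshake on connect in the post above: the server answers a connect request with an HMAC-derived token bound to the source address and only commits a slot when that token comes back. The packet names (CONNECT/TOKEN/ACCEPT), the 8-byte token, the 5-second time bucket and the addresses are assumptions made for the simulation; the legacy-client compatibility path of the real patch is not modelled.

```python
import hashlib
import hmac
import os

# Toy packet layout assumed for this example (not the Teeworlds wire format):
#   client -> server : b"CONNECT"
#   server -> client : b"TOKEN" + 8-byte token     (sent to the packet's source address)
#   client -> server : b"ACCEPT" + those 8 bytes    (only possible if the TOKEN arrived)
TOKEN_LEN = 8


class TokenServer:
    """Commits a slot only after the source address proves it can receive."""

    def __init__(self, max_slots, secret=None, epoch_seconds=5.0):
        self.max_slots = max_slots
        self.secret = secret or os.urandom(32)   # server-private key, never sent
        self.epoch_seconds = epoch_seconds
        self.slots = {}    # addr -> join time; written only after a valid ACCEPT
        self.outbox = []   # (addr, payload) replies, kept so the driver can read them

    def _token(self, addr, epoch):
        # Stateless cookie: HMAC(key, ip || port || time bucket). Nothing is stored
        # for a half-open attempt, so a flood of CONNECTs from forged sources
        # costs the server neither memory nor a slot.
        msg = f"{addr[0]}|{addr[1]}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TOKEN_LEN]

    def handle(self, addr, data, now):
        """Process one datagram from addr at time now; returns an outcome label."""
        epoch = int(now // self.epoch_seconds)
        if data == b"CONNECT":
            self.outbox.append((addr, b"TOKEN" + self._token(addr, epoch)))
            return "challenged"
        if data.startswith(b"ACCEPT") and len(data) == len(b"ACCEPT") + TOKEN_LEN:
            presented = data[len(b"ACCEPT"):]
            # Accept the current and the previous bucket so a client challenged
            # just before a bucket boundary is not rejected.
            valid = any(hmac.compare_digest(presented, self._token(addr, e))
                        for e in (epoch, epoch - 1))
            if not valid:
                return "bad_token"
            if addr in self.slots:
                return "already_joined"
            if len(self.slots) >= self.max_slots:
                return "full"
            self.slots[addr] = now
            return "joined"
        return "ignored"


def legit_join(server, addr, now):
    """A real client: it receives the TOKEN reply and echoes the token back."""
    server.handle(addr, b"CONNECT", now)
    to, reply = server.outbox[-1]
    assert to == addr and reply.startswith(b"TOKEN")
    return server.handle(addr, b"ACCEPT" + reply[len(b"TOKEN"):], now)


def spoofed_flood(server, count, now):
    """Attacker sends CONNECT from forged sources. The TOKEN replies go to those
    forged addresses, so the attacker can only guess the 8 bytes."""
    outcomes = []
    for i in range(count):
        forged = (f"203.0.113.{i % 256}", 10000 + i)   # constructed, documentation range
        server.handle(forged, b"CONNECT", now)
        outcomes.append(server.handle(forged, b"ACCEPT" + bytes(TOKEN_LEN), now))
    return outcomes


def simulate():
    srv = TokenServer(max_slots=4)
    flood = spoofed_flood(srv, 1000, now=100.0)
    slots_after_flood = len(srv.slots)
    first = legit_join(srv, ("198.51.100.7", 8303), now=101.0)
    again = legit_join(srv, ("198.51.100.7", 8303), now=101.5)
    return {
        "flood_outcomes": set(flood),
        "slots_after_flood": slots_after_flood,
        "legit_first": first,
        "legit_again": again,
        "slots_now": len(srv.slots),
    }


if __name__ == "__main__":
    print(simulate())
```

Run it and the flood of 1000 forged CONNECTs leaves every slot free: each TOKEN reply goes to the forged address, and a blind ACCEPT has to guess 64 bits. Because the server keeps no state per half-open attempt, the flood cannot exhaust memory either, which a table of pending handshakes would. Two things the toy skips that a real implementation needs: the TOKEN reply must not be larger than the CONNECT request (otherwise the challenge itself is a reflection vector), and a client behind a NAT whose source port changes between the two packets will fail the check and must retry.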

16

Re: Patching current vulnerabilities and moving on to 0.7.0

@heinrich: does it require a handshake before sending server/player info? These are the structures used to flood third parties. I can't look at your patch now, but the one I saw earlier only limited the rate of sending info, which penalizes legitimate players who can't read the player list when there's a surge of requests.

17

Re: Patching current vulnerabilities and moving on to 0.7.0

magnet wrote:

does it require a handshake before sending server/player info? These are the structures used to flood third parties. I can't look at your patch now, but the one I saw earlier only limited the rate of sending info, which penalizes legitimate players who can't read the player list when there's a surge of requests.

No. It doesn't fix the serverinfo part. It does fix joining from spoofed IPs and as such also map download to spoofed IPs.

The proper fix for the serverinfo stuff would be http masters, which I haven't come around to write yet, unfortunately.

18

Re: Patching current vulnerabilities and moving on to 0.7.0

What is happening to the master servers these days? The server count shown in the server list jumps from 50 to 600 (250, 400, etc.).

19

Re: Patching current vulnerabilities and moving on to 0.7.0

@lucid.dreaming: Not really, was just pointing to the rules...
@Magnet / @heinrich5991: Don't you think it would be better to finally release 0.7 with better standards instead of bugfixing a now 7-year-old release? (0.6 was released in 2011...)

20 (edited by MrAnderson 2018-10-09 15:28:48)

Re: Patching current vulnerabilities and moving on to 0.7.0

@yavl: The master servers have been attacked with a "bea2" flood for about 3 days. The effect of this is that Teeworlds servers can no longer register at the master servers. As long as the attack is running, a patch which prevents the master server from being flooded with heartbeat packets will be active. As soon as the attack is over, I will switch the master server back to normal mode. This is only a temporary solution; there would be no server listed without a temporary "fix".

I would also prefer to finally release 0.7.

15:07:25.340494 IP (tos 0x0, ttl 60, id 11309, offset 0, flags [none], proto UDP (17), length 44)
    188.107.118.xxx.17131 > 51.254.183.249.8300: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 2c2d 0000 3c11 3362 bc6b 76cf  E..,,-..<.3b.kv.
        0x0010:  33fe b7f9 42eb 206c 0018 6ab2 affd a0f0  3...B..l..j.....
        0x0020:  0ffb ffff ffff 6265 6132 ee00            ......bea2..
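
An added example, not the master-server patch MrAnderson describes, that parses tcpdump -v -X output like the capture above, pulls the UDP payload out of the hex dump, recognises a heartbeat by the ffffffff "bea2" marker at payload offset 6 (where the capture shows it), and flags sources that send more heartbeats than a window allows. The capture lines are constructed in the same layout as MrAnderson's, with documentation-range addresses and zeroed checksums; the 10-second window and the one-per-window limit are policy assumptions for the example.

```python
import re
from collections import Counter, defaultdict, deque

# 0.6 heartbeat marker as it appears in the capture above: four 0xff bytes
# followed by "bea2", at offset 6 of the UDP payload.
HEARTBEAT_MARKER = b"\xff\xff\xff\xffbea2"
MARKER_OFFSET = 6

# Constructed sample in tcpdump -v -X layout (documentation-range addresses,
# checksums zeroed): three heartbeats, two from the same source within a
# second, and one unrelated packet.
SAMPLE_DUMP = """\
15:07:25.340494 IP (tos 0x0, ttl 60, id 11309, offset 0, flags [none], proto UDP (17), length 44)
    203.0.113.10.17131 > 198.51.100.20.8300: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 2c2d 0000 3c11 0000 cb00 710a  E..,,-..<.......
        0x0010:  c633 6414 42eb 206c 0018 0000 affd a0f0  .3d.B..l........
        0x0020:  0ffb ffff ffff 6265 6132 ee00            ......bea2..
15:07:25.512301 IP (tos 0x0, ttl 60, id 11310, offset 0, flags [none], proto UDP (17), length 44)
    203.0.113.10.17131 > 198.51.100.20.8300: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 2c2e 0000 3c11 0000 cb00 710a  E..,,...<.......
        0x0010:  c633 6414 42eb 206c 0018 0000 affd a0f0  .3d.B..l........
        0x0020:  0ffb ffff ffff 6265 6132 ee00            ......bea2..
15:07:25.900012 IP (tos 0x0, ttl 60, id 11320, offset 0, flags [none], proto UDP (17), length 44)
    203.0.113.11.17132 > 198.51.100.20.8300: [udp sum ok] UDP, length 16
        0x0000:  4500 002c 2c38 0000 3c11 0000 cb00 710b  E..,,8..<.......
        0x0010:  c633 6414 42ec 206c 0018 0000 affd a0f0  .3d.B..l........
        0x0020:  0ffb ffff ffff 6265 6132 ee00            ......bea2..
15:07:27.004410 IP (tos 0x0, ttl 60, id 11312, offset 0, flags [none], proto UDP (17), length 36)
    203.0.113.12.30000 > 198.51.100.20.8300: [udp sum ok] UDP, length 8
        0x0000:  4500 0024 2c30 0000 3c11 0000 cb00 710c  E..$,0..<.......
        0x0010:  c633 6414 7530 206c 0010 0000 0102 0304  .3d.u0.l........
        0x0020:  0506 0708                                ....
"""

HDR_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(.*proto UDP \(17\)")
ADDR_RE = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): .*UDP, length (\d+)")
HEX_RE = re.compile(r"^\s+0x[0-9a-fA-F]+:\s+(.*)$")


def _finish(pkt):
    """Cut the UDP payload out of the reassembled IPv4 packet bytes."""
    raw = bytes(pkt.pop("raw"))
    ihl = (raw[0] & 0x0F) * 4                          # IPv4 header length
    udp_total = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
    pkt["payload"] = raw[ihl + 8:ihl + udp_total]
    if len(pkt["payload"]) != pkt["udp_len"]:
        raise ValueError("hex dump does not match the declared UDP length")
    return pkt


def parse_tcpdump(text):
    """Yield one dict per UDP packet from tcpdump -v -X text (IPv4 only)."""
    cur = None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            if cur:
                yield _finish(cur)
            h, mi, s = m.groups()
            cur = {"time": int(h) * 3600 + int(mi) * 60 + float(s), "raw": bytearray()}
        elif cur is None:
            continue
        elif m := ADDR_RE.match(line):
            cur.update(src_ip=m[1], src_port=int(m[2]), dst_ip=m[3],
                       dst_port=int(m[4]), udp_len=int(m[5]))
        elif m := HEX_RE.match(line):
            hex_part = m[1].split("  ")[0]             # drop the ASCII column
            cur["raw"] += bytes.fromhex(hex_part.replace(" ", ""))
    if cur:
        yield _finish(cur)


def is_heartbeat(payload):
    end = MARKER_OFFSET + len(HEARTBEAT_MARKER)
    return payload[MARKER_OFFSET:end] == HEARTBEAT_MARKER


def analyze(dump_text, window_s=10.0, max_per_window=1):
    """Count heartbeats per source; flag a source once it exceeds
    max_per_window inside window_s seconds (policy values are assumptions)."""
    per_source, recent, flagged, other = Counter(), defaultdict(deque), set(), 0
    for pkt in parse_tcpdump(dump_text):
        if not is_heartbeat(pkt["payload"]):
            other += 1
            continue
        src = pkt["src_ip"]
        per_source[src] += 1
        q = recent[src]
        q.append(pkt["time"])
        while q and pkt["time"] - q[0] > window_s:
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(src)
    return {"heartbeats": dict(per_source), "other": other, "flagged": sorted(flagged)}


if __name__ == "__main__":
    print(analyze(SAMPLE_DUMP))
```

Feed it the text of `tcpdump -nn -v -X udp port 8300` on the master. Two caveats: a per-source limit only bounds senders whose addresses are real, and this thread says the flood is spoofed, so the flagged list is at best input for an abuse report rather than a fix (the thread's answer to forged sources is a handshake or HTTP masters); and the parser trusts the IHL and UDP length fields in the dump, raising on a mismatch with the declared length, rather than the text line alone.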

21

Re: Patching current vulnerabilities and moving on to 0.7.0

Probably best to just release 0.7 and then go on from there. Will check/fix crucial stuff and then release it this weekend. Anyone is invited to test and report current bugs.

Remember the 80s - good times

22

Re: Patching current vulnerabilities and moving on to 0.7.0

Good news! Exciting times ahead.

Not Luck, Just Magic.

23 (edited by ShootXen 2018-10-09 22:01:18)

Re: Patching current vulnerabilities and moving on to 0.7.0

Oy wrote:

Probably best to just release 0.7 and then go on from there. Will check/fix crucial stuff and then release it this weekend. Anyone is invited to test and report current bugs.


1.April?

"0.7 will be released in 2015"

24

Re: Patching current vulnerabilities and moving on to 0.7.0

Given the circumstances, I think it's appropriate to link the 13 open issues tagged as bugs: https://github.com/teeworlds/teeworlds/ … abel%3Abug


25 (edited by Stitch626 2018-10-10 00:41:23)

Re: Patching current vulnerabilities and moving on to 0.7.0

And what about slopes? There was demo code which actually worked. There aren't any big improvements over the past years (except the new skin system)... I'd like to see slopes! It would definitely improve the game!

Edit: What about 0.5/0.4? That's now definitely dead; will tw itself drop the support for those old versions? I mean, if you really improve the master server security, you should/could drop the support for older versions (it would otherwise create a new hole).