Harmful security issue (server-sided UDP floods)
#1

This is the second time our server was attacking another IP by means of UDP floods. Very annoying, due to the fact that the datacenter's security systems notice the attacks and disable the host...

To be clear, our samp server was the SOURCE of the attack... No other application was running (and technically none can occupy the same port that is already in use by the samp server itself), no signs of intrusion were found in the host logs, and no scripts (typically PHP or Perl scripts for UDP floods) were found either.

The only conclusion is that the samp server is used to perform attacks on others somehow.
If you look at the logs of the attack, it's as if the samp server is trying to find an available port with the client, which might look like a normal client connection attempt. This happens a few times per second for quite a while; see how the port on the client side is changing:

starttime           endtime             src:port           dst:port
----------------------------------------------------------------------------
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:58421
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:24395
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:9050
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:59222
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:39286
2012-02-01 09:17:07 2012-02-01 09:17:07 9*.2*.6*.5*:7777   17*.6*.13*.15*:48431
2012-02-01 09:17:07 2012-02-01 09:17:07
... and so on

The second time it attacked a few IPs in the same range:

06:07:33.829922 IP 9*.2*.6*.5*:7777 > **.2*8.67.97.28974: UDP, length 14
06:07:33.829922 IP 9*.2*.6*.5*:7777 > **.2*8.67.98.28990: UDP, length 14
06:07:33.837922 IP 9*.2*.6*.5*:7777 > **.2*8.67.96.28971: UDP, length 14
06:07:33.841921 IP 9*.2*.6*.5*:7777 > **.2*8.67.98.28990: UDP, length 14
06:07:33.841921 IP 9*.2*.6*.5*:7777 > **.2*8.67.97.28974: UDP, length 14
... and so on

(IPs partially censored)

The port of the source (7777) is our samp server...
Server version is Linux.
Outgoing traffic exceeded 300 Mbit.
The outgoing connection attempts (e.g. the UDP floods) do not show in the samp log file.
It, obviously, lags the sh*t out of the players, causing timeouts.

Is this a known issue, and is it fixable?
I suppose this could be a serious security gap in the server software... once this "tool" or "technique" is out there it can be very damaging for many samp servers and/or communities...
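Added example, not from the original thread: a small parser for the two log formats shown above (the ISP's flow export and the tcpdump lines) with a burst check that flags a source socket hitting many distinct destination ports within one second, which is the pattern described in the post. It also computes the packet rate that 300 Mbit of 14-byte datagrams would imply, since that figure is relevant to judging the logs. The sample lines are constructed with RFC 5737 documentation addresses in place of the censored ones; the threshold of three targets per second is an assumption and should be tuned to the server's normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the thread (RFC 5737
# documentation addresses stand in for the censored ones).
FLOW_LOG = """\
2012-02-01 09:17:07 2012-02-01 09:17:07 192.0.2.10:7777 198.51.100.7:58421
2012-02-01 09:17:07 2012-02-01 09:17:07 192.0.2.10:7777 198.51.100.7:24395
2012-02-01 09:17:07 2012-02-01 09:17:07 192.0.2.10:7777 198.51.100.7:9050
2012-02-01 09:17:07 2012-02-01 09:17:07 192.0.2.10:7777 198.51.100.7:59222
2012-02-01 09:17:08 2012-02-01 09:17:08 192.0.2.10:7777 203.0.113.5:7777
"""

TCPDUMP_LOG = """\
06:07:33.829922 IP 192.0.2.10.7777 > 198.51.100.97.28974: UDP, length 14
06:07:33.829922 IP 192.0.2.10.7777 > 198.51.100.98.28990: UDP, length 14
06:07:33.837922 IP 192.0.2.10.7777 > 198.51.100.96.28971: UDP, length 14
06:07:33.841921 IP 192.0.2.10.7777 > 198.51.100.98.28990: UDP, length 14
06:07:33.841921 IP 192.0.2.10.7777 > 198.51.100.97.28974: UDP, length 14
"""

# flow export: "<start date time> <end date time> <src>:<port> <dst>:<port>"
FLOW_RE = re.compile(r"^(\S+ \S+) (\S+ \S+) (\S+):(\d+) (\S+):(\d+)$")
# tcpdump: "<hh:mm:ss.usec> IP <src>.<port> > <dst>.<port>: UDP, length <n>"
# (a ':' before the port is accepted too, as in the censored lines in the thread)
DUMP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)[.:](\d+) > (\S+)[.:](\d+): UDP, length (\d+)$")


def parse_line(line):
    """Return one event dict for either log format, or None for other lines."""
    m = FLOW_RE.match(line)
    if m:
        start, _end, sip, sport, dip, dport = m.groups()
        return {"ts": start, "src": sip, "sport": int(sport),
                "dst": dip, "dport": int(dport), "length": None}
    m = DUMP_RE.match(line)
    if m:
        ts, sip, sport, dip, dport, length = m.groups()
        return {"ts": ts, "src": sip, "sport": int(sport),
                "dst": dip, "dport": int(dport), "length": int(length)}
    return None


def parse_events(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_bursts(events, min_targets=3):
    """Flag (src, sport, second) tuples that hit at least min_targets distinct
    dst:port pairs within one second. A game server answering real clients
    talks to one peer per client port; spraying many ports per second is not that."""
    targets = defaultdict(set)
    for ev in events:
        targets[(ev["src"], ev["sport"], ev["ts"])].add((ev["dst"], ev["dport"]))
    return sorted((src, sport, ts, len(t))
                  for (src, sport, ts), t in targets.items() if len(t) >= min_targets)


def packets_per_second(mbit_per_s, udp_payload_bytes):
    """Packet rate needed to fill mbit_per_s with UDP datagrams of the given payload
    on Ethernet: 14 + 20 + 8 bytes of headers, 4 bytes FCS, 64-byte minimum frame,
    plus 20 bytes of preamble and inter-frame gap per frame."""
    frame = max(64, udp_payload_bytes + 14 + 20 + 8 + 4)
    return mbit_per_s * 1_000_000 / ((frame + 20) * 8)


if __name__ == "__main__":
    for src, sport, ts, n in find_bursts(parse_events(FLOW_LOG + TCPDUMP_LOG)):
        print(f"{ts} {src}:{sport} -> {n} distinct targets within one second")
    print(f"300 Mbit/s of 14-byte datagrams needs about "
          f"{packets_per_second(300, 14):,.0f} packets per second")
```

Feeding the provider's full (uncensored) logs through parse_events and find_bursts gives the list of seconds in which the server socket sprayed multiple ports, which is the evidence to hand to the provider; the packets_per_second figure shows why a 300 Mbit flood of 14-byte datagrams would have to be several hundred thousand packets per second, so the rate in the logs should be checked against the bandwidth graph.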
#2

Hey,

A couple of quick checks: make sure the server executable is actually, well, the server executable.
Someone could've replaced it with a skiddy tool.

If that doesn't show any joy, run
Quote:

iotop

and
Quote:

netstat -n

Theoretically, anything pushing out that much bandwidth will be hammering the I/O a bit, so iotop should show you the offending process(es).
Post the results if you're unsure about what it means.
#3

The executable hasn't been changed since the date that I un-tarred it.

I'm checking iftop, similar to iotop, multiple times a day.
This and netstat are only useful when being attacked or being used to attack, though.

+ the provider is keeping the dedi blocked now while I'm trying to convince them that I'm not the one attacking ppl...
#4

I have never heard of such a thing happening.

My main questions would be:
- What are the targets of the attack? Have these addresses previously queried or connected to the sa-mp server? You can enable query logging with the rcon 'logqueries' variable.
- Can you provide bandwidth graphs that show 300Mbit of outgoing traffic? It seems difficult to get to 300Mbit from 14 byte UDP packet logs you provided.

I'm not ready to accept your conclusion at this point. The SA-MP server does not send out packets on its own.
#5

@Kalcor, my thoughts exactly.

I suspect this is more of a server intrusion, than a software exploit.
#6

The targets seem to be servers.
These are snippets of the logs provided by the ISP.

How would you explain the same port being used as the running samp server? As far as I know, 2 applications can't use the same port at the same time! However, I've just read this:

Quote:

For UDP (Multicasts), multiple applications can subscribe to the same port.

Although I didn't find anything miscellaneous at first look, it might be interesting to investigate further and even re-install the OS.

Thanks for the replies, tips and hints.
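Added example, not from the original thread, that serves both the netstat check suggested in post #2 and the question in post #6 about two programs using the same port: a port number alone does not identify a process, because with SO_REUSEADDR/SO_REUSEPORT several UDP sockets in different processes can be bound to the same port (multicast is only the best-known case). The defender's check is therefore to list every process that owns a socket on udp/7777 and compare that list against the one process that should be there. The code parses the process column of `ss -unp` (the modern equivalent of `netstat -unp`; run as root, otherwise other users' processes are hidden). The sample output is constructed; `samp03svr` is assumed here as the name of the Linux server binary, and the second owner (`perl`, pid 4321) is an invented illustration of what an unexpected owner would look like.

```python
import hashlib
import os
import re

# Constructed sample of `ss -unp` output (UDP sockets with owning processes).
# Process names, PIDs and the second owner of port 7777 are made up for illustration.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:7777        0.0.0.0:*         users:(("samp03svr",pid=1234,fd=5))
UNCONN 0      0      0.0.0.0:7777        0.0.0.0:*         users:(("perl",pid=4321,fd=3))
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
"""

# one ("name",pid=N,fd=M) entry inside the users:(...) column of ss -p
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def owners_of_port(ss_text, port):
    """All (process name, pid) pairs holding a UDP socket bound to `port`.
    With SO_REUSEADDR/SO_REUSEPORT several sockets, in different processes,
    can be bound to the same UDP port, so this may legitimately return more than one."""
    owners = []
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:                          # no process column (not root?)
            continue
        local_addr = fields[3]                       # e.g. 0.0.0.0:7777 or 127.0.0.53%lo:53
        if local_addr.rsplit(":", 1)[-1] != str(port):
            continue
        owners.extend((name, int(pid)) for name, pid in PROC_RE.findall(fields[5]))
    return owners


def unexpected_owners(ss_text, port, expected_names):
    """Owners of `port` whose process name is not on the allow-list."""
    return [o for o in owners_of_port(ss_text, port) if o[0] not in expected_names]


def exe_of_pid(pid):
    """Path of the binary a PID is running (Linux /proc; needs permission), else None."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def sha256_of(path):
    """Hash a file so its binary can be compared with the one from the downloaded tarball."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    # On a live host: ss_text = subprocess.run(["ss", "-unp"], capture_output=True, text=True).stdout
    for name, pid in unexpected_owners(SS_OUTPUT, 7777, {"samp03svr"}):
        exe = exe_of_pid(pid)
        print(f"unexpected owner of udp/7777: {name} pid={pid} exe={exe}")
        if exe:
            print("  sha256:", sha256_of(exe))
```

The point of the allow-list is that the game server's own socket is expected on 7777; anything else bound to the same port is what netstat/ss should be used to find. The /proc/PID/exe link also answers the "has the executable been replaced" check from post #2 more reliably than a file timestamp, since it shows which file the running process was actually started from, and that file can be hashed against a clean copy.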
#7

I think it might be a plugin, since I've heard of some people creating bad things with plugins, abusing a plugin's power.
#8

You can PM me with the full details and we'll investigate it. Please send uncensored logs and a list of all the scripts/plugins that your server uses.