Noticed Something, Probably not Useful

Have you ever tried (Ab)using the query protocol?

  • I've just used YATQA

    Votes: 2 22.2%
  • Yes

    Votes: 5 55.6%
  • No

    Votes: 2 22.2%

  • Total voters
    9

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
The TS itself crashed after 200 connections within a second or so SUCCESSFUL. So what I am saying is try focus on connections/second and not 1million+ queries over an hour :)
I understand, but right now I'm connecting from my home with this client and my OVH server connection > home connection. (OVH server can take way more queries than my home connection can do/send)
 

shockli

Contributor
Jan 29, 2016
It's not something to worry about, at this current moment it's not something concrete yet. And from the looks of it, an attacker will need login credentials to trigger this.

However, It is still something unusual that may lead us to more dangerous vulnerabilities.

-Derp
Thanks. I expect the rest of this thread to continue with @0x0539 and @Qraktzyl posting non-related stuff but I got my point across :)
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
I'm just wondering how you have a 96-core server cluster, cause I'm jealous. It is unrelated but related at the same time.
 

shockli

Contributor
Jan 29, 2016
I understand, but right now I'm connecting from my home with this client and my OVH server connection > home connection. (OVH server can take way more queries than my home connection can do/send)
Ok awesome! Keep me updated, try different stuff and all. I mentioned how I did it but it might work (maybe even better) if you try different ways, for example some have logins, others join channel, some set nick, some just be like 2 million join in one second, etc.. :)
 

shockli

Contributor
Jan 29, 2016
I'm just wondering how you have a 96-core server cluster, cause I'm jealous. It is unrelated but related at the same time.
It's a physical 4-core machine with 24 logical cores I think, not a cluster; clusters are limited by networking capabilities and I'd need a major 100gbit/s+ tunnel to do that.
 

0x0539

Retired Staff
Contributor
Jan 30, 2016
[image attachment: 2mn21t.jpg]
 

Derp

Retired Staff
Contributor
Apr 30, 2015
They shit-talkin about us.

Leave me out of this, I don't want to get in between you guys, and skokk's "sexy hairy legs" :p :p :p

x)

(Assuming that was directed to me and skokk, if not, report this to qraktzyl <3)
 

shockli

Contributor
Jan 29, 2016
So I have partially replicated it on my computer via a VLAN I quickly set up. Host is running at gbit/s and attacker is running at 100mbit/s. Server freezes for a few seconds for all users (3 real users speaking), but recovers afterwards. While 50 connections at once is a lot different than what I did, this is definitely showing possibility as it seems to bypass the query whitelist, and the ban on my IP only seems to get activated after all my clients have connected anyway. Check image below :) - Also, @Derp, you might find it interesting that the server reports incorrect client AND query information. There are only 3 actual clients.

[image attachment: haxxx.png]
 

shockli

Contributor
Jan 29, 2016
So I have partially replicated it on my computer via a VLAN I quickly set up. Host is running at gbit/s and attacker is running at 100mbit/s. Server freezes for a few seconds for all users (3 real users speaking), but recovers afterwards. While 50 connections at once is a lot different than what I did, this is definitely showing possibility as it seems to bypass the query whitelist, and the ban on my IP only seems to get activated after all my clients have connected anyway. Check image below :) - Also, @Derp, you might find it interesting that the server reports incorrect client AND query information. There are only 3 actual clients.

I will test this on 3.11.4 later, which might be even easier to break.
 

0x0539

Retired Staff
Contributor
Jan 30, 2016
So I have partially replicated it on my computer via a VLAN I quickly set up. Host is running at gbit/s and attacker is running at 100mbit/s. Server freezes for a few seconds for all users (3 real users speaking), but recovers afterwards. While 50 connections at once is a lot different than what I did, this is definitely showing possibility as it seems to bypass the query whitelist, and the ban on my IP only seems to get activated after all my clients have connected anyway. Check image below :) - Also, @Derp, you might find it interesting that the server reports incorrect client AND query information. There are only 3 actual clients.

I like where this is going with the "incorrect clients / query information"
 

Derp

Retired Staff
Contributor
Apr 30, 2015
This means the server isn't properly handling multiple connection attempts! Maybe leading to memory corruption or possible leaks, breaking its stability.

Something we definitely need to check. I'll have all this information gathered in a dev thread.

Thank you.
 

shockli

Contributor
Jan 29, 2016
This means the server isn't properly handling multiple connection attempts! Maybe leading to memory corruption or possible leaks, breaking its stability.

Something we definitely need to check. I'll have all this information gathered in a dev thread.

Thank you.
It is something that needs to be looked at. If you are to connect to the server via YATQA while such an attack is running (My current laptop can only do about 200 simultaneous connections, I'll need to recode this script to actually be effective), the information fed to YATQA is correct while to the clients is wrong. In some (1/8 current testing) cases the client is also not able to connect because of a slot limit, where the client could be fed the "incorrect" information.
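The thread's observation is that the IP ban only kicks in after an entire burst of query connections has already been accepted. As an added defensive illustration (not code from this thread or from the TeamSpeak project), here is a per-source sliding-window limiter that refuses the rest of a burst as soon as a source exceeds a connections-per-second threshold; the connection attempts and the thresholds are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, source_ip) connection attempts on
# the query port. One source opens 250 connections inside one second, the
# other sources are ordinary users. These are not real server logs.
SAMPLE_ATTEMPTS = (
    [(i * 0.004, "203.0.113.7") for i in range(250)]
    + [(0.3, "198.51.100.2"), (0.9, "198.51.100.3"), (2.1, "198.51.100.2")]
)


class RateLimiter:
    """Per-source sliding-window connection limiter (hypothetical thresholds).

    A source is banned the moment it exceeds `max_conn` attempts within
    `window` seconds, so the remainder of a burst is refused instead of the
    ban only taking effect after every connection has been accepted.
    """

    def __init__(self, max_conn=20, window=1.0, ban_seconds=60.0):
        self.max_conn = max_conn
        self.window = window
        self.ban_seconds = ban_seconds
        self._recent = defaultdict(deque)  # ip -> attempt timestamps in window
        self._banned_until = {}            # ip -> time the ban expires

    def allow(self, ts, ip):
        """Return True if the attempt at time `ts` from `ip` should be accepted."""
        if self._banned_until.get(ip, -1.0) > ts:
            return False
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) > self.max_conn:
            self._banned_until[ip] = ts + self.ban_seconds
            q.clear()
            return False
        return True


def replay(attempts, limiter=None):
    """Feed attempts in time order; return {ip: (accepted, refused)} counts."""
    limiter = limiter or RateLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(attempts):
        counts[ip][0 if limiter.allow(ts, ip) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}
```

With the defaults, the bursting source gets 20 connections through and 230 refused, while the ordinary users are untouched.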
 