As an administrator of several Source-based game servers, I’ve dealt with various known security vulnerabilities that Valve hasn’t bothered to fix. Some of the most common involve client-side console commands that, if run once or spammed (which the server will allow), cause a degradation of service (massive lag) or a denial of service (you guessed it, the server crashes). These really aren’t all that bad: since they are well known, server plugins are available to block the commands.
The most troubling incident I’ve dealt with involved an attacker who exploited a security vulnerability in Valve’s server query protocol, which caused a serious degradation of service. I couldn’t simply block all the query packets, since legitimate clients needed to be able to query servers. To further complicate matters, the attacker was also spoofing the source IP in the packet headers, which ruled out a simple firewall rule.
This particular vulnerability was not really bad design per se (although it was poorly designed), but more a really poor implementation. Here are the details:
Read more…
I’m currently working on a TCP client/server system, and I wanted to prevent clients from DoSing the server.
One way to do that is to restrict each client to a certain number of connections in a given time period. Since the code is designed to prevent a DoS condition, it must be extremely fast and efficient, because it may run thousands of times per minute (during a DoS attack, for example).
I designed the connection limit system around a collection of connection records, a prune timer, and a test when the server accepts a client connection.
Since I needed to check two fields (timestamp and IP) in each connection record to determine the connection count for a given IP address in a given time period, I decided to use LINQ, which worked nicely:
// Get this client's connection count.
// The cutoff is computed once, rather than calling DateTime.Now for every record.
DateTime cutoff = DateTime.Now.AddMinutes(-howFarBackInMinutesToCheck);
int connCount = (from conn in _connections
                 where conn.Ip == clientIp && conn.Timestamp > cutoff
                 select conn).Count();
The other query I needed was for pruning the connection list:
// Get the connections to prune.
// ToList() materializes the query up front, because List<T> throws
// InvalidOperationException if it is modified while a deferred query over it is
// still being enumerated.
DateTime cutoff = DateTime.Now.AddMinutes(-howFarBackInMinutesToCheck);
var connQuery = (from conn in _connections
                 where conn.Timestamp < cutoff
                 select conn).ToList();
After checking that the number of records to prune was greater than zero (connQuery.Count()), I pruned them by iterating through the query and removing each record from the list (LINQ queries implement IEnumerable; the query has to be materialized first, for example with ToList(), because removing from a List<T> while a deferred query over it is being enumerated throws).
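Both queries above scan every connection record on every accept, so the check is O(n) in the number of recorded connections, and n is largest exactly when the limiter matters most (during a flood). The version below, an added example written for this page and not the original post’s code, keeps a short queue of accept times per source IP instead, so each accept costs O(1) amortised and pruning only touches the IPs that have gone quiet. The class name ConnectionLimiter, the methods Allow and Prune, the limits, and the two addresses in Main are assumptions; it uses Stopwatch rather than DateTime.Now because the wall clock can step backwards (NTP correction, DST), and it targets C# 9 / .NET 6 or later.

```csharp
// Added example (not the blog's code): per-IP sliding-window connection limiter.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;

public sealed class ConnectionLimiter
{
    private readonly int _maxConnections;
    private readonly long _windowTicks;
    private readonly Dictionary<IPAddress, Queue<long>> _history = new();
    private readonly object _lock = new();
    // Stopwatch is monotonic, so a clock adjustment cannot let a burst through
    // or lock a client out.
    private readonly Stopwatch _clock = Stopwatch.StartNew();

    public ConnectionLimiter(int maxConnections, TimeSpan window)
    {
        _maxConnections = maxConnections;
        _windowTicks = (long)(window.TotalSeconds * Stopwatch.Frequency);
    }

    // Call once per accepted TCP connection. The three-way handshake has completed
    // by then, so the remote address cannot be spoofed the way a UDP source can.
    public bool Allow(IPAddress client)
    {
        long now = _clock.ElapsedTicks;
        lock (_lock)   // the accept loop may be multi-threaded
        {
            if (!_history.TryGetValue(client, out var times))
            {
                times = new Queue<long>();
                _history[client] = times;
            }
            // Drop timestamps that have aged out of the window for this IP only.
            while (times.Count > 0 && now - times.Peek() >= _windowTicks)
                times.Dequeue();
            if (times.Count >= _maxConnections)
                return false;   // over the limit: the caller closes the socket
            times.Enqueue(now);
            return true;
        }
    }

    // Run from a timer: forget IPs with no accepts inside the window, so the
    // dictionary does not grow without bound under a flood from many sources.
    public int Prune()
    {
        long now = _clock.ElapsedTicks;
        lock (_lock)
        {
            var stale = new List<IPAddress>();
            foreach (var kv in _history)
            {
                while (kv.Value.Count > 0 && now - kv.Value.Peek() >= _windowTicks)
                    kv.Value.Dequeue();
                if (kv.Value.Count == 0)
                    stale.Add(kv.Key);
            }
            // Remove after the loop: mutating a Dictionary while enumerating it throws.
            foreach (var ip in stale)
                _history.Remove(ip);
            return stale.Count;
        }
    }

    public static void Main()
    {
        // Constructed demo: at most 3 connections per IP per minute.
        var limiter = new ConnectionLimiter(3, TimeSpan.FromMinutes(1));
        var attacker = IPAddress.Parse("203.0.113.10");   // TEST-NET-3 documentation range
        var user = IPAddress.Parse("198.51.100.7");       // TEST-NET-2 documentation range
        for (int i = 1; i <= 5; i++)
            Console.WriteLine($"attacker attempt {i}: {(limiter.Allow(attacker) ? "accepted" : "rejected")}");
        Console.WriteLine($"legitimate user: {(limiter.Allow(user) ? "accepted" : "rejected")}");
        Console.WriteLine($"pruned {limiter.Prune()} idle source(s)");
    }
}
```

Two caveats worth keeping in mind. An application-level limiter only runs after the kernel has already completed the handshake and the accept has cost a socket, so a heavy SYN flood still has to be absorbed lower down (SYN cookies, or a per-source rule such as iptables’ connlimit/hashlimit modules). And a limit keyed on the source address alone will throttle every user behind a large NAT together with the one abusive client, so the per-IP budget needs to be generous enough for that case.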
Most projects have multiple release packages whenever a new version comes out. Depending on the project, there are usually two, a binary (one for each platform) and a source distribution. Some projects don’t distribute binaries at all.
What really got to me a few days ago was the MinGW project. This is a project that is intended to be used exclusively on Windows. Yet, the developers deprecated the installer (these are standard for most Windows applications), and instead asked users to download 17 packages by hand (something that is a little much even on Linux).
Even worse, some of the packages were compressed not with zip, gzip, or bzip2, but with lzma, one of the least common and least supported compression formats on Windows. Why would a developer pick the hardest format for a given operating system when packaging specifically for that system?
I try to avoid exotic archive formats like 7z (ironically, these use LZMA compression), but the compression offered by them is so incredible that I decided to post one publicly for the first time. Why? It reduced my 119 MB MinGW distribution to 14.5 MB, and MinGW is intended for use on Windows, so most people will be able to easily read the package with 7-Zip.
If I was packaging source code that could be used on Linux, I wouldn’t use 7z, since it’s harder to deal with on Linux. In my opinion, a zip file or tarball would be the most appropriate means of packaging.
Here’s my personal table for package format selection:
Read more…
After needing a copy of MinGW to compile some C code, I was somewhat annoyed to find that their all-in-one installer is now considered “deprecated”. That meant I had to download and extract 15 packages manually (two of them were even compressed as .lzma).
Why would anyone compress a package designed for Windows in .lzma format? The only way to extract it is with a command-line SDK tool. Even on Linux, distributing archives in .lzma format is a little strange.
Anyhow, to save everyone the trouble, here’s a package (includes C, C++ and all necessary tools) in .7z format (which can be extracted by 7-Zip, the best file archiver for Windows) -> MinGW Compiler Package (13).
December 27th, 2009
recon
Now that I’m correctly loading the extension (zend_extension_ts), eAccelerator is running smoothly.
I found something interesting in the event log yesterday:
PHP Warning: [eAccelerator] This build of "eAccelerator" was compiled for PHP version 5.2.9. Rebuild it for your PHP version (5.2.9-2) or download precompiled binaries.
Now that error message makes perfect sense. The reason I didn’t see it the first time around is that PHP logged two messages separately at the same time. If I was reading a flat file log, I would’ve noticed it immediately.
December 26th, 2009
recon
UPDATED
After a few segfaults, I realized that eAccelerator isn’t thread-safe (I was running it under a thread-safe server)… It is thread-safe… I just wasn’t loading it in thread-safe mode (see the manual for details). Whoops.
December 26th, 2009
recon
After getting somewhat annoyed with the slowness of my blog, and having nothing better to do, I decided to setup eAccelerator. I’m pretty sure I tried setting it up a long time ago, but for some reason, didn’t finish.
Following the path of logic, I went to the eAccelerator website in search of the appropriate files. Their Windows section directed me to SiteBuddy, which had a nice collection of binaries for various PHP versions. After determining my PHP version (5.2.9-2), I tried the closest match (5.2.9), and was greeted by the following error in the Windows event log:
Unable to start eAccelerator module in Unknown on line 0.
My initial reaction to the error: what the ****… (UPDATE: See this post for more details) After a quick Google search, I found that PHP modules must be built for the EXACT PHP version you plan to use them on.
Since I have just about every Microsoft C++ compiler, I figured compiling a new eAccelerator module for my version of PHP would be simple. I downloaded the archived PHP files I needed (now I understand why they keep archives), switched to the release configuration, and pressed build.
Read more…
December 20th, 2009
recon
After playing around with the client and server, here are my thoughts.
Server
Setup is pretty simple for any Linux admin. May pose problems for inexperienced admins.
The latest update (beta2), required a manual SQL diff and subsequent manual insert to enable the new permissions. I’m guessing they’ll fix this in future releases.
Client
The client UI has been completely redesigned. The default sound notifications are kind of annoying. I switched to the TTS sound pack and turned 90% of them off.
General
It seems like the “clan server” option has been removed in favor of “subscribing” to channels. Basically, users aren’t visible unless you are subscribed to the channel they are in, or are in the channel. There’s a button and several menu options to subscribe to all channels.
The permission system is one of the most powerful I’ve seen; however, the documentation isn’t as complete as I’d like.
December 16th, 2009
recon
As 2009 starts to wrap up, here’s my list of the best open source software that I’ve used:
The best of open source

| Software | Comments |
| --- | --- |
| WordPress | The best blogging platform. |
| Python | One of the most modern and powerful programming languages. Incredible standard library. |
| Mumble | The best conference-style VoIP. Incredible sound quality, and the lowest latency and lowest bandwidth usage that I’ve ever seen in a VoIP system (open source or not). Version 1.2 seems to have fixed some of the major server administration issues. |
| Sage (Open Source Mathematics) | An open source alternative to “Magma, Maple, Mathematica and Matlab”. Good documentation. |
| Ubuntu | My personal favorite Linux distribution. Version 9.10 adds cloud technology to both the desktop and server (yes, you can use it to make your own cloud). |
| SourceMod | The most modular and powerful server administration tool for Source-based game servers. |
| VirtualBox | Open source virtualization comparable to VMware Workstation (the RDP server, USB support, and USB over RDP are not open source, but those parts are available for free under the VirtualBox PUEL). Seamless windows for Linux and Windows guests. |
| Firefox | The best web browser. |
December 16th, 2009
recon
Amusingly, I didn’t use an ad blocker until a few months ago. Now, I enjoy viewing sites without half a million ads cluttering up my screen.
Ad blockers like ABP (Ad Block Plus) scan web pages for ads, and remove them. As simple as they are, ad blockers are incredible.
I installed ABP when I was trying to print an article from a coding website. There were so many ads on their main and print views of the article that printing it would have barely been worth the effort. I remembered that a friend of mine had talked about ABP, so I looked it up and installed it. After enabling it and returning to the website, the ads were gone, and I could actually print the article.
ABP also lets you block new ads that it doesn’t already detect with a few simple clicks. Some websites use JavaScript to display ads, and if ABP can’t block them, NoScript can.
Webmasters should realize that intrusive ads will just drive more and more people to ad blockers, and start being reasonable.