Source Engine Servers and Network Protocols – Security
As an administrator of several Source-based game servers, I’ve dealt with various known security vulnerabilities that Valve hasn’t bothered to fix. Some of the most common include client-side console commands that, if run once or spammed (which the server will allow), will cause a degradation (massive lag) or denial of service (you guessed it, the server will crash). These really aren’t all that bad, since they are well known and server plugins are available to block the commands.
The most troubling incident I’ve dealt with involved an attacker who exploited a security vulnerability in Valve’s server query protocol, which caused a serious degradation of service condition. I couldn’t simply block all the query packets, since legitimate clients needed to be able to query servers. To further complicate matters, the attacker was also spoofing IP headers, which ruled out the possibility of a simple firewall rule.
This particular vulnerability was not really bad design per se (although it was poorly designed), but more a really poor implementation. Here are the details: