Noticed Something, Probably not Useful

Have you ever tried (Ab)using the query protocol?

  • I've Just used YATQA

    Votes: 2 22.2%
  • Yes

    Votes: 5 55.6%
  • No

    Votes: 2 22.2%

  • Total voters
    9

shockli

Contributor
Jan 29, 2016
243
194
111
Hey,
Recently a script of mine went very wrong. Ended up forkbombing badly. Luckily I had affinity and all that shit set up so my server didn't go down completely.

Situation:
384 GB RAM, 96-core Windows Server 2012 box on a gbit line running a PHP-CGI script that simply opens a connection and then closes PHP-CGI. From that I noticed TeamSpeak allows a 30 s timeout period, which is useful.

What happened:
Instead of my DDoS protection kicking in immediately (It did eventually and banned the IP that was running the PHP-CGI client), the amount of query connections at a single time seems to have crushed the smaller server (16GB ram 8 core archlinux, gbit line).

This surprised me because of the following:
  • The IP was NOT whitelisted.
  • TeamSpeak has no prevention against millions of connections coming from one IP.
  • TeamSpeak server (3.11.4) crashed immediately after about the 200th connection, and I was running a 256 slot server.
I have confirmed all of the above from logs and config. Also note that none of the administrators and technical staff found any records of a "bandwidth increase", which is sort of expected: because my server runs 20-30 query bots almost all the time, they didn't even consider looking at that.

I think this needs to be tested a bit further, because crashing a server via query on the latest versions is not something that is currently happening, and if this can be reproduced and actually built into something that works, it needs to be fixed (after a VIP release of the tool and a few weeks, ofc ;P).
 

0x0539

Retired Staff
Contributor
Jan 30, 2016
1,334
1,214
254
  • TeamSpeak server (3.11.4) crashed immediately after about the 200th connection, and I was running a 256 slot server.
*cough* Another TS3 crasher


----

Did you also test this with older versions?
What I have noticed is that the 3.0.12+ crasher(s) don't work on versions older than 3.0.7.
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Hey,
384GB Ram 96 core windows server 2012 on gbit line server
Did I read correctly?
If yes, are you a Nigerian prince?

12 servers in your cluster?

EDIT: Yes, I already abused the server query protocol. I populate 200 slots by query with a little client I've made. Pretty useless, except that it takes up slot usage, and it only works on servers that accept guest queries.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
What did that script actually do?

Did it just query the server, or did it try to log in and get its info or something?
 

shockli

Contributor
Jan 29, 2016
243
194
111
*cough* Another TS3 crasher


----

Did you also test this with older versions?
What I have noticed is that the 3.0.12+ crasher(s) don't work on versions older than 3.0.7.

No, I haven't tested this on any further servers. The environment it happened in was very controlled, and I crashed my own server. This was not expected, and after checking the logs I noticed the application was not able to handle the query connections. This can be due to many things, e.g. my SSD being too slow to write a few hundred lines of text (probably not), or that I actually DoS'd my server instead (doesn't explain the crashing or the lower connection count). But if others could confirm this with a script that opens multiple connections (let's say about 5000, just to be super sure) at once over a gbit or maybe even 100 mbit local connection, it would confirm whether it is a vulnerability in MY server setup or in someone else's. If this is actually a "vulnerability", then it will require an extremely fast line to actually do this.
 

shockli

Contributor
Jan 29, 2016
243
194
111
What did that script actually do?

Did it just query the server, or did it try to log in and get its info or something?
The script's purpose was to sit in the default channel. (It was to cheat stats, as the local stat website counts query connections as well as normal connections. Due to a connection issue it created a forkbomb which created ~200 connections, and my TeamSpeak server application crashed.)
 

shockli

Contributor
Jan 29, 2016
243
194
111
Did I read correctly?
If yes, are you a Nigerian prince?

12 servers in your cluster?

EDIT: Yes, I already abused the server query protocol. I populate 200 slots by query with a little client I've made. Pretty useless, except that it takes up slot usage, and it only works on servers that accept guest queries.

Maybe try turning that up to 5000+ in one go, with no delay at all between connections, and give results?

Who's not on gbit these days...

Hey you didn't answer my question :p

Everyone in South Africa
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
The script's purpose was to sit in the default channel. (It was to cheat stats, as the local stat website counts query connections as well as normal connections. Due to a connection issue it created a forkbomb which created ~200 connections, and my TeamSpeak server application crashed.)


This is very strange. But still, it does make sense. SQ is programmed to blacklist offending IPs after a total of three failed login attempts; this, however, tells us nothing about what happens if the login attempts are valid.

I think we might have something new here.

Thank you for sharing this.


-Derp
 

0x0539

Retired Staff
Contributor
Jan 30, 2016
1,334
1,214
254
So I just post how I accidentally crashed my server and I would like you guys to duplicate it, and you ask if I'm a Nigerian prince...
Well you don't just 'shit' the servers with the specs you provided above lol, it sounded more interesting. :$
 

shockli

Contributor
Jan 29, 2016
243
194
111
This is very strange. But still, it does make sense. SQ is programmed to blacklist offending IPs after a total of three failed login attempts; this, however, tells us nothing about what happens if the login attempts are valid.

I think we might have something new here.

Thank you for sharing this.


-Derp
Thank you. Currently I have my hands full and would like to see if this is actually worth something before investing any time in it. If it doesn't work, we are able to answer that and do further research.
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
I didn't mean that in an insulting way, just wanted to make it funnier. Sorry if it feels like an attack. I didn't mean to.

This is the max I can do for some reason (might be my connection, I will try it on my dedi later :) ):


44 legitimate clients, 201 queries constantly
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
Thank you. Currently I have my hands full and would like to see if this is actually worth something before investing any time in it. If it doesn't work, we are able to answer that and do further research.

It's not something to worry about; at this current moment it's not something concrete yet. And from the looks of it, an attacker will need login credentials to trigger this.

However, it is still something unusual that may lead us to more dangerous vulnerabilities.

-Derp
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
It's not something to worry about; at this current moment it's not something concrete yet. And from the looks of it, an attacker will need login credentials to trigger this.

However, it is still something unusual that may lead us to more dangerous vulnerabilities.

-Derp
Didn't need to log in for the image I posted above, just needed to have guest queries allowed.
 

shockli

Contributor
Jan 29, 2016
243
194
111
Well you don't just 'shit' the servers with the specs you provided above lol, it sounded more interesting. :$
They're just some servers that we use for hosting games and for running the websites of companies whom we overcharge.
If you really want something, you can see my workspace is rather average..


Sadly the only thing that sucks is my internet connection. Hellkom is bringing us down here. Paying approx. $40 (and our R:$ is weak) for a 2 mbit/s line that's actually 0.512 mbit/s.

I didn't mean that in an insulting way, just wanted to make it funnier. Sorry if it feels like an attack. I didn't mean to.

This is the max I can do for some reason (might be my connection, I will try it on my dedi later :) ):


44 legitimate clients, 201 queries constantly

Ok awesome, thanks man. But by spam forkbomb I mean it (the forkbomb) literally opened enough PHP-CGIs to make the big(ger) server inaccessible for a few minutes. After that, within seconds, my actual TS, which is on another server on the other side of South Africa, went down. The TS itself crashed after 200 SUCCESSFUL connections within a second or so. So what I am saying is: try to focus on connections/second and not 1 million+ queries over an hour :)
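The thread's last point is that the interesting metric is connections per second from one source, not total traffic, and an earlier post notes that nobody spotted a bandwidth spike because the server already runs 20-30 query bots. Below is an added example, written for this page and not code from the thread or from TeamSpeak, of the kind of per-IP burst check a server operator could run over connection events to catch exactly that pattern. The event line format ("<unix timestamp> <ip> connect") and the sample data are constructed for the example; TeamSpeak's own log format is not assumed.

```python
"""Per-IP connection-burst detector (added example, not from the thread).

Reads constructed connection-event lines (a made-up format, not TeamSpeak's own
log format) and flags any source IP that opens more than `threshold` query
connections inside a sliding window of `window_seconds`. A spike like the one
described in the thread (~200 connections within a second from one IP) stands
out even when total bandwidth never looks unusual.
"""
from collections import defaultdict, deque

# Constructed sample data: "<unix_ts_seconds> <ip> connect".
# 203.0.113.7 opens 250 connections inside a quarter of a second (a burst),
# while 198.51.100.4 opens 20 connections one second apart (benign bot traffic).
SAMPLE_EVENTS = "\n".join(
    [f"1454000000.{i:03d} 203.0.113.7 connect" for i in range(250)]
    + [f"{1454000001 + i}.000 198.51.100.4 connect" for i in range(20)]
)


def parse_events(text):
    """Yield (timestamp, ip) tuples from the constructed event format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "connect":
            continue
        try:
            yield float(parts[0]), parts[1]
        except ValueError:
            continue


def find_bursts(text, window_seconds=1.0, threshold=50):
    """Return {ip: peak_count} for every IP whose connection count inside any
    `window_seconds` sliding window exceeds `threshold`.

    Events are processed in time order; one deque per IP holds the timestamps
    still inside the window, so memory stays bounded by the burst size rather
    than by the total event count.
    """
    windows = defaultdict(deque)
    peak = {}
    for ts, ip in sorted(parse_events(text)):
        recent = windows[ip]
        recent.append(ts)
        # Drop timestamps that have fallen out of the window.
        while recent and ts - recent[0] > window_seconds:
            recent.popleft()
        if len(recent) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(recent))
    return peak


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_EVENTS).items():
        print(f"{ip}: peak of {count} connections inside a 1 s window")
```

Running it on the constructed sample reports only 203.0.113.7, with a peak of 250 connections in the window; the steady 20-connection bot stays under the threshold. The threshold should sit well above the operator's own legitimate bot load (the 20-30 query bots mentioned in the thread) so that routine traffic is not flagged, and the check complements rather than replaces the failed-login blacklist the thread describes, since that blacklist only reacts to failed logins and not to successful connections.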
 