NoQuery DDoS "Protection"

Quote: security through obscurity

Description

This library is loaded into the game server process on Linux servers by using the LD_PRELOAD environment variable. It then checks all incoming packets; if a packet contains the q3 header followed by the query keywords getstatus or getinfo, it simply drops the packet.

As a result, your server will not respond to any master server queries or to services like SplatterLadder. All queries from applications such as HLSW will also be ignored. The attacker will therefore not be able to find out through these various utilities whether the server is up.

As the server will not appear in the lists or respond to any queries, it will not even show up in favourites. The only way to connect will be with:
/connect ip:port
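
A sketch of the mechanism described above, as an added example and not the libnoquery source. It assumes the hooked call is recvfrom() and that a dropped query is handled by reading the next datagram; the names is_q3_query, filtered_recvfrom, BUILD_PRELOAD and libq3filter.so are hypothetical.

```c
/* Added example, not the libnoquery source. Build the preload library with
 *   cc -shared -fPIC -DBUILD_PRELOAD -o libq3filter.so q3filter.c -ldl   */
#ifdef BUILD_PRELOAD
#define _GNU_SOURCE              /* for RTLD_NEXT; must precede all includes */
#include <dlfcn.h>
#endif
#include <string.h>
#include <sys/socket.h>

typedef ssize_t (*recvfrom_fn)(int, void *, size_t, int,
                               struct sockaddr *, socklen_t *);

/* 1 if the datagram is the q3 header (four 0xFF bytes) + getstatus/getinfo. */
int is_q3_query(const unsigned char *p, size_t len)
{
    static const char *const cmds[] = { "getstatus", "getinfo" };
    if (len < 4 || memcmp(p, "\xff\xff\xff\xff", 4) != 0)
        return 0;
    for (size_t i = 0; i < 2; i++) {
        size_t n = strlen(cmds[i]);
        if (len - 4 >= n && memcmp(p + 4, cmds[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Read with `real` until a datagram is not a query. Errors (EAGAIN included)
 * pass through; MSG_PEEK reads are not filtered, as they would never advance. */
ssize_t filtered_recvfrom(recvfrom_fn real, int fd, void *buf, size_t len,
                          int flags, struct sockaddr *src, socklen_t *srclen)
{
    socklen_t cap = srclen ? *srclen : 0;
    for (;;) {
        if (srclen) *srclen = cap;   /* value-result argument: reset per call */
        ssize_t n = real(fd, buf, len, flags, src, srclen);
        if (n < 0 || (flags & MSG_PEEK) || !is_q3_query(buf, (size_t)n))
            return n;
    }
}

#ifdef BUILD_PRELOAD
/* Exported under libc's name, so LD_PRELOAD makes the server call this one. */
ssize_t recvfrom(int fd, void *buf, size_t len, int flags,
                 struct sockaddr *src, socklen_t *srclen)
{
    static recvfrom_fn real;
    if (!real) real = (recvfrom_fn)dlsym(RTLD_NEXT, "recvfrom");
    return filtered_recvfrom(real, fd, buf, len, flags, src, srclen);
}
#endif
```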

Installation

YCN Customers

All YCN customers can enable this feature as follows:
  • Go to Command Line (Edit) and tick the NoQuery option
  • Restart the server
  • The attacker may already know your IP:PORT and can still disrupt your game; simply post a ticket in the cpanel asking for your server to be moved to a new IP and our staff should do this fairly quickly

Linux Servers (dedicated server owners)

You will need to download the library (libnoquery.so) to your server. It can be found here:
http://www.ycn-hosting.com/downloads/noquery/

Then, in your server startup script, either set the environment variable with
export LD_PRELOAD="/path/to/libnoquery.so"
or prefix your command with the setting
LD_PRELOAD="/path/to/libnoquery.so" etded +set .... +exec server.cfg ...

(In both examples, remember to replace /path/to with the actual path pointing to the file.)

Windows Servers

Sorry, Windows does not support this type of code injection (function interposition).

Other Game Hosts

Most game hosts will not support this, or rather you will probably need their assistance to implement it; most command line editors do not permit you to add a preload setting. I'm quite sure that gameservers.com won't let you do this, but it is worth a try to ask them.

Source Code

The source code for this is available and the app is very simple. You can find all the files here:
http://www.ycn-hosting.com/downloads/noquery/
(includes an example compile script)


Make sure to keep your server IPs hidden in the future to prevent the attacker from knowing them and spamming you when he thinks that you have a match.
Comments
81
EY John, fucking nice work!
cool stuff bro
posting in epic News
john to the rescue
GREAT JOB!!
All go buy YCN servers now.
Kboy should and all matches should be played on his servers.
Let's donate!









oh wait this is CF
Parent
Finally a glimpse of hope in this dark age of ET. :)

..I'd still like to see the peaceful ET-scenery getting involved in a dark and bloody DDoS-war by the SplatterLadder Confederation of Ignorant Pub-Noobs against the United Competitive and Arrogant ET-Players. Would surely be epic :(
Dude, you've definitely watched too much Star Wars. xD
Parent
germans always wanna war?!?
Parent
nice effort
Good job. :)
nice one.
though i don't like not being able to join via hlsw / the server appearing as down in hlsw, i guess some ppl will be like "lol can't connect, server is down" :D
but i guess it's worth it!
if u use slac, u can't connect via hlsw anyway
Parent
it does, i'm using it.
just change path of the game to slac.exe
Parent
oh never tried that, cuz i thought u need to run et via slac to get it working.
Parent
ye if you chose that hlsw starts et via slac ;)
Parent
yeh i did, set to run game via slac and working perfectly.

thanks for the help :)
Parent
I might have got this wrong, but isn't it just blocking the scans of HLSW which will tell you whether the server is up and how many ppl are on it?
So you could still just "force" the connection to the server?
That's what I can do with ASE when the Scanner is bugged and the server is displayed offline... :s
I might be wrong though...
Parent
yes, but i usually delete the servers which are down :(
and i guess some random irc opponents who don't know about it might not get it!
Parent
You'll have to mention it when you search wars, just like you still have to mention that you'd prefer known opponents or SLAC :s
Parent
i prefer random opponents without slac though, do i still have to mention it? :(
Parent
YOU ARE A RANDOM OPPONENT WITHOUT SLAC!!!

OW SNAP
Parent
it could have been done with a modified server binary and a new cvar for enabling/disabling this, or am I wrong?

But good to see someone is doing something.
YCN PATCH

really want to slam this link to those sl admins, i'm sure they will die a little inside.

If i had a paypal account i'd donate/buy YCN Servers.
Paypal accounts are free to make you know ;)
Parent
don't have visa/electron card
Parent
Works with normal bank transfer
Parent
click 300000 ads per day :D
Parent
I would've bought a YCN server cause of this...if they weren't so damn laggy :XD

not like anyone would DDoS low+ games XD
What country is that "laggy" YCN server located in?
Parent
They do actually suck -_-
Parent
the servers in the Netherlands are quite bad tbh
Parent
i manage to get 50 ping on german ycn servers, for me it's a miracle, cos on any other server i get 98 ping :(
Parent
i lag on every dutch server, no matter which host
Parent
I dunno, my ping is stable on em but feels really laggy..see the comments below :)
Parent
they lag like crap lol
Parent
Improved a shitload over the past year, I'd say.
Parent
I've used them regularly since the company started and they've gotten worse over time.
Parent
I hope other servers will start supporting this as well, otherwise i might end up playing in YCN's which might be worse than getting DDoSed :)
zero empathy servers i believe
Parent
nicely done.
Well done!!! We can play ESL vs CB NOW!!! :D
:D too easy < 5min supply
Parent
:D:D
Let's roll them again. It's fun!
Parent
can not say when I am available the next weeks
Parent
:(
We need to own them hard!
Parent
why do your servers lag like hell?
nice one ev
Too bad YCN servers suck.
YCN VENT


gj kamz, oh wait :D!
nice work, those splatterladder guys were _hilarious_ :D oh to be blind ;]
nice job
nice job!
eyjohn saves et once again
fucking nice work :D
finally

thx
Ought to work, well done!
Although, security through obscurity isn't a very convincing catchphrase.
YCN VENT
Quick reply to some of the comments

1) About the port changing: this was a bit of a rush job. I wrote the thing and built it into the system within an hour and a half, of which the half an hour was spent writing it up on CF. For the time being, if you need your port changed, just ask the staff; in future, I may make an auto port switcher, or at the least will try to email/message everyone about this.

2) As for the YCN Sucks / Lags comments, I like to think we provide a good service for the prices, but I do admit that there need to be improvements. We are constantly making changes and upgrades, and will be upgrading our DE provider in December, which should improve the service of our DE location. If anyone does experience poor latency then they can always contact our support team and we'll try to solve it or let you know if it's not going to be possible; in some cases we may offer refunds for serious latency problems.
Speaking of the DE provider, I had a server from there last year (since then I have moved it to the Netherlands) and I had 50-60 ping on there. Recently I tried it again by moving my server to the DE host, and I had almost 100 ping. Is the provider upgrade going to help this matter, as the Dutch servers have sometimes had weird problems with my ISP and I wasn't able to connect there for two days :-P
Parent
frankfurt has some serious issues with some finnish connections lately
Parent
so just because the servers are cheap, the lag is not a real issue?

the lag issue started a year or more ago and still isn't fixed, that's what i call a good service
Parent
speedlink should pay pale (or whoever) to stop ddosin the servers and make them ddos proofs hehehe?
YCN just got loads of new customers
well i remember having always a bit of lag at YCN servers but if they already do help in this way it can only go up for them :) izi win
YCN saved ET
YCN VENT FUCK YEH BROZ'\
nice shit bro;) good job
John true legend. !
smart move ycn
Awesome John, thanks for doing this :)
gj, thanks
keeping et alive. eyjohn ladies and gentlemen. the guy's a legend. now go buy ycn ! you know it makes sense...
Good job John :)
well done, and thanks :)