[L4D2] Servers are heavily vulnerable to empty UDP packet DOS attacks

Open LuckyServ opened this issue 2 years ago • 7 comments

Empty UDP packets (size 28 bytes with empty body) heavily impact Left 4 Dead 2 servers. A server can be impacted with as little as 100 packets (2800 bytes) per second sent from a single source. This does not happen with a UDP packet of size 1 or more - only with empty UDP packets.

In other words, anyone can very easily DOS any unprotected Left 4 Dead 2 server and it does not require significant bandwidth. This isn't as much of an issue with community servers, as server hosts can always use the following iptables rule:

/sbin/iptables -A INPUT -p udp -m multiport --dports 27015:27050 -m length --length 0:28 -j DROP

But Valve servers are vulnerable to this and people have been DOSing servers with empty UDP packets for over a decade. Please either patch Left 4 Dead 2 servers to ignore empty UDP packets early or add a firewall rule to the host machines to block them.

LuckyServ avatar Aug 13 '23 21:08 LuckyServ
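
The 28-byte size in the report above is a 20-byte IPv4 header (no options) plus an 8-byte UDP header with no payload. As an added example (not part of the original issue and not Valve or SRCDS code), this Python detector counts such empty datagrams per source per second over captured packets; the function names, the documentation-range sample addresses and the choice of raw IPv4 bytes as input are assumptions.

```python
import struct
from collections import Counter

GAME_PORTS = range(27015, 27051)  # 27015:27050, the range in the iptables rule above
RATE_THRESHOLD = 100              # packets per second, the figure quoted in the report

def parse_ipv4_udp(pkt: bytes):
    """Return (src_ip, dst_port, payload_len) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None  # too short, not IPv4, or not UDP
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len < 8:
        return None  # malformed UDP length field
    src = ".".join(str(b) for b in pkt[12:16])
    return src, dport, udp_len - 8

def flag_empty_udp_sources(records, threshold=RATE_THRESHOLD):
    """records: (timestamp_seconds, raw_packet) pairs. Returns {src: peak empty pps}."""
    buckets = Counter()
    for ts, pkt in records:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, dport, payload_len = parsed
        if dport in GAME_PORTS and payload_len == 0:
            buckets[(src, int(ts))] += 1  # one-second buckets per source
    peaks = {}
    for (src, _sec), n in buckets.items():
        if n >= threshold:
            peaks[src] = max(peaks.get(src, 0), n)
    return peaks

def build_packet(src, dport, payload=b""):
    """Constructed sample input: minimal IPv4 header (no options) + UDP header."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip + udp + payload

if __name__ == "__main__":
    sample = [(10 + i / 200, build_packet("203.0.113.5", 27015)) for i in range(150)]
    sample += [(10 + i / 200, build_packet("203.0.113.9", 27015, b"x")) for i in range(150)]
    print(flag_empty_udp_sources(sample))
```
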

@kisak-valve Why was the "Team Fortress 2" label added? Seems the wrong label to me if the user is talking about "Left 4 Dead 2"

NULLYUKI avatar Aug 13 '23 22:08 NULLYUKI

Thanks, classic thinko.

kisak-valve avatar Aug 13 '23 22:08 kisak-valve

Reported resolved or significantly mitigated as of SRCDS update:

https://steamdb.info/app/222860/patchnotes/

Tsuey avatar Feb 06 '24 20:02 Tsuey

Issue is still present in Valve official servers and unprotected community servers.

For example: 100 empty packets per second affects the server, while 100 non-empty packets do not, meaning that the servers are still more vulnerable to empty packets when compared to non-empty packets.

LuckyServ avatar Feb 23 '24 04:02 LuckyServ

> Issue is still present in Valve official servers and unprotected community servers.
>
> For example: 100 empty packets per second affects the server, while 100 non-empty packets do not, meaning that the servers are still more vulnerable to empty packets when compared to non-empty packets.

https://github.com/Tsuey/L4D2-Community-Update/issues/485#issuecomment-1930704196

It seems that the community servers will have to use this iptables again

lDrDooml avatar Feb 24 '24 21:02 lDrDooml

> It seems that the community servers will have to use this iptables again

Just making a note here that according to our TLS contact with Kerry, Valve is actively working on implementing SDR for L4D2. Kerry also made a forum post mentioning this security measure.

As far as we guess, Official Dedicated will end the game of exploit whack-a-mole with SDR -- community servers will likely still need iptable solutions, as while the split-packet exploit was fixed recently via game code, our understanding is that this issue's exploit has only been mitigated through Valve's firewall, hence Luckylock's re-opening.

Tsuey avatar Feb 24 '24 22:02 Tsuey

> > It seems that the community servers will have to use this iptables again
>
> Just making a note here that according to our TLS contact with Kerry, Valve is actively working on implementing SDR for L4D2. Kerry also made a forum post mentioning this security measure.
>
> As far as we guess, Official Dedicated will end the game of exploit whack-a-mole with SDR -- community servers will likely still need iptable solutions, as while the split-packet exploit was fixed recently via game code, our understanding is that this issue's exploit has only been mitigated through Valve's firewall, hence Luckylock's re-opening.

The invalid split packet length exploit is indeed fixed. I tried to use this exploit on my servers to check it and it actually no longer works; however, empty network packets are still a problem.

lDrDooml avatar Feb 24 '24 22:02 lDrDooml

Hello!

I have some information about DDoS attacks and what they are doing them with.

But it would be better to talk about it privately, I'm serious -> mr.bonesyk (Discord)

MrBonesYk avatar Apr 18 '24 19:04 MrBonesYk