Hello! Long-time follower of aluigi's work as a security researcher.
This is in reference to an old topic on the old zenhax forum: http://old.zenhax.com/call-of-duty-fs-h ... -t296.html
I have been hosting CoD servers for a long time, but I never actually hosted a CoD1 server until a friend of a friend reached out because they knew I had experience with it; their server kept going down and they didn't know why.
I immediately went to aluigi's website and browsed over his patches, and saw one in particular that fit the description of the problem (player joins while they are joining, server goes down).
I started up a Linux 1.5b version of the server, copied over their mods etc., got it running, and finally began to investigate what was going on.
A player joins - I get the error "fs handle for file".
Also what can happen is you can see a bunch of downloads being requested by the same user and the server crashes with no error.
So I have absolutely narrowed down the exploit they are using, and it appears CoD1 is running rampant with this exploit. After talking to multiple people with servers, they have server crashes 2-3 times a day and have been told about this "exploit". I am doing what I can (banning those players' GUIDs), but soon after, another one comes and does it again. I'm assuming there is a GUID spoofer out there.
I have attempted to do the research that my little security knowledge allows me to do, which is basically this: I tried to sniff packets while performing the exploit myself to find some kind of "string" or some type of recurring packet being sent by the client, in order to effectively block those request packets from being received through some iptables rules. I have found none, and my knowledge of how Call of Duty works in general at the packet-by-packet level is small. The best I can assume is that it's way more complicated than sending a packet with a string containing "download main/.....pk3 fill" etc.
I wish there were a command that completely disabled server downloading and didn't give the option, one that forced players to go to the redirect, but to no avail.
So I've come here for some help; hopefully you guys have some type of idea or can lead me in the right direction on how to mitigate or disable this exploit. My only current (failed) idea was to try to identify the packets being sent by the client, and apply a rate limiter or filter that upon detection would block that IP address, which in and of itself would be a hard thing to apply even if I was able to identify a similar packet.
I look forward to hearing from some of you if you have any ideas! I am a current cyber security student and absolutely love learning new things.