Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Multi-vendor Game Server (GameSpy) DDoS Attack 188

w4rl5ck writes "PivX has this security advisory about DDoS attacks using a single modem line and some game servers (i.e. Counter Strike, QuakeX, Battlefield 1942 - in short, those supporting GameSpy). Works via spoofed udp packages querying the server stats, and because udp is connectionless, the server simply answers - to the spoofed address, of course. Funny thing, isn't it? (originally found on heise.de)"
This discussion has been archived. No new comments can be posted.

Multi-vendor Game Server (GameSpy) DDoS Attack

Comments Filter:
  • by Lukano ( 50323 ) on Sunday January 19, 2003 @01:34PM (#5113950)
    For coming up with a rather ingenious DDOS attack style. Mind you I wonder how many gamers on those servers were complaining about ping times when that was happening.

    Way to go GameSpy, yet another ounce of proof of a useless service for idjits.
    • None, Each server dosnt feel much of an effect since the load is spread out upon many different servers. Atleast, thats how it was when I used to do this a few years ago.
    • This approach and idea is actually very old, and it has already been done (although not through Gamespy).

      I wrote a program for Quake 1 that flooded a server with false connections and disconnected legitimate users (http://online.securityfocus.com/bid/3051 [securityfocus.com]), and a friend changed 1 line of code to make my exploit do a "smurf" attack on a client (http://online.securityfocus.com/bid/3060 [securityfocus.com]).
    • by quakeroatz ( 242632 ) on Sunday January 19, 2003 @02:15PM (#5114140) Journal
      Way to go GameSpy, yet another ounce of proof of a useless service for idjits.

      Sorry? Yes, I'd be the first to bash Gamespy for their heavyhanded marketing approaches and Microsoftesque software pushing... but... they merely supply a tool that uses a service built into just about every FPS on the planet. This is an extremely useful service that's essential to find buddies, favourite maps and most importantly, the lowest pinging servers. Even "open" server browsers such as the All Seeing Eye use the same service as Gamespy3D/GamespyArcade and are equally susceptible to the same vulnerability.

      Yes it's time to rethink client/server game querying, but not the time to bash M$, Gamespy or any other corporate scapegoat.

      And to think Carmack didn't think about this years ago.... Shudder.

    • "Mind you I wonder how many gamers on those servers were complaining about ping times when that was happening."

      Since when are people on Gamespy not complaining about ping times?
  • hehehe (Score:5, Funny)

    by SuperDuG ( 134989 ) <[be] [at] [eclec.tk]> on Sunday January 19, 2003 @01:34PM (#5113953) Homepage Journal
    Kill your enemies. Kill those not on your team. Kill a server.

    All in a days work.

    *SNIFF* "God I love the smell of napalm^H^H^H^H^H^H severs burning in the morning"

  • Good to see that an actual error was found with the program - It might make developers think twice before using their bloated propriatary, closed, middleware that is all but designed to lock out other browsers like all seeing eye [udpsoft.com].
    • by Anonymous Coward
      As much as I love the All Seeing Eye and I hate Gamespy, the problem exists in the games themselves, any games that support Gamespy. Next time read the article.
    • by Anonymous Coward
      ...It might make developers think twice before using their bloated propriatary, closed, middleware ...,

      Dam them and their bloated propriatary , closed, middleware UDP, dam them all to hell.

  • by grub ( 11606 ) <slashdot@grub.net> on Sunday January 19, 2003 @01:37PM (#5113968) Homepage Journal
    .. it wouldn't be hard to put in some sort of verification to ensure the packets are getting to an appropriate destination. Witness NFS.
    • but then it wouldn't be udp....
      • by Yokaze ( 70883 ) on Sunday January 19, 2003 @01:58PM (#5114085)
        It would be and it is.

        Connectionless is on the connection layer. This doesn't mean, that the application can't be stateful.
        HTTP is a stateless protocol, still you are surfing just this moment a stateful website.
        • by 0x0d0a ( 568518 ) on Sunday January 19, 2003 @04:08PM (#5114694) Journal
          Though, to be fair, it'd probably be easier for Taco if HTTP *were* stateful, and easier for the Gamespot people if they were using a stateful protocol.

          WTF do they do that, anyway? I mean, UDP makes plenty of sense for the in-game engine in Quake or something, but has little point for just transmitting server lists.

          If they're trying to do traffic reduction, I'd think they'd be better off implementing advanced queries, so that the *server* can return only the list of servers you're interested in, instead of the client having to do filtering on an enormous dataset all the time. Most people have some pretty easy-to-fit contraints (no more than a certain ping time, usually same continent, usually a specific game type...)
          • by The Raven ( 30575 ) on Sunday January 19, 2003 @06:13PM (#5115277) Homepage
            WTF do they do that, anyway?
            Because a program that queries thousands of servers would take HOURS to query them all if it had to negotiate a connection, query, then break down the connection for EVERY SINGLE ONE of the servers it queries.

            It's not uncommon for me to query 20 thousand servers in a few minutes. Doing this with a stateful method would take over an hour. Imagine downloading 20 thousand 500 byte images from 20 thousand web servers. With a well written program, you should be able to do 20 a second... IF you have Windows NT (or derivatives, like 2000 or XP) or Linux. Windows 9x wouldn't be able to do more than 3 or 4, because it can't handle the massive number of TCP connections that NT can.

            Using UDP, on Windows 9x or NT or Linux, I can query 100-200 servers per second.

            The advantages of a connectionless protocol are clear. Yes, we may need to consider an alternative, but don't bash them for stupidity when you don't know the first thing about what you're talking about.
            • I recently wrote an application which managed about 200 outbound TCP connections per second from a single thread. Each connection went through about three request/response steps before it was closed. Typically there were about 4000 simultaneous connections open, so the average lifetime would obviously be somewhere around 20 seconds.

              With a state machine it's really not difficult. Had I used /dev/kqueue (this was on FreeBSD) instead of select(), it probably could have scaled up to the point of using all the network bandwidth available to the host.

              I agree that TCP is overused, and that depending on the OS to manage session state is not always the best solution. Certainly for a lightweight application like asking how many players are currently on a game server, a stateless ping-pong over UDP makes more sense. But TCP performance is not nearly as lousy as you claim, if you write the client properly.
            • Ahhh...I see. I hadn't read the advisory -- I had thought that people were amplifying their attack off of the *meta*servers, not the servers. That makes more sense.
    • No Shit... (Score:2, Interesting)

      by Talez ( 468021 )
      UDP Message: GIVE ME STATS!
      UDP Reply: Challenge #HASHOFCURRENTTIME
      UDP Message: VERIFY #HASHOFCURRENTTIME
      UDP Reply: DATA

      Problem Solved(TM)
      • All you'd have to do to defeat your solution would be to send along a few extra packets that guessed the hash (based on ping time, for example).

        This is basically the same way TCP connection hijacking works, by guessing the TCP packet IDs coming from the server.

      • Er, why bother hashing the current time? Just send random "x | -2^32 Client: Stats, please.
        Server: Challenge 876053
        Client: Response 876053
        Server: DATA

        Yeah, I do this stuff for a living.

        Jouster
        • Dang preview button!

          Let's try again:

          Er, why bother hashing the current time? Just send random "x | -2^32 <= x < 2^32" and ask for it back.

          Client: Stats, please.
          Server: Challenge 876053
          Client: Response 876053
          Server: DATA


          Yeah, I do this stuff for a living.

          Jouster
    • Several easy fixes (Score:5, Interesting)

      by billstewart ( 78916 ) on Sunday January 19, 2003 @05:45PM (#5115132) Journal
      OK, any definition of "easy" that requires getting millions of clients changed isn't _that_ easy :-) But if you're doing a new version of a server, it's worth doing things like this, and it's important to consider scale factors. It may be a big easier to get people to upgrade by sending out a message saying "upgrade to version N+1 or you'll get Fragged off the Net, send this email to everybody you game with right now!", but that's got its own problems :-)

      Lots of server protocols prevent attacks by requesting a cookie before they do anything difficult or resource-consuming. Besides security, that's useful for basic reliability - it makes sure the IP routes are all working, the client can reach the server, the server's working, and the server can reach the client, before either side does any real work. Most exceptions to this are simple protocols like DNS that don't require any state or much work and would do more work building the connection than sending the real data, and things like NFS which have some reason for the client to trust the server's availability before sending big packets and which make sure that retries with the same data are ok.

      Some of the crypto protocols, such as Photuris [networksorcery.com], do a cookie handshake first, because the first "real" step of the protocol comsumes lots of server CPU, and they'd be vulnerable to denial-of-service attacks otherwise. In this case, the attack is a forged-request attack on an unsuspecting client, but the server is still the only one that can provide any protection. Either way, the client firsts requests a cookie from the server, and the requests for real work need to include the cookie, or the cookie modified in a way that clearly indicates it was received.

      A variation on cookies is to make the client perform non-trivial amounts of work using the cookie, which the server can verify quickly - this lets the server limit the rate of requests, and means an successful attacker needs lots more resources than the server. Hashcash [cypherspace.org] is the canonical one - the client has to use brute-force search to find a string containing the cookie that has a hash value starting with a specified N bits, and the server can verify the hash quickly. This defense can be made stronger by including the sender's identification and a timestamp in the cookie string, making it harder to replay. While it's not possible to tune hashcash CPU consumption precisely (since different machines are different speeds, and the attacker may have a Beowulf cluster of Crays or a bunch of zombies to do calculations), the server can adjust the rate of requests by adjusting the hash length as needed. In addition to fullscale cookie-based hashcash, it's sometimes adequate to do a simple userid-and-timestamp version, or userid-and-counter, so the attacker has to do some work, e.g. burn a second of CPU time for every 2KB of response for a modem user, or 10KB for an online user, to prevent swamping.

      In this environment, though, anything that requires client upgrades won't fly; you're stuck with upgrades to servers (tough enough) and handshakes that use the existing user interface.
      Modifying the server to limit the number of responses per second for a given client (or of big responses) is probably a good start - it doesn't solve all the problems, and the attacker may be able to forge a stream of requests that prevents the victim from doing legitimate queries, but it protects the network connections. Another approach would be to do something password-like - the user queries for a password, or chooses a password, and has to use it to get any big queries, or more than N big queries.

  • by Sayten241 ( 592677 ) on Sunday January 19, 2003 @01:38PM (#5113971)
    I always knew that the 'D' in D-Day stood for DDoS.
  • I haven't left playing Doom II. I guess I'm safe.
  • by Sanity ( 1431 ) on Sunday January 19, 2003 @01:39PM (#5113977) Homepage Journal
    Freenet [freenetproject.org] developers Oskar Sandberg and Scott Miller did a presentation about a year ago at a O'Reilly P2P conference describing how Gnutella (and probably other P2P networks) could be used to initiate DDOS attacks in a similar manner.

    Perhaps someone familiar with the Gnutella protocol can say whether this has been fixed yet.

    • Talking of DDOS attacks - is anyone experiencing a slowdown very similar to that caused by a DDOS attack? Eg website requests time out, high packet loss etc.
  • Oh, great (Score:1, Interesting)

    by sean23007 ( 143364 )
    This appears to be a huge vulnerability in a lot of programs used by a lot of people (including a lot of us) that could allow a couple dozed (or less) script kiddies to take down a lot of game servers. That 1:393 response ratio is awful. Some kid with DSL could take down, what, 20 servers at the same time? What chance is there that EA will release a patch some time soon? They had been notified like 2 months ago, and haven't even responded yet.

    I always knew GameSpy was a crappy product, but this just brings it to a whole new level.
  • now the whole slashdot community is going to slashdot gamespy to see if they are up. Double whammy.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Sunday January 19, 2003 @01:49PM (#5114034)
    Comment removed based on user account deletion
    • Actually, a number of games are useing Gamespy as their in game online game finder... Unreal Tournament 2003, Neverwinter Nights, Battlefield 1942, all have Gamespy packaged within them. Probably plenty of others
    • If you read through the advisory, you'll probably understand a little more clear that it's not just a gamespy related problem. Games that easily return huge query responses from little data are the problem.. but this isn't limited to games, as it can also be found even from standard open ports on Windows XP, and so on. UDP Spoofing isn't new, this advisory is just highlighting a source that returns a huge amount of data by sending so little.
    • I'd beg to differ. The multiplayer expansion for Civ III, Play the World is GameSpy branded for all of the pre game setup (this is when the Civ III application has been launched, not while you're still using GameSpy Arcade).

      In addition, there are a number of other games which pretty much exclusively provide match-making through GameSpy like Fallout Tactics.

      Certainly you can organize a game separately with a friend, but the developers and GameSpy are supporting one another. It is not simply GameSpy supporting certain interfaces with the game and servers that provide lists of active game hosts.
    • Games don't support GameSpy, GameSpy supports games.

      Not true. Gamespy licences their engine for use in some games. Many games strip down a lot of the features that are available in say, Gamespy 3D, but some games (like BF1942) use a surprising number of options.
  • by Tom ( 822 ) on Sunday January 19, 2003 @01:52PM (#5114048) Homepage Journal
    Including a posting to bugtraq. The original advisory is on my website. It's dated 13th March 2002.

  • Gotta love UDP (Score:3, Interesting)

    by cscx ( 541332 ) on Sunday January 19, 2003 @01:55PM (#5114065) Homepage
    And if those packets happen to slam into your Linksys BEFSR41 router, it will freeze up, crash, and flop around like a half-dead fish. [dslreports.com]
    • Re:Gotta love UDP (Score:3, Interesting)

      by Lukano ( 50323 )
      Or you could just flash your BEFSR41 Linksys router and not have to worry;

      http://www.linksys.com/download/firmware.asp?fwi d= 1

      Intelligence = Security folks.
  • by Anonymous Coward
    Does anybody know how well spoofed packets traverse the internet? I know that "good netizens" drop spoofed packets, and that this really needs to be implmented on edge routers. Do enough service providers do this to have any real effects on these type of attacks?
    • It needs to be done at the ISP level. Those at the core can't really do it because of the CPU horsepower it would require. Adding just a couple of ACLs reduces the throughput from maximum. Google for NANOG [google.com] and search their archives (third link).

      Of late, more and more DDOS are not using spoofed IP's (thought egress filtering would certainly help).
      • by Anonymous Coward
        No it has little to do with CPU power at the core. It has to do with the actual possibility of doing it. The only place you can do proper egress filtering is at the edge. Nowehere else. Jebus save me.
  • Egress filtering (Score:5, Insightful)

    by yggdrazil ( 261592 ) on Sunday January 19, 2003 @01:58PM (#5114080)
    Part of the problem is all the totally clueless ISPs which don't do proper egress filtering. That is, they don't filter out outgoing packets with falsified sender addresses.

    They've had years to do that, and still don't.
    • Exactly! Check the source address, see if it matches what was assigned to the port. If not, shut the guy down for 10 minutes. This would prevent almost all DoS attacks if every ISP did it.

      Of course, there must be a reason they don't.. I'm assuming it's just too CPU intensive to do something like that for every packet. Perhaps every 100th packet? People who are DoSing are likely to be sending out thousands of these packets anyways, so you'd probably still catch them.
      • Exactly! Check the source address, see if it matches what was assigned to the port. If not, shut the guy down for 10 minutes. This would prevent almost all DoS attacks if every ISP did it.

        I don't think you're quite getting it. What he's talking about is this:

        Hacker A breaks into bystander B's PC, and uses it to send packets to server D with a spoofed source IP so it looks like the packets come from victim E.

        Bystander B's ISP has certain ranges of IP addresses that they assign to their customers, including bystander B. Victim E's IP address is not one of those IPs. The ISP should set up their firewall so outgoing packets that do not originate within their own network are always blocked. Bystander B can still get his pr0n, because he's sending traffic out from his own IP address, but this kind of attack now fails.

        Naturally, hacker A will just find some other bystander whose ISP doesn't firewall like this, but the more ISPs that do it, the harder that becomes.

        And of course, this doesn't work when bystander B and victim E are on the same network, but very often they're not.

        Server D can't really do much to stop this, other than look for flooding and try to block it. Server D doesn't know the packets didn't come from victim E. In the case of a game server, maybe the game server can tell which IPs belong to players and which don't, so if victim E isn't playing the game, requests for stats would be ignored. I don't know how practical that would be.
      • Re:Egress filtering (Score:3, Interesting)

        by extra88 ( 1003 )
        ISPs wouldn't even be that specific. Since many of these DDoS attacks depend upon tricking another machine into sending packets to the real target of the attack, it would help a great deal if ISPs at least made sure outgoing packets matched their own subnets. How intensive could it be to check the first 2 octets and drop the packet if they don't match a class B subnet the ISP uses?
      • Well, setting up a firewall to do that isn't hard at all.

        But there are some issues.

        For example some legitimate traffic will enter an ISPs network from outside on its way somewhere else; you do NOT want to kill that traffic, and by the time it reaches the firewall on the way out, the packet contains no record of how it got there.

        Depending on network topology you may still be able to do it of course, but you'd have to do it with some care.

    • There is one problem with this at least Mobile IP it's a spec it's designed to work and it dosent provide a return path like a VPN. Now granted most people would be better served by a VPN than using mobile IP. Next is ou have to remember there are a LOT of things that assume packets can originate from any address.

      Geo Load ballancers, especialy the ones that use DNS timed race now this is somehting with a fixed Ip address but it's hard to keep up all sorts of exceptions. BTW this works pretty well.

      Dual headed users (say DSL and Cable) that LB there outgoing requests. Now granted this is minor and isn't supposed to work but it's nice and gets you a good deal of redundancy.

      Multihomed servers, they can send packets from any of there interface IP's via any of it's interface IP's some mail servers and DNS servers do this alot. Remember GigE is a new thing and servers have seen 100bt as a limitation for awhile.

      And there are a lot of other issues. Now I have setup IPP's to do this and it works well enough at say a up to a tier 3 provider. This will give every multihomed carrier problems with traffic management especialy ones with old routers not taking more than a BGP default, not having the same carriers at every router, running disconnected AS's (Ok this is a no no but they do it)

      Basic egress filtering should be in place for everybody all the martians should be blocked perferably at the ingress routers doing DSL, Cable and Modem agrigation. Yea this has some maintnence associated with it as the martians list changes every now and again as new /8 are given out. It's easier to tell an aggrigation router to only allow packets say from the /32 of a modem user than make all the edge routers filter things.
  • Maybe I'm missing something, but since the data volume sepends on the number of people on the server, and gamers are notoriously intolerant of lag, the attack will in effect kill its own datasource as well if it goes on for more than a few minutes. The players will just jump off and look for another server.
    • You're missing the fact that the target isn't the game server, the game server is the weapon, the target is elsewhere e.g. www.slashdot.org ;-( and there are tens of thousands of servers out there you can use simultaneously; so the users of the game server probably wouldn't notice.

      In fact you're better off using multiple servers because that makes it harder to filter out at the firewall, if you're stupid enough to do this kind of attack that is.

  • Dont blame Gamespy! (Score:4, Interesting)

    by coene ( 554338 ) on Sunday January 19, 2003 @02:04PM (#5114099)
    There are a hundred other programs that do the same thing as Gamespy, it's not their fault. They work around the protocols that the game uses.

    This is something that needs to be addressed by Game Developers (Valve, ID, etc.)
  • There is a great PDF [orst.edu] (HTML version [216.239.39.100]) of a research paper by Jeff Kato and Ryan Zojonc on all the issues of massive multiplayer gaming systems and leagues and why/when/what security breaches have occured and could occur in the future.

    Why do people attack games?
    - To get private info about others
    - They pirate a game and want to play it online
    - To get credit card numbers
    - To cheat
    - To delete others' characters
  • Among the other won.net server trackers, Half-Life.east.won.net, Half-life.west.won.net, and so on, are also able to be exploited in the same manner. They can return thousands of bytes for a 2 byte query. a 3000 byte response would be a 1500x magnification..
    • At the data level it is, but the whole query includes the UDP and IP headers, which are about 40 bytes, so it's really only ~75:1 magnifaction. (Modem users can do compressed PPP and get somewhat smaller headers for somewhat bigger effect.) Still an attractive nuisance.
  • by gmplague ( 412185 ) on Sunday January 19, 2003 @02:18PM (#5114150) Homepage
    If you have followed DoS attacks over the past few years, you will have noticed that the big trends is the decline of UDP based attacks. This is not because attacks like Pepsi and Smurf aren't still out there, it is because ISPs are limiting their use by filtering out spoofed UDP packets on their routers. Comcast, Verizon, AT&T, etc. all have routers that check the IPs of all outgoing UDP packets and replace the spoofed source IP with the true source IP (by checking which MAC address and port on the switch the packets are coming from.

    Consequently, these attacks are far less likely to occur because most people's ISPs "fix" their UDP packets to prevent against attacks that work this way. This doesn't mean there isn't a problem. Not every ISP implements it, and it only takes one person to launch a large scale attack. Plus, gamespy will probably be patched to fix this problem.
    • As I understand it, patching GameSpy alone won't help - you don't use GameSpy to flood the servers, but a nasty program to send spoofed UDP packets.

      Which means patching all servers. As I see it, many gaming providers have a LOT of games running that are vulnerable. And as working for a games service provider myself, I think games go into three categories:
      * too old to expect manufacturer/distributer support, but still played - sometimes 3rd party help available(fe. quakeworld, quake 2)
      * new or at least still selling enough to interest, and the manufacturer/distributor actually cares about technology(fe. quake 3, half-life)
      * new enough, but the manufacturer/distributer hasn't yet really understood why they should support people and companies running servers for them(fe. games from companies such as EA)

      True, thanks to ISP's, this isn't a huge problem and I think its also reasonable to thank GameSpy in advance, I'm sure they'll make fixing this reasonably easy by doing their homework well. But still, this has a potential of making nasty stuff hit the fan.

      Unfortunately, looking at the way many ISP's see online gaming, they might not give a damn about tuning their routers until they get a ton of packets stuffed in their cables.

      here's hoping that GameSpy can work quickly on this...
    • You dont even need to go though all the work of setting up packet mangling and mac address lookup and all of that other time consuming stuff.

      Its as simple as:

      I am ISP.
      For data coming INTO my router from the Internet, is the _source_ ip from my block of IPs?
      If yes, drop it silently and forget it ever existed.

      For data going OUT of my router to the Internet, is the _source_ ip from my block of IPs?
      If NO, drop it silently and forget it ever existed.

      There, that fixes 100% of all spoof attacks from you or your users/customers, and fixes 100% of the spoof attacks of outsiders attempting to pretend to be one of your own machines.
      In two filtering rules no less!

      Ideally you would do filtering on both source and destination IPs, as well as filter out private IP space.

      If a device is not capable of doing this, it is not a router, but a bridge or switch/hub, and should not be used for your internet connectivity.
  • you may as well throw in all of those pesky UDP services on the list.
  • Isn't this just a DoS attack rather than a DDoS attack. Seems like it's coming from a single node.
    • If a user sends out packets to, say, 100 servers you get ~100 times the number of packets. So long as the user can reliably output the small request packet to each server the 400 times responce factor still applies.

      Say you are requesting at 14KB/s. Per server, at a 400 times rate, this is is 5,600KB/s. Do this to 100 servers and bam, you have ~546mb coming at you per second. This from a standard 128Kb/s upload cable service. Think of the possibilities
      • And you know what. I got my sums wrong. There is a finite responce for 128Kbps of 5,600KB. I applied the formula to an upload rate of 1400KB/s upload.

        My apologies
      • And someone could easily use a horde of zombie machines to generate the packets, resulting in an unspeakable amount of data coming at the poor victim.
  • by utdpenguin ( 413984 ) <johnNO@SPAMkendrick.com> on Sunday January 19, 2003 @02:49PM (#5114269) Homepage
    This is jsut an adaptation of an old exploit I used to used back in the good old days. Me and some friends had hacked together an intranet version of pong back in hte early 70's. It didnt take us long to discover that if you sent multiple balls to the same court it was soon too muhc to handle and the players would all drop out, come over to your cube and beat the crap out of you.


    This is the same technology they are talking about ehre.

  • DOS not DDOS (Score:1, Redundant)

    A DDOS attack is a distributed denial of service attack, one where many servers all send packets to take down a network. As this article states, it is a dos attack. You hit one server at a time. If you send packets to multiple servers, then it can be a ddos, but not in the sense where there is very little disruption from the source of the attack.
    This attack can take down the "source server" as well as the destination.
  • This is just an excuse for people to blame on lag.

    Goatasaur was killed by Yourname.
    "omg someone must be ddosing the server"
  • by Anonymous Coward
    i'm glad to see they had enough responsibility to put a couple "errors" in the proof-of-concept code so script kiddies dont just compile and have fun. i.e. #define DSTPORT 230
  • Feedback loop (Score:4, Interesting)

    by Mike McTernan ( 260224 ) on Sunday January 19, 2003 @03:10PM (#5114371)
    It would be possible to send the UDP packets at the game server with the source IP addresses spoofed to be the IP address of the game server itself. Nasty.

    This would probably be self limiting since as the server slows down it would reduce the amount of packets it sends to itself, but it would probably be pretty nasty to the server as it sends and recieves flood loads of crap.

    Hope a patch comes out soon...
    • That is a nasty attack, but most firewalls of any sort block packets from the outside pretending to be from the inside, since there are _way_ too many Bad Things that can be done otherwise, more of them security breaches than denial of service. Also, it's actually not as nasty an attack as it looks, because the server is probably on an Ethernet behind a router, so the loopback happens on the 100Mbps Ether segment, and doesn't try to go out the T1 Internet pipe.
      • That is a nasty attack, but most firewalls of any sort block packets from the outside pretending to be from the inside, since there are _way_ too many Bad Things that can be done otherwise,

        Phew! Let's hope Jolt have good firewalls!

        Also, it's actually not as nasty an attack as it looks, because the server is probably on an Ethernet behind a router

        Erm, it will probably loop straight back in the computer (at the IP layer) without even touching the network device since the source IP address would become that of the server! (Assuming not blocked by a firewall, as you point out)

    • There was an attack on early versions of Quake 2 which worked like that.
  • All I can say is... (Score:1, Informative)

    by Anonymous Coward
    that Gamespy is the biggest pain-in-the-you-know-what anyways. Bioware for some reason chose to use Gamespy for Neverwinter Nights, and it had to re-ping all the servers everytime you tried to connect to a server, but were told the server was full (even if it said the server had 39/40 people when you pinged it earlier). And then there's how the game publishers are too lazy to host their own patches, so they let jerkoffs like Gamespy's FilePlanet host the patches. I think they do it because they know they can get away with it.
  • Possible solution (Score:2, Interesting)

    Not sure how this wouild work, but require sort of a handshake to get data. I.e. the client sends a request to talk, the server replies with a auth token (some integer), then the client sends the auth token + query. auth tokens would be attached to an ip so it could be chached for faster queries, but required that a connection be authed to get data. Then the server only sends data on about a 1:1 ratio is the client doesn't send a token. Commands w/o a token would be ignored.
  • There is a variable within the main Unreal ini file that lets the server admin determine how many UDP server queries per second to allow. Unfortunately this variable is set to unlimited by default. Can't think of this variable off of the top of my head.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...