Multi-vendor Game Server (GameSpy) DDoS Attack

w4rl5ck writes "PivX has this security advisory about DDoS attacks using a single modem line and some game servers (i.e. Counter Strike, QuakeX, Battlefield 1942 - in short, those supporting GameSpy). Works via spoofed udp packages querying the server stats, and because udp is connectionless, the server simply answers - to the spoofed address, of course. Funny thing, isn't it? (originally found on heise.de)"

Even if it is connectionless..

[grub]

.. it wouldn't be hard to put in some sort of verification to ensure the packets are getting to an appropriate destination. Witness NFS.

Re:Even if it is connectionless..

[Yokaze]

It would be and it is.

Connectionless is on the connection layer. This doesn't mean, that the application can't be stateful.
HTTP is a stateless protocol, still you are surfing just this moment a stateful website.

Re:Even if it is connectionless..

[The+Raven]

WTF do they do that, anyway?

Because a program that queries thousands of servers would take HOURS to query them all if it had to negotiate a connection, query, then break down the connection for EVERY SINGLE ONE of the servers it queries.

It's not uncommon for me to query 20 thousand servers in a few minutes. Doing this with a stateful method would take over an hour. Imagine downloading 20 thousand 500 byte images from 20 thousand web servers. With a well written program, you should be able to do 20 a second... IF you have Windows NT (or derivatives, like 2000 or XP) or Linux. Windows 9x wouldn't be able to do more than 3 or 4, because it can't handle the massive number of TCP connections that NT can.

Using UDP, on Windows 9x or NT or Linux, I can query 100-200 servers per second.

The advantages of a connectionless protocol are clear. Yes, we may need to consider an alternative, but don't bash them for stupidity when you don't know the first thing about what you're talking about.

Re:What did we always say..

As much as I love the All Seeing Eye and I hate Gamespy, the problem exists in the games themselves, any games that support Gamespy. Next time read the article.

Re:Well You Have To Give Them Credit

[ChazeFroy]

This approach and idea is actually very old, and it has already been done (although not through Gamespy).

I wrote a program for Quake 1 that flooded a server with false connections and disconnected legitimate users (http://online.securityfocus.com/bid/3051), and a friend changed 1 line of code to make my exploit do a "smurf" attack on a client (http://online.securityfocus.com/bid/3060).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Well You Have To Give Them Credit

[freaksta]

dcd3c.c was a DoS that used about 100 quake servers to send data to a specified target.. it's nothing new.. just another DoS kiddie.. prolly DoSing DALNET too.

Half-Life.east.won.net

[ThreeZee]

Among the other won.net server trackers, Half-Life.east.won.net, Half-life.west.won.net, and so on, are also able to be exploited in the same manner. They can return thousands of bytes for a 2 byte query. a 3000 byte response would be a 1500x magnification..

Re:Spoofed packet question

No it has little to do with CPU power at the core. It has to do with the actual possibility of doing it. The only place you can do proper egress filtering is at the edge. Nowehere else. Jebus save me.

Re:Well You Have To Give Them Credit

[SirCrashALot]

The idea here is that you don't need zombies. With such a large return ratio, you can have a single computer on dialup, 14.4 can take down a T1 if you read the article. Yes, it can be a DDos but the point is IT DOES NOT HAVE TO BE.

This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher. (see example below)

All I can say is...

that Gamespy is the biggest pain-in-the-you-know-what anyways. Bioware for some reason chose to use Gamespy for Neverwinter Nights, and it had to re-ping all the servers everytime you tried to connect to a server, but were told the server was full (even if it said the server had 39/40 people when you pinged it earlier). And then there's how the game publishers are too lazy to host their own patches, so they let jerkoffs like Gamespy's FilePlanet host the patches. I think they do it because they know they can get away with it.

Re:All I can say is...

[Justus]

Personally, I found The All-Seeing Eye to be much less bloated than Gamespy 3D. I have both a registration to Gamespy 3D (which I originally got years ago) and to the Eye, and I never (never!) go back to using Gamespy any more, because the Eye is just that much faster.

Possible fix already in Unreal based games

[Xenolith]

There is a variable within the main Unreal ini file that lets the server admin determine how many UDP server queries per second to allow. Unfortunately this variable is set to unlimited by default. Can't think of this variable off of the top of my head.

Re:Well You Have To Give Them Credit

[Jouster]

I'll take this opportunity to give you a message referring you to other posts on this thread. The All-Seeing Eye (which I've used, mind you, great program) does nothing to solve this problem.

It was foolish to put "GameSpy" in the title of this article; it has nothing directory to do with GameSpy.

Jouster