Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multi-vendor Game Server (GameSpy) DDoS Attack

Posted by Hemos on from the how-many-games-do-you-have dept.

w4rl5ck writes "PivX has this security advisory about DDoS attacks using a single modem line and some game servers (i.e. Counter Strike, QuakeX, Battlefield 1942 - in short, those supporting GameSpy). Works via spoofed udp packages querying the server stats, and because udp is connectionless, the server simply answers - to the spoofed address, of course. Funny thing, isn't it? (originally found on heise.de)"

12 of 188 comments (clear)

  1. Even if it is connectionless.. by grub · · Score: 5, Informative

    .. it wouldn't be hard to put in some sort of verification to ensure the packets are getting to an appropriate destination. Witness NFS.

    --
    Trolling is a art,
    1. Re:Even if it is connectionless.. by Yokaze · · Score: 3, Informative

      It would be and it is.

      Connectionless is on the connection layer. This doesn't mean, that the application can't be stateful.
      HTTP is a stateless protocol, still you are surfing just this moment a stateful website.

      --
      "Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
    2. Re:Even if it is connectionless.. by The+Raven · · Score: 3, Informative
      WTF do they do that, anyway?
      Because a program that queries thousands of servers would take HOURS to query them all if it had to negotiate a connection, query, then break down the connection for EVERY SINGLE ONE of the servers it queries.

      It's not uncommon for me to query 20 thousand servers in a few minutes. Doing this with a stateful method would take over an hour. Imagine downloading 20 thousand 500 byte images from 20 thousand web servers. With a well written program, you should be able to do 20 a second... IF you have Windows NT (or derivatives, like 2000 or XP) or Linux. Windows 9x wouldn't be able to do more than 3 or 4, because it can't handle the massive number of TCP connections that NT can.

      Using UDP, on Windows 9x or NT or Linux, I can query 100-200 servers per second.

      The advantages of a connectionless protocol are clear. Yes, we may need to consider an alternative, but don't bash them for stupidity when you don't know the first thing about what you're talking about.
      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  2. Re:What did we always say.. by Anonymous Coward · · Score: 3, Informative

    As much as I love the All Seeing Eye and I hate Gamespy, the problem exists in the games themselves, any games that support Gamespy. Next time read the article.

  3. Re:Well You Have To Give Them Credit by ChazeFroy · · Score: 2, Informative

    This approach and idea is actually very old, and it has already been done (although not through Gamespy).

    I wrote a program for Quake 1 that flooded a server with false connections and disconnected legitimate users (http://online.securityfocus.com/bid/3051), and a friend changed 1 line of code to make my exploit do a "smurf" attack on a client (http://online.securityfocus.com/bid/3060).

  4. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  5. Re:Well You Have To Give Them Credit by freaksta · · Score: 2, Informative

    dcd3c.c was a DoS that used about 100 quake servers to send data to a specified target.. it's nothing new.. just another DoS kiddie.. prolly DoSing DALNET too.

    --


    Hrrm... I usually just sign my name.
  6. Half-Life.east.won.net by ThreeZee · · Score: 2, Informative

    Among the other won.net server trackers, Half-Life.east.won.net, Half-life.west.won.net, and so on, are also able to be exploited in the same manner. They can return thousands of bytes for a 2 byte query. a 3000 byte response would be a 1500x magnification..

  7. Re:Well You Have To Give Them Credit by SirCrashALot · · Score: 2, Informative
    The idea here is that you don't need zombies. With such a large return ratio, you can have a single computer on dialup, 14.4 can take down a T1 if you read the article. Yes, it can be a DDos but the point is IT DOES NOT HAVE TO BE.
    This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher. (see example below)
  8. Re:All I can say is... by Justus · · Score: 2, Informative

    Personally, I found The All-Seeing Eye to be much less bloated than Gamespy 3D. I have both a registration to Gamespy 3D (which I originally got years ago) and to the Eye, and I never (never!) go back to using Gamespy any more, because the Eye is just that much faster.

    --
    Schlock Mercenary
  9. Possible fix already in Unreal based games by Xenolith · · Score: 2, Informative

    There is a variable within the main Unreal ini file that lets the server admin determine how many UDP server queries per second to allow. Unfortunately this variable is set to unlimited by default. Can't think of this variable off of the top of my head.

    --

    Journal
  10. Re:Well You Have To Give Them Credit by Jouster · · Score: 2, Informative

    I'll take this opportunity to give you a message referring you to other posts on this thread. The All-Seeing Eye (which I've used, mind you, great program) does nothing to solve this problem.

    It was foolish to put "GameSpy" in the title of this article; it has nothing directory to do with GameSpy.

    Jouster