Multi-vendor Game Server (GameSpy) DDoS Attack
w4rl5ck writes "PivX has this security advisory about DDoS attacks using a single modem line and some game servers (i.e. Counter Strike, QuakeX, Battlefield 1942 - in short, those supporting GameSpy). Works via spoofed udp packages querying the server stats, and because udp is connectionless, the server simply answers - to the spoofed address, of course. Funny thing, isn't it? (originally found on heise.de)"
Does anybody know how well spoofed packets traverse the internet? I know that "good netizens" drop spoofed packets, and that this really needs to be implemented on edge routers. Do enough service providers do this to have any real effects on these types of attacks?
Part of the problem is all the totally clueless ISPs which don't do proper egress filtering. That is, they don't filter out outgoing packets with falsified sender addresses.
They've had years to do that, and still don't.
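Added example (not part of the original thread): a minimal sketch of the source-address check discussed above, where an edge router forwards a customer's outgoing packet only if its source address lies inside a prefix assigned to the interface it arrived on. The interface names, prefixes and packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed data: prefixes assigned to each customer-facing interface.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "198.51.100.0/24"],
}

# Constructed outgoing UDP packets: (arrival interface, source, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),    # source inside cust-a's prefix
    ("cust-a", "203.0.113.77", "203.0.113.5"),  # forged: address outside this network
    ("cust-b", "198.51.100.9", "203.0.113.5"),  # source inside cust-b's prefix
    ("cust-b", "192.0.2.10", "203.0.113.5"),    # forged: address belongs to cust-a
    ("cust-c", "192.0.2.200", "203.0.113.5"),   # interface with no assigned prefixes
]


def build_table(assigned):
    """Parse the prefix strings once so lookups compare network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}


def source_is_valid(table, ifname, src):
    """True only if src parses and falls in a prefix assigned to ifname."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: never forward
    return any(addr in net for net in table.get(ifname, []))


def filter_outgoing(table, packets):
    """Split packets into (forwarded, dropped) by the source-address check."""
    forwarded, dropped = [], []
    for pkt in packets:
        ifname, src, _dst = pkt
        (forwarded if source_is_valid(table, ifname, src) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_outgoing(build_table(ASSIGNED), SAMPLE)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

With this check at the network edge, a query carrying a forged source address never leaves the originating network, so the game server is never asked to answer toward the forged address.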
Maybe I'm missing something, but since the data volume depends on the number of people on the server, and gamers are notoriously intolerant of lag, the attack will in effect kill its own datasource as well if it goes on for more than a few minutes. The players will just jump off and look for another server.
Way to go GameSpy, yet another ounce of proof of a useless service for idjits.
Sorry? Yes, I'd be the first to bash Gamespy for their heavy-handed marketing approaches and Microsoftesque software pushing... but... they merely supply a tool that uses a service built into just about every FPS on the planet. This is an extremely useful service that's essential to find buddies, favourite maps and most importantly, the lowest pinging servers. Even "open" server browsers such as the All Seeing Eye use the same service as Gamespy3D/GamespyArcade and are equally susceptible to the same vulnerability.
Yes it's time to rethink client/server game querying, but not the time to bash M$, Gamespy or any other corporate scapegoat.
And to think Carmack didn't think about this years ago.... Shudder.
As I understand it, patching GameSpy alone won't help - you don't use GameSpy to flood the servers, but a nasty program to send spoofed UDP packets.
Which means patching all servers. As I see it, many gaming providers have a LOT of games running that are vulnerable. And as someone working for a games service provider myself, I think games go into three categories:
* too old to expect manufacturer/distributor support, but still played - sometimes 3rd party help available (e.g. quakeworld, quake 2)
* new or at least still selling enough to interest, and the manufacturer/distributor actually cares about technology (e.g. quake 3, half-life)
* new enough, but the manufacturer/distributor hasn't yet really understood why they should support people and companies running servers for them (e.g. games from companies such as EA)
True, thanks to ISPs, this isn't a huge problem and I think it's also reasonable to thank GameSpy in advance, I'm sure they'll make fixing this reasonably easy by doing their homework well. But still, this has a potential of making nasty stuff hit the fan.
Unfortunately, looking at the way many ISPs see online gaming, they might not give a damn about tuning their routers until they get a ton of packets stuffed in their cables.
Here's hoping that GameSpy can work quickly on this...