[bf1942] DoS vulnerability in game servers (including BF1942)

Scott Brooks blaze at fragz.ca
Sat Jan 18 02:07:37 EST 2003


No, UDP packets are connectionless.  You send a UDP packet to a server,
it checks the return address and sends off its own UDP packet to the IP
specified in the return address.

So someone could lookup the gamespy lists of servers, take your IP
address, forge the return address to be the address of your server, and
all of a sudden all the game servers on the internet are sending you all
the updates instead of the real user who requested them.

This could be solved by a simple handshake like the following.

1) Gamespy client connects to server and requests a token.
2) Server generates a random number and sends it back to the client.
3) Client responds with this random number, along with its request for
information.
4) Server sends the information back to the client

This would solve the problem above since the client needs the random
number to get the information from the server, but the server needs to
send the token to the client so its IP can't be forged.

Scott 

On Fri, 2003-01-17 at 22:18, Kirk wrote:
> Gee...there's a freaking newsflash.
> 
> Basically he's telling you that if you query your server over and over
> and over again you will flood it??  And because BF1942 gives you ALL the
> information on a query everyone should lock their doors??  Wow....this
> guy is brilliant.
> 
> 
> 
> 
> 
> -----Original Message-----
> From: g8 at the.whole.net [mailto:g8 at the.whole.net] 
> Sent: Friday, January 17, 2003 2:51 PM
> To: bf1942 at icculus.org
> Subject: [bf1942] DoS vulnerability in game servers (including BF1942)
> 
> http://www.pivx.com/press_releases/mk_mk001.html?tag=fd_top%3Cbr%20/%3E
> 
> "As a basic rule of thumb, if it supports gamespy, it will likely be
> vulnerable."
> 
> I assume some of you have seen this.  Of course BF is included in the
> bunch.  The research into this exploit was done using the bf1942 server.
> Don't know if anything can be done to prevent it at this point but now
> it's official.
> 
> -g8
-- 
Scott Brooks <blaze at fragz.ca>
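The token handshake Scott sketches above, written out as an added example (not code from the thread or from any game server). It generalizes step 2 slightly: instead of storing a random number per client, the server derives the token from a secret, the client's address and a time slot, so it keeps no per-client state that a flood could exhaust. Protocol strings, addresses and the status payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the large status reply a full info query returns.
STATUS_REPLY = b"\\hostname\\example server\\numplayers\\64" + b"\\player\\name" * 64


class TokenServer:
    """UDP info server that only sends STATUS_REPLY to a source address that
    echoes a token the server previously sent *to that address*."""

    TOKEN_TTL = 30  # seconds; tokens from the current and previous slot are accepted

    def __init__(self, secret=None):
        # Server-side secret keeps the scheme stateless: no per-client table to fill.
        self.secret = secret or os.urandom(32)

    def _token(self, addr, slot):
        msg = f"{addr[0]}:{addr[1]}:{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16].encode()

    def handle(self, src_addr, datagram, now=None):
        """Return (destination, payload) the server would emit, or None for silence."""
        slot = int((time.time() if now is None else now) // self.TOKEN_TTL)
        if datagram == b"\\token\\":
            # Step 2: a small challenge, cheap to emit even when src_addr is forged.
            return src_addr, b"\\token\\" + self._token(src_addr, slot)
        if datagram.startswith(b"\\status\\"):
            presented = datagram[len(b"\\status\\"):]
            # Steps 3/4: only the real owner of src_addr could have seen the token.
            if any(hmac.compare_digest(presented, self._token(src_addr, s)) for s in (slot, slot - 1)):
                return src_addr, STATUS_REPLY
        return None  # unknown or untokened query: nothing to reflect


def simulate():
    """Forged query vs. legitimate handshake: returns (reply to a forged status
    query, bytes a forged token request costs the victim, bytes a real client gets)."""
    srv = TokenServer()
    victim = ("192.0.2.10", 23000)       # constructed address (TEST-NET-1)
    reflected = srv.handle(victim, b"\\status\\")           # forged source, no token
    _, challenge = srv.handle(victim, b"\\token\\")         # forged token request
    client = ("198.51.100.7", 40000)     # constructed address (TEST-NET-2)
    _, tok_msg = srv.handle(client, b"\\token\\")
    _, reply = srv.handle(client, b"\\status\\" + tok_msg[len(b"\\token\\"):])
    return reflected, len(challenge), len(reply)
```

The forged status query gets no reply at all, and a forged token request costs the victim only the short challenge, so the server can no longer be used to amplify traffic at a spoofed address.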
