[mohaa] Security flaw in Q3 engine?
Steve Pirk
orion at deathcon.com
Fri Jan 17 20:49:16 EST 2003
I especially like the comment from David Wright:
"David Wright, director of technology for GameSpy, acknowledged that the
amount of data that the attack could generate was "significant." Yet he
downplayed the seriousness of the flaw."
Hopefully the patch will be out soon, becuase the description on how
to pull off a DOS was mentioned is simple english. The problem will
be in getting ALL the vendors to patch their code. What a nightmare :-)
The example of BF1942 was especially scary:
By PivX's calculations, commands sent to a "Battlefield 1942" server at
4Kbps will turn into a 550Kbps attack on a target.
That is one hell of an easy way to DOS someone... Find 10 servers,
send each 4Kbps for 40Kbps total (a bit more than you average DSL
upstream), and it would result in 5500Kbps directed at a target
(50Mbits). Ouch.
I wonder if any of the maxrate commands would throddle this any...?
Keep us posted on anything you hear Ryan...
--
Steve (egrep)
On Fri, 17 Jan 2003, Ryan C. Gordon wrote:
>
> > Many multiplayer game servers--think "Quake 3" and "Battlefield 1942"--are
> > at risk of being used to launch a denial-of-service attack, warns a
> > security company.
>
> This is actually a flaw in the GameSpy SDK, not specifically MOHAA or
> Battlefield, etc.
>
> Since this has shown up on four mailing lists I'm subscribed to today, I
> assume GameSpy is taking a ton of flak right now and will hopefully send a
> fix soon.
>
> --ryan.
>
>
>
More information about the Mohaa
mailing list