[mohaa] More MOHAA fixes...

Fredrick Ludden luddenf at comcast.net
Tue Jul 27 06:13:04 EDT 2004


Thanks for the info.

Hmmmm....

I believe we were able to "survive" this attack because our 20 person server
has eight private slots so the attacker could never fill the server.
Additionally, an admin was immediately available to ban (through Delator)
the offending IP.

Regards,
Fred

-----Original Message-----
From: Ryan C. Gordon [mailto:icculus at clutteredmind.org]
Sent: Monday, July 26, 2004 11:34 PM
To: mohaa at icculus.org
Subject: RE: [mohaa] More MOHAA fixes...


On Mon, 2004-07-26 at 19:28, Fredrick Ludden wrote:
> How does this "fake player slot crap" work?  We had a bunch of hooligans
> try to enter the server apparently all using the same IP.  They were
> unsuccessful since we banned the IP.  Anyone care to explain what they
> were trying to do and what vulnerability this exploits?

(forgive the rambling in this long email...)

It's a well-documented hack that works with several games (quake and
unreal based)...basically you fill the server with fake players, because
these games trust that you are really trying to join as soon as you send
a small handshake, and then, since UDP is stateless, can't assume that
you aren't really there until you time out (since you otherwise might
just be lagging really bad). So they make, say, 16 connections with a
dummy program, which prevents others from joining since the server is
now "full" with people that are in the process of "joining". Then you
just have it start over every 30 seconds, to keep it full as the
original dummy connections time out and drop off. End result: for a
small amount of bandwidth you can deny entrance to anyone on a server
that is actually empty.

It's not an easy problem to solve, since it tends to be more about the
entire network infrastructure of a game and less about simple program
logic fixes. For now, you should ban by IP and hope they don't own a
subnet of zombies.

My understanding is Spearhead validates your CD key before it'll let you
join the server, which probably solves the problem (or limits you to one
dummy connection unless you've stolen/generated a bunch of valid keys),
but I could be totally wrong about this.

It's probably safe to assume that 3+ simultaneous connections from the
same IP is such an attack, especially if the player name changes...most
DSL/cable modems aren't going to have 3 people behind one NAT'd router.
Yes, there are exceptions to this rule, but it should definitely send up
a warning flag. Building in a new cvar that limits simultaneous
connection attempts from the same IP would probably be the quickest fix
(i.e. - ignore further "connect" packets from an IP when a connection
from that IP is pending), but it's not perfect, and still doesn't stop a
zombie subnet DoS. Then again...not much does.

I don't know what other Quake-based games are doing to solve this. If
anyone knows of a game that is explicitly INvulnerable to this attack,
please let me know.

Thoughts on a solution (specifically, a simple solution, since none of
my MOHAA work is financed at this point) are welcome.

--ryan.
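The quickest fix Ryan sketches above (a cvar capping simultaneous pending joins per IP, ignoring further "connect" packets while that many are open, and letting entries age out on the usual 30-second timeout) looks roughly like the following. This is an added illustration written for this archive page, not code from the MOHAA engine or from anyone on the list; the cvar name sv_maxPendingPerIP, the functions, the table size and the sample address are all hypothetical.

```c
/* Added example: per-IP pending-join limiter for a UDP game server.
 * Not engine code; every name and constant here is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_PENDING     64    /* size of the pending-join table (constructed value) */
#define PENDING_TIMEOUT 30.0  /* seconds before an unfinished join is dropped */

/* Hypothetical cvar: how many simultaneous pending joins one IP may have. */
static int sv_maxPendingPerIP = 2;

typedef struct {
    int      in_use;
    uint32_t ip;        /* IPv4 address in host byte order */
    char     name[32];  /* player name taken from the connect packet */
    double   started;   /* server time when the connect packet arrived */
} pending_t;

static pending_t pending[MAX_PENDING];

/* Drop entries whose handshake never completed within PENDING_TIMEOUT. */
static void expire_pending(double now) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].in_use && now - pending[i].started > PENDING_TIMEOUT)
            pending[i].in_use = 0;
}

/* Number of pending joins from ip after expiry. If name_changed is given it is
 * set when the open entries carry a different player name, the stronger signal
 * mentioned in the thread. name may be NULL when only the count is wanted. */
int sv_pending_count(uint32_t ip, const char *name, double now, int *name_changed) {
    int n = 0;
    expire_pending(now);
    if (name_changed) *name_changed = 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use || pending[i].ip != ip) continue;
        n++;
        if (name_changed && name && strcmp(pending[i].name, name) != 0)
            *name_changed = 1;
    }
    return n;
}

/* Handle one "connect" packet. Returns 1 when the join may proceed and 0 when
 * the packet is ignored because the IP already has sv_maxPendingPerIP open. */
int sv_accept_connect(uint32_t ip, const char *name, double now) {
    int name_changed;
    int n = sv_pending_count(ip, name, now, &name_changed);
    if (n >= sv_maxPendingPerIP) {
        /* log line for the admin; a name change across entries is worth flagging */
        printf("connect from %u.%u.%u.%u ignored: %d joins pending%s\n",
               ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255, n,
               name_changed ? " (player name changed)" : "");
        return 0;
    }
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].in_use) continue;
        pending[i].in_use = 1;
        pending[i].ip = ip;
        pending[i].started = now;
        snprintf(pending[i].name, sizeof pending[i].name, "%s", name);
        return 1;
    }
    return 0;  /* table full: refuse rather than grow without bound */
}

/* Called when a client finishes the handshake or disconnects; clears every
 * pending entry for that ip/name pair (retransmitted connects share the pair). */
void sv_pending_done(uint32_t ip, const char *name) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].in_use && pending[i].ip == ip &&
            strcmp(pending[i].name, name) == 0)
            pending[i].in_use = 0;
}

int main(void) {
    uint32_t a = 0x0A000005u;  /* constructed address 10.0.0.5 */
    printf("%d\n", sv_accept_connect(a, "alpha", 0.0));  /* proceeds */
    printf("%d\n", sv_accept_connect(a, "beta", 1.0));   /* proceeds */
    printf("%d\n", sv_accept_connect(a, "gamma", 2.0));  /* ignored: limit reached */
    sv_pending_done(a, "alpha");
    printf("%d\n", sv_accept_connect(a, "gamma", 3.0));  /* proceeds again */
    return 0;
}
```

As Ryan notes, this only bounds what one address can do; it does nothing against many source addresses, and a household behind one NAT that really does have sv_maxPendingPerIP players joining at once will see the extra connects ignored until the earlier handshakes finish or expire.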
