[quake3-bugzilla] [Bug 5954] DDOS with getchallenge

bugzilla-daemon at icculus.org bugzilla-daemon at icculus.org
Fri Jun 14 21:48:24 EDT 2013


https://bugzilla.icculus.org/show_bug.cgi?id=5954

--- Comment #5 from jawfin at gmail.com ---
I notice a person is assigned to this, does this mean it's being addressed?
Either way, I've noticed a flaw in the flood protect of getchallenge.

The server was successfully lagged by one person with one IP with a repeated
packet which shows in the logs (developer 1) thusly: -
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge

There was 134 on that port, then 156 on port -29022, then 192 on port -20149
etc
All told there was over 300,000 getchallenge's in less than 1 minute from IP
12.4.2.5

It could be a spoofed packet via a DDOS, but unlikely that so many bots would
all be on ISP without Ingress filtering.  It may just be a spoofed packet from
one person but not that IP.  Either way, it completely bypassed the flood
filter.  I can't give anymore information here as the server is hosted and I
don't have remove virtual control, and its unlikely EscapedTurkey was running
wireshark for the 5 minutes this attack lasted.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/quake3-bugzilla/attachments/20130615/e3c3363b/attachment.html>


More information about the quake3-bugzilla mailing list