GameSpy query security flaw, possible fix

Michiel El Muerte Hendriks elmuerte at el-muerte.student.utwente.nl
Mon Jan 20 10:12:22 EST 2003


I've tried to fix the "security flaw" reported earlier that could be
used for DoS'ing.
I've also fixed the looping \echo\ query security flaw I reported a
while back on the mailing list.

The solution to prevent your server from being used for DoS'ing is not a
definite solution. 
I've implemented these fixes in my ServQuery package.
There are two ways to "secure" your server a bit more, one is to limit
the maximum number of queries per second. And the other is to limit the
maximum number of queries per second per host. This last one can be
pretty intensive to your server.
You can use both protections at the same time, of course the fastest one
is performed first.
It's advised to use both protections if you want to limit per host.

I have not tested these fixes intensively to see what the impact is on
the server. So it would be great if you people could test this beta.

http://www.drunksnipers.com/files/ut2003/ServQuery-108beta.zip

-- 
Michiel "El Muerte" Hendriks            elmuerte at drunksnipers.com
TDS - Internet Services                 http://www.drunksnipers.com
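
The two limits described in the message above, written out as an added Python example; it is not code from ServQuery or from the author of the post. The class name `QueryLimiter`, the fixed one-second window and the `max_hosts` bound on the per-host table are assumptions made for this illustration.

```python
import time


class QueryLimiter:
    """Fixed one-second window: a global cap first, then a per-host cap."""

    def __init__(self, max_total, max_per_host, max_hosts=1024,
                 clock=time.monotonic):
        self.max_total = max_total        # answered queries/second, whole server
        self.max_per_host = max_per_host  # answered queries/second, one address
        self.max_hosts = max_hosts        # assumed bound on the per-host table
        self.clock = clock
        self.window = None                # number of the current one-second window
        self.total = 0
        self.per_host = {}

    def allow(self, host):
        """Return True if a query from `host` should be answered now."""
        now = int(self.clock())
        if now != self.window:            # new second: reset every counter
            self.window = now
            self.total = 0
            self.per_host.clear()
        # Cheap check first: one integer comparison, no table lookup.
        if self.total >= self.max_total:
            return False
        # Costlier check: one table lookup per packet. UDP source addresses
        # can be forged, so the table is bounded; once it is full, hosts not
        # yet seen in this window are refused.
        count = self.per_host.get(host)
        if count is None:
            if len(self.per_host) >= self.max_hosts:
                return False
            count = 0
        if count >= self.max_per_host:
            return False
        self.per_host[host] = count + 1
        self.total += 1
        return True


def replay(limiter, hosts):
    """Feed a constructed sequence of source addresses; count answers per host."""
    answered = {}
    for host in hosts:
        if limiter.allow(host):
            answered[host] = answered.get(host, 0) + 1
    return answered
```

Only answered queries count toward the global total, so one flooding address is held to its own per-host limit and cannot use up the whole server's budget.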


