[quake3-bugzilla] [Bug 5678] prevent using getinfo as an amplifier for DDOS attacks
bugzilla-daemon at icculus.org
Mon Jul 2 05:49:42 EDT 2012
https://bugzilla.icculus.org/show_bug.cgi?id=5678
--- Comment #6 from Simon McVittie <smcv-ioquake3 at pseudorandom.co.uk> 2012-07-02 05:49:39 EDT ---
(In reply to comment #5)
> fixed r2289

Do you consider this to be a sufficiently serious vulnerability that
distributions should make it a security update? (If so, we should get a CVE
number for it and do an advisory.)

It would be really good to have an ioquake3 1.37 release - there have been
several security vulnerabilities fixed since 1.36.

(In reply to comment #4)
> (In reply to comment #3)
> > Is this actively being used in attacks?
>
> yes. there were reports and discussions about attacks on ioQuake3-based games.
> 5 months ago (around the time of the said events)

If I remember correctly, those reports were that getstatus (>= 20x traffic
multiplication) was being used actively as an attack.

Are you aware of any uses of getinfo (< 5x multiplication) as an attack?