[quake3-bugzilla] [Bug 5954] DDOS with getchallenge
bugzilla-daemon at icculus.org
bugzilla-daemon at icculus.org
Fri Jun 14 21:48:24 EDT 2013
https://bugzilla.icculus.org/show_bug.cgi?id=5954
--- Comment #5 from jawfin at gmail.com ---
I notice a person is assigned to this, does this mean it's being addressed?
Either way, I've noticed a flaw in the flood protect of getchallenge.
The server was successfully lagged by one person with one IP with a repeated
packet which shows in the logs (developer 1) thusly: -
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
SV packet 12.4.2.5:-7392 : getchallenge
There was 134 on that port, then 156 on port -29022, then 192 on port -20149
etc
All told there was over 300,000 getchallenge's in less than 1 minute from IP
12.4.2.5
It could be a spoofed packet via a DDOS, but unlikely that so many bots would
all be on ISP without Ingress filtering. It may just be a spoofed packet from
one person but not that IP. Either way, it completely bypassed the flood
filter. I can't give anymore information here as the server is hosted and I
don't have remove virtual control, and its unlikely EscapedTurkey was running
wireshark for the 5 minutes this attack lasted.
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/quake3-bugzilla/attachments/20130615/e3c3363b/attachment.html>
More information about the quake3-bugzilla
mailing list