GameSpy magnifies denial-of-service attacks?

By Phantasm66
Jan 18, 2003
  1. "In an advisory posted to the company's Web site, security consultancy PivX Solutions stated that popular multiplayer games that have servers supporting the GameSpy network--such as "Quake 3: Arena," "Unreal Tournament 2003" and "Battlefield 1942"--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times...... "As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement."

    "This vulnerability spans many games across multiple platforms. It is based upon UDP spoofing, certainly not a new trick in the black bag of any computer expert. Steve Gibson of GRC research as a good write-up on packet spoofing, as he himself fell victim to this tactic in 2001. Firewalls cannot always protect against packets that are forged as legitimate traffic on standard ports. "A personal firewall will such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer." Describes Mr. Kristovich."

    Potentially scary stuff for many of our readers. Want to discuss this? Do so here.
  2. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 5,734   +7

    Mike Kristovich, security advisory MK#001
    Topic: Multi-vendor Game Server DDoS Vulnerability

    Discovery date: November 20, 2002

    Affected applications:

    Electronic Arts: Battlefield 1942

    Battlefield 1942 Server
    Battlefield 1942 Dedicated Server
    Quake 2
    Q3: Arena & Team Arena
    Soldier of Fortune
    Unreal Tourn.
    Tribes 2
    Serious Sam
    Serious Sam 2
    C&C: Renegade Global Operations
    Jedi Knight 2
    Return to Castle Wolfenstein
    Medal of Honour: Allied Assault
    SoF2: Double Helix
    SoF2: Double Helix Demo
    Alien vs Predator 2
    NeverWinter Nights
    V8 Supercar Challenge
    America's Army
    Battlefield 1942
    Unreal Tournament 2003
    Severity: High

    Allows massive packet flooding, and massive CPU usage remotely and anonymously.

    Mike Kristovich

    This document is based on Battlefield 1942's query responses, but
    this vulnerability exists in many games. As a basic rule of thumb,
    if it supports gamespy, it will likely be vulnerable.

    The following games are vulnerable to the same type of attack, and
    most use the same general query commands (excluding Quake, Quake 2,
    Return to Castle Wolfenstein, and a couple others). The other query
    commands can be found in the source of a free program called "Server
    Query" ( The general rule of thumb is:
    If its supported by GameSpy and Server Query, its vulnerable.


    The usage example for Battlefield 1942 follows..

    Battlefield 1942 servers listen on UDP port 23000, awaiting commands:
    i.e. '\status\' '\players\' '\packets\' '\echo\' '\rules\', and more.

    The server uses a protocol very similar to UT2003 and America's Army,
    and many other GameSpy* supported games.

    * Gamespy is a popular program that allows game clients to find and
    connect to game servers.

    BF1942 allows you to combine requests:
    i.e. '\status\players\packets\rules\'

    When a request like the example above is sent, it uses approximately
    30 bytes, not including UDP overhead. The resulting response
    can be anywhere from as low as 6000 - 7000, to as high as 11,000+
    bytes. Using an example of 30:11,799, we get a ratio of 1:393.
    Basically, for every 1 byte we've sent, 393 are returned (in this
    particular example, which comes from a server housing 41 players)..
    Results will vary. A server which holds 64 players could potentially
    respond with well over 18,000 bytes.

    A server housing 31 players, in our test, responded with 9,583 bytes
    for a single 30 byte request.

    Side note, one single UDP request using the query line in our POC code
    responds with 10 seperate responses (due to packet size limitations.)
    This also means, if the victim port is unreachable, the victim will
    respond to the data with 10 ICMP Unreachable responses.

    UDP is a connectionless protocol of which the source ip and port can
    easily be spoofed. If you've read the introduction, you can probably
    see where I'm going with this.

    The BF1942 status port will reply an amazing amount of requests,
    and although I have only personally tested this to 100 kbytes/sec, I
    dont see any reason why you couldn't go even higher.

    When these requests are received, the reply is sent to the source host
    which, in this case, we have spoofed. This causes a huge packet flood
    to your victim, therefore you now have your DoS.

    When tested, a single upstream of 4 k/s to the BF1942 server yielded
    over 550 k/s being sent to the victim host. When the victim's host
    receives these packets on a UDP port which is open (commonly found
    to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that
    connection will be flooded. If you sent to an unreachable port on
    the victim's host, the victim's stack will respond with "Unreachable"
    responses which will also flood their upstream.

    A personal firewall will such as ZoneAlarm will not prevent this
    DoS, as it is simply a flood of information being sent directly to
    the victim's computer. To stop this DoS from reaching the victim,
    the port you specify would have to be blocked before reaching their
    system. Ports you would find particularly useless would be ones that
    are commonly blocked by ISPs before reaching the customers:
    (139/NetBIOS, and so on). A firewall will only prevent the victim
    from responding with ICMP Unreachable packets.

    Notes on bug

    * Packets can be sent steadily, no wait time needed for refresh.

    Further information, discussion..

    This is an attack that can easily flood any system slower than the
    Battlefield 1942 server, and do it anonymously because the UDP
    packet source is spoofed to that of the victim. This is very similar
    to the "smurf" attack that was used in the late 20th century. =)

    The attack does not only affect the bandwidth of the host and the
    victim, but it also tends to eat up a nice chunk of memory and CPU
    power on the server. Also, a side effect seems to be the server
    losing all its players, either by assuming their connection died
    or the players dropping the connection due to lag.

    This low amount of required upstream would allow a simple modem user
    to send a hefty DoS to a T1 or higher. (see example below)

    Due to the fact that Battlefield 1942 servers tend to require a
    lot of bandwidth to operate, you are very likely to find that nearly
    any server will have more than enough bandwidth to handle the task.
    EA has many of their servers hosted on OC3 lines.

    In many ways, this exceeds the severity of the smurf attack method.

    Example of risk:

    T1 (1.54 mbps) FULL DoS:
    1 server needed @ ~220 k/s or more (a 20 player server will do).
    1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
    A single user dialed up at 14,400 bps can topple a T1.
    A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.

    * You must account for UDP overhead (IP Header, UDP Header)

    While UDP spoofing is near extinction due to network providers
    finally deciding to block it, this is still a threat.


    BF1942 Proof-of-concept code at PivX (bf1942dos.c)
    Solution: (for users)
    No solution currently.

    Tested on:
    Multitude of game servers, including *nix servers and windows servers..

    Vendor status:
    Electronic Arts was notified on November 20, 2002. No response currently.
    No fix currently, but a fix is planned from GameSpy.

    Related Documents:

    Modern Day UDP Spoofing
    Server Query
    The Distributed Reflection DoS Attack
    ' Application-Level Reflection Attacks' by Tom Vogt


    The Battlefield 1942 DoS was found on the night of November 19, 2002, and was immediately tested. Further exploitation may be possible (i.e. spoofing server to server)
    On November 21, 2002, It was found that combining query commands yields much more data reflected.
    Shortly after, it was discovered and tested that this bug is found in many games, some more troublesome than others.


    Please mail any questions or comments to
  3. TS | Thomas

    TS | Thomas TS Rookie Posts: 1,319

    Posted this a while back ;) Pivx have me on their news releases email list now it seems.
    It's a big shame to see EA have seemingly done nothing about it at all though.
  4. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 5,734   +7

    Sorry man, must have missed it. It was news on Hard OCP.
  5. MrGaribaldi

    MrGaribaldi TechSpot Ambassador Posts: 2,512

  6. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 5,734   +7

    that's interesting a couple of sites seem to regard this as news... but Thomas you say you heard of this a while back...
  7. Per Hansson

    Per Hansson TS Server Guru Posts: 1,926   +185

    Thursday, January 16, at 10:34 PM to be exact :D
  8. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 5,734   +7

  9. TS | Thomas

    TS | Thomas TS Rookie Posts: 1,319

    I know, but I meant I'd already posted it a day or 2 days ago :) Its a few stories down on the frontpage. I dunno when hardocp posted it, but I posted it right after Pivx emailed it into me.
  10. rgw2354

    rgw2354 TS Rookie

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...