GameSpy magnifies denial-of-service attacks?

By Derek Sooman on January 18, 2003, 3:55 PM
"In an advisory posted to the company's Web site, security consultancy PivX Solutions stated that popular multiplayer games that have servers supporting the GameSpy network--such as "Quake 3: Arena," "Unreal Tournament 2003" and "Battlefield 1942"--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times...... "As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement."

"This vulnerability spans many games across multiple platforms. It is based upon UDP spoofing, certainly not a new trick in the black bag of any computer expert. Steve Gibson of GRC research as a good write-up on packet spoofing, as he himself fell victim to this tactic in 2001. Firewalls cannot always protect against packets that are forged as legitimate traffic on standard ports. "A personal firewall will such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer." Describes Mr. Kristovich."

Potentially scary stuff for many of our readers. Want to discuss this? Do so here.




User Comments: 8

Got something to say? Post a comment
Phantasm66 said:
Mike Kristovich, security advisory MK#001Topic: Multi-vendor Game Server DDoS VulnerabilityDiscovery date: November 20, 2002Affected applications:Electronic Arts: Battlefield 1942 Battlefield 1942 Server Battlefield 1942 Dedicated Server Quake Quake 2 Q3: Arena & Team Arena Kingpin Half-Life Counter-Strike Sin Soldier of Fortune Daikatana Unreal Tourn. Quakeworld Unreal Rune Gore Tribes Tribes 2 Serious Sam Serious Sam 2 C&C: Renegade Global Operations Jedi Knight 2 Return to Castle Wolfenstein Medal of Honour: Allied Assault SoF2: Double Helix SoF2: Double Helix Demo Alien vs Predator 2 NeverWinter Nights V8 Supercar Challenge America's Army Battlefield 1942 Unreal Tournament 2003 Severity: HighImpact:Allows massive packet flooding, and massive CPU usage remotely and anonymously.Author:Mike KristovichIntroduction:This document is based on Battlefield 1942's query responses, butthis vulnerability exists in many games. As a basic rule of thumb,if it supports gamespy, it will likely be vulnerable.The following games are vulnerable to the same type of attack, andmost use the same general query commands (excluding Quake, Quake 2,Return to Castle Wolfenstein, and a couple others). The other querycommands can be found in the source of a free program called "ServerQuery" ([url]http://www.ServerQuery.com[/url]). The general rule of thumb is:If its supported by GameSpy and Server Query, its vulnerable.---------------------------------The usage example for Battlefield 1942 follows..Battlefield 1942 servers listen on UDP port 23000, awaiting commands:i.e. 'status' 'players' 'packets' 'echo' 'rules', and more.The server uses a protocol very similar to UT2003 and America's Army,and many other GameSpy* supported games. * Gamespy is a popular program that allows game clients to find andconnect to game servers.BF1942 allows you to combine requests:i.e. 'statusplayerspacketsrules'When a request like the example above is sent, it uses approximately30 bytes, not including UDP overhead. The resulting responsecan be anywhere from as low as 6000 - 7000, to as high as 11,000+bytes. Using an example of 30:11,799, we get a ratio of 1:393. Basically, for every 1 byte we've sent, 393 are returned (in this particular example, which comes from a server housing 41 players)..Results will vary. A server which holds 64 players could potentiallyrespond with well over 18,000 bytes.A server housing 31 players, in our test, responded with 9,583 bytesfor a single 30 byte request. Side note, one single UDP request using the query line in our POC coderesponds with 10 seperate responses (due to packet size limitations.)This also means, if the victim port is unreachable, the victim will respond to the data with 10 ICMP Unreachable responses.Discussion:UDP is a connectionless protocol of which the source ip and port can easily be spoofed. If you've read the introduction, you can probablysee where I'm going with this.The BF1942 status port will reply an amazing amount of requests,and although I have only personally tested this to 100 kbytes/sec, Idont see any reason why you couldn't go even higher.When these requests are received, the reply is sent to the source hostwhich, in this case, we have spoofed. This causes a huge packet floodto your victim, therefore you now have your DoS.When tested, a single upstream of 4 k/s to the BF1942 server yieldedover 550 k/s being sent to the victim host. When the victim's hostreceives these packets on a UDP port which is open (commonly foundto be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to thatconnection will be flooded. If you sent to an unreachable port onthe victim's host, the victim's stack will respond with "Unreachable"responses which will also flood their upstream. A personal firewall will such as ZoneAlarm will not prevent thisDoS, as it is simply a flood of information being sent directly tothe victim's computer. To stop this DoS from reaching the victim,the port you specify would have to be blocked before reaching theirsystem. Ports you would find particularly useless would be ones thatare commonly blocked by ISPs before reaching the customers:(139/NetBIOS, and so on). A firewall will only prevent the victimfrom responding with ICMP Unreachable packets.Notes on bug-------------* Packets can be sent steadily, no wait time needed for refresh.Further information, discussion..---------------------------------This is an attack that can easily flood any system slower than theBattlefield 1942 server, and do it anonymously because the UDP packet source is spoofed to that of the victim. This is very similarto the "smurf" attack that was used in the late 20th century. =)The attack does not only affect the bandwidth of the host and thevictim, but it also tends to eat up a nice chunk of memory and CPUpower on the server. Also, a side effect seems to be the serverlosing all its players, either by assuming their connection diedor the players dropping the connection due to lag.This low amount of required upstream would allow a simple modem userto send a hefty DoS to a T1 or higher. (see example below)Due to the fact that Battlefield 1942 servers tend to require a lot of bandwidth to operate, you are very likely to find that nearlyany server will have more than enough bandwidth to handle the task.EA has many of their servers hosted on OC3 lines.In many ways, this exceeds the severity of the smurf attack method.Example of risk:T1 (1.54 mbps) FULL DoS:1 server needed @ ~220 k/s or more (a 20 player server will do).1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)A single user dialed up at 14,400 bps can topple a T1.A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.* You must account for UDP overhead (IP Header, UDP Header)While UDP spoofing is near extinction due to network providersfinally deciding to block it, this is still a threat. Exploit:BF1942 Proof-of-concept code at PivX (bf1942dos.c)Solution: (for users)No solution currently.Tested on:Multitude of game servers, including *nix servers and windows servers..Vendor status:Electronic Arts was notified on November 20, 2002. No response currently.No fix currently, but a fix is planned from GameSpy. Related Documents:Modern Day UDP SpoofingServer QueryThe Distributed Reflection DoS Attack0x00.org' Application-Level Reflection Attacks' by Tom VogtPostscript:The Battlefield 1942 DoS was found on the night of November 19, 2002, and was immediately tested. Further exploitation may be possible (i.e. spoofing server to server) On November 21, 2002, It was found that combining query commands yields much more data reflected. Shortly after, it was discovered and tested that this bug is found in many games, some more troublesome than others. Feedback: Please mail any questions or comments to [email]mkristovich@pivx.com[/email]
TS | Thomas said:
Posted this a while back ;) Pivx have me on their news releases email list now it seems.It's a big shame to see EA have seemingly done nothing about it at all though.
Phantasm66 said:
Sorry man, must have missed it. It was news on Hard OCP.
MrGaribaldi said:
It's also posted [url=http://212.100.234.54/content/55/28924.html]here[/url] at [url=www.theregister.co.uk]The Register[/url]...
Phantasm66 said:
that's interesting a couple of sites seem to regard this as news... but Thomas you say you heard of this a while back...
Per Hansson said:
Thursday, January 16, at 10:34 PM to be exact :D
Phantasm66 said:
slashdot.org seems to think its news as well.....[url]http://slashdot.org/articles/03/01/19/1729250.
html?tid=172[/url]
TS | Thomas said:
I know, but I meant I'd already posted it a day or 2 days ago :) Its a few stories down on the frontpage. I dunno when hardocp posted it, but I posted it right after Pivx emailed it into me.
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.