TechSpot - PC Technology News and Analysis

"In an advisory posted to the company's Web site, security consultancy PivX Solutions stated that popular multiplayer games that have servers supporting the GameSpy network--such as "Quake 3: Arena," "Unreal Tournament 2003" and "Battlefield 1942"--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times...... "As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement."

"This vulnerability spans many games across multiple platforms. It is based upon UDP spoofing, certainly not a new trick in the black bag of any computer expert. Steve Gibson of GRC research as a good write-up on packet spoofing, as he himself fell victim to this tactic in 2001. Firewalls cannot always protect against packets that are forged as legitimate traffic on standard ports. "A personal firewall will such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer." Describes Mr. Kristovich."

Potentially scary stuff for many of our readers. Want to discuss this? Do so here.

Mike Kristovich, security advisory MK#001
Topic: Multi-vendor Game Server DDoS Vulnerability

Discovery date: November 20, 2002

Affected applications:

Electronic Arts: Battlefield 1942

Battlefield 1942 Server
Battlefield 1942 Dedicated Server
Quake
Quake 2
Q3: Arena & Team Arena
Kingpin
Half-Life
Counter-Strike
Sin
Soldier of Fortune
Daikatana
Unreal Tourn.
Quakeworld
Unreal
Rune
Gore
Tribes
Tribes 2
Serious Sam
Serious Sam 2
C&C: Renegade Global Operations
Jedi Knight 2
Return to Castle Wolfenstein
Medal of Honour: Allied Assault
SoF2: Double Helix
SoF2: Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge
America's Army
Battlefield 1942
Unreal Tournament 2003
Severity: High

Impact:
Allows massive packet flooding, and massive CPU usage remotely and anonymously.

Author:
Mike Kristovich

Introduction:
This document is based on Battlefield 1942's query responses, but
this vulnerability exists in many games. As a basic rule of thumb,
if it supports gamespy, it will likely be vulnerable.

The following games are vulnerable to the same type of attack, and
most use the same general query commands (excluding Quake, Quake 2,
Return to Castle Wolfenstein, and a couple others). The other query
commands can be found in the source of a free program called "Server
Query" (http://www.ServerQuery.com). The general rule of thumb is:
If its supported by GameSpy and Server Query, its vulnerable.

---------------------------------

The usage example for Battlefield 1942 follows..

Battlefield 1942 servers listen on UDP port 23000, awaiting commands:
i.e. '\status\' '\players\' '\packets\' '\echo\' '\rules\', and more.

The server uses a protocol very similar to UT2003 and America's Army,
and many other GameSpy* supported games.

* Gamespy is a popular program that allows game clients to find and
connect to game servers.

BF1942 allows you to combine requests:
i.e. '\status\players\packets\rules\'

When a request like the example above is sent, it uses approximately
30 bytes, not including UDP overhead. The resulting response
can be anywhere from as low as 6000 - 7000, to as high as 11,000+
bytes. Using an example of 30:11,799, we get a ratio of 1:393.
Basically, for every 1 byte we've sent, 393 are returned (in this
particular example, which comes from a server housing 41 players)..
Results will vary. A server which holds 64 players could potentially
respond with well over 18,000 bytes.

A server housing 31 players, in our test, responded with 9,583 bytes
for a single 30 byte request.

Side note, one single UDP request using the query line in our POC code
responds with 10 seperate responses (due to packet size limitations.)
This also means, if the victim port is unreachable, the victim will
respond to the data with 10 ICMP Unreachable responses.

Discussion:
UDP is a connectionless protocol of which the source ip and port can
easily be spoofed. If you've read the introduction, you can probably
see where I'm going with this.

The BF1942 status port will reply an amazing amount of requests,
and although I have only personally tested this to 100 kbytes/sec, I
dont see any reason why you couldn't go even higher.

When these requests are received, the reply is sent to the source host
which, in this case, we have spoofed. This causes a huge packet flood
to your victim, therefore you now have your DoS.

When tested, a single upstream of 4 k/s to the BF1942 server yielded
over 550 k/s being sent to the victim host. When the victim's host
receives these packets on a UDP port which is open (commonly found
to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that
connection will be flooded. If you sent to an unreachable port on
the victim's host, the victim's stack will respond with "Unreachable"
responses which will also flood their upstream.

A personal firewall will such as ZoneAlarm will not prevent this
DoS, as it is simply a flood of information being sent directly to
the victim's computer. To stop this DoS from reaching the victim,
the port you specify would have to be blocked before reaching their
system. Ports you would find particularly useless would be ones that
are commonly blocked by ISPs before reaching the customers:
(139/NetBIOS, and so on). A firewall will only prevent the victim
from responding with ICMP Unreachable packets.

Notes on bug
-------------

* Packets can be sent steadily, no wait time needed for refresh.

Further information, discussion..
---------------------------------

This is an attack that can easily flood any system slower than the
Battlefield 1942 server, and do it anonymously because the UDP
packet source is spoofed to that of the victim. This is very similar
to the "smurf" attack that was used in the late 20th century. =)

The attack does not only affect the bandwidth of the host and the
victim, but it also tends to eat up a nice chunk of memory and CPU
power on the server. Also, a side effect seems to be the server
losing all its players, either by assuming their connection died
or the players dropping the connection due to lag.

This low amount of required upstream would allow a simple modem user
to send a hefty DoS to a T1 or higher. (see example below)

Due to the fact that Battlefield 1942 servers tend to require a
lot of bandwidth to operate, you are very likely to find that nearly
any server will have more than enough bandwidth to handle the task.
EA has many of their servers hosted on OC3 lines.

In many ways, this exceeds the severity of the smurf attack method.

Example of risk:

T1 (1.54 mbps) FULL DoS:
1 server needed @ ~220 k/s or more (a 20 player server will do).
1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
A single user dialed up at 14,400 bps can topple a T1.
A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.

* You must account for UDP overhead (IP Header, UDP Header)

While UDP spoofing is near extinction due to network providers
finally deciding to block it, this is still a threat.


Exploit:


BF1942 Proof-of-concept code at PivX (bf1942dos.c)
Solution: (for users)
No solution currently.

Tested on:
Multitude of game servers, including *nix servers and windows servers..


Vendor status:
Electronic Arts was notified on November 20, 2002. No response currently.
No fix currently, but a fix is planned from GameSpy.

Related Documents:


Modern Day UDP Spoofing
Server Query
The Distributed Reflection DoS Attack
0x00.org
' Application-Level Reflection Attacks' by Tom Vogt

Postscript:


The Battlefield 1942 DoS was found on the night of November 19, 2002, and was immediately tested. Further exploitation may be possible (i.e. spoofing server to server)
On November 21, 2002, It was found that combining query commands yields much more data reflected.
Shortly after, it was discovered and tested that this bug is found in many games, some more troublesome than others.

Feedback:

Please mail any questions or comments to mkristovich@pivx.com

Posted this a while back Pivx have me on their news releases email list now it seems.
It's a big shame to see EA have seemingly done nothing about it at all though.

Sorry man, must have missed it. It was news on Hard OCP.

It's also posted here at The Register...

that's interesting a couple of sites seem to regard this as news... but Thomas you say you heard of this a while back...

Thursday, January 16, at 10:34 PM to be exact

slashdot.org seems to think its news as well.....

http://slashdot.org/articles/03/01/1....shtml?tid=172

I know, but I meant I'd already posted it a day or 2 days ago Its a few stories down on the frontpage. I dunno when hardocp posted it, but I posted it right after Pivx emailed it into me.

http://www.techspot.com/vb/topic57563.html
Could you please tell me if this is the problem I am experiencing???