Mike Kristovich, security advisory MK#001
Topic: Multi-vendor Game Server DDoS Vulnerability
Discovery date: November 20, 2002
Affected applications:
Electronic Arts: Battlefield 1942
Battlefield 1942 Server
Battlefield 1942 Dedicated Server
Quake
Quake 2
Q3: Arena & Team Arena
Kingpin
Half-Life
Counter-Strike
Sin
Soldier of Fortune
Daikatana
Unreal Tourn.
Quakeworld
Unreal
Rune
Gore
Tribes
Tribes 2
Serious Sam
Serious Sam 2
C&C: Renegade Global Operations
Jedi Knight 2
Return to Castle Wolfenstein
Medal of Honour: Allied Assault
SoF2: Double Helix
SoF2: Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge
America's Army
Battlefield 1942
Unreal Tournament 2003
Severity: High
Impact:
Allows massive packet flooding, and massive CPU usage remotely and anonymously.
Author:
Mike Kristovich
Introduction:
This document is based on Battlefield 1942's query responses, but
this vulnerability exists in many games. As a basic rule of thumb,
if it supports gamespy, it will likely be vulnerable.
The following games are vulnerable to the same type of attack, and
most use the same general query commands (excluding Quake, Quake 2,
Return to Castle Wolfenstein, and a couple others). The other query
commands can be found in the source of a free program called "Server
Query" (
http://www.ServerQuery.com). The general rule of thumb is:
If its supported by GameSpy and Server Query, its vulnerable.
---------------------------------
The usage example for Battlefield 1942 follows..
Battlefield 1942 servers listen on UDP port 23000, awaiting commands:
i.e. '\status\' '\players\' '\packets\' '\echo\' '\rules\', and more.
The server uses a protocol very similar to UT2003 and America's Army,
and many other GameSpy* supported games.
* Gamespy is a popular program that allows game clients to find and
connect to game servers.
BF1942 allows you to combine requests:
i.e. '\status\players\packets\rules\'
When a request like the example above is sent, it uses approximately
30 bytes, not including UDP overhead. The resulting response
can be anywhere from as low as 6000 - 7000, to as high as 11,000+
bytes. Using an example of 30:11,799, we get a ratio of 1:393.
Basically, for every 1 byte we've sent, 393 are returned (in this
particular example, which comes from a server housing 41 players)..
Results will vary. A server which holds 64 players could potentially
respond with well over 18,000 bytes.
A server housing 31 players, in our test, responded with 9,583 bytes
for a single 30 byte request.
Side note, one single UDP request using the query line in our POC code
responds with 10 seperate responses (due to packet size limitations.)
This also means, if the victim port is unreachable, the victim will
respond to the data with 10 ICMP Unreachable responses.
Discussion:
UDP is a connectionless protocol of which the source ip and port can
easily be spoofed. If you've read the introduction, you can probably
see where I'm going with this.
The BF1942 status port will reply an amazing amount of requests,
and although I have only personally tested this to 100 kbytes/sec, I
dont see any reason why you couldn't go even higher.
When these requests are received, the reply is sent to the source host
which, in this case, we have spoofed. This causes a huge packet flood
to your victim, therefore you now have your DoS.
When tested, a single upstream of 4 k/s to the BF1942 server yielded
over 550 k/s being sent to the victim host. When the victim's host
receives these packets on a UDP port which is open (commonly found
to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that
connection will be flooded. If you sent to an unreachable port on
the victim's host, the victim's stack will respond with "Unreachable"
responses which will also flood their upstream.
A personal firewall will such as ZoneAlarm will not prevent this
DoS, as it is simply a flood of information being sent directly to
the victim's computer. To stop this DoS from reaching the victim,
the port you specify would have to be blocked before reaching their
system. Ports you would find particularly useless would be ones that
are commonly blocked by ISPs before reaching the customers:
(139/NetBIOS, and so on). A firewall will only prevent the victim
from responding with ICMP Unreachable packets.
Notes on bug
-------------
* Packets can be sent steadily, no wait time needed for refresh.
Further information, discussion..
---------------------------------
This is an attack that can easily flood any system slower than the
Battlefield 1942 server, and do it anonymously because the UDP
packet source is spoofed to that of the victim. This is very similar
to the "smurf" attack that was used in the late 20th century. =)
The attack does not only affect the bandwidth of the host and the
victim, but it also tends to eat up a nice chunk of memory and CPU
power on the server. Also, a side effect seems to be the server
losing all its players, either by assuming their connection died
or the players dropping the connection due to lag.
This low amount of required upstream would allow a simple modem user
to send a hefty DoS to a T1 or higher. (see example below)
Due to the fact that Battlefield 1942 servers tend to require a
lot of bandwidth to operate, you are very likely to find that nearly
any server will have more than enough bandwidth to handle the task.
EA has many of their servers hosted on OC3 lines.
In many ways, this exceeds the severity of the smurf attack method.
Example of risk:
T1 (1.54 mbps) FULL DoS:
1 server needed @ ~220 k/s or more (a 20 player server will do).
1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
A single user dialed up at 14,400 bps can topple a T1.
A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.
* You must account for UDP overhead (IP Header, UDP Header)
While UDP spoofing is near extinction due to network providers
finally deciding to block it, this is still a threat.
Exploit:
BF1942 Proof-of-concept code at PivX (bf1942dos.c)
Solution: (for users)
No solution currently.
Tested on:
Multitude of game servers, including *nix servers and windows servers..
Vendor status:
Electronic Arts was notified on November 20, 2002. No response currently.
No fix currently, but a fix is planned from GameSpy.
Related Documents:
Modern Day UDP Spoofing
Server Query
The Distributed Reflection DoS Attack
0x00.org
' Application-Level Reflection Attacks' by Tom Vogt
Postscript:
The Battlefield 1942 DoS was found on the night of November 19, 2002, and was immediately tested. Further exploitation may be possible (i.e. spoofing server to server)
On November 21, 2002, It was found that combining query commands yields much more data reflected.
Shortly after, it was discovered and tested that this bug is found in many games, some more troublesome than others.
Feedback:
Please mail any questions or comments to
mkristovich@pivx.com
Pivx have me on their news releases email list now it seems.
