Kyle,

SRCDS doesn't need to be a "majority stakeholder" to receive patches to known security vulnerabilities. There are tens of thousands of srcds servers, nearly all of which can be sent a spoofed query and will respond to a victim address with server information. "Only 8x" is still enough to cause plenty of people issues, when this can be resolved by a patch like Fletcher is suggesting. We still see dozens of these attacks per month. Patching this won't have the same impact as patching the memcached reflection, but it will still result in a decrease in attacks, and allow a simplified mitigation solution.

To break down how 8x can still overwhelm plenty of providers:

Five servers/zombies on providers non-compliant with BCP38/RFC2827, each with 1000 Mbit uplinks, send spoofed Source engine queries to 5,000 srcds servers. At 8x average amplification, the victim address will theoretically receive 40 Gbps worth of responses from those 5,000 srcds instances.

Also, if I'm not mistaken, they did try to patch this previously a couple of years ago on CSGO, with the addition of sv_max_queries_sec. But unfortunately there are tens of thousands of srcds servers malicious actors can cycle through, so those commands aren't very effective at their default values.


> I think where I'm going with this is why on God's green earth are we
> doing this when SRCDS is just not a majority stakeholder on the
> internet anymore. I'm confuzzled: and now I'm confused.
>
> Kyle.
