>> I agree, this is a really old problem, but security through obscurity
>> rarely works for long and this one may become a problem now. I can
>> think of at least one relatively transparent way to solve the problem,
>> which is to implement some traffic-shaping within the game server
>> application. Rate limit query/status/info responses to queries from
>> the same source to some reasonable level. No challenge would be
>> required, and all the client-side applications could remain unchanged.
>> Seems like a limit of one or two query responses every five or ten
>> seconds to the same IP address would be sufficient for just about
>> anything I can think of.
>
> The problem with your solution is that (if IP spoofing is really used),
> you don't KNOW the source (the source IP address is bogus).

This is true, but since all responses are rate-limited it won't matter if
the destination is spoofed or not. Of course, if an attacker hits enough
servers (maybe a hundred or so) with DDOS packets, they could still flood a
victim from those servers, but this is a much more difficult attack.

> The real solution to this is for IP providers to block packets at the
> router front end when the source address in the packet does NOT match
> the network that the packet came from. If Cisco, Bay Networks (now
> Nortel), 3Com and the other network vendors would get off their asses
> and implement proper filtering (and if monkey brained ISPs would turn on
> the filters), we wouldn't have this type of attack.

Yeah, but not much luck of that happening anytime soon. The router
manufacturers should all support this already, it's just not implemented
by the ISPs.

     -kendokan
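The two mitigations discussed in this thread, shown as an added example that is not code from the list, from kendokan, or from the HLDS server itself: a per-source-IP sliding-window cap on query/status/info responses (the server-side traffic shaping proposed above) and a BCP38-style ingress check of the kind the quoted reply wants ISPs to enable. The class and function names, the limit of two replies per five seconds, and the sample traffic are all constructed for this illustration; the point it makes is that because the server cannot distinguish a real querier from a spoofed victim, the cap must bound what any single address receives, spoofed or not.

```python
"""Added example (not from the hlds_apps thread or the HLDS code base):
per-source rate limiting of query responses plus a BCP38-style ingress
filter check, exercised on constructed sample traffic."""
import ipaddress
from collections import defaultdict, deque


class QueryRateLimiter:
    """Allow at most `max_responses` query replies to one source IP within any
    `window` seconds (sliding window). The server never learns whether a
    source address is genuine, so the cap limits the reply bytes that any
    address, real or spoofed, can be made to receive from this server."""

    def __init__(self, max_responses=2, window=5.0):
        self.max_responses = max_responses
        self.window = window
        self._sent = defaultdict(deque)  # src_ip -> timestamps of replies sent

    def allow(self, src_ip, now):
        q = self._sent[src_ip]
        # Forget replies that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_responses:
            return False  # drop silently; no reply, so nothing to amplify
        q.append(now)
        return True


def serve_queries(packets, limiter):
    """packets: iterable of (arrival_time, src_ip) for incoming query packets.
    Returns {src_ip: number_of_replies_actually_sent}."""
    sent = defaultdict(int)
    for t, src in packets:
        if limiter.allow(src, t):
            sent[src] += 1
    return dict(sent)


def ingress_filter_ok(src_ip, arrival_prefixes):
    """BCP38-style check at the provider edge: accept a packet only if its
    source address lies inside a prefix assigned to the link it arrived on.
    A packet claiming a source outside those prefixes is spoofed."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in arrival_prefixes)


# Constructed sample traffic (addresses from documentation ranges): a spoofed
# "victim" address hit with 40 queries in one second, and a legitimate server
# browser querying once every six seconds.
VICTIM = "203.0.113.7"
BROWSER = "198.51.100.20"
SAMPLE_PACKETS = [(i * 0.025, VICTIM) for i in range(40)] + \
                 [(6.0 * i, BROWSER) for i in range(3)]


def demo():
    """Run the sample traffic through a 2-replies-per-5-seconds limiter."""
    limiter = QueryRateLimiter(max_responses=2, window=5.0)
    return serve_queries(SAMPLE_PACKETS, limiter)


if __name__ == "__main__":
    print(demo())  # the victim gets 2 replies instead of 40; the browser gets all 3
    print(ingress_filter_ok("198.51.100.20", ["198.51.100.0/24"]))  # True
    print(ingress_filter_ok("203.0.113.7", ["198.51.100.0/24"]))    # False
```

The limiter keeps only timestamps of replies it actually sent, so a flood of dropped queries does not itself grow memory per address; in a real server the per-IP table would still need an expiry sweep so that idle entries are released.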


_______________________________________________
hlds_apps mailing list
[EMAIL PROTECTED]
http://list.valvesoftware.com/mailman/listinfo/hlds_apps