This is a multi-part message in MIME format. -- -- [ Picked text/plain from multipart/alternative ] http://www.pivx.com/kristovich/adv/mk001/
Mike Kristovich, security advisory MK#001 Topic: Multi-vendor Game Server DDoS Vulnerability Discovery date: November 20, 2002 Affected applications: Electronic Arts: Battlefield 1942 a.. Battlefield 1942 Server b.. Battlefield 1942 Dedicated Server c.. Quake d.. Quake 2 e.. Q3: Arena & Team Arena f.. Kingpin g.. Half-Life h.. Counter-Strike i.. Sin j.. Soldier of Fortune k.. Daikatana l.. Unreal Tourn. m.. Quakeworld n.. Unreal o.. Rune p.. Gore q.. Tribes r.. Tribes 2 s.. Serious Sam t.. Serious Sam 2 u.. C&C: Renegade Global Operations v.. Jedi Knight 2 w.. Return to Castle Wolfenstein x.. Medal of Honour: Allied Assault y.. SoF2: Double Helix z.. SoF2: Double Helix Demo aa.. Alien vs Predator 2 ab.. NeverWinter Nights ac.. V8 Supercar Challenge ad.. America's Army ae.. Battlefield 1942 af.. Unreal Tournament 2003 Severity: High Impact: Allows massive packet flooding, and massive CPU usage remotely and anonymously. Author: Mike Kristovich Introduction: This document is based on Battlefield 1942's query responses, but this vulnerability exists in many games. As a basic rule of thumb, if it supports gamespy, it will likely be vulnerable. The following games are vulnerable to the same type of attack, and most use the same general query commands (excluding Quake, Quake 2, Return to Castle Wolfenstein, and a couple others). The other query commands can be found in the source of a free program called "Server Query" (http://www.ServerQuery.com). The general rule of thumb is: If its supported by GameSpy and Server Query, its vulnerable. --------------------------------- The usage example for Battlefield 1942 follows.. Battlefield 1942 servers listen on UDP port 23000, awaiting commands: i.e. '\status\' '\players\' '\packets\' '\echo\' '\rules\', and more. The server uses a protocol very similar to UT2003 and America's Army, and many other GameSpy* supported games. * Gamespy is a popular program that allows game clients to find and connect to game servers. BF1942 allows you to combine requests: i.e. '\status\players\packets\rules\' When a request like the example above is sent, it uses approximately 30 bytes, not including UDP overhead. The resulting response can be anywhere from as low as 6000 - 7000, to as high as 11,000+ bytes. Using an example of 30:11,799, we get a ratio of 1:393. Basically, for every 1 byte we've sent, 393 are returned (in this particular example, which comes from a server housing 41 players).. Results will vary. A server which holds 64 players could potentially respond with well over 18,000 bytes. A server housing 31 players, in our test, responded with 9,583 bytes for a single 30 byte request. Side note, one single UDP request using the query line in our POC code responds with 10 seperate responses (due to packet size limitations.) This also means, if the victim port is unreachable, the victim will respond to the data with 10 ICMP Unreachable responses. Discussion: UDP is a connectionless protocol of which the source ip and port can easily be spoofed. If you've read the introduction, you can probably see where I'm going with this. The BF1942 status port will reply an amazing amount of requests, and although I have only personally tested this to 100 kbytes/sec, I dont see any reason why you couldn't go even higher. When these requests are received, the reply is sent to the source host which, in this case, we have spoofed. This causes a huge packet flood to your victim, therefore you now have your DoS. When tested, a single upstream of 4 k/s to the BF1942 server yielded over 550 k/s being sent to the victim host. When the victim's host receives these packets on a UDP port which is open (commonly found to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that connection will be flooded. If you sent to an unreachable port on the victim's host, the victim's stack will respond with "Unreachable" responses which will also flood their upstream. A personal firewall will such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer. To stop this DoS from reaching the victim, the port you specify would have to be blocked before reaching their system. Ports you would find particularly useless would be ones that are commonly blocked by ISPs before reaching the customers: (139/NetBIOS, and so on). A firewall will only prevent the victim from responding with ICMP Unreachable packets. Notes on bug ------------- * Packets can be sent steadily, no wait time needed for refresh. Further information, discussion.. --------------------------------- This is an attack that can easily flood any system slower than the Battlefield 1942 server, and do it anonymously because the UDP packet source is spoofed to that of the victim. This is very similar to the "smurf" attack that was used in the late 20th century. =) The attack does not only affect the bandwidth of the host and the victim, but it also tends to eat up a nice chunk of memory and CPU power on the server. Also, a side effect seems to be the server losing all its players, either by assuming their connection died or the players dropping the connection due to lag. This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher. (see example below) Due to the fact that Battlefield 1942 servers tend to require a lot of bandwidth to operate, you are very likely to find that nearly any server will have more than enough bandwidth to handle the task. EA has many of their servers hosted on OC3 lines. In many ways, this exceeds the severity of the smurf attack method. Example of risk: T1 (1.54 mbps) FULL DoS: 1 server needed @ ~220 k/s or more (a 20 player server will do). 1 - 2 k/s* upstream needed from attacker (~14.4 baud modem) A single user dialed up at 14,400 bps can topple a T1. A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time. * You must account for UDP overhead (IP Header, UDP Header) While UDP spoofing is near extinction due to network providers finally deciding to block it, this is still a threat. Exploit: BF1942 Proof-of-concept code at PivX (bf1942dos.c) Solution: (for users) No solution currently. Tested on: Multitude of game servers, including *nix servers and windows servers.. Vendor status: Electronic Arts was notified on November 20, 2002. No response currently. No fix currently, but a fix is planned from GameSpy. Related Documents: Modern Day UDP Spoofing Server Query The Distributed Reflection DoS Attack 0x00.org ' Application-Level Reflection Attacks' by Tom Vogt Postscript: a.. The Battlefield 1942 DoS was found on the night of November 19, 2002, and was immediately tested. Further exploitation may be possible (i.e. spoofing server to server) a.. On November 21, 2002, It was found that combining query commands yields much more data reflected. a.. Shortly after, it was discovered and tested that this bug is found in many games, some more troublesome than others. Feedback: Please mail any questions or comments to [EMAIL PROTECTED] References: No references cited. -- [ at.gif of type image/gif deleted ] -- _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux

