Simon Garner wrote:
By that reasoning there is no solution to the problem - even a challenge/response system would be vulnerable if all you want is for the server to return one packet. Only ISPs can solve this, by fixing their routers as Jeremy said. In which case this security advisory has been targeted at the wrong audience, and we may as well just forget about it.
Not exactly, the cause of the DDOS, the immense traffic load you can produce is not given anymore. The great risk is in the unbalanced big responses the server will send.
<snip> When a request like the example above is sent, it uses approximately 30 bytes, not including UDP overhead. The resulting response can be anywhere from as low as 6000 - 7000, to as high as 11,000+ bytes. Using an example of 30:11,799, we get a ratio of 1:393. Basically, for every 1 byte we've sent, 393 are returned (in this particular example, which comes from a server housing 41 players).. Results will vary. A server which holds 64 players could potentially respond with well over 18,000 bytes. </snip> An attacker could make a DDOS with just a simple modem. The attacker doesn't need a big pipe. He has his drones (gameservers) with a really fat pipe which will do the traffic for him. ( 393 times the traffic the attacker itself has) With the challenge/response system, the gameserver would not fill the pipe of the victims (loaded with full of big packets the victim doesn't want) anymore. The pipe of the victims machine would than be filled with not more than the pipe of the attacker itself. ( 1 times the traffic) Sure that is not the perfect solution. The perfect solution would be to make three crosses and pray for all ISP admins would see the danger out of their misconfiguration. But this will never ever happen I bet. But it would make it far less vulnerable as it is now.
However, a query rate limit would at least prevent anybody taking advantage of this flaw from screwing up my game servers. Combined with a thousand other servers they still might be able to DDoS some third party, but then that would be the attacker's ISP's fault for not fixing their routers, not mine for running HLDS.
That is right, it is more a self-protect system than a protect for spoofing your service. The best would be both, so you can lessen the DDOS effect drastically and your server itself would not answer so many requests anymore and propably lag. Any thoughts? Frank _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux

