Simon Garner wrote:

By that reasoning there is no solution to the problem - even a
challenge/response system would be vulnerable if all you want is for the
server to return one packet. Only ISPs can solve this, by fixing their
routers as Jeremy said. In which case this security advisory has been
targeted at the wrong audience, and we may as well just forget about it.
Not exactly, the cause of the DDOS, the immense traffic load you can
produce is not given anymore. The great risk is in the unbalanced big
responses the server will send.

<snip>
When a request like the example above is sent, it uses approximately
30 bytes, not including UDP overhead. The resulting response
can be anywhere from as low as 6000 - 7000, to as high as 11,000+
bytes. Using an example of 30:11,799, we get a ratio of 1:393.
Basically, for every 1 byte we've sent, 393 are returned (in this
particular example, which comes from a server housing 41 players)..
Results will vary. A server which holds 64 players could potentially
respond with well over 18,000 bytes.
</snip>

An attacker could make a DDOS with just a simple modem. The attacker
doesn't need a big pipe. He has his drones (gameservers) with a really
fat pipe which will do the traffic for him. ( 393 times the traffic the
attacker itself has)
With the challenge/response system, the gameserver would not fill the
pipe of the victims (loaded with full of big packets the victim doesn't
want) anymore. The pipe of the victims machine would than be filled with
not more than the pipe of the attacker itself. ( 1 times the traffic)
Sure that is not the perfect solution. The perfect solution would be to
make three crosses and pray for all ISP admins would see the danger out
of their misconfiguration. But this will never ever happen I bet.
But it would make it far less vulnerable as it is now.

However, a query rate limit would at least prevent anybody taking
advantage of this flaw from screwing up my game servers. Combined with a
thousand other servers they still might be able to DDoS some third
party, but then that would be the attacker's ISP's fault for not fixing
their routers, not mine for running HLDS.
That is right, it is more a self-protect system than a protect for
spoofing your service.
The best would be both, so you can lessen the DDOS effect drastically
and your server itself would not answer so many requests anymore and
propably lag.

Any thoughts?
Frank


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux

Reply via email to