Simon Garner wrote:
By that reasoning there is no solution to the problem - even a challenge/response system would be vulnerable if all you want is for the server to return one packet.
You're always vulnerable to dDoS if the attacker has a big enough zombie army. Even without HLDS, a SYN flood on any open port can still be used. There's no way to stop this except to get everybody to patch their Windoze 98 boxes that are still infected with Code Red, etc. The point is, we are also now open to a vulnerability which does not even require a zombie army. A single user on a dial-up connection can make my server go effectively offline in a way that is extremely difficult to trace. And they can even do this with the rate-limiting per-IP scheme. The only solution that protects *my* server (I don't care if gamespy gets flooded or not or even if they have to patch their own software to work... not my problem) as much as possible is with a challenge-response.
We may not be able to close all holes, but we should try to close as many as possible. -Mad _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux

