Simon Garner wrote:
By that reasoning there is no solution to the problem - even a
challenge/response system would be vulnerable if all you want is for the
server to return one packet.
You're always vulnerable to dDoS if the attacker has a big enough zombie
army. Even without HLDS, a SYN flood on any open port can still be used.
There's no way to stop this except to get everybody to patch their
Windoze 98 boxes that are still infected with Code Red, etc. The point
is, we are also now open to a vulnerability which does not even require
a zombie army. A single user on a dial-up connection can make my server
go effectively offline in a way that is extremely difficult to trace.
And they can even do this with the rate-limiting per-IP scheme. The only
solution that protects *my* server (I don't care if gamespy gets flooded
or not or even if they have to patch their own software to work... not
my problem) as much as possible is with a challenge-response.

We may not be able to close all holes, but we should try to close as
many as possible.

-Mad

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux

Reply via email to