In our auth server design we use secret keys and MD4 (yes, since they are already in the server's code base) to add checksums to packets. Unless someone knows the keys you have established between game server and auth server, packets that don't checksum correctly are tossed. Now obviously that's not going to help against a DDoS, but it helps against spoofing. Once again, the details are in the source for our fork on GitHub. Note that we didn't finish the auth server, but the basic packet authentication is fully done.
On Fri, Oct 8, 2010 at 5:10 PM, Nerius Landys <nlan...@gmail.com> wrote:
> Hi guys. This is a more general question about IP networks I guess. Even
> though I'm a FreeBSD dude, I don't know that much about IP networks. I've
> implemented a feature for my Urban Terror server which works very much like
> the legacy Q3 auth server. Now I have realized something (thanks to a reply
> I got for my previous question).
>
> In [ioquake3 1.36] the function SV_AuthorizeIpPacket()
> (code/server/sv_client.c) handles auth packets from the legacy Q3 auth
> server. I see this in the first lines of code there:
>
>     if ( !NET_CompareBaseAdr( from, svs.authorizeAddress ) ) {
>         Com_Printf( "SV_AuthorizeIpPacket: not from authorize server\n" );
>         return;
>     }
>
> Now presumably all that this checks is the source IP of the packet that came
> in. My question is, is it possible to easily spoof the source IP address in
> the UDP packet, so that some random Joe Schmoe on the internet [in Paris,
> France or in New Delhi, India] can send me tons of packets that look like
> they're from the auth server?
>
> Luckily, the lines that follow in this function are:
>
>     challenge = atoi( Cmd_Argv( 1 ) );
>
>     for (i = 0 ; i < MAX_CHALLENGES ; i++) {
>         if ( svs.challenges[i].challenge == challenge ) {
>             break;
>         }
>     }
>
> So, the auth server echoes back a challenge number that was present in the
> request packet, and this is a good [enough] protection against spoofed
> packets. Now my question is, do I need a similar "challenge number" system
> for my new code, or is it enough to check NET_CompareBaseAdr() or
> NET_CompareAdr()? How easy is it to spoof the source IP and port in UDP
> packets?
>
> - Rambetter
>
> _______________________________________________
> ioquake3 mailing list
> ioquake3@lists.ioquake.org
> http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org
> By sending this message I agree to love ioquake3 and libsdl.
--
|ALPHA| Mad Professor <alpha.mad.profes...@gmail.com>
http://www.urtalphaclan.com/
<><><> Home of El Guapo!
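Added example, not code from ioquake3 or from the forked auth server discussed above: a minimal game-server/auth-server exchange that combines the two defences the thread talks about, a keyed checksum on every packet (the "secret keys and MD4" idea) and the echoed challenge number from SV_AuthorizeIpPacket(). Assumptions: it uses HMAC-SHA256 from the standard library instead of MD4, because a keyed checksum needs the HMAC construction rather than a bare hash over key and data, and MD4 is only available through OpenSSL's legacy provider on current systems; the wire format (32-byte tag followed by a Q3-style text command), the command names, the ban list and the table size are all made up for illustration. The challenge is consumed on first use, so a captured genuine reply cannot be replayed, and address_only_check() shows why the source-IP test on its own does not separate a real reply from a spoofed one. None of this reduces the volume of traffic that arrives, only what gets acted on, which is the same limitation the reply above states for DDoS.

```python
"""Keyed-checksum + challenge authentication for UDP auth-server replies.

Illustrative example, not the ioquake3 or forked auth server code.
HMAC-SHA256 stands in for the MD4-based checksum of the original
design; packet format, command names and MAX_CHALLENGES are assumptions.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32           # HMAC-SHA256 output length
MAX_CHALLENGES = 1024  # assumption: bounded table of pending challenges


def seal(key: bytes, body: bytes) -> bytes:
    """Prefix body with an HMAC tag computed under the shared key."""
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_packet(key: bytes, packet: bytes):
    """Return the body if the tag verifies, else None (constant-time compare)."""
    if len(packet) < TAG_LEN:
        return None
    tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


class AuthServer:
    """Answers 'getIpAuthorize <challenge> <ip>' with a sealed verdict."""

    def __init__(self, key: bytes, banned_ips):
        self.key = key
        self.banned = set(banned_ips)  # constructed ban list

    def handle(self, packet: bytes):
        body = open_packet(self.key, packet)
        if body is None:
            return None  # not sealed under our key: drop silently
        parts = body.split()
        if len(parts) != 3 or parts[0] != b"getIpAuthorize":
            return None
        challenge, ip = parts[1], parts[2].decode()
        verdict = b"deny" if ip in self.banned else b"accept"
        # Echo the challenge so the reply is bound to one pending request.
        return seal(self.key, b"ipAuthorize " + challenge + b" " + verdict)


class GameServer:
    """Issues challenges; accepts only sealed replies echoing a pending one."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge -> client ip awaiting a verdict

    def make_request(self, client_ip: str) -> bytes:
        if len(self.pending) >= MAX_CHALLENGES:
            self.pending.pop(next(iter(self.pending)))  # evict the oldest
        challenge = secrets.randbits(31)  # unguessable, unlike a counter
        self.pending[challenge] = client_ip
        return seal(self.key, b"getIpAuthorize %d %s" % (challenge, client_ip.encode()))

    def handle_reply(self, packet: bytes):
        """Return (client_ip, verdict) on success, else a rejection reason."""
        body = open_packet(self.key, packet)
        if body is None:
            return "rejected: bad checksum"
        parts = body.split()
        if len(parts) != 3 or parts[0] != b"ipAuthorize" or not parts[1].isdigit():
            return "rejected: malformed"
        # pop() makes each challenge single-use, which blocks replay.
        client_ip = self.pending.pop(int(parts[1]), None)
        if client_ip is None:
            return "rejected: unknown or already-used challenge"
        return (client_ip, parts[2].decode())


def address_only_check(from_addr: str, auth_addr: str) -> bool:
    """What the quoted NET_CompareBaseAdr() test amounts to: source IP only.
    Anyone who can write a raw UDP header can satisfy it."""
    return from_addr == auth_addr


def demo():
    key = secrets.token_bytes(32)  # constructed: shared by the two servers
    game = GameServer(key)
    auth = AuthServer(key, banned_ips=["203.0.113.9"])

    reply = auth.handle(game.make_request("198.51.100.7"))
    honest = game.handle_reply(reply)                      # ('198.51.100.7', 'accept')
    spoofed = game.handle_reply(seal(b"guess", b"ipAuthorize 12345 accept"))
    replayed = game.handle_reply(reply)                    # challenge already consumed
    forged = game.handle_reply(seal(key, b"ipAuthorize 12345 accept"))  # key but no request
    ip_only = address_only_check("192.0.2.1", "192.0.2.1")  # True for a spoofed packet too
    return honest, spoofed, replayed, forged, ip_only


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it directly to see the honest exchange accepted and the spoofed, replayed and unrequested replies each rejected for a different reason; the last line shows the address-only check passing, which is exactly the gap the challenge and the keyed tag close.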