Bug 5678 - prevent using getinfo as an amplifier for DDOS attacks
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: unspecified
Hardware: All
OS: All
Importance: P3 critical
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
URL:
Depends on:
Blocks:
 
Reported: 2012-06-20 12:31 EDT by /dev/humancontroller
Modified: 2012-07-02 17:22:33 EDT
CC: 2 users

See Also:


Attachments
prevent using getinfo as an amplifier for DDOS attacks (2.05 KB, patch)
2012-06-20 12:32 EDT, /dev/humancontroller

Description /dev/humancontroller 2012-06-20 12:31:48 EDT
The rate limiter is applied only to getstatus (and rcon), not to getinfo.
Comment 1 /dev/humancontroller 2012-06-20 12:32:49 EDT
Created attachment 3233 [details]
prevent using getinfo as an amplifier for DDOS attacks
Comment 2 /dev/humancontroller 2012-06-20 12:47:03 EDT
This particular patch uses a shared "bucket" for both getstatus and getinfo limiting.

The following is an example sh(1) command line with which one can test the effects of this patch on a getinfo-DoSed server (which should be hosted at 127.0.0.1:27960):

while true ; do { printf '\377\377\377\377getinfo' | nc -u 127.0.0.1 27960 & } ; done

where nc(1) is the netcat utility.
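The shared-bucket idea from this comment, as an added example that is not the attached patch (attachment 3233) and not ioquake3's own SVC_RateLimit code: one token bucket per source address, consulted for both getinfo and getstatus, in front of a global bucket that caps the server's total reply rate. The limits (10 replies per source per second, 100 server-wide per second), the table size, the hash and every name here are this example's own assumptions; the flood replayed in simulate_flood is constructed input, not captured traffic.

```c
/* Added example (not ioquake3's SVC_RateLimit code): one token bucket per
 * source address shared by getinfo and getstatus, plus a global bucket. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKET_SLOTS     1024  /* per-address table size (this example's choice) */
#define PROBE_LIMIT      8     /* slots tried before failing closed */
#define ADDR_BURST       10    /* replies per source per period */
#define ADDR_PERIOD_MS   1000
#define GLOBAL_BURST     100   /* replies server-wide per period */
#define GLOBAL_PERIOD_MS 1000

typedef struct {
    uint32_t addr;    /* source IPv4, host order; 0 marks a free slot */
    int64_t  last_ms; /* time up to which refills have been credited */
    int      tokens;  /* replies still allowed before dropping */
} bucket_t;

static bucket_t addr_buckets[BUCKET_SLOTS];
static bucket_t global_bucket = { 0, 0, GLOBAL_BURST };

/* Credit one token per elapsed period, capped at burst. */
static void bucket_refill(bucket_t *b, int64_t now_ms, int burst, int period_ms)
{
    int64_t periods = (now_ms - b->last_ms) / period_ms;
    if (periods <= 0)
        return;                           /* nothing elapsed, or clock went backwards */
    b->tokens = periods >= burst ? burst : b->tokens + (int)periods;
    if (b->tokens > burst)
        b->tokens = burst;
    b->last_ms += periods * period_ms;    /* keep the partial period's remainder */
}

/* Consume one token; false means drop the query unanswered. */
static bool bucket_take(bucket_t *b, int64_t now_ms, int burst, int period_ms)
{
    bucket_refill(b, now_ms, burst, period_ms);
    if (b->tokens <= 0)
        return false;
    b->tokens--;
    return true;
}

/* Find or claim the bucket for addr.  A slot owned by another address is
 * reused only once that address has been idle long enough to be full again;
 * if every probed slot is busy, return NULL so the caller fails closed. */
static bucket_t *addr_bucket_lookup(uint32_t addr, int64_t now_ms)
{
    uint32_t h = addr * 2654435761u;      /* multiplicative hash */
    for (int i = 0; i < PROBE_LIMIT; i++) {
        bucket_t *b = &addr_buckets[(h + i) % BUCKET_SLOTS];
        if (b->addr == addr)
            return b;
        if (b->addr == 0 ||
            now_ms - b->last_ms >= (int64_t)ADDR_BURST * ADDR_PERIOD_MS) {
            b->addr = addr;
            b->tokens = ADDR_BURST;
            b->last_ms = now_ms;
            return b;
        }
    }
    return NULL;
}

/* Shared gate for the two reply-heavy queries.  One budget for both means
 * alternating getinfo and getstatus cannot double what a source gets back;
 * the global bucket bounds total outbound volume when sources are spoofed. */
static bool svc_query_allowed(uint32_t addr, const char *cmd, int64_t now_ms)
{
    if (strcmp(cmd, "getinfo") != 0 && strcmp(cmd, "getstatus") != 0)
        return false;                     /* other OOB commands not modelled here */
    bucket_t *b = addr_bucket_lookup(addr, now_ms);
    if (b == NULL || !bucket_take(b, now_ms, ADDR_BURST, ADDR_PERIOD_MS))
        return false;
    return bucket_take(&global_bucket, now_ms, GLOBAL_BURST, GLOBAL_PERIOD_MS);
}

/* Replay a constructed flood: count packets of cmd from one source, spread
 * evenly over span_ms starting at start_ms.  Returns how many get answered. */
static int simulate_flood(uint32_t addr, const char *cmd, int count,
                          int64_t start_ms, int64_t span_ms)
{
    int answered = 0;
    for (int i = 0; i < count; i++) {
        int64_t t = start_ms + (count > 1 ? span_ms * i / (count - 1) : 0);
        if (svc_query_allowed(addr, cmd, t))
            answered++;
    }
    return answered;
}

int main(void)
{
    /* 1000 getinfo packets from one address in one second: only ADDR_BURST answered */
    int n = simulate_flood(0x0a000005u, "getinfo", 1000, 0, 999);
    printf("answered %d of 1000 getinfo queries\n", n);
    return 0;
}
```

Two points worth checking in any real implementation of this scheme: the per-address bucket alone does nothing against a flood whose source addresses are spoofed (every packet lands in a fresh bucket), so the global bucket is what actually bounds the bytes the server reflects; and when the address table is under pressure the lookup returns NULL and the query is dropped rather than answered, which is the right way round for an amplifier.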
Comment 3 Simon McVittie 2012-06-20 13:04:30 EDT
When I looked at this for getstatus (CVE-2010-5077), the amplification factor for getinfo (in openarena, so based on an older ioquake3) was 4.4x, compared with 20x or more for getstatus:

> According to wireshark, using various commands on an unconfigured
> squeeze "listen server" (1 player in the game, playing on the server
> machine) has these amplification factors (I'm counting the size of the
> IP packet, so excluding Ethernet headers):
> 
> command      in/bytes   out/bytes   amp.
> ------------------------------------------
> getstatus    41         802         20x   (more on a config'd server?)
> getinfo      39         172         4.4x
> rcon         36         73          2x
> getchallenge 44         61          < 2x
> connect      39         71          < 2x  (minimal connect message)

(<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>)

Is this actively being used in attacks?

Is there some other reason for critical severity?
Comment 4 /dev/humancontroller 2012-06-20 22:29:22 EDT
(In reply to comment #3)
> Is this actively being used in attacks?

Yes. There were reports and discussions about attacks on ioQuake3-based games. Five months ago (around the time of the said events), I reported that the limiting functionality is missing from the getinfo code [1], but apparently no one listened.

> Is there some other reason for critical severity?

No. And perhaps the "criticalness" of this bug report is already out of date (by this time, server owners have applied some rate limiting of their own, etc.).


[1] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004785.html
Comment 5 Thilo Schulz 2012-07-01 10:18:45 EDT
Fixed in r2289.
Comment 6 Simon McVittie 2012-07-02 05:49:39 EDT
(In reply to comment #5)
> fixed r2289

Do you consider this to be a sufficiently serious vulnerability that distributions should make it a security update? (If so, we should get a CVE number for it and do an advisory.)

It would be really good to have an ioquake3 1.37 release - there have been several security vulnerabilities fixed since 1.36.

(In reply to comment #4)
> (In reply to comment #3)
> > Is this actively being used in attacks?
> 
> yes. there were reports and discussions about attacks on ioQuake3-based games.
> 5 months ago (around the time of the said events)

If I remember correctly, those reports were that getstatus (>= 20x traffic multiplication) was being used actively as an attack.

Are you aware of any uses of getinfo (< 5x multiplication) as an attack?
Comment 7 /dev/humancontroller 2012-07-02 17:22:33 EDT
(In reply to comment #6)

> Are you aware of any uses of getinfo (< 5x multiplication) as an attack?

I have no specific information on that.