RDDOS problem with quake3 engine based gameservers



  • Hi, I'm coming up with a pretty clueless situation.
    In fact I'm a bit unsure if there's no topic existing about the thing, couldn't find anything in search…

    OK.
    1.) What they do:
    Quake3 (as most games) uses UDP for the transport.
    Not only for the game, the whole communication to the server uses this UDP "connection".
    One of the most common UDP packets that such a server receives is "\xFF\xFF\xFF\xFFgetstatus".
    Although connectionless, the server will just answer.
    This brings a problem: spoofing. Without the proper communication around, just "someone" can "have some data".
    OK, you might say: where's the clue?
    It's the fact that the "\xFF\xFF\xFF\xFFgetstatus" has 13 bytes. The answer has like 1 KB.
    So the attacker sends in 1 Mbit of 13-byte packets and "harvests" something like 70 Mbit.
    Additionally, someone else sends valid packets for him.
    For me it started in November; my research shows me that problems first came up in April 2011.
    RDDOS should stand for reflected DDoS I think, btw.

    2.) What I did so far
    I run Q3 and Urban Terror behind a pfSense 2.0.1-64/2Core/2GB VM (VMware).
    Both games have a "fix", allowing just a specified amount of getstatus packets.
    Urban Terror is open source, so it was easy to handle and penalize, even per IP.
    Working even if it just means locking out the victims' IPs.
    Additionally I use the easyrule.php to block them completely, pulling from the NTOP interface.
    So far…

    3.) What I'd like to do more
    I'd like to find this packet on the wire; sometimes I blocked FTP backup scripts :)
    I'd like to be faster; I'm having a schedule inside NTOP and 1 for the PHP script. Result is 2-3 minutes "reaction time" atm. 10 packets (in 1 millisec) would prove it.

    Last but not least I'd like to start a little discussion about how to handle this problem in general.
    It turns a lot of gameservers into zombies; I know that I'm not the only one.
    Does anyone understand how providers of today are not able to prevent spoofing?


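The on-the-wire match and per-IP getstatus limiting described in the post, as an added example that is not part of the original post and is not the Urban Terror, Quake3 or pfSense code. The limit of 10 queries per second, the function and class names, and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

OOB_PREFIX = b"\xff\xff\xff\xff"         # Quake3 connectionless-packet marker
GETSTATUS = OOB_PREFIX + b"getstatus"    # the 13-byte query from the post

def is_getstatus(payload: bytes) -> bool:
    """True if a UDP payload is a connectionless getstatus query."""
    if not payload.startswith(GETSTATUS):
        return False
    rest = payload[len(GETSTATUS):]
    # The command may stand alone or be followed by a separator and a challenge.
    return rest == b"" or rest[:1] in (b" ", b"\n", b"\0")

class GetstatusLimiter:
    """Per-source sliding window: at most `limit` queries per `window` seconds."""
    def __init__(self, limit=10, window=1.0):   # assumed thresholds
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)           # src ip -> recent timestamps

    def allow(self, src: str, now: float) -> bool:
        q = self.seen[src]
        while q and now - q[0] >= self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the limit: do not answer
        q.append(now)
        return True

def replay(packets, limiter):
    """Feed (timestamp, src_ip, udp_payload) tuples; return {src: queries refused}."""
    refused = defaultdict(int)
    for ts, src, payload in packets:
        if is_getstatus(payload) and not limiter.allow(src, ts):
            refused[src] += 1
    return dict(refused)

# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = sorted(
    # 50 queries in 5 ms carrying one (spoofed) source address
    [(i * 0.0001, "198.51.100.7", GETSTATUS) for i in range(50)]
    # a server browser refreshing every two seconds
    + [(t, "192.0.2.10", GETSTATUS + b"\n") for t in (0.0, 2.0, 4.0)]
    # other traffic that must not match: a different command and game data
    + [(0.5, "192.0.2.10", OOB_PREFIX + b"getinfo xyz"),
       (0.6, "203.0.113.5", b"\x00\x01game data")]
)

if __name__ == "__main__":
    print(replay(SAMPLE, GetstatusLimiter()))
```

The address that trips the limiter is the spoofed one, so refusing it stops the server from sending the roughly 1 KB replies toward the victim, which is the "locking out the victims' IPs" effect the post mentions.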