Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

Simon McVittie smcv at debian.org
Sun Mar 25 22:51:35 UTC 2012


Some proposed updates using the patch from ioquake3 are in my home
directory on alioth:
<http://alioth.debian.org/~smcv/>. Patch for review:
<http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=caeb284533211bb0f76872279106a49306290168>

Markus, if you install devscripts and debian-keyring, you should be able
to download the packages from Alioth with dget, and verify the
signatures on them by running dscverify on the .changes file (they're
signed with my GPG key, which is in the Debian keyring). URLs:

i386:
    dget http://alioth.debian.org/~smcv/openarena_0.8.5-5+squeeze2~try1_i386.changes
amd64 and source:
    dget http://alioth.debian.org/~smcv/openarena_0.8.5-5+squeeze2~try1_amd64.changes

Verified on i386 to lock out rapid getstatus requests after an initial
"burst" of 10; if I'm reading the implementation correctly, after the
initial "burst" they limit getstatus to 1 per second per IP address or
10 per second across all addresses, and rcon to 1 per second. One
getstatus per second should be about 1 KB/sec outbound.

On 25/03/12 19:09, Florian Weimer wrote:
> So the problem seems to be traffic amplification by a factor of 250.
> (around 2000 bytes in, 500,000 bytes out).  Is this correct?

According to wireshark, using various commands on an unconfigured
squeeze "listen server" (1 player in the game, playing on the server
machine) has these amplification factors (I'm counting the size of the
IP packet, so excluding Ethernet headers):

command       in/bytes   out/bytes   amp.
-----------------------------------------
getstatus     41         802         20x    (more on a config'd server?)
getinfo       39         172         4.4x
rcon          36         73          2x
getchallenge  44         61          < 2x
connect       39         71          < 2x   (minimal connect message)

The ioquake3 patch rate-limits getstatus because it has the largest
amplification (and the most scope for more amplification on a more
elaborately-configured server), and rcon (because its first argument is
a password to remote-control the game if that feature is enabled, and we
don't want to make it trivial to brute-force).

I'd be surprised to get a factor of 250: a minimal getstatus command
seems to be 41 bytes including IP headers, so 2000 bytes of input would
get you about 49 commands, which means each response would have to be
10204 bytes, nearly 10K, to provide that much output...

One of the ioquake3 developers noted in January that getinfo should have
rate-limiting too, but it's a considerably smaller amplification -
getinfo returns a small number of whitelisted variables, whereas
getstatus returns a set of variables that the server admin can
configure, AIUI - so nothing has been done about this by ioquake3
upstream yet.

Regards,
    S
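An added illustration of the rate-limiting behaviour the mail describes (initial burst of 10 getstatus replies, then 1 per second per source address and 10 per second across all addresses). This is example code written for this page, not the ioquake3 patch or anything from the Debian package: it models the limits as two token buckets, one per source address and one global, with a millisecond clock, IPv4-only keys and a fixed table of 64 tracked addresses (the table size, the eviction policy and the bucket shape are assumptions of the example). Because the per-address bucket is keyed on the UDP source address, a spoofed victim address is what gets throttled, which is what caps the reflected traffic towards it at roughly one reply per second.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures quoted in the mail: a burst of 10 getstatus replies, then
 * 1 per second per source address and 10 per second overall.
 * MAX_TRACKED is an assumption of this example, not an ioquake3 value. */
#define BURST        10
#define PER_IP_RATE  1      /* tokens per second, per source address */
#define GLOBAL_RATE  10     /* tokens per second, all addresses together */
#define MAX_TRACKED  64     /* per-address buckets kept in memory */

typedef struct {
    bool     in_use;
    uint32_t addr;      /* IPv4 source address, host byte order */
    int      tokens;    /* replies still allowed right now */
    int64_t  last_ms;   /* time up to which tokens have been credited */
} bucket_t;

static bucket_t per_ip[MAX_TRACKED];
static bucket_t global_bucket;

/* Start from an empty state; both buckets begin full (the "burst"). */
void rl_reset(int64_t now_ms)
{
    memset(per_ip, 0, sizeof per_ip);
    global_bucket.in_use  = true;
    global_bucket.tokens  = BURST;
    global_bucket.last_ms = now_ms;
}

/* Credit tokens for the time elapsed since last_ms, never above BURST.
 * last_ms only advances by the time actually converted into tokens, so
 * sub-second remainders carry over instead of being lost. */
static void refill(bucket_t *b, int64_t now_ms, int rate_per_sec)
{
    int64_t elapsed = now_ms - b->last_ms;
    if (elapsed <= 0)
        return;
    int64_t add = elapsed * rate_per_sec / 1000;
    if (add > 0) {
        int64_t total = b->tokens + add;
        b->tokens   = (total > BURST) ? BURST : (int)total;
        b->last_ms += add * 1000 / rate_per_sec;
    }
}

/* Find the bucket for addr, or recycle the least recently used slot.
 * A recycled slot starts with a full burst, which is why the global
 * bucket is kept as a second line of defence against many spoofed
 * source addresses cycling through the table. */
static bucket_t *find_or_create(uint32_t addr, int64_t now_ms)
{
    bucket_t *victim = &per_ip[0];
    for (int i = 0; i < MAX_TRACKED; i++) {
        bucket_t *b = &per_ip[i];
        if (b->in_use && b->addr == addr)
            return b;
        if (!b->in_use || (victim->in_use && b->last_ms < victim->last_ms))
            victim = b;
    }
    victim->in_use  = true;
    victim->addr    = addr;
    victim->tokens  = BURST;
    victim->last_ms = now_ms;
    return victim;
}

/* Decide whether a getstatus from addr at now_ms should be answered:
 * both the per-address bucket and the global bucket must have a token. */
bool getstatus_allowed(uint32_t addr, int64_t now_ms)
{
    bucket_t *b = find_or_create(addr, now_ms);
    refill(b, now_ms, PER_IP_RATE);
    refill(&global_bucket, now_ms, GLOBAL_RATE);
    if (b->tokens <= 0 || global_bucket.tokens <= 0)
        return false;
    b->tokens--;
    global_bucket.tokens--;
    return true;
}

/* Helper: how many of `attempts` back-to-back requests get a reply. */
int count_allowed(uint32_t addr, int64_t now_ms, int attempts)
{
    int n = 0;
    for (int i = 0; i < attempts; i++)
        if (getstatus_allowed(addr, now_ms))
            n++;
    return n;
}

int main(void)
{
    /* Constructed addresses for the demonstration: 10.0.0.1 and 10.0.0.2 */
    const uint32_t a = 0x0A000001u, b = 0x0A000002u;
    rl_reset(0);
    printf("t=0    A: %d of 12 answered\n", count_allowed(a, 0, 12));
    printf("t=1s   A: %d of 3 answered\n",  count_allowed(a, 1000, 3));
    printf("t=1s   B: %d of 12 answered\n", count_allowed(b, 1000, 12));
    printf("t=1.1s B: %d of 2 answered\n",  count_allowed(b, 1100, 2));
    return 0;
}
```

The third line of output shows the interaction of the two buckets: B has a fresh burst of 10, but A's one reply at t=1s already consumed one of the ten global tokens refilled for that second, so only nine of B's requests are answered until the global bucket refills again 100 ms later.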




