Gamespy and dos attacks

[Angry Radish 0]

Saw this over at gamespot, more proof that gamespy is eeeevil!  

Makes me look twice at the ablity to get server status, never thought about it in this light before

Link to article

</span><table border="0" align="center" width="95%" cellpadding="3" cellspacing="1"><tr><td>Quote </td></tr><tr><td id="QUOTE">

A security firm finds that an old security problem plagues many of the latest multiplayer game servers, such as Unreal Tournament 2003, Quake III, and Battlefield 1942.

In an advisory posted to the company's Web site, security consultancy PivX Solutions said that popular multiplayer games--such as Quake III, Unreal Tournament 2003, and Battlefield 1942--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times. As a result, game servers could be used as the latest tool for online scofflaws to digitally attack other computers on the Internet.

"This attack will go right through a lot of firewalls right now," said Geoff Shively, chief technical officer for PivX. "A single server can theoretically produce enough data to flood a T-1 [a 1.5 Mbps connection]."

The flaw occurs because servers that include the GameSpy networking code automatically send responses to queries for status information and don't verify the sender's address. An attacker can just ask the server for the information but forge the data so that the packets appear to come from a fake address. When the game server responds, the large amount of information sent in reply goes to the target of the attack instead. Some games that don't specifically use GameSpy code are also affected.

Among the games that PivX believes are vulnerable are Battlefield 1942, Quake, Quake II, Quake III: Arena, Half-Life, Unreal Tournament, Tribes, Return to Castle Wolfenstein, Medal of Honor: Allied Assault, Neverwinter Nights, America's Army, and Unreal Tournament 2003. Servers that are released on the Linux platform are affected as well.

"As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement.

David Wright, director of technology for GameSpy, acknowledged that the amount of data that the attack could generate was "significant." Yet, he downplayed the seriousness of the flaw.

"It is not something that is used often, because if anyone wants to do a denial-of-service attack, they are far more likely to use servers that they have taken control of," Wright said. GameSpy expects to send out guidelines to its partners on how to limit the effect of the attack and also plans to provide a patch to limit the rate the game servers would respond to requests for status.

Such a fix is long overdue, said Marc Maiffret, chief hacking officer for vulnerability assessment firm eEye Digital Security. Citing discussions between security experts about the susceptibility of Quake II to the same technique when that game was released, he said that security experts have known about the problem for some time.

"While this is not a new technique, it is good that it is being 'rediscovered,' because obviously games are still vulnerable," he said. "It's a Catch-22 situation where security, in some cases, has to be sacrificed in order to have the performance these network games require."

The problem takes advantage of Internet data known as the user datagram protocol, or UDP. Unlike the more common transmission control protocol, or TCP, packets that make up the majority of Internet traffic, UDP data doesn't require a connection to be established between a server and client. That allows an attacker to send a UDP packet with a phony source address; when the victim server responds to the UDP data, it will actually be sending data to--attacking--the target server specified in the forged source address.

For the long list of game servers included in the advisory, UDP packets are used to send commands, say, to request the status of the server. By sending a constant stream of packets that include the address of a specific target, the much larger status information will inundate the target network.

"Battlefield 1942 is the best example of this," said Shively. "It sends a large amount of data in reply to a single request." By PivX's calculations, commands sent to a Battlefield 1942 server at 4Kbps will turn into a 550Kbps attack on a target. He added that the software developers could fairly easily correct the problem. "They just have to push an update to the most popular games, and they are set," he said.

Electronic Arts, the publisher of Battlefield 1942, could not immediately comment on the issue.

<span id='postcolor'>

[LowLevelFunctionary 0]

woah man!  its a conspiracy! Next thing you know, feds will be in your back garden

[Cloney 0]

If they know this stuff, why don't they send it to the developer instead of making available for every Script Kiddie "hAcKeR" to read?

[ralphwiggum 6]

i'm pretty sure even the scrip kiddies are busy playing games that are mentioned above, so they will not attack it.

and i'm sure developers are aware of this too. sometimes, you gotta make it public to force dev-ers to work on it. like MS.

[FSPilot 0]

One more reason to not use Gamespy.

It's either the all seeing eye or a default game browser for me.

[Necromancer- 0]

</span><table border="0" align="center" width="95%" cellpadding="3" cellspacing="1"><tr><td>Quote (FSPilot @ Jan. 19 2003,06:51)</td></tr><tr><td id="QUOTE">One more reason to not use Gamespy.

It's either the all seeing eye or a default game browser for me.<span id='postcolor'>

Uhh...

OFP's default game browser uses gamespy.

[DracoPaladore 0]

</span><table border="0" align="center" width="95%" cellpadding="3" cellspacing="1"><tr><td>Quote (FSPilot @ Jan. 19 2003,06:51)</td></tr><tr><td id="QUOTE">One more reason to not use Gamespy.

It's either the all seeing eye or a default game browser for me.<span id='postcolor'>

Unfortunatly for me, one of my most used games in-game browsers dosen't seem to work. And I cant figure how to work out All-Seeing-Eye, so I just use Arcade.

I can live with one or two ads.

[Albert Schweitzer 10]

I HATE GAMESPY, peiuhhhh finally someone gives me a chance to release some steam. The all seeing eye works great but some games still refuse cooperation.

[Necromancer- 0]

Talk about Steam®.

Ugh... just like Gayspy, but with more crap you'll hate.

[DracoPaladore 0]

Steam is being developed actually by Valve. You need it in order to get CounterStrike 1.6 or something like that. I actually beta tested it, nothing new. Quite useless and retarded. What I know valve is going to do is let people have it for free, then make a special service for money, then make the program pay-for use.