Bug#665656: openarena-server: is vulnerable to getstatus DRDoS attack

Markus Koschany apo at gambaru.de
Sun Mar 25 00:10:13 UTC 2012


Package: openarena-server
Version: 0.8.5-5+squeeze1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a few hours ago my openarena server was used for a distributed
reflected denial of service attack. I noticed unusually high outgoing
traffic on port 27960 (3MB/s) which was directed mainly towards
webservers in the beginning. The only solution was to shut down the
openarena-server or to create a new firewall rule.

After some investigation into the problem I discovered that it is well
known for Quake3 based engines. See [1], [2] and [3].

My server received many getstatus requests in a short amount of time
which were presumably faked by the real attacker.

The problem has also been discussed on the ioquake3 mailing list. [4]
One of the participants pointed out that a patch was introduced in 2010
which limits the rate of getstatus requests. [5] It might be a
potential fix or at least a mitigation for the attack.

I hope I could explain my problem understandably. That's all the
information I could gather so far.

An alternative way of preventing the DRDoS attack with iptables is described in [6].

[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[3] http://www.urbanterror.info/forums/topic/27825-drdos/
[4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
[6] http://www.altfire.com/main/news/index.php?news_id=586

Sincerely
Markus 


-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.17 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openarena-server depends on:
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  openarena-data          0.8.5-3          OpenArena game data
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

openarena-server recommends no packages.

openarena-server suggests no packages.

-- no debconf information
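The mechanism behind this report, shown as an added Python model that is not code from openarena, ioquake3, the cited 2010 patch or the iptables recipe: a Quake3-style server answers any unauthenticated UDP packet starting with four 0xff bytes and the word "getstatus" with a much larger status reply, so an attacker who forges the source address turns the server into a reflector aimed at the victim. The example parses such out-of-band packets, applies a leaky-bucket rate limit per source address plus a global one (the bucket sizes of 10 per second per address and 100 per second overall, the 600-byte reply size and the addresses 203.0.113.7 and 198.51.100.x are assumptions chosen for illustration), and compares how much traffic a constructed burst of 200 spoofed requests would reflect with and without the limit.

```python
"""Model of a getstatus reflection guard for Quake3-style game servers.

Added example; not code from openarena, ioquake3 or the cited patch.
All bucket sizes, packet sizes and addresses below are assumptions.
"""
from collections import defaultdict

OOB_PREFIX = b"\xff\xff\xff\xff"              # marks a connectionless (out-of-band) packet
REFLECTED_COMMANDS = {b"getstatus", b"getinfo"}  # tiny request, large unauthenticated reply


def parse_oob(payload: bytes):
    """Return the command word of an out-of-band packet, or None if it is not one."""
    if not payload.startswith(OOB_PREFIX):
        return None
    words = payload[len(OOB_PREFIX):].split()
    return words[0].lower() if words else None


class LeakyBucket:
    """Allow up to `burst` events at once, then one more every `period_ms`."""

    def __init__(self, burst: int, period_ms: int):
        self.burst = burst
        self.period_ms = period_ms
        self.level = 0        # events currently "in" the bucket
        self.last_ms = 0      # time up to which draining has been accounted

    def allow(self, now_ms: int) -> bool:
        drained = (now_ms - self.last_ms) // self.period_ms
        if drained > 0:                       # never let a clock going backwards refill
            self.level = max(0, self.level - drained)
            self.last_ms += drained * self.period_ms
        if self.level >= self.burst:
            return False
        self.level += 1
        return True


class ReflectionGuard:
    """Per-address limit first (a spoofed victim is one address), then a global cap."""

    def __init__(self, per_addr_burst=10, per_addr_period_ms=1000,
                 global_burst=100, global_period_ms=1000):   # assumed values
        self.per_addr = defaultdict(lambda: LeakyBucket(per_addr_burst, per_addr_period_ms))
        self.global_bucket = LeakyBucket(global_burst, global_period_ms)

    def decide(self, src_ip: str, payload: bytes, now_ms: int) -> str:
        cmd = parse_oob(payload)
        if cmd not in REFLECTED_COMMANDS:
            return "not_limited"              # connected game traffic, rcon, etc.
        if not self.per_addr[src_ip].allow(now_ms):
            return "drop:address"
        if not self.global_bucket.allow(now_ms):
            return "drop:global"
        return "answer"


GETSTATUS = OOB_PREFIX + b"getstatus\n"       # 14-byte request
RESPONSE_BYTES = 600                          # assumed size of a statusResponse


def simulate(packets, guard=None):
    """packets: list of (time_ms, src_ip, payload). Returns (replies sent, bytes reflected)."""
    answered = 0
    for t, src, payload in packets:
        if guard is None:
            verdict = "answer" if parse_oob(payload) in REFLECTED_COMMANDS else "not_limited"
        else:
            verdict = guard.decide(src, payload, t)
        if verdict == "answer":
            answered += 1
    return answered, answered * RESPONSE_BYTES


def spoofed_burst(victim="203.0.113.7", count=200, span_ms=100):
    """Constructed traffic: `count` getstatus requests forged from the victim's address."""
    return [(i * span_ms // count, victim, GETSTATUS) for i in range(count)]


if __name__ == "__main__":
    burst = spoofed_burst()
    unguarded = simulate(burst)
    guarded = simulate(burst, ReflectionGuard())
    print("amplification per request: %.1fx" % (RESPONSE_BYTES / len(GETSTATUS)))
    print("without limit: %d replies, %d bytes to the victim" % unguarded)
    print("with limit:    %d replies, %d bytes to the victim" % guarded)
```

The per-address bucket is what matters against a forged source: every reflected packet carries the victim's address, so a burst of 200 requests in 100 ms collapses to 10 replies, while legitimate browsers polling a few times per second from their own addresses stay under the limit. The global bucket caps what the server reflects in total when the attacker rotates through many victims. The 600-byte reply size and the request length of 14 bytes give the roughly 40x amplification that makes this packet attractive as a reflector; an iptables rule matching the "getstatus" string with a rate limit, as in [6], achieves the same effect outside the game process.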
