Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

Simon McVittie smcv at debian.org
Sun Mar 25 12:20:20 UTC 2012


# mitigated with ioquake3 upstream patch since we switched to
# the shared engine
fixed 665656 0.8.5-6
thanks

On 25/03/12 00:10, Markus Koschany wrote:
> Severity: grave
> Tags: security
> Justification: user security hole

Dear security team: what do you consider the severity of this bug to be?
Is it the sort of thing you issue DSAs for? (In this attack, the server
does not execute arbitrary code or reveal private data, but it can be
used for traffic-amplification as a DoS attack on someone else.)

Full text quoted in case this didn't already go to the security team.

> a few hours ago my openarena server was used for a distributed
> reflected denial of service attack. I noticed unusually high outgoing
> traffic on port 27960 (3MB/s) which was directed mainly towards
> webservers in the beginning. The only solution was to shut down the
> openarena-server or to create a new firewall rule.
> 
> After some investigation into the problem I discovered that it is well
> known with Quake3 based engines. See [1], [2] and [3]
> 
> My server received many getstatus requests in a short amount of time
> which were presumably faked by the real attacker.
> 
> The problem has also been discussed on the ioquake3 mailing list. [4]
> One of the participants pointed out that a patch was introduced in 2010
> which limits the rate of getstatus requests.[5] It might be a
> potential fix or at least mitigation for the attack.

openarena in wheezy/sid uses a newer ioquake3 engine which already has
this patch, mitigating the attack. I think that's the best we're likely
to be able to do within the constraints of the Q3 network protocol.

> I hope I could explain my problem understandably. That's all the
> information I could gather so far.
> 
> An alternative way for preventing the DRDoS attack with iptables is described in [6].
> 
> [1] http://openarena.ws/board/index.php?topic=4391.0
> [2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
> [3] http://www.urbanterror.info/forums/topic/27825-drdos/
> [4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
> [5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
> [6] http://www.altfire.com/main/news/index.php?news_id=586
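
The getstatus rate limit referred to above, as an added example that is not code from the bug report, ioquake3 or OpenArena: a per-source token bucket in front of a Q3-style statusResponse builder, showing that the bytes reflected to a forged source address stop growing with the flood while other clients are still answered. The burst and refill values, the server info, the player list and the addresses are all constructed for illustration.

```python
from collections import defaultdict

OOB = b"\xff\xff\xff\xff"  # Q3 out-of-band packet marker

# Constructed sample server state; not taken from any real server
SERVER_INFO = {"sv_hostname": "demo", "mapname": "oa_dm1", "sv_maxclients": "16"}
PLAYERS = [(12, 50, "alice"), (3, 80, "bob")]  # (score, ping, name)

def build_status_response(info, players):
    """Q3-style statusResponse: OOB header, infostring, one 'score ping "name"' line per player."""
    infostring = "".join(f"\\{k}\\{v}" for k, v in info.items())
    lines = "".join(f'{score} {ping} "{name}"\n' for score, ping, name in players)
    return OOB + f"statusResponse\n{infostring}\n{lines}".encode("latin-1")

class GetstatusRateLimiter:
    """Per-source token bucket: `burst` replies at once, refilled at `rate` per second.
    Once a (possibly spoofed) source's budget is spent its requests are dropped, so the
    bytes reflected towards that address are capped instead of growing with the flood."""

    def __init__(self, burst=3, rate=1.0):
        self.burst, self.rate = burst, rate
        self.buckets = defaultdict(lambda: [float(burst), None])  # src -> [tokens, last]

    def allow(self, src, now):
        tokens, last = self.buckets[src]
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[src] = [tokens - 1.0 if allowed else tokens, now]
        return allowed

def handle_packet(data, src, limiter, now):
    """Reply to an OOB getstatus, or None when it is not one or the limiter drops it."""
    if not data.startswith(OOB + b"getstatus"):
        return None
    if limiter is not None and not limiter.allow(src, now):
        return None
    return build_status_response(SERVER_INFO, PLAYERS)

def simulate_flood(count, limiter, src="198.51.100.7", interval=0.01):
    """Feed `count` spoofed getstatus packets from `src`; return (bytes_in, bytes_out)."""
    req = OOB + b"getstatus"
    bytes_in = bytes_out = 0
    for i in range(count):
        bytes_in += len(req)
        reply = handle_packet(req, src, limiter, now=i * interval)
        bytes_out += len(reply) if reply else 0
    return bytes_in, bytes_out
```

Compare simulate_flood(50, None) with simulate_flood(50, GetstatusRateLimiter()) to see the unlimited reflection volume against the capped one.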
