Markus Koschany
2012-Mar-25 00:10 UTC
[Secure-testing-team] Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Package: openarena-server
Version: 0.8.5-5+squeeze1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a few hours ago my openarena server was used for a distributed reflected denial of service attack. I noticed unusually high outgoing traffic on port 27960 (3MB/s) which was directed mainly towards webservers in the beginning. The only solution was to shut down the openarena-server or to create a new firewall rule.

After some investigation into the problem I discovered that it is well known with Quake3 based engines. See [1], [2] and [3].

My server received many getstatus requests in a short amount of time which were presumably faked by the real attacker. The problem has also been discussed on the ioquake3 mailing list [4]. One of the participants pointed out that a patch was introduced in 2010 which limits the rate of getstatus requests [5]. It might be a potential fix or at least a mitigation for the attack.

I hope I could explain my problem understandably. That's all the information I could gather so far. An alternative way of preventing the DRDoS attack with iptables is described in [6].
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[3] http://www.urbanterror.info/forums/topic/27825-drdos/
[4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
[6] http://www.altfire.com/main/news/index.php?news_id=586

Sincerely
Markus

-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.17 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openarena-server depends on:
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii openarena-data 0.8.5-3 OpenArena game data
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

openarena-server recommends no packages.
openarena-server suggests no packages.

-- no debconf information
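As an added illustration (not code from the bug report, nor from OpenArena or ioquake3), the following shows the shape of the mitigation the report points to: a per-source rate limit on getstatus requests, so that a burst of spoofed queries from one victim address yields only a handful of getstatusResponse packets instead of one per request. The four 0xFF bytes are the Quake3 connectionless-packet prefix; the burst size, refill rate and victim address are assumptions chosen for the demonstration.

```python
from collections import defaultdict

OOB_HEADER = b"\xff\xff\xff\xff"  # Quake3 connectionless ("out of band") packet prefix


def parse_oob_command(datagram: bytes):
    """Return the connectionless command name (e.g. 'getstatus'), or None if not OOB."""
    if not datagram.startswith(OOB_HEADER):
        return None
    body = datagram[len(OOB_HEADER):]
    name = body.split(b" ", 1)[0].split(b"\n", 1)[0]
    return name.decode("ascii", "replace").lower()


class GetstatusLimiter:
    """Per-source token bucket. burst/rate are assumed demo values, not the patch's."""

    def __init__(self, burst=4, rate=1.0):
        self.burst = burst          # max responses allowed back-to-back per source
        self.rate = rate            # tokens refilled per second per source
        self.buckets = defaultdict(lambda: (float(burst), None))  # addr -> (tokens, last_ts)

    def allow(self, src_addr, now):
        tokens, last = self.buckets[src_addr]
        if last is not None:
            tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src_addr] = (tokens - 1.0, now)
            return True
        self.buckets[src_addr] = (tokens, now)  # out of tokens: do not reflect
        return False


def handle(limiter, src_addr, datagram, now):
    """Decide whether the server should answer this datagram with a getstatusResponse."""
    if parse_oob_command(datagram) != "getstatus":
        return "pass"  # not a getstatus query; other commands are not limited here
    return "respond" if limiter.allow(src_addr, now) else "drop"


def simulate_flood(count, interval=0.01, burst=4, rate=1.0):
    """Constructed flood: `count` getstatus requests carrying one spoofed victim address."""
    limiter = GetstatusLimiter(burst, rate)
    victim = ("198.51.100.7", 80)  # constructed, RFC 5737 documentation address
    pkt = OOB_HEADER + b"getstatus\n"
    responded = 0
    for i in range(count):
        if handle(limiter, victim, pkt, i * interval) == "respond":
            responded += 1
    return responded  # roughly burst + rate * duration, instead of `count`
```

With the assumed settings, 1000 spoofed requests over ten seconds produce on the order of a dozen responses toward the victim rather than a thousand, which is the amplification the limiter is meant to remove.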