#######################################################################

                            Luigi Auriemma

Applications: Games' master servers that use the UDP protocol to send
              the list of currently active game servers to clients.
              The most exposed servers are those run for id Software
              and Valve/Sierra games.
Versions:     -
Platforms:    -
Bugs:         Use of the UDP protocol to send large amounts of data
              in reply to a small, unauthenticated request
Date:         20 Feb 2003
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

#######################################################################

1) Introduction
2) Details
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Recently, and in the past, a lot of people (my friend Mike Kristovich,
Tom Vogt and many others) have discussed the use of online video game
servers to launch DDoS attacks against any host on the Internet. All of
those attacks rely on the size of the responses that game servers send
to the information queries made by clients, for example the list of
players on the server.

In this advisory I want to talk about another type of DDoS attack, one
that in some cases (depending on the game, the number of matches and
other variables) can produce more traffic than the "information query
DDoS": the "list of current game servers" sent by the master servers to
the game clients. The mechanism normally used to retrieve the list of
vulnerable servers here becomes the attack itself.

#######################################################################

==========
2) Details
==========

The first thing to know is what master servers are. Master servers are
centralized servers (they have a fixed hostname) that store the current
list of game servers available on the Internet.
Each of these MS (master servers) is used for ONLY one specific game
(the only exceptions are servers that are not primary MS but just
mirrors). For example, master3.idsoftware.com is used for Quake III,
half-life.east.won.net for Half-Life, and so on.

When someone (a player like you) starts a game server on the Internet,
his game sends a packet to the primary MS of that game announcing
itself, so that every other player in the world can know that a
multiplayer match is running on his machine. When another player wants
to find a server to connect to and play on, he simply goes to the
Multiplayer section of his game: the game sends a request to the primary
MS of that specific game and the MS answers with the list of currently
available servers. This simple schema shows the list being sent to the
client:

  Game client  ->          Master server   (request for the list)
  Game client  <========== Master server   (answer with big list of servers)

My DDoS idea was born from the fact that some master servers use a
connectionless protocol like UDP to send the list of currently available
game servers to clients. Nothing proves that the request really came
from the source address it carries, so the new schema is:

  Attacker (with victim IP as source) ->  Master server   (request)
  Victim                <==========        Master server   (big answer)

A quick and short list of the most important master servers that
support UDP is as follows:

  QUAKE WORLD                     192.246.40.37:27000
  QUAKE WORLD                     192.246.40.37:27002
  QUAKE WORLD                     192.246.40.37:27003
  QUAKE WORLD                     192.246.40.37:27004
  QUAKE WORLD                     192.246.40.37:27006
  QUAKE III ARENA                 master3.idsoftware.com:27950
  HALF-LIFE                       half-life.east.won.net:27010
  HALF-LIFE                       half-life.west.won.net:27010
  TRIBES II                       198.74.32.54:27999
  TRIBES II                       198.74.32.55:27999
  TRIBES II                       211.233.86.203:28002
  STAR TREK: VOYAGER ELITE FORCE  master.stef1.ravensoft.com:27953
  DESCENT III                     gt.pxo.net:3445
  ...

In the list the most powerful is the Quake III master server, which is
able to flood the client with a real rain of UDP packets:
it can send an amount of data equal to the sum of all the data sent by
the other master servers! Wow...

NOTE: more servers can be found on the Internet, or you can take a look
at the servers that support the standard game protocols used by XQF
(http://www.linuxgames.con/xqf/); if you want to know the format of the
query used to contact the master server of a specific game, I suggest
you look at the code of Qstat (http://www.qstat.org).

The number of bytes returned by these master servers depends on the
matches currently available, but the amount of data is always quite
large. As an example, I have tested the primary master server used by
Quake III (master3.idsoftware.com) many times; the amount of data I
received was about 650 times bigger than my original packet, which was
only 34 bytes (FYI: I have counted only payload sizes, without the
packet headers). So the rule is:

  "more game servers ---> bigger ratio"

and this is why the Quake III master server sends back such an enormous
amount of data.

The worst thing is that these servers are centralized, so writing a DDoS
tool is alarmingly simple (take a look at "The Code" section of this
paper): the attacker does not need to retrieve a list of servers, pull
IPs and ports out of it and then attack through somebody's game server,
which will probably stay alive only for some minutes or may already have
stopped the match. Master servers are fixed, centralized and ALWAYS
active, so a simple and lame UDP spoofer does an excellent DDoS job!

#######################################################################

===========
3) The Code
===========

I have written a DDoS tool based on this attack that simply sends
spoofed UDP datagrams to the servers listed in the Details section. To
see the amount of data returned by the Quake III master server I have
added a simple option (-t) that shows, in real time, the number of bytes
received from it.
The utility is really dangerous, so use it with very low values and ONLY
to confirm what I have said in this document.

  http://aluigi.org/poc/msddos.zip

NOTE: remember that some ISPs (network providers) now filter spoofed
packets leaving their networks, in which case your packets will be
dropped before they reach the servers.

#######################################################################

======
4) Fix
======

A first line of defence is offered by the ISPs that now finally drop
spoofed packets leaving their networks, but that only works when every
network does it. The real fix is a protocol with a handshake, so that
the big list is sent only to a requester that has proved it can receive
packets at the claimed source address. TCP gives this for free, and it
is not a bad choice here because server lists have lower priority than
the data of real-time multiplayer matches; a UDP service can get the
same effect by first returning a small challenge that the client must
echo back before the list is sent. For example GameSpy servers use TCP
and many other master servers use HTTP, so the problem can be removed by
adjusting a tiny piece of code in the games that use these master
servers.

NOTE: I contacted both id Software and Sierra some weeks ago to notify
them of the problem. id Software seems to be unreachable by e-mail (???)
and Sierra has not answered. IMHO this is a well known problem, because
using a connectionless protocol like UDP without any handshake will
ALWAYS give these effects!!!

#######################################################################
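To make the Details and Fix sections concrete, here is a model of both exchanges, written as an added example for this page: it is not Luigi Auriemma's msddos tool and it contacts no real master server. The vulnerable handler answers any query with the full list, exactly the pattern the advisory attacks; the hardened one first returns a small stateless cookie bound to the requester's address (an HMAC over address and time bucket, the same idea as the TCP handshake) and sends the list only when that cookie comes back, which a spoofing attacker cannot arrange. The wire format, the 28-byte query, the 3030-entry server list, the victim address and the cookie secret and lifetime are all constructed for the demo, loosely modelled on id's getservers/getserversResponse exchange, and are assumptions rather than the real protocol.

```python
"""UDP master-server reflection, modelled: the vulnerable exchange the advisory
describes beside a hardened one with a stateless address-bound cookie.
Added example for this advisory; it is not Luigi Auriemma's msddos tool and
no real master server is contacted. All wire formats, sizes and addresses
below are constructed for the demo (loosely modelled on id Software's
getservers/getserversResponse exchange) and are assumptions, not the real
protocol."""
import hashlib
import hmac
import socket
import struct

# Constructed query, 28 bytes (the advisory measured with a 34-byte packet).
QUERY = b"\xff\xff\xff\xffgetservers 68 empty full"
RESPONSE_HEADER = b"\xff\xff\xff\xffgetserversResponse\\"
RESPONSE_TRAILER = b"\\EOT"
COOKIE_SECRET = b"per-process secret, rotate on restart"  # hypothetical


def sample_servers(n):
    """Constructed list of n (ip, port) pairs standing in for live game servers."""
    return [(f"10.{(i >> 8) & 255}.{i & 255}.1", 27960) for i in range(n)]


def build_server_list(servers):
    """Pack the list: header, 6 bytes (IPv4 + big-endian port) per server, trailer."""
    body = b"".join(socket.inet_aton(ip) + struct.pack(">H", port) for ip, port in servers)
    return RESPONSE_HEADER + body + RESPONSE_TRAILER


def vulnerable_master(payload, src_addr, servers):
    """The pattern the advisory attacks: one unauthenticated datagram, full list
    back to whatever source address the datagram claims. src_addr is never checked."""
    if payload == QUERY:
        return build_server_list(servers)
    return b""


def make_cookie(src_addr, bucket, secret=COOKIE_SECRET):
    """Stateless cookie: HMAC over the requester's address and a time bucket.
    Only a host that really receives datagrams at src_addr can learn it."""
    ip, port = src_addr
    msg = f"{ip}:{port}:{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12].encode()


def hardened_master(payload, src_addr, servers, now):
    """Two-step exchange. A bare query gets a reply smaller than the query, so a
    spoofed request cannot amplify. The big list is sent only once the cookie is
    echoed back from the same address. 'now' is in seconds; cookies are valid
    for the current and the previous minute (hypothetical lifetime)."""
    bucket = int(now // 60)
    if payload == QUERY:
        return b"\xff\xff\xff\xffchallenge " + make_cookie(src_addr, bucket)
    if payload.startswith(QUERY + b" "):
        presented = payload[len(QUERY) + 1:]
        for b in (bucket, bucket - 1):
            if hmac.compare_digest(presented, make_cookie(src_addr, b)):
                return build_server_list(servers)
    return b""


def amplification(request, response):
    """Bytes returned per byte sent, payload only, as in the advisory's figure."""
    return len(response) / len(request)


def demo(n_servers=3030):
    """Run both exchanges with a spoofed source and report the two ratios."""
    servers = sample_servers(n_servers)
    victim = ("192.0.2.10", 27960)      # spoofed source = the victim (TEST-NET-2)
    now = 1_045_699_200.0               # fixed clock for reproducibility

    # Vulnerable: the victim receives the whole list for one spoofed datagram.
    vuln = vulnerable_master(QUERY, victim, servers)

    # Hardened: the victim receives only a small challenge; the attacker never
    # sees it, so step two cannot be completed on the victim's behalf.
    challenge = hardened_master(QUERY, victim, servers, now)
    cookie = challenge[len(b"\xff\xff\xff\xffchallenge "):]
    # A real client at its own address completes step two and gets the list.
    legit = hardened_master(QUERY + b" " + cookie, victim, servers, now)
    # The same cookie presented from any other address is rejected.
    other = hardened_master(QUERY + b" " + cookie, ("198.51.100.7", 27960), servers, now)

    return {
        "vulnerable_ratio": amplification(QUERY, vuln),
        "hardened_ratio": amplification(QUERY, challenge),
        "legit_gets_list": legit == vuln,
        "wrong_address_rejected": other == b"",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With 3030 constructed servers of 6 bytes each the vulnerable exchange returns about 650 bytes per byte sent, the advisory's figure, while the hardened exchange returns fewer bytes than the query itself: a spoofed request now costs the victim less than it costs the attacker, and the list still reaches a client that echoes the cookie from its real address.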