Bugtraq mailing list archives

NetQuake Protocol problem resulting in smurf like effect.


From: q () LESTAT GNU NET (Q)
Date: Fri, 22 May 1998 08:06:39 -0700


Greetings all,

  While happily idling on EFNet, several members of #LinuxOS found
that they were coming under DoS attack from a user who had been repeatedly
kicked and banned for his "haqur" attitude.  That is: touting
an "elite" DoS attack, that he "couldn't distribute".  However, being a
tech channel, and being more interested in how the problem worked than
having this code, we managed to pry out the following details; as to their
accuracy I'm unsure.

* Through the NQ (NetQuake) Protocol it is possible to send a spoofed
connect request packet to several (i.e. 400 or so) NetQuake Servers.  This
then will result in a flood of attempted "Connect" requests from the
servers' end to the target machine whether that target machine carries a
copy of Quake or not. This may be perceived in a similar way to a smurf
attack, although I'm told it requires far less bandwidth "and can be done
from even a 14.4".

*  Apparently the fix is to send a DISCONNECT packet to each IP that tries
sending UDP traffic in the attempt to initialize a NetQuake game.  This
will cause the server to "give up" trying to start a game, ending the flood.

I would just like to note now, as a matter of courtesy: neither I nor, to
the best of my knowledge, any member of #LinuxOS discovered this bug or
wrote any exploit code for it. I and the overwhelming majority of #LinuxOS
felt that it would be far better to alert the general community to "yet
another" DoS attack.

I do not have the exploit or patch code; as I have said, "AgentX"/"Playtex"
on EFNet (your friendly neighbourhood DoS supplier) was incredibly tight
when it came to distributing any source code.  I would recommend asking
him or one of his clique. I do, however, have tcpdump available from
http://riva.gnu.net/nq-attack

regards

- q


= To err is human, to forgive is Not Company Policy.
++- Q
  + - GNU Networks -http://www.gnu.net
  + - q () gnu net/http://riva.gnu.net
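
Added example, not part of the original post and not code from any Quake project: one way to spot the reflected traffic described above in a capture taken at a network edge, by flagging hosts that receive UDP from many distinct servers' game port without ever having contacted them. The port 26000 (NetQuake's default, not stated in the post), the `tcpdump -n -tt` line format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

QUAKE_PORT = 26000  # assumption: NetQuake's default UDP port, not given in the post
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$")

# Constructed sample in `tcpdump -n -tt` style (documentation address ranges).
SAMPLE = """\
100.000000 IP 198.51.100.7.4000 > 192.0.2.1.26000: UDP, length 12
100.050000 IP 192.0.2.1.26000 > 198.51.100.7.4000: UDP, length 9
200.000000 IP 192.0.2.11.26000 > 198.51.100.9.1030: UDP, length 9
200.100000 IP 192.0.2.12.26000 > 198.51.100.9.1030: UDP, length 9
200.200000 IP 192.0.2.13.26000 > 198.51.100.9.1030: UDP, length 9
201.200000 IP 192.0.2.11.26000 > 198.51.100.9.1030: UDP, length 9
"""

def parse(text):
    """Yield (ts, src, sport, dst, dport) for each UDP line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            yield float(ts), src, int(sport), dst, int(dport)

def unsolicited_reply_floods(packets, port=QUAKE_PORT, min_sources=3, window=10.0):
    """Return {host: sorted server IPs} for hosts that receive traffic from at
    least `min_sources` distinct servers within `window` seconds without having
    sent anything to those servers' game port first."""
    asked = set()               # (client, server) pairs with a genuine request
    recent = defaultdict(list)  # host -> [(ts, server)] unsolicited packets in window
    flagged = defaultdict(set)
    for ts, src, sport, dst, dport in sorted(packets):
        if dport == port:
            asked.add((src, dst))
        elif sport == port and (dst, src) not in asked:
            # Drop entries older than the window, then record this packet.
            hits = recent[dst] = [(t, s) for t, s in recent[dst] if ts - t <= window]
            hits.append((ts, src))
            servers = {s for _, s in hits}
            if len(servers) >= min_sources:
                flagged[dst] |= servers
    return {host: sorted(ips) for host, ips in flagged.items()}

if __name__ == "__main__":
    for host, servers in unsolicited_reply_floods(parse(SAMPLE)).items():
        print(f"{host}: unsolicited port-{QUAKE_PORT} traffic from {len(servers)} servers")
```

The host 198.51.100.7 in the sample is not flagged because it sent a request to the server before the reply arrived; only the host that never asked is reported.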


