Bugtraq mailing list archives
Re: NetQuake Protocol problem resulting in smurf like effect.
From: blk_jack () SELLOUT THT NET (Black Jack)
Date: Tue, 26 May 1998 15:19:05 -0400
A note on this subject, I, myself (blk_jack@EFnet) was talking to the attacker also (On #LinuxOS). He was distributing a file (binary) - anti. He then told me to run the program & let him attack me. I did so, and noticed immediately that floods of packets were coming in from quake server addresses... I then ran the program which 'looked' for the connect packets & sent disconnect packets back to the senders. This bug isn't very complicated, and it was efficiently stopped with this 'fix'. BUT, the next day or so I got 2 emails from my isp, complaining that quake servers had mailed them and told them that I had been flooding them (the spoofed address sent to the servers for the DoS attack in the first place). Luckily, my isp is understanding and let it slide after I explained. I wouldn't be so worried about the attack actually flooding you off, more of the side effects of quake servers complaining to your isp and getting YOU kicked off. My little thoughts... Jeff, Black Jack. On Fri, 22 May 1998, Q wrote:
Greetings all, While happily idling on EFNet, several members of #LinuxOS found that they were coming under DoS attack from a user who had been repeatedly kicked and banned for his "haqur" attitude. That is: touting an "elite" DoS attack, that he "couldn't distribute". However, being a tech channel, and being more interested in how the problem worked than having this code, we managed to pry the following details, as to their accuracy I'm unsure. * Through the NQ (NetQuake) Protocol it is possible to send a spoofed connect request packet to several <i.e 400 or so> NetQuake Servers. This then will result in a flood of attempted "Connect" requests from the servers' end to the target machine whether that target machine carries a copy of Quake or not. This may be perceived in a similar way to smurf attack, although I'm told it requires far less bandwidth "and can be done from even a 14.4" * Apparently the fix is to send a DISCONNECT packet to each IP that tries sending UDP traffic in the attempt to initialize a NetQuake game. This will cause the server "give up" trying to start a game, ending the flood. I would just like to now note, as a matter of courtesy: I and to the best of my knowledge, no member of #LinuxOS discovered this bug, or wrote any exploit code for it. I and the overwhelming majority of #LinuxOS felt that it would be far better to alert the general community to "yet another" DoS attack. I do not have the exploit or patch code, as I have said "AgentX"/"Playtex" on EFNet (your friendly neighbourhood DoS supplier) was incredibly tight when it came to distributing any source code. I would recommend asking him or one of his clique. I do however have tcpdump available from http://riva.gnu.net/nq-attack regards - q = To err is human, to forgive is Not Company Policy. ++- Q + - GNU Networks -http://www.gnu.net + - q () gnu net/http://riva.gnu.net
Current thread:
- NetQuake Protocol problem resulting in smurf like effect. Q (May 22)
- Re: NetQuake Protocol problem resulting in smurf like effect. Black Jack (May 26)
- <Possible follow-ups>
- Re: NetQuake Protocol problem resulting in smurf like effect. David Schwartz (May 26)
- Re: NetQuake Protocol problem resulting in smurf like effect. Ambrose Feinstein (May 26)