Re: NetQuake Protocol problem resulting in smurf like effect.

[blk_jack () SELLOUT THT NET (Black Jack)]

A note on this subject, I, myself (blk_jack@EFnet) was talking to the
attacker also (On #LinuxOS).  He was distributing a file (binary) - anti.
He then told me to run the program & let him attack me.  I did so, and
noticed immediately that floods of packets were coming in from quake
server addresses... I then ran the program which 'looked' for the connect
packets & sent disconnect packets back to the senders.

This bug isn't very complicated, and it was efficiently stopped with this
'fix'.  BUT, the next day or so I got 2 emails from my isp, complaining
that quake servers had mailed them and told them that I had been flooding
them (the spoofed address sent to the servers for the DoS attack in the
first place).  Luckily, my isp is understanding and let it slide after I
explained.

I wouldn't be so worried about the attack actually flooding you off, more
of the side effects of quake servers complaining to your isp and getting
YOU kicked off.

My little thoughts...

        Jeff,
        Black Jack.

On Fri, 22 May 1998, Q wrote:

> Greetings all,
>
>   While happily idling on EFNet, several members of #LinuxOS found
> that they were coming under DoS attack from a user who had been repeatedly
> kicked and banned for his "haqur" attitude.  That is: touting
> an "elite" DoS attack, that he "couldn't distribute".  However, being a
> tech channel, and being more interested in how the problem worked than
> having this code, we managed to pry the following details, as to their
> accuracy I'm unsure.
>
> * Through the NQ (NetQuake) Protocol it is possible to send a spoofed
> connect request packet to several <i.e 400 or so> NetQuake Servers.  This
> then will result in a flood of attempted "Connect" requests from the
> servers' end to the target machine whether that target machine carries a
> copy of Quake or not. This may be perceived in a similar way to smurf
> attack, although I'm told it requires far less bandwidth "and can be done
> from even a 14.4"
>
> *  Apparently the fix is to send a DISCONNECT packet to each IP that tries
> sending UDP traffic in the attempt to initialize a NetQuake game.  This
> will cause the server "give up" trying to start a game, ending the flood.
>
> I would just like to now note, as a matter of courtesy: I and to the best
> of my knowledge, no member of #LinuxOS discovered this bug, or wrote any
> exploit code for it. I and the overwhelming majority of #LinuxOS felt
> that it would be far better to alert the general community to "yet
> another" DoS attack.
>
> I do not have the exploit or patch code, as I have said "AgentX"/"Playtex"
> on EFNet  (your friendly neighbourhood DoS supplier) was incredibly tight
> when it came to distributing any source code.  I would recommend asking
> him or one of his clique. I do however have tcpdump available from
> http://riva.gnu.net/nq-attack
>
> regards
>
> - q
>
>
> = To err is human, to forgive is Not Company Policy.
> ++- Q
>   + - GNU Networks -http://www.gnu.net
>   + - q () gnu net/http://riva.gnu.net