Bugtraq mailing list archives

Master Servers: yet another DDoS...


From: Auriemma Luigi <aluigi () pivx com>
Date: Thu, 20 Feb 2003 13:29:24 +0000


Yeah, it seems that DDoS attacks will never die, and in these months it
seems that every game can be used to launch DDoS attacks...

This time I want to show a problem that, to me, is very obvious, but
I have not found any reference to it on the Internet.

The following is my advisory about the problem:


#######################################################################

Applications: Games' Master Servers that use the UDP protocol to send
              the lists of currently active game servers to the clients.
              The most vulnerable servers are those owned by ID Software
              and Valve/Sierra games

Versions:     -

Platforms:    -

Bugs:         Usage of the UDP protocol for sending large amounts of data

Risk (high):  Distributed Denial of Service

Author:       Auriemma Luigi, Security Researcher, PivX Solutions, LLC
              e-mail: aluigi () pivx com
              web:    http://www.pivx.com/luigi/


#######################################################################


1) Introduction
2) Details
3) The Code
4) Fix
5) Philosophy


#######################################################################

===============
1) Introduction
===============


Recently and in the past, a lot of people (my friend Mike Kristovich,
Tom Vogt and many others) have talked and discussed about the usage of
online videogame servers to launch DDoS attacks against any host on the
Internet.

All these attacks focus on the amount of data in the responses of the
game servers to the information queries made by the clients, like for
example the list of players on the server.

In this advisory, instead, I want to talk about another type of DDoS
attack that results in an amount of data that in a lot of cases
(depending on the game, the number of matches and several other
variables) can be more dangerous than the "information queries DDoS".

I am talking about the "list of current game servers" sent by the
Master Servers to the game clients.

So the "object" used to retrieve the list of vulnerable servers now
becomes the real "attack".
 


#######################################################################

==========
2) Details
==========


First important thing to know is "what are Master Servers?".

Master Servers are centralized servers (they have a fixed hostname)
used to store the current list of available game servers on the
Internet.

Each of these MS (Master Servers) is used ONLY for one specific game
(the only exceptions are the servers that are not primary MS but just
mirrors).
For example, master3.idsoftware.com is used for Quake III,
half-life.east.won.net for Half-Life and so on...

When someone (a player like you) starts a game server on the Internet,
his game sends a packet to the primary MS used by his game announcing
itself, so all the other players in the world will know that on his
machine there is a multiplayer match.

When another guy wants to find a multiplayer server on the Internet to
connect to and play, he must simply go to the Multiplayer section of
his game; the game sends a request to the primary MS of that specific
game and the MS answers with the list of currently available servers.


Watch this simple schema about the sending of the list to the client:

Game client      ->     Master server (request for the list)
Game client <========== Master server (answer with big list of servers)



My DDoS idea was born from the fact that some Master Servers use a
connectionless network protocol like UDP to send the list of currently
available game servers to the clients.


So the new schema is:

Attacker (with victim IP source)      ->     Master server (request)
Victim                           <========== Master server (big answer)



A quick and short list of the most important Master Servers that
support UDP follows:

QUAKE WORLD                         192.246.40.37:27000
QUAKE WORLD                         192.246.40.37:27002
QUAKE WORLD                         192.246.40.37:27003
QUAKE WORLD                         192.246.40.37:27004
QUAKE WORLD                         192.246.40.37:27006
QUAKE III ARENA                     master3.idsoftware.com:27950
HALF-LIFE                           half-life.east.won.net:27010
HALF-LIFE                           half-life.west.won.net:27010
TRIBES II                           198.74.32.54:27999
TRIBES II                           198.74.32.55:27999
TRIBES II                           211.233.86.203:28002
STAR TREK: VOYAGER ELITE FORCE      master.stef1.ravensoft.com:27953
DESCENT III                         gt.pxo.net:3445
...


In the list the most powerful is the Quake III Master Server, which is
able to flood the client with a real rain of UDP packets... it can send
an amount of data equal to the sum of all the data sent by the other
Master Servers!!! Wow...

NOTE: more servers can be found on the Internet, or you can take a look
at the servers that support the standard game protocols used by XQF
(http://www.linuxgames.con/xqf/), and if you want to know the format of
the query used to contact the Master Server of a specific game I
suggest you look at the code of Qstat (http://www.qstat.org).


The bytes received from these Master Servers depend on the matches
currently available; however, the amount of data is quite large. Just
as an example, I have tested many times the primary Master Server used
for Quake III (master3.idsoftware.com); the amount of data I received
was about 650 times bigger than my original packet, which was only 34
bytes (FYI: I have considered only the data size, without the size of
the packet headers).

So the correct equation is: "more game servers ---> bigger ratio".
This is the cause of the enormous amount of data sent back by the
Quake III master server.


The worst thing is that these servers are centralized and writing a
DDoS tool is alarmingly simple (take a look at "The Code" section of
this paper), simply because the attacker doesn't need to retrieve a
list of servers, get IPs and ports from it and then launch an attack
using someone's server that will probably stay alive only for some
minutes or that has probably already stopped the game at that moment...
Master Servers are "fixed", centralized and are ALWAYS active, so a
simple and lame UDP spoofer does an excellent DDoS job!
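From the defender's side, the distinguishing feature of this attack is not the size ratio (the advisory itself measures about 650x for a perfectly legitimate Quake III list request) but the fact that the victim receives master-server replies without ever having sent a request. The following is an added example, not code from the advisory or from PivX: it runs that check over a handful of constructed NetFlow-like records. The master-server endpoints are taken from the advisory's list; the 10.0.0.x hosts and all byte counts are constructed placeholders.

```python
from collections import defaultdict

# Master-server endpoints taken from the advisory's list above.
MASTER_ENDPOINTS = {
    ("192.246.40.37", 27000),           # QuakeWorld
    ("master3.idsoftware.com", 27950),  # Quake III Arena
    ("half-life.east.won.net", 27010),  # Half-Life
}

# Constructed flow records (NetFlow-like): (src, sport, dst, dport, bytes).
# Hosts 10.0.0.x are placeholders; byte counts are invented to match the
# advisory's observation of a 34-byte request and a ~650x reply.
FLOWS = [
    # Legitimate client: sends one request, gets the list back.
    ("10.0.0.5", 40001, "master3.idsoftware.com", 27950, 34),
    ("master3.idsoftware.com", 27950, "10.0.0.5", 40001, 22100),
    # Victim of a spoofed request: large replies, but it never asked.
    ("master3.idsoftware.com", 27950, "10.0.0.9", 27960, 22100),
    ("192.246.40.37", 27000, "10.0.0.9", 27960, 4800),
    ("half-life.east.won.net", 27010, "10.0.0.9", 27960, 9600),
    # Unrelated game traffic, not involving a master server.
    ("10.0.0.7", 50000, "203.0.113.10", 27960, 1200),
]


def master_traffic(flows):
    """Per (master endpoint, local host): bytes sent to and received from the master."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if (dst, dport) in MASTER_ENDPOINTS:
            sent[((dst, dport), src)] += nbytes
        elif (src, sport) in MASTER_ENDPOINTS:
            recv[((src, sport), dst)] += nbytes
    return {k: (sent[k], recv[k]) for k in set(sent) | set(recv)}


def amplification_ratio(flows, master, host):
    """Reply bytes per request byte for one host/master pair (inf if no request)."""
    out_b, in_b = master_traffic(flows).get((master, host), (0, 0))
    return in_b / out_b if out_b else float("inf")


def unsolicited_reply_hosts(flows):
    """Hosts that received master-server replies without ever sending a request:
    the signature of a spoofed-source reflection, since a high ratio alone is
    normal for this protocol. Returns {host: total unsolicited bytes}."""
    totals = defaultdict(int)
    for (master, host), (out_b, in_b) in master_traffic(flows).items():
        if out_b == 0 and in_b > 0:
            totals[host] += in_b
    return dict(totals)


if __name__ == "__main__":
    print("legit ratio:", amplification_ratio(
        FLOWS, ("master3.idsoftware.com", 27950), "10.0.0.5"))
    print("unsolicited:", unsolicited_reply_hosts(FLOWS))
```

On real flow data the same logic works per time window; the one thing to keep from this toy is that a ratio threshold would flag every normal list download, while "replies with no matching request" does not.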



#######################################################################


===========
3) The Code
===========


I have written a DDoS tool based on this attack that simply sends
spoofed UDP datagrams to the servers I have specified in the Details
section.
To see the amount of data received from the Quake III master server, I
have added a simple option (-t) that shows the amount of bytes received
from it in real time.
The utility is really dangerous, so use it with very low values and
ONLY to confirm what I have said in this document.

http://www.pivx.com/luigi/poc/msddos.zip


NOTE: Remember that some ISPs (network providers) now block spoofing
      from their network, so in that case your packets will be dropped
      before arriving at the servers.



#######################################################################

======
4) Fix
======


An initial fix is offered by the ISPs that now finally block spoofed
packets from their network.

However, the only possible fix is the usage of the TCP protocol, which
is not a bad idea because server lists have lower priority than the
data of real-time multiplayer matches.
For example, Gamespy servers use the TCP protocol and many other types
of servers use the HTTP protocol, so it is very simple to remove the
problem by just adjusting a tiny piece of code in the games that use
these Master Servers.


NOTE: I contacted both ID Software and Sierra some weeks ago just to
      notify them of the problem.
      ID Software seems to be unreachable by mail (???) and Sierra
      has not answered.
      
      IMHO this is a well-known problem, because using a connectionless
      protocol like UDP without any handshake will ALWAYS give these
      effects!!!
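The note above puts the finger on the missing handshake. Moving to TCP is one way to get one; the other, if a game wants to keep UDP, is to make the master answer an unauthenticated request with nothing bigger than the request itself and send the list only to a peer that proves it received that small reply at the claimed source address. The following is an added example, not code from the advisory, id Software, Valve or Sierra, and not any game's real wire format: it simulates both masters in memory (no sockets), with a naive one beside one that uses a stateless HMAC cookie over the source address. The 'GETSERVERS', 'CHAL' and 'LIST' tags, the 6-byte entries and the 203.0.113.x server list are all constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

REQUEST = b"GETSERVERS"
# Constructed list of 200 game servers (TEST-NET addresses), not a real list.
SERVER_LIST = [("203.0.113.%d" % i, 27960) for i in range(1, 201)]


def encode_server_list(servers):
    """Pack each entry as 4-byte IPv4 + 2-byte big-endian port behind a 'LIST' tag."""
    body = b"".join(socket.inet_aton(ip) + struct.pack("!H", port)
                    for ip, port in servers)
    return b"LIST" + body


def decode_server_list(datagram):
    """Inverse of encode_server_list, used by the client side of the simulation."""
    assert datagram.startswith(b"LIST")
    body = datagram[4:]
    return [(socket.inet_ntoa(body[i:i + 4]),
             struct.unpack("!H", body[i + 4:i + 6])[0])
            for i in range(0, len(body), 6)]


class NaiveMaster:
    """Answers any request with the whole list, so a request whose source
    address is forged makes the master send the list to the forged address."""

    def handle(self, src, datagram):
        if datagram == REQUEST:
            return encode_server_list(SERVER_LIST)
        return b""


class ChallengeMaster:
    """Sends the list only after the requester echoes a cookie that was sent to
    its claimed source address; a forged source never sees the cookie.
    The cookie is stateless: an HMAC of the source address under a server secret,
    so the master keeps no per-client state and cannot be exhausted that way."""

    def __init__(self):
        self.secret = os.urandom(32)

    def cookie(self, src):
        msg = ("%s:%d" % src).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:6]

    def handle(self, src, datagram):
        if not datagram.startswith(REQUEST):
            return b""
        presented = datagram[len(REQUEST):]
        if hmac.compare_digest(presented, self.cookie(src)):
            return encode_server_list(SERVER_LIST)
        # Missing or wrong cookie: 10-byte reply, no bigger than the request,
        # so a spoofed request cannot amplify.
        return b"CHAL" + self.cookie(src)


def spoofed_request(master, victim_src):
    """What the victim receives when an attacker sends one request with the
    victim's address as the source. Returns (request_bytes, bytes_to_victim)."""
    reply = master.handle(victim_src, REQUEST)
    return len(REQUEST), len(reply)


def legitimate_request(master, client_src):
    """A real client can answer the challenge because the cookie reaches it."""
    first = master.handle(client_src, REQUEST)
    if first.startswith(b"CHAL"):
        return master.handle(client_src, REQUEST + first[4:])
    return first


if __name__ == "__main__":
    for name, master in (("naive", NaiveMaster()), ("challenge", ChallengeMaster())):
        print(name, "spoofed -> victim gets", spoofed_request(master, ("10.0.0.9", 27960)))
        print(name, "legit   -> entries:",
              len(decode_server_list(legitimate_request(master, ("10.0.0.5", 40001)))))
```

The cost is one extra round trip for a legitimate client; the secret should be rotated periodically (accepting the previous one for a short grace period) so captured cookies go stale, which the example leaves out for brevity.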



#######################################################################

=============
5) Philosophy
=============


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack and the real danger
of a bug, someone can learn a bit of creative programming (I have
learned a bit of interesting C from the source code of some published
exploits), and it's useful for all the people that believe in this type
of disclosure.
No secrets!



#######################################################################

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments
(http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com


#######################################################################
 

Any type of feedback is really welcome!

Byez




--- 
PivX Security Researcher
http://www.pivx.com/luigi/


