Vulnerability Development mailing list archives

Re: New DoS attack


From: dave.booth () MEDTRONIC COM (Dave Booth)
Date: Mon, 19 Jun 2000 09:11:54 -0500


Sorry, BB - normally I read your comments here with much head-nodding
and agreement but this time I have to disagree. As a previous poster
pointed out if you are reimplementing TCP in UDP gaming protocols you
may as well just use TCP. Lots of reasons, all performance-related, why
game designers don't want to do that. Assuming 2-way UDP traffic is
possible through whatever firewalling setup is in place (or they wouldn't
be playing now!) how do you hit the back-channel nightmares you worry
about with a scheme like this...?

Game client makes tcp connection to server and requests to join the
game.
Server responds (as part of the same tcp session) with a unique token,
remembers it and the client's IP then signs off.
Client initiates normal UDP game connection including the token in
every datagram.
Server silently ignores all incoming datagrams where there isn't a valid
token that matches up with the IP address the datagram claims to come
from.

In each case the connection is initiated by the client, but that makes
blind spoofing to create bogus connections impossible as there has to be
a two-way conversation in tcp to pass the token before the UDP join game
request (which doesn't get modified at all apart from the inclusion of
the token) will be accepted by the server. If it isn't blind spoofing but
is done by someone who can sniff the network then as you so rightly
pointed out the victim is in a world of hurt anyway and spoofed game
connections are the least of their problems.

Dave Booth
dave.booth () medtronic com
Opinions expressed here are mine, not my employer's.

Blue Boar <BlueBoar () THIEVCO COM> 06/17/00 11:51AM >>>

No, because then you'd have one of those horrible protocols that passes
addresses and ports as part of the datastream, does backchannel
connections, etc.. and will generally make firewall admins want to kill
you.  I.e. you just broke everyone's home NAT box, so they can't play
their game now.

A simple rip-off of the 3-way handshake from TCP (including the equiv
of sequence numbers, which must be non-predictable) will do the trick.
For blind spoofing anyway.  An attacker who can monitor the exchange
can still execute the DoS, but that's generally a much worse problem
anyway.

                                                BB

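The scheme Dave sketches above, as an added Python example that is not code from the original thread: the server hands out an unpredictable token during the TCP join, binds it to the client's IP, and silently drops UDP datagrams whose token and source address don't match. The class and function names, the 16-byte token length and the "token followed by payload" datagram layout are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_LEN = 16  # assumed token size; 128 random bits is not blind-guessable


@dataclass
class GameServer:
    # token -> IP address the token was issued to over the TCP join session
    sessions: Dict[bytes, str] = field(default_factory=dict)

    def issue_token(self, client_ip: str) -> bytes:
        """Step 1-2: TCP join request; server replies with a fresh token and
        remembers which IP it was issued to. A predictable token (counter,
        timestamp) would reopen the blind-spoofing hole, so use the CSPRNG."""
        token = secrets.token_bytes(TOKEN_LEN)
        self.sessions[token] = client_ip
        return token

    def handle_datagram(self, src_ip: str, datagram: bytes) -> Optional[bytes]:
        """Step 4: accept the UDP datagram only if it carries a known token
        AND comes from the IP that token was issued to; otherwise return None
        (drop it silently, sending nothing back to an unverified source)."""
        if len(datagram) < TOKEN_LEN:
            return None
        token, payload = datagram[:TOKEN_LEN], datagram[TOKEN_LEN:]
        bound_ip = self.sessions.get(token)
        if bound_ip is None or bound_ip != src_ip:
            return None
        return payload


def build_datagram(token: bytes, payload: bytes) -> bytes:
    """Step 3: client prepends its token to every game datagram (assumed layout)."""
    return token + payload


if __name__ == "__main__":
    # Constructed scenario: a legitimate client at 10.0.0.5 joins, then an
    # attacker at 192.0.2.9 replays its token and also tries a guessed one.
    srv = GameServer()
    tok = srv.issue_token("10.0.0.5")
    print(srv.handle_datagram("10.0.0.5", build_datagram(tok, b"join")))   # b'join'
    print(srv.handle_datagram("192.0.2.9", build_datagram(tok, b"join")))  # None
    print(srv.handle_datagram("10.0.0.5", build_datagram(bytes(16), b"join")))  # None
```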
