[6820] in bugtraq
NetQuake Protocol problem resulting in smurf like effect.
daemon@ATHENA.MIT.EDU (q@LESTAT.GNU.NET)
Tue May 26 15:39:45 1998
Date: Fri, 22 May 1998 08:06:39 -0700
Reply-To: Q <q@LESTAT.GNU.NET>
From: Q <q@LESTAT.GNU.NET>
To: BUGTRAQ@NETSPACE.ORG
Greetings all,
While happily idling on EFNet, several members of #LinuxOS found
that they were coming under DoS attack from a user who had been repeatedly
kicked and banned for his "haqur" attitude. That is: touting
an "elite" DoS attack, that he "couldn't distribute". However, being a
tech channel, and being more interested in how the problem worked than
having this code, we managed to pry the following details; as to their
accuracy, I'm unsure.
* Through the NQ (NetQuake) Protocol it is possible to send a spoofed
connect request packet to several <i.e. 400 or so> NetQuake Servers. This
then will result in a flood of attempted "Connect" requests from the
servers' end to the target machine whether that target machine carries a
copy of Quake or not. This may be perceived in a similar way to a smurf
attack, although I'm told it requires far less bandwidth "and can be done
from even a 14.4".
* Apparently the fix is to send a DISCONNECT packet to each IP that tries
sending UDP traffic in the attempt to initialize a NetQuake game. This
will cause the server to "give up" trying to start a game, ending the flood.
I would just like to now note, as a matter of courtesy: neither I nor, to the
best of my knowledge, any member of #LinuxOS discovered this bug or wrote any
exploit code for it. I and the overwhelming majority of #LinuxOS felt
that it would be far better to alert the general community to "yet
another" DoS attack.
I do not have the exploit or patch code; as I have said, "AgentX"/"Playtex"
on EFNet (your friendly neighbourhood DoS supplier) was incredibly tight
when it came to distributing any source code. I would recommend asking
him or one of his clique. I do however have tcpdump available from
http://riva.gnu.net/nq-attack
regards
- q
= To err is human, to forgive is Not Company Policy.
++- Q
+ - GNU Networks - http://www.gnu.net
+ - q@gnu.net / http://riva.gnu.net
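
Added example, not part of the original post and not code from its author: a defender-side check that scans a UDP capture for hosts receiving traffic from several peers they never sent anything to, which is the pattern the post describes on the target machine. The line format, addresses, port numbers and the `min_sources` threshold are constructed assumptions, not taken from the capture referenced above.

```python
import re
from collections import defaultdict

# Simplified tcpdump-style line: "<time> <src-ip>.<port> > <dst-ip>.<port>: udp <len>"
LINE_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: udp \d+$"
)

# Constructed sample capture (documentation addresses, assumed ports).
SAMPLE = """\
08:06:39.100000 192.0.2.20.1025 > 198.51.100.1.26000: udp 12
08:06:39.110000 198.51.100.1.26000 > 192.0.2.20.1025: udp 9
08:06:40.000000 198.51.100.1.26000 > 192.0.2.10.1030: udp 9
08:06:40.010000 198.51.100.2.26000 > 192.0.2.10.1030: udp 9
08:06:40.020000 203.0.113.5.26000 > 192.0.2.10.1030: udp 9
08:06:40.030000 203.0.113.9.26000 > 192.0.2.10.1030: udp 9
08:06:41.000000 198.51.100.1.26000 > 192.0.2.10.1030: udp 9
""".splitlines()


def parse(lines):
    """Yield (src_ip, dst_ip) for every line that matches the UDP format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"]


def find_reflection_targets(lines, min_sources=3):
    """Map each suspected target to the peers whose UDP it never solicited.

    A peer counts as unsolicited when the target sent it no UDP anywhere in
    the capture, so ordinary client/server exchanges are not flagged.
    """
    flows = list(parse(lines))
    sent = set(flows)                      # every (sender, receiver) pair seen
    unsolicited = defaultdict(set)
    for src, dst in flows:
        if (dst, src) not in sent:         # dst never talked to src
            unsolicited[dst].add(src)
    return {t: sorted(s) for t, s in unsolicited.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for target, peers in find_reflection_targets(SAMPLE).items():
        print(f"{target}: unsolicited UDP from {len(peers)} hosts: {', '.join(peers)}")
```
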