UDP packeting from monster.idgames.com

ok, i don’t want to start some kind of flame war or whatever… but i was really confused as to what was happening here, here is the logs on the firewall (ip not edited because it has since been changed, so please dont be immature and do anything stupid).

18:18:05.321157 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810
18:18:05.321371 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810
18:18:05.321777 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810
18:18:05.321960 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810
18:18:05.322238 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810
18:18:05.322996 monster.idsoftware.com.27950 > 66.79.181.78.6667: udp 810

it’s only a small spec of it. the reason why i ask here is because the sending port is ironically the same port as the port enemy territory uses. maybe it was some sort of a bug in the servers? a hacked server? i don’t think it was a spoofed attack though… why would it resolve to that if it were?

just curious… if anyone knows, share the wealth, lol.

heh, my 0.02 ;

If you do an nslookup on monster.idsoftware.com it comes back with the address 192.246.40.56 - if you do an nslookup for wolfmaster.idsoftware.com it comes back with the address 192.246.40.65 - chances are the id own the entire class c range for those addresses so it’s legit imo.

UDP port 810 is a ‘common’ services port (FCP) - chances are that it’s the query service used by stuff like ASE and qstats to get player information.

I don’t think you’ve been hacked m8

That’s a log from a master server responce. Each UDP datagram are always 810 chars long, except the last one which is usually smaller. It contains ip numbers for the ingame browser or third party browser to scan server from. Default game server port is 27960 and not 27950.

oops - yup, 810 is the char size not the port *blushes

Hahashahshashahshashahsa…

/me points and laughs at EvilSock teh EvilNewb… j/k.

I knew what you meant the first time… dont worry…

fluffle

Do you get this when running a server or a client?

this was on a server… if you will notice the timing between the packets, it was actually seen as a DDoS attack. spoofing was looked into, but it left some unanswered questions.

the ip had to be nulled because it was eating a few megs of bandwidth/sec

That’s the Quake3 master server if I’m not mistaken.

There was some talk a while back on bugtraq about using game master servers for dos attacks, by forging the source IP of the query. Then you send lots of queries and get quite substantial bandwidth amplification.

If it was eating a few mb/s of bandwidth without any action on your part, contacting the technical contact for the id address would not be out of line.

http://www.securityfocus.com/archive/1/280772

um, for anybody that didn’t click the link;

> 2) Bug
> The UDP is a connection-less protocol so is “normal” that it is
> insecure, but UT don’t do any control about the packets that it
> receives!

This is almost identical to a method I developed in May using Q3
servers, and where I mention that Halflife, UT and possibly other
similiar game servers are subject to the very same problem.

I wrote a short paper about the method of this and posted it on my
webpage:

http://web.xxxxxxxx.org/security/

With the game servers, the impact is limited, as I detail in the paper.
You can’t take down yahoo or /. with it, but it’s more than enough to
blow any dial-up user or small business (T1 or so) off the net.

** pound to a pinch of shit that was the reason companies like ByGames and Game.net took their servers down - I bet my left nut they re-appear as M$ gameservers running ‘secure’ proprietary protocols with subscriber only services - pay-as-you-go…

looks to me like a classic IRC ddos. the destination port gives it away (despite being UDP)

someone is spoofing the attacker IP but targeting your PC.

so which irc script kiddie did you piss off?

Well, it would be fairly trivial to add some kind of rate limiting to per IP to the masters (you’d have to take a little care not to screw people on NAT networks, but it could be done). If they wanted to. :moo:

In any case, I concur with bani, a forged source is also quite likely…

Yeah, and with the destination port not equal to the ET server port (unless you’ve got it running on 6667, which seems unlikely), this is not a gameserver amplification DDOS attack.

Still, this incident shows that ET does not have a built-in rate limiter that controls how many status packets may get transmitted per second. That, in turn, makes ET (and most likely any other UDP-based game server) a very “useful” tool for such an amplification attack.

I’m kinda puzzled that it hasn’t really happened yet (well, as far as I know), since writing an exploit for it is entirely trivial (crosses fingers).

My input for what its worth…

Is this not traffic from a master server to an IRC based games browser like the one in “no name script”?

Puds

It’s (like Lanz said) a response from the master server with a list of server IPs. Normally, the server browser sends a packet to masterserver:27950 with a command like '\xff\xff\xff\xffgetservers 83 empty full demo
’ (in the case of ET), to which the master server responds with a stream of packets that look like '\xff\xff\xff\xffgetserversResponse\AAAABB\AAAABB\AAAABB…\EOT" (where AAAA is four bytes making up the server IP address, BB is two bytes making up the server port, and there are 112 servers total.)

The problem is that, unlike the majority of the Quake-related connectionless commands, getservers doesn’t require you to respond to a challenge before it gives you the server list. This is especially unfortunate in this case, since the getservers command returns a fairly large amount of data.

To detail on the challenge I just mentioned–several of the connectionless commands from Quake-engine games require you to answer a challenge before you get to do anything interesting in order to verify that you are really the person who is sending the request. For example, when you connect to an ET server, the game sends ‘getchallenge’ (and displays ‘Awaiting challenge…’ to the user); then, the server sends back ‘challengeResponse <random number>’ to the client; and then, the client sends back that random number to the server in the connect request. If the random number that the client sends back doesn’t match what the server gave out, the connection is rejected as invalid (so it’s very difficult for someone malicious to spoof a connection to the server.)

Here’s a brief, simplified illustration (italicized text indicates data that’s actually sent compressed):

[quote="

 is difficult to read"]
<pre>[b]Client                                [/b]  [b]Server[/b]                          [b]Client prints[/b]
getchallenge                                                            "Awaiting challenge..."
                                        challengeResponse -1384463566
connect [i]\challenge\-1384463566\...[/i]                                      "Awaiting connection..."
                                        connectResponse                 "Awaiting gamestate..."
                                        [i][gamestate data][/i]</pre>(etc...)
[/quote]


To demonstrate the problem, I can send the getservers command to the Quake 3 master server with a forged source IP (the IP of another server I administer), e.g.:

[quote="

is difficult to read"]
victim.host:6667 > master.quake3arena.com:27950 (udp): "\xff\xff\xff\xffgetServers 68 empty full demo
"
[/quote]

The result is similar to what Kamel posted:

[quote="

 is difficult to read"]
12:08:51.728067 monster.idsoftware.com.27950 > victim.host.6667: udp 810
12:08:51.732550 monster.idsoftware.com.27950 > victim.host.6667: udp 810
12:08:51.737068 monster.idsoftware.com.27950 > victim.host.6667: udp 810
12:08:51.741570 monster.idsoftware.com.27950 > victim.host.6667: udp 810
12:08:51.746083 monster.idsoftware.com.27950 > victim.host.6667: udp 810
(etc.)
[/quote]

The high packet rate in itself isn't indicative of a DOS attack--a normal response to the request will consist of about 21 such packets as rapidly as shown; however, the fact that the packets kept going long enough for you to realize trouble was afoot (along with the destination port of 6667) IS a good indication.

So, to summarize, it is an amplification attack (although not via the game server itself, but rather, the master server), and letting Id know about it (if you haven't already) would be a good idea, as it is/was wasting their bandwidth.


Why yes, I [i]am[/i] having a slow morning!
...why do you ask?

:eek2: wekk there ya go lol thank you for the very effective yet simple responce

SUZUKI TS250