Many multiplayer game servers--think "Quake 3" and "Battlefield 1942"--are at risk of being used to launch a denial-of-service attack, warns a security company.
In an advisory posted to the company's Web site, security consultancy PivX Solutions stated that popular multiplayer games that have servers supporting the GameSpy network--such as "Quake 3: Arena," "Unreal Tournament 2003" and "Battlefield 1942"--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times.
"This attack will go right through a lot of firewalls right now," said Geoff Shively, chief technical officer for the Newport Beach, Calif.-based company. "A single server can theoretically produce enough data to flood a T-1 (connection, or 1.5 Mbps)."
The flaw occurs because servers that include the GameSpy networking code automatically send responses to queries for status information and don't verify the sender's address. An attacker can just ask the server for the information, but forge the data so that the packets appear to come from a fake address. When the game server responds, the large amount of information sent in reply goes to the target of the attack instead.
Other games that PivX believes are vulnerable are "Quake," "Quake 2," "Half-Life," "Tribes," "Return to Castle Wolfenstein," "Medal of Honour: Allied Assault," "NeverWinter Nights," and "America's Army." Versions of the game servers that are released on the Linux platform are affected as well.
"As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement.
David Wright, director of technology for GameSpy, acknowledged that the amount of data that the attack could generate was "significant." Yet he downplayed the seriousness of the flaw.
"It is not something that is used often, because if anyone wants to do a denial-of-service attack, they are far more likely to use servers that they have taken control of," Wright said. GameSpy expected to send out guidelines to its partners on how to limit the effect of an attack. It also plans to provide a patch to limit the rate that the game servers would respond to requests for status.
Such a fix is long overdue, said Marc Maiffret, chief hacking officer for vulnerability assessment company eEye Digital Security.
Citing discussions between security experts about the susceptibility of "Quake 2" to the same technique when that game was released, he said that security experts have known about the problem for some time.
"While this is not a new technique it is good that it is being 'rediscovered,' because obviously games are still vulnerable," he said. "It's a 'catch-22' situation where security, in some cases, has to be sacrificed in order to have the performance these network games require."
The problem takes advantage of Internet data known as the user datagram protocol, or UDP. Unlike the more common transmission control protocol, or TCP, packets that make up the majority of Internet traffic, UDP data doesn't require a connection to be established between a server and client. That allows an attacker to send a UDP packet with a phony source address; when the victim server responds to the UDP data, it will actually be sending data--as an attack--to the target server specified in the forged source address.
For the long list of game servers included in the advisory, UDP packets are used to send commands, say, to request the status of the server. By sending a constant stream of packets that include the address of a specific target, the much larger status information will inundate the target network.
"'Battlefield 1942' is the best example of this," said Shively. "It sends a large amount of data in reply to a single request." By PivX's calculations, commands sent to a "Battlefield 1942" server at 4Kbps will turn into a 550Kbps attack on a target.
He added that software developers could fairly easily correct the problem. "They just have to push an update to the most popular games, and they are set," he said.
Electronic Arts, the publisher of "Battlefield 1942," could not immediately comment on the issue.