Traffic amplification via Quake 3-based servers Mar 26 2012 10:28AM
Simon McVittie (smcv debian org)
It has been discovered that spoofed "getstatus" UDP requests are being
used by attackers[0][1][2][3] to direct status responses from multiple
Quake 3-based servers to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

Open-source games derived from the Quake 3 engine are typically based on
ioquake3 [4], a popular fork of that engine. This vulnerability was
fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
rate-limit to the getstatus request. Like several other known and fixed
vulnerabilities, it is not fixed in the latest official ioquake3 release
(1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena,
mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake 3 engine (Quake III Arena
when played using its official engine, Star Wars: Jedi Outcast and Jedi
Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be

Proprietary games being run under the ioquake3 engine (Quake III Arena
when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may be
vulnerable or not vulnerable, depending on the version of ioquake3 used.

[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus