Flaw turns game servers into attack tools

In an advisory posted to the company's Web site, security consultancy PivX Solutions said that popular multiplayer games--such as Quake III, Unreal Tournament 2003, and Battlefield 1942--could be used to magnify a denial-of-service attack, in some cases by as much as 400 times. As a result, game servers could be used as the latest tool for online scofflaws to digitally attack other computers on the Internet.

"This attack will go right through a lot of firewalls right now," said Geoff Shively, chief technical officer for PivX. "A single server can theoretically produce enough data to flood a T-1 [a 1.5 Mbps connection]."

The flaw occurs because servers that include the GameSpy networking code automatically send responses to queries for status information and don't verify the sender's address. An attacker can just ask the server for the information but forge the data so that the packets appear to come from a fake address. When the game server responds, the large amount of information sent in reply goes to the target of the attack instead. Some games that don't specifically use GameSpy code are also affected.

Among the games that PivX believes are vulnerable are Battlefield 1942, Quake, Quake II, Quake III: Arena, Half-Life, Unreal Tournament, Tribes, Return to Castle Wolfenstein, Medal of Honor: Allied Assault, Neverwinter Nights, America's Army, and Unreal Tournament 2003. Servers that are released on the Linux platform are affected as well.

"As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement.

David Wright, director of technology for GameSpy, acknowledged that the amount of data that the attack could generate was "significant." Yet, he downplayed the seriousness of the flaw.

"It is not something that is used often, because if anyone wants to do a denial-of-service attack, they are far more likely to use servers that they have taken control of," Wright said. GameSpy expects to send out guidelines to its partners on how to limit the effect of the attack and also plans to provide a patch to limit the rate the game servers would respond to requests for status.

Such a fix is long overdue, said Marc Maiffret, chief hacking officer for vulnerability assessment firm eEye Digital Security. Citing discussions between security experts about the susceptibility of Quake II to the same technique when that game was released, he said that security experts have known about the problem for some time.

"While this is not a new technique, it is good that it is being 'rediscovered,' because obviously games are still vulnerable," he said. "It's a Catch-22 situation where security, in some cases, has to be sacrificed in order to have the performance these network games require."

The problem takes advantage of Internet data known as the user datagram protocol, or UDP. Unlike the more common transmission control protocol, or TCP, packets that make up the majority of Internet traffic, UDP data doesn't require a connection to be established between a server and client. That allows an attacker to send a UDP packet with a phony source address; when the victim server responds to the UDP data, it will actually be sending data to--attacking--the target server specified in the forged source address.

For the long list of game servers included in the advisory, UDP packets are used to send commands, say, to request the status of the server. By sending a constant stream of packets that include the address of a specific target, the much larger status information will inundate the target network.

"Battlefield 1942 is the best example of this," said Shively. "It sends a large amount of data in reply to a single request." By PivX's calculations, commands sent to a Battlefield 1942 server at 4Kbps will turn into a 550Kbps attack on a target. He added that the software developers could fairly easily correct the problem. "They just have to push an update to the most popular games, and they are set," he said.

Electronic Arts, the publisher of Battlefield 1942, could not immediately comment on the issue.