mailing list archives
Re: NetQuake Protocol problem resulting in smurf like effect.
From: blk_jack () SELLOUT THT NET (Black Jack)
Date: Tue, 26 May 1998 15:19:05 -0400
A note on this subject, I, myself (blk_jack () EFnet) was talking to the
attacker also (On #LinuxOS). He was distributing a file (binary) - anti.
He then told me to run the program & let him attack me. I did so, and
noticed immediately that floods of packets were coming in from quake
server addresses... I then ran the program which 'looked' for the connect
packets & sent disconnect packets back to the senders.
This bug isn't very complicated, and it was efficiently stopped with this
'fix'. BUT, the next day or so I got 2 emails from my isp, complaining
that quake servers had mailed them and told them that I had been flooding
them (the spoofed address sent to the servers for the DoS attack in the
first place). Luckily, my isp is understanding and let it slide after I
I wouldn't be so worried about the attack actually flooding you off, more
of the side effects of quake servers complaining to your isp and getting
YOU kicked off.
My little thoughts...
On Fri, 22 May 1998, Q wrote:
While happily idling on EFNet, several members of #LinuxOS found
that they were coming under DoS attack from a user who had been repeatedly
kicked and banned for his "haqur" attitude. That is: touting
an "elite" DoS attack, that he "couldn't distribute". However, being a
tech channel, and being more interested in how the problem worked than
having this code, we managed to pry the following details, as to their
accuracy I'm unsure.
* Through the NQ (NetQuake) Protocol it is possible to send a spoofed
connect request packet to several <i.e 400 or so> NetQuake Servers. This
then will result in a flood of attempted "Connect" requests from the
servers' end to the target machine whether that target machine carries a
copy of Quake or not. This may be perceived in a similar way to smurf
attack, although I'm told it requires far less bandwidth "and can be done
from even a 14.4"
* Apparently the fix is to send a DISCONNECT packet to each IP that tries
sending UDP traffic in the attempt to initialize a NetQuake game. This
will cause the server "give up" trying to start a game, ending the flood.
I would just like to now note, as a matter of courtesy: I and to the best
of my knowledge, no member of #LinuxOS discovered this bug, or wrote any
exploit code for it. I and the overwhelming majority of #LinuxOS felt
that it would be far better to alert the general community to "yet
another" DoS attack.
I do not have the exploit or patch code, as I have said "AgentX"/"Playtex"
on EFNet (your friendly neighbourhood DoS supplier) was incredibly tight
when it came to distributing any source code. I would recommend asking
him or one of his clique. I do however have tcpdump available from
= To err is human, to forgive is Not Company Policy.
+ - GNU Networks -http://www.gnu.net
+ - q () gnu net/http://riva.gnu.net