Hi guys. This is a more general question about IP networks I guess. Even though I'm a FreeBSD dude, I don't know that much about IP networks. I've implemented a feature for my Urban Terror server which works very much like the legacy Q3 auth server. Now I have realized something (thanks to a reply I got for my previous question).
In [ioquake3 1.36], the function SV_AuthorizeIpPacket() (code/server/sv_client.c) is for handling auth packets from the legacy Q3 auth server. I see this in the first lines of code there:

    if ( !NET_CompareBaseAdr( from, svs.authorizeAddress ) ) {
        Com_Printf( "SV_AuthorizeIpPacket: not from authorize server\n" );
        return;
    }

Now presumably all that this checks is the source IP of the packet that came in. My question is, is it possible to easily spoof the source IP address in the UDP packet, so that some random Joe Schmoe on the internet [in Paris, France or in New Delhi, India] can send me tons of packets that look like they're from the auth server? Luckily, the lines that follow in this function are:

    challenge = atoi( Cmd_Argv( 1 ) );
    for (i = 0 ; i < MAX_CHALLENGES ; i++) {
        if ( svs.challenges[i].challenge == challenge ) {
            break;
        }
    }

So, the auth server echoes back a challenge number that was present in the request packet, and this is a good [enough] protection against spoofed packets. Now my question is, do I need a similar "challenge number" system for my new code, or is it enough to check NET_CompareBaseAdr() or NET_CompareAdr()? How easy is it to spoof the source IP and port in UDP packets?

- Rambetter
_______________________________________________
ioquake3 mailing list
ioquake3@lists.ioquake.org
http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org
By sending this message I agree to love ioquake3 and libsdl.
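Added example, not part of the original post and not ioquake3 code: a minimal pending-challenge table showing the check the post asks about, where a UDP reply is accepted only when the source address matches and it echoes a live, single-use nonce. All names (pending_t, challenge_issue, challenge_accept), the table size, the timeout and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PENDING   64  /* hypothetical table size */
#define CHALLENGE_TTL 5   /* seconds a challenge stays valid (assumed value) */

typedef struct {
    uint32_t client_ip;  /* client the auth request was about */
    uint32_t nonce;      /* unpredictable value sent in the request */
    uint32_t issued;     /* time the request was sent, in seconds */
    int      in_use;
} pending_t;

static pending_t pending[MAX_PENDING];

/* Record a nonce before sending the request. The caller must draw the nonce
 * from a CSPRNG; a predictable nonce gives no protection against spoofing. */
int challenge_issue(uint32_t client_ip, uint32_t nonce, uint32_t now) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use || now - pending[i].issued > CHALLENGE_TTL) {
            pending[i] = (pending_t){ client_ip, nonce, now, 1 };
            return i;
        }
    }
    return -1;  /* table full: refuse rather than evict a live entry */
}

/* Accept a reply only if the source matches the auth server AND the echoed
 * nonce matches a live outstanding request. Returns the slot index or -1. */
int challenge_accept(uint32_t from_ip, uint32_t auth_ip, uint32_t nonce, uint32_t now) {
    if (from_ip != auth_ip) return -1;  /* necessary, but spoofable on its own */
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use) continue;
        if (now - pending[i].issued > CHALLENGE_TTL) { pending[i].in_use = 0; continue; }
        if (pending[i].nonce == nonce) {
            pending[i].in_use = 0;      /* single use: a replayed reply fails */
            return i;
        }
    }
    return -1;
}

int main(void) {
    const uint32_t auth = 0xC0000202;  /* 192.0.2.2, constructed address */
    challenge_issue(0x0A000001, 0xDEADBEEFu, 100);  /* constructed nonce */
    printf("guessed nonce: %d\n", challenge_accept(auth, auth, 0x1234u, 101));
    printf("echoed nonce:  %d\n", challenge_accept(auth, auth, 0xDEADBEEFu, 101));
    printf("replay:        %d\n", challenge_accept(auth, auth, 0xDEADBEEFu, 102));
    return 0;
}
```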