So after getting more familiar with the getchallenge code in sv_client.c of
ioquake3, I started thinking about how to do a denial of service attack.
Here is the idea.

I send getchallenge UDP packets to an ioquake3 server, where the source
address and port of each packet is spoofed, chosen at random.  I want my
rate of packet sends to be high enough to completely flush out the
1024-length challenge array in about 30-40 milliseconds.  This means I want
to send 1024 spoofed getchallenge packets every 30 to 40 milliseconds.  If I
do this, a person with a ping greater than 40 milliseconds won't be able to
connect to the server (probably getting the "bad challenge" message),
because his challenge will be clobbered within 40 milliseconds, the time it
takes him between getchallenge and connect packets.

OK so 1024 getchallenge packets every 40 milliseconds.  Each getchallenge
packet's payload is about 20 bytes or so.  Add the UDP header and that
probably goes up to about 40 bytes (I actually don't know how big the UDP
headers are off hand, would have to read the specs).  OK, so I need to send
40x1024 bytes every 40 milliseconds to do my denial of service attack.  1000
(1 second) divided by 40 millis is 25, so I need to send 25x40x1024 bytes
per second.  That's 1 megabyte per second, or 8 megabits per second.  It's
quite a lot of bandwidth for the job, but it would be effective (I have not
actually tested this, but a program would be easy enough to write).

One way to prevent against this attack is to increase the challenges array
from size 1024 to, say, 2048.  But then you have to scan the larger array on
every getchallenge and connect packet.  Scanning 1024 entries on every
getchallenge and connect is already a lot IMO.

Another way to do this is to have a tree structure, like an in-memory B+
tree.  You could write it to use a constant, fixed amount of memory.  There
would have to be 2 indexes into the tree - one being the IP/port and the
other being the time of creation.  With a tree, you could store very very
many challenges without paying a significant insertion, deletion, or scan
penalty.  But would this be worth it?  (I've written trees before, it's not
that complex.)

I have not checked the TCP/IP stack code before, but how does someone like
BSD handle storing of SYN packets in their network code?  I imagine SYN
packet is similar to challenge, but I don't know too much about TCP/IP.

- Rambetter
_______________________________________________
ioquake3 mailing list
ioquake3@lists.ioquake.org
http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org
By sending this message I agree to love ioquake3 and libsdl.
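The storage problem raised in the message above also has a stateless answer, which is the idea behind TCP SYN cookies: derive the value from a keyed hash of the peer's address, port and a coarse time slot instead of storing it, so a flood of spoofed getchallenge packets has no array entry to clobber. The following is an added example, not ioquake3's code; the slot length, the secret and the FNV-based keyed hash are constructed placeholders (a real server would use a proper MAC such as SipHash or HMAC and a random secret).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Time slot a challenge stays valid for; constructed value for this example. */
#define CHALLENGE_SLOT_MS 30000u
/* Per-server secret; a real server would draw this randomly at startup. */
static const uint64_t server_secret = 0x0123456789abcdefULL;

/* Placeholder keyed hash (FNV-1a over secret || ip || port || slot).
 * A production server should use a real MAC such as SipHash or HMAC here. */
static uint32_t keyed_hash(uint32_t ip, uint16_t port, uint32_t slot) {
    uint8_t buf[8 + 4 + 2 + 4];
    uint64_t h = 1469598103934665603ULL;
    memcpy(buf, &server_secret, 8);
    memcpy(buf + 8, &ip, 4);
    memcpy(buf + 12, &port, 2);
    memcpy(buf + 14, &slot, 4);
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* getchallenge handler: derive the challenge from the peer tuple, store nothing. */
uint32_t make_challenge(uint32_t ip, uint16_t port, uint32_t now_ms) {
    return keyed_hash(ip, port, now_ms / CHALLENGE_SLOT_MS);
}

/* connect handler: recompute for the current slot and the previous one, so a
 * client whose getchallenge/connect round trip straddles a slot boundary is
 * still accepted; anything older than that is treated as expired. */
int check_challenge(uint32_t ip, uint16_t port, uint32_t now_ms, uint32_t challenge) {
    uint32_t slot = now_ms / CHALLENGE_SLOT_MS;
    if (challenge == keyed_hash(ip, port, slot))
        return 1;
    if (slot > 0 && challenge == keyed_hash(ip, port, slot - 1))
        return 1;
    return 0;
}

int main(void) {
    uint32_t client_ip = 0x0a000001u;           /* constructed: 10.0.0.1 */
    uint32_t c = make_challenge(client_ip, 27960, 100000u);
    /* 1024 spoofed getchallenge requests in between change no server state. */
    for (uint32_t i = 0; i < 1024; i++)
        (void)make_challenge(0xc0a80000u + i, (uint16_t)(1024 + i), 100020u);
    printf("legit connect 40 ms later: %s\n",
           check_challenge(client_ip, 27960, 100040u, c) ? "accepted" : "rejected");
    return 0;
}
```

Because the challenge is a function of the real source address, a spoofed getchallenge only produces a reply the sender never sees, and a legitimate connect is verified by recomputation rather than by hoping its array slot survived.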
