Greetings all,

While happily idling on EFNet, several members of #LinuxOS found that they were coming under DoS attack from a user who had been repeatedly kicked and banned for his "haqur" attitude. That is: touting an "elite" DoS attack that he "couldn't distribute".

However, being a tech channel, and being more interested in how the problem worked than in having this code, we managed to pry out the following details; as to their accuracy I'm unsure.

* Through the NQ (NetQuake) Protocol it is possible to send a spoofed connect request packet to several <i.e. 400 or so> NetQuake Servers. This will then result in a flood of attempted "Connect" requests from the servers' end to the target machine, whether that target machine carries a copy of Quake or not. This may be perceived in a similar way to a smurf attack, although I'm told it requires far less bandwidth "and can be done from even a 14.4".

* Apparently the fix is to send a DISCONNECT packet to each IP that tries sending UDP traffic in the attempt to initialize a NetQuake game. This will cause the server to "give up" trying to start a game, ending the flood.

I would just like to now note, as a matter of courtesy: neither I nor, to the best of my knowledge, any member of #LinuxOS discovered this bug or wrote any exploit code for it. I and the overwhelming majority of #LinuxOS felt that it would be far better to alert the general community to "yet another" DoS attack.

I do not have the exploit or patch code; as I have said, "AgentX"/"Playtex" on EFNet (your friendly neighbourhood DoS supplier) was incredibly tight when it came to distributing any source code. I would recommend asking him or one of his clique.

I do however have tcpdump available from http://riva.gnu.net/nq-attack

regards - q

= To err is human, to forgive is Not Company Policy.
++- Q
+ - GNU Networks - http://www.gnu.net
+ - qat_private/http://riva.gnu.net
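The following is an added example, not part of the original post and not code from anyone it mentions: a detector that flags a local host receiving NetQuake-framed UDP from several servers it never contacted, which is what the flood described above would look like in a capture. The header layout and constants follow the publicly released Quake source (net_dgrm.c); the function names, threshold, addresses and packets are constructed for illustration.

```python
import struct
from collections import defaultdict

# Constants as defined in the released Quake source (net_dgrm.c).
NETFLAG_CTL = 0x80000000          # control (connection setup) packet
NETFLAG_DATA = 0x00010000         # reliable game data
NETFLAG_LENGTH_MASK = 0x0000FFFF  # low 16 bits: total datagram length
CCREP_ACCEPT = 0x81               # server's answer to a connect request

def parse_nq(payload):
    """Return (is_control, command) for a NetQuake-framed datagram, else None."""
    if len(payload) < 5:
        return None
    (header,) = struct.unpack(">I", payload[:4])
    if (header & NETFLAG_LENGTH_MASK) != len(payload):
        return None  # length field must equal the datagram size
    is_control = bool(header & NETFLAG_CTL)
    return is_control, (payload[4] if is_control else None)

def find_reflection_targets(inbound, solicited, min_servers=3):
    """inbound: (src_ip, dst_ip, udp_payload) tuples seen at the border.
    solicited: (local_ip, remote_ip) pairs the local host contacted first.
    Returns {local_ip: sorted list of servers sending unsolicited NQ traffic}."""
    servers = defaultdict(set)
    for src, dst, payload in inbound:
        if parse_nq(payload) is None or (dst, src) in solicited:
            continue
        servers[dst].add(src)
    return {d: sorted(s) for d, s in servers.items() if len(s) >= min_servers}

def _accept(port):
    """Constructed CCREP_ACCEPT reply: header, command byte, new port."""
    body = bytes([CCREP_ACCEPT]) + struct.pack("<i", port)
    return struct.pack(">I", NETFLAG_CTL | (4 + len(body))) + body

def _data(seq, body):
    """Constructed reliable data packet: header, sequence number, body."""
    return struct.pack(">II", NETFLAG_DATA | (8 + len(body)), seq) + body

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    ("192.0.2.10", "198.51.100.7", _accept(26001)),
    ("192.0.2.11", "198.51.100.7", _accept(26002)),
    ("192.0.2.12", "198.51.100.7", _data(0, b"\x0b")),
    ("192.0.2.20", "198.51.100.9", _accept(26001)),        # a real player
    ("192.0.2.30", "198.51.100.7", b"\x00\x01not-quake"),  # unrelated UDP
]
SOLICITED = {("198.51.100.9", "192.0.2.20")}

if __name__ == "__main__":
    for host, srcs in find_reflection_targets(SAMPLE, SOLICITED).items():
        print(f"{host}: unsolicited NetQuake traffic from {len(srcs)} servers")
```
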
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:54:20 PDT