Game server flaw poses attack threat

Multiplayer game servers that let players attack each other in virtual worlds could be the latest tool for online scofflaws to digitally attack other computers on the Internet, according to a security firm.

In an advisory posted to the company's website, security consultancy PivX Solutions stated that popular multiplayer games that have servers supporting the GameSpy network - such as "Quake 3: Arena," "Unreal Tournament 2003" and "Battlefield 1942" - could be used to magnify a denial-of-service attack, in some cases by as much as 400 times.

"This attack will go right through a lot of firewalls right now," said Geoff Shively, chief technical officer for the company. "A single server can theoretically produce enough data to flood a T-1 (connection, or 1.5 Mbps)."

The flaw occurs because servers that include the GameSpy networking code automatically send responses to queries for status information and don't verify the sender's address. An attacker can just ask the server for the information, but forge the data so that the packets appear to come from a fake address. When the game server responds, the large amount of information sent in reply goes to the target of the attack instead.

Other games that PivX believes are vulnerable are "Quake," "Quake 2," "Half-Life," "Tribes," "Return to Castle Wolfenstein," "Medal of Honour: Allied Assault," "NeverWinter Nights," and "America's Army." Versions of the game servers that are released on the Linux platform are affected as well.

"As a basic rule of thumb, if it supports GameSpy, it will likely be vulnerable," Mike Kristovich, a security researcher for PivX, said in a statement.

David Wright, director of technology for GameSpy, acknowledged that the amount of data that the attack could generate was "significant." Yet he downplayed the seriousness of the flaw.

"It is not something that is used often, because if anyone wants to do a denial-of-service attack, they are far more likely to use servers that they have taken control of," Wright said. GameSpy expected to send out guidelines to its partners on how to limit the effect of an attack. It also plans to provide a patch to limit the rate that the game servers would respond to requests for status.

Such a fix is long overdue, said Marc Maiffret, chief hacking officer for vulnerability assessment company eEye Digital Security.

Citing discussions between security experts about the susceptibility of "Quake 2" to the same technique when that game was released, he said that security experts have known about the problem for some time.

"While this is not a new technique it is good that it is being 'rediscovered,' because obviously games are still vulnerable," he said. "It's a 'catch-22' situation where security, in some cases, has to be sacrificed in order to have the performance these network games require."