08-21-2005 10:54 AM - edited 03-10-2019 01:35 AM
One of our most commonly hosted games suffers greatly at the moment, as we get hit by a mIRC script that forces the servers to crash. We have tried to limit the buffer size, i.e. patching it, but it simply doesn't work against this malware.
We are now looking into a hardware firewall solution that can prevent these attacks without causing performance losses on our game servers.
Cisco PIX506E or PIX516E: can either of these deliver this?
The game servers get flooded by a getinfo request + a, and it loops until the server can't respond any more and shuts down. I know what strings to look for in the packets, so could these HW firewalls filter these out?
08-25-2005 05:35 AM
Remember that the purpose of Firewalls is to prevent unauthorized entry into your network while allowing desired traffic at the same time. It is probably easiest to begin with an analysis of what the objective of a break-in might be, then consider how to make it difficult for a potential criminal to get into your network. Due to their inherently insecure natures, some network protocols are not appropriate for running across Firewalls from untrusted to trusted networks. Examples of such insecure protocols are:
NFS
rlogin
rsh
any RPC-based protocol.
08-25-2005 06:03 AM
The Quake 3 engine has problems handling big queries, allowing an attacker to shut down any game server based on this engine:
ERROR: Info_SetValueForKey: oversize infostring
In some of the vulnerable games it is also possible to crash the server.
A malware script sends a getstatus aaaaa to the server until it chokes and crashes. The patch that is out there doesn't really solve the problem. That is why I was wondering whether the firewall solution could filter out these packets, or whether it would slow things down too much.
08-25-2005 07:34 AM
If the getinfo/getstatus messages must get through for proper play, and you need to block just malformed versions of those packets, then I don't think a FW is what you need. You need a regex capability, like in the IDS/IPS product, that can be customized to your specific problem. Either an IPS (inline) solution or an IDS with a blocking FW or router would work. Implementation details would be specific to your requirements (response time, latency impact, etc.) for game play. (I know *I* don't want high pings.)
Scott
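To make concrete what the "regex capability" above would have to do, here is an added example, not code from the original thread or from any Cisco product, of the filtering logic the original poster describes: pass normal getstatus/getinfo queries, drop the oversize variant, and rate-limit a source that floods well-formed queries. It assumes the Quake 3 connectionless packet layout (four 0xFF bytes followed by an ASCII command and an optional argument), and the thresholds MAX_ARG_LEN, RATE_LIMIT and WINDOW_SECONDS are illustrative values chosen for the example. The sample packets are constructed, not a capture.

```python
"""Classify Quake 3 style out-of-band (OOB) query packets.

Added example for the thread above, not code from the original post.
Assumed packet layout: b"\xff\xff\xff\xff" + command + optional argument.
Thresholds below are assumptions for illustration, not engine constants.
"""
from collections import defaultdict, deque

OOB_PREFIX = b"\xff\xff\xff\xff"
QUERY_COMMANDS = {b"getstatus", b"getinfo"}
# Assumed cut-off: legitimate server browsers send a short challenge token,
# so anything longer than this is treated as the oversize attack variant.
MAX_ARG_LEN = 32
# Assumed per-source budget: at most RATE_LIMIT queries per WINDOW_SECONDS.
RATE_LIMIT = 5
WINDOW_SECONDS = 1.0


def parse_query(payload: bytes):
    """Return (command, argument) for a getstatus/getinfo OOB query, or None
    for anything else so that ordinary game traffic is never touched."""
    if not payload.startswith(OOB_PREFIX):
        return None
    body = payload[len(OOB_PREFIX):]
    parts = body.split(None, 1)          # first whitespace-delimited token is the command
    if not parts or parts[0] not in QUERY_COMMANDS:
        return None
    arg = parts[1].strip() if len(parts) > 1 else b""
    return parts[0], arg


def is_oversize(payload: bytes) -> bool:
    """True for a query whose argument exceeds the assumed MAX_ARG_LEN."""
    parsed = parse_query(payload)
    return parsed is not None and len(parsed[1]) > MAX_ARG_LEN


class QueryRateLimiter:
    """Sliding-window count of accepted query packets per source address."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        q = self._hits[src]
        while q and now - q[0] >= self.window:   # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_packets(packets, limiter=None):
    """Return one verdict per packet: 'pass', 'drop-oversize' or 'drop-rate'.
    packets: iterable of (timestamp_seconds, src_ip, udp_payload)."""
    limiter = limiter or QueryRateLimiter()
    verdicts = []
    for ts, src, payload in packets:
        parsed = parse_query(payload)
        if parsed is None:
            verdicts.append("pass")              # not a query: leave game traffic alone
        elif len(parsed[1]) > MAX_ARG_LEN:
            verdicts.append("drop-oversize")     # the crash variant from the thread
        elif not limiter.allow(src, ts):
            verdicts.append("drop-rate")         # well-formed but flooding
        else:
            verdicts.append("pass")
    return verdicts


# Constructed sample traffic (not a real capture): one normal browser query,
# one oversize getstatus, a burst of eight well-formed getinfo from the same
# source, a connect packet and an in-game packet that must both pass.
SAMPLE_PACKETS = (
    [(0.00, "198.51.100.7", OOB_PREFIX + b"getstatus xxx"),
     (0.01, "203.0.113.9", OOB_PREFIX + b"getstatus " + b"a" * 1200)]
    + [(0.02 + i * 0.05, "203.0.113.9", OOB_PREFIX + b"getinfo xxx") for i in range(8)]
    + [(0.50, "198.51.100.7", OOB_PREFIX + b"connect \"\\challenge\\123\""),
       (0.60, "198.51.100.7", b"\x00\x01\x02\x03 game data")]
)


def summarize(packets=SAMPLE_PACKETS):
    """Count verdicts for a packet list."""
    verdicts = filter_packets(packets)
    return {v: verdicts.count(v) for v in sorted(set(verdicts))}


if __name__ == "__main__":
    print(summarize())
```

Run stand-alone, the sample traffic yields 8 passed packets, 1 oversize drop and 3 rate-limit drops; the oversize check fires on a single packet, while the rate limiter is what stops a flood of otherwise valid queries. An inline IPS rule would express the same two conditions as a content match on the OOB prefix plus command token with a length constraint, and a per-source threshold.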