Re: Quake II Remote Denial of Service

Kool Hercz (khercs@BIGFOOT.COM)
Thu, 25 Dec 1997 21:08:13 -0800

At 06:22 PM 12/24/97 -0500, you wrote:
>Hello bugtraq readers, this message will detail a security flaw in
>Id Software's game, Quake II.
>
>When a user runs a Quake II server, the attacker can send a couple of
>spoofed udp packets with the return address of 127.0.0.1 to the server
>port and this will cause the Quake II server to go into a cycle of trying
>to start a game with itself. Thus, the server will crash.
>
>There is currently no official patch for this problem, however for a
>temporary fix, you can set up a firewall and deny all incoming udp packets
>from 127.0.0.1 to your Quake II server port.
<Source Snipped>

ID Software is aware of this problem and is currently working on various
other updates and is going to include the fix for this problem in them. They
hope to have it released by Sunday (12-28), however since I am not speaking
on behalf of them, take not my word but finger johnc@ifsoftware.com.

An excerpt:

We are going to release a new quake 2 executable that fixes the
malicious server crashing problems Real Soon Now. It also fixes a
ton of other problems that have been reported, so we are going to
have to give it some good testing before releasing it.

Billy
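
The temporary fix quoted above (deny incoming UDP from 127.0.0.1 to the server port), sketched as a packet-level check. This is an added example, not part of the original thread or any Id Software code. Assumptions: the server listens on Quake II's default port 27910, the loopback interface is named `lo`, and the rule is widened from 127.0.0.1 to all of 127.0.0.0/8; the sample packets are constructed.

```python
import ipaddress
import struct

QUAKE2_PORT = 27910  # assumption: Quake II's default server port; set to the port in use
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def build_udp_packet(src, dst, sport, dport, payload=b"", frag_offset=0):
    """Constructed test input: minimal IPv4+UDP datagram, checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, frag_offset, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp

def verdict(packet, ingress_iface, server_port=QUAKE2_PORT):
    """Return 'drop' or 'accept' for a raw IPv4 packet received on ingress_iface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                              # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop"                              # malformed header length
    flags_frag, _ttl, proto = struct.unpack("!HBB", packet[6:10])
    if proto != 17:
        return "accept"                            # rule only covers UDP
    src = ipaddress.IPv4Address(packet[12:16])
    # A loopback source can never legitimately arrive on a non-loopback interface.
    spoofed = src in LOOPBACK and ingress_iface != "lo"
    if flags_frag & 0x1FFF:
        return "drop" if spoofed else "accept"     # later fragment: no UDP header to read
    if len(packet) < ihl + 8:
        return "drop"                              # truncated UDP header
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return "drop" if spoofed and dport == server_port else "accept"

def demo():
    """Run the rule over three constructed packets: spoofed, normal client, local."""
    samples = [
        ("eth0", build_udp_packet("127.0.0.1", "192.0.2.10", 27910, 27910)),
        ("eth0", build_udp_packet("198.51.100.7", "192.0.2.10", 27901, 27910)),
        ("lo",   build_udp_packet("127.0.0.1", "127.0.0.1", 27901, 27910)),
    ]
    return [verdict(pkt, iface) for iface, pkt in samples]

if __name__ == "__main__":
    print(demo())
```
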