Source Engine Servers and Network Protocols – Security
As an administrator of several Source based game servers, I’ve dealt with various known security vulnerabilities that Valve hasn’t bothered to fix. Some of the most common involve client side console commands that, if run once or spammed (which the server allows), cause a degradation of service (massive lag) or a denial of service (you guessed it, the server crashes). These really aren’t all that bad: since they are well known, server plugins are available to block the commands.
The most troubling incident I’ve dealt with involved an attacker who exploited a security vulnerability in Valve’s server query protocol, which caused a serious degradation of service condition. I couldn’t simply block all the query packets, since legitimate clients needed to be able to query servers. To further complicate matters, the attacker was also spoofing IP headers, which ruled out the possibility of a simple firewall rule.
This particular vulnerability was not really bad design per se (although it was poorly designed), but more a really poor implementation. Here are the details:
When a client wishes to find out basic information about a server (player counts, game type, game version, etc), they send a packet to the server requesting the information. The server then locates all this information, creates a packet and replies.
Normally, the query protocol works perfectly, without any performance issues. However, the code that generates the replies is so poorly written that a large number of query packets will generate lag spikes on the server, making it unplayable (degradation of service). Did Valve require a handshake / challenge before replying with this expensive-to-generate packet? Nope.
To resolve the attack, I wrote a server plugin that hooks the Winsock recvfrom call, and replies to query packets (it generates the replies itself) from a high performance cache (it returns SOCKET_ERROR to the server so it doesn’t try to reply).
With this cache installed, the server works flawlessly. This makes me wonder how Valve could have written such inefficient code and, having written it, considered it ready for production.
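The caching approach described above, as an added example that is not the author’s plugin: it replaces the Winsock recvfrom hook with a plain UDP responder in Python, so the behaviour can be seen end to end. The request bytes (`A2S_INFO_REQUEST`), the reply header byte and the reply layout are assumptions taken from Valve’s publicly documented query protocol, not from this post; `build_info_reply` is a constructed stand-in for the engine’s expensive reply generation, and `QueryCache`, `handle_datagram`, `simulate_burst` and `serve` are names invented for this example.

```python
import socket
import struct
import time

# Assumption (Valve's documented A2S_INFO format, not from the post): the
# request is four 0xFF bytes, the header byte 'T' and "Source Engine Query\0".
A2S_INFO_REQUEST = b"\xFF\xFF\xFF\xFFTSource Engine Query\x00"
PACKET_HEADER = b"\xFF\xFF\xFF\xFF"


def build_info_reply(server_name="constructed test server", players=12, max_players=32):
    """Constructed stand-in for the engine's expensive reply generation.
    A real A2S_INFO reply carries many more fields; this only mimics the shape."""
    payload = PACKET_HEADER + b"I"  # 'I' is the documented A2S_INFO reply header (assumption)
    payload += server_name.encode() + b"\x00"
    payload += struct.pack("<BB", players, max_players)
    return payload


class QueryCache:
    """Serve one prebuilt reply until it expires, so a burst of N queries
    costs one rebuild instead of N expensive ones."""

    def __init__(self, build_reply, ttl_seconds=2.0):
        self._build = build_reply
        self._ttl = ttl_seconds
        self._reply = None
        self._expires_at = 0.0
        self.builds = 0  # how many times the expensive path actually ran
        self.hits = 0    # how many queries were answered straight from cache

    def reply(self, now):
        if self._reply is None or now >= self._expires_at:
            self._reply = self._build()
            self._expires_at = now + self._ttl
            self.builds += 1
        else:
            self.hits += 1
        return self._reply


def handle_datagram(datagram, cache, now):
    """Decide what the recvfrom hook would do with one inbound datagram.
    Returns (reply_or_None, swallowed). swallowed=True means the hook answers
    the query itself and hides the packet from the engine (the post's
    SOCKET_ERROR return); everything else passes through untouched."""
    if datagram == A2S_INFO_REQUEST:
        return cache.reply(now), True
    return None, False


def simulate_burst(query_count, ttl_seconds=2.0, spacing=1.0):
    """Feed query_count queries `spacing` seconds apart on a fake clock and
    report (builds, hits) so the saving is visible without a network."""
    cache = QueryCache(build_info_reply, ttl_seconds)
    for i in range(query_count):
        handle_datagram(A2S_INFO_REQUEST, cache, now=i * spacing)
    return cache.builds, cache.hits


def serve(bind=("127.0.0.1", 27015), ttl_seconds=2.0):
    """Minimal UDP responder built on the cache. Non-query packets are simply
    dropped here; a real plugin would hand them on to the engine."""
    cache = QueryCache(build_info_reply, ttl_seconds)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, addr = sock.recvfrom(2048)
            reply, _ = handle_datagram(data, cache, time.monotonic())
            if reply is not None:
                sock.sendto(reply, addr)


if __name__ == "__main__":
    builds, hits = simulate_burst(10_000, ttl_seconds=2.0, spacing=0.001)
    print(f"10000 queries in 10 s: {builds} rebuilds, {hits} cache hits")
```

The important design point is the TTL: a short one (a couple of seconds) keeps player counts fresh enough for server browsers while bounding the expensive path to one rebuild per TTL regardless of how many queries arrive or which source address they claim, which is why spoofed headers stop mattering.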
I’d like to take a minute here and remind everyone this is just one of many known (and inexplicably, not yet patched) vulnerabilities (in game and network based) in the Source engine.
I enjoyed this post. I am sure you have seen me around AM helping out, but networking is not my cup of tea. Thanks.
They really don’t require a handshake? Man, that’s so amateur hour, thank you so much for installing that packet. Would you mind sharing which game servers you administrate?