########################################################################

                            Luigi Auriemma

Application: Unreal Tournament (Win version, Linux and Mac not tested)
Version:     all the version (436 vulnerable too)
Bug:         UT servers send a great number of packets to every host
             that send only 1 packet to them, for 2 min and 30 sec
Date:        03 July 2002
Author:      Luigi Auriemma
             e-mail: aluigi@autistici.org
             web:    aluigi.org


########################################################################


Sections:
1) Introduction
2) Bug
3) The Code
4) Fix


########################################################################

===============
1) Introduction
===============


- Important:
Some days ago I have found, with some difficult, a discussion started
by Jeff Calvert in the "Vuln-Dev" section of the SecurityFocus's
Bugtraq, a lot of time ago (May 28 2000), that show the problem of do
a DoS with the UT servers, but this discussion was dead after about
some mails.
I think that is INCREDIBLE that a so important and danger problem
(for me a DDoS attack so simple to do is a real risk...) that is
known from the year 2000 already exist.
However it exist and this advisory want to explain it.

########################################################################

======
2) Bug
======


The UDP is a connection-less protocol so is "normal" that it is
insecure, but UT don't do any control about the packets that it
receives!

However the bug is really simple and really danger, the follow is a
simple example.

First the list of the UT default ports found on the home of the
game, http://unreal.epicgames.com:
* UDP 7775 and 7776 are used only for LAN games. You don't need
  to route them through a firewall.
* UDP 7777 is for gameplay (...the dangerous port...).
* UDP 7778 is for server querying.
* UDP 7779+ are allocated dynamically for each helper UdpLink
  objects, including UdpServerUplink objects.
* UDP 27900 is for server querying, if you enable the master server
  uplink. Some master servers use other ports,  like 27500.

Now the example, we have 3 hosts:
A - the attacker
B - the UT server
C - the victim

- The host A send 1 empty UDP packet with the source IP of the host C
  to the port 7777 (UT default port) of the host B.

- The host B begin to send about 10 packets/second of the size of 46
  bytes to the host C and it will stop to send after 2 minutes and 30
  seconds (default UT timeout).

- The host C will receive all these packets and it will reply with an
  ICMP port unreachable message that will be ignored by the host B.

- The host A after 2 mins and 30 secs can restart the attack.

So with this bug an attacker can flood (in anonimity) other hosts.
Every packets that the UT server send have a size of 46 bytes (and
the packets that we send to it are 28 bytes), for this IN THEORY if I
send 156 packets to an UT server with the sender address of an user
that have a 56K modem and the sender port that is different for each
packets (a good choose is to use incremental or random ports), this
last will be flooded with 7200 bytes for 2 minutes and 30 seconds.
The number of packets sended by the server seem to be the same also if
I change the "Network speed" option in the net settings of UT.

Naturally this attack have 2 effects.
The first is the DoS against the victim and than the DoS versus the
same UT server that must send a great quantity of packets, so it use
a lot of network band and CPU.
I think that this attack is a bit similar to the smurf attack, but
UnrealTournament is really a great game with a lot of players and
servers in all the world, so there is no problem to found servers to use
for the attack (for the smurf attack you need misconfigured routers that
are more difficult to found, but with UT you can found servers without
any problem).
For this I think that this bug is really danger and can be used for do
DDoS.
Then I hope that the same error wille not be present in UT 2003, but I
also hope that this problem will be fixed soon.

All the tests, are been made on my LAN on the Win version of
UnrealTournament (v436). (Linux and Mac has not be tested, but it use
the same protocol of sure).
Naturally I have done also some test on Internet and the results are the
same.

########################################################################

===========
3) The Code
===========


Look to the Utddos proof-of-concept (use with care!):

http://aluigi.org/poc/utddos.c


########################################################################

======
4) Fix
======


IPDrv.dll from Epic home.


########################################################################