DevNull Explained
Written by ipnullrouted (at) gmail.com
15th of January 2012
Definitions:
Garry’s Mod = A sandbox game based on the Source engine, see garrysmod.com.
Introduction
For several months there have been massive so-called Distributed Denial of Service (DDoS) attacks against the online gaming community, particularly the Garry’s Mod community. These attacks take down the internet connectivity of servers and players by flooding their network with large amounts of redundant traffic. The ability to perform these attacks is easily obtained by purchasing a program for a relatively low price. As a result, many immature players have obtained a copy of this program and can take down any regular player or server that doesn’t have sufficient protection.
The attacks are performed using a program named DevNull. Access to this program can be obtained by contacting a person whose name won't be mentioned here; the program is sold in private to avoid attention. For around $30 you can obtain a copy that works for a month, a lifetime copy costs $50, and there’s also a special copy that costs $150 and has more power.
Inner Workings
Networking basics
First I will explain some networking basics before going into DevNull in detail.
When you send information across the internet, everything you send is split up into so-called 'packets'. A packet is a small piece of information that contains, among other things, a source address, a destination address and a payload with data. A packet can basically be compared to a letter: each letter has a destination address, your own address written on it (the source) and usually contains a piece of information.
Attack types
DevNull is capable of attacking servers and players using 'bandwidth' and 'packets per second' attacks. Customers of DevNull have a variety of attacks to choose from; however, research suggests that each choice fits into one of these two categories.
Bandwidth attack
The bandwidth attack option is an attack that basically attempts to overload a system's internet line by sending lots of packets with a huge payload. A bandwidth attack doesn't necessarily overload the system itself; it overloads the line the system is connected to, and it uses a lot of bandwidth on the victim’s side, which costs the victim a lot of money. The average bandwidth attack is 600 megabits per second in size. That's around the same amount of data that 75 ADSL lines combined could download per second. However, in DevNull additional ‘slots’ can be purchased, each slot increasing the attack by another few hundred megabits per second. This way some attacks can reach several gigabits per second.
The method that DevNull currently uses to generate bandwidth attacks of this size is amplification by reflection. Amplification means using an external party to 'amplify' your attack to several times its original size, usually by sending a small request to that party, which in turn responds with a large amount of data. Reflection means tricking the external party into sending its response to a falsified IP address. Combining the two gives you powerful attacks.
The 'external party' that DevNull currently uses to amplify the majority of its bandwidth attacks are games running on the id Tech 3 engine, most notably Call of Duty 4 servers. The id Tech 3 engine currently has a vulnerability, caused by improper programming practices, that can be exploited to trick a game server running the engine into sending a lot of information to another computer. This vulnerability is found in the server query system. A query in this case is a request for information about a game server, and the response to that query contains the player count, the names of the players on the server, the maximum number of rounds that can be played, the map the server is on, et cetera.
The servers that host DevNull’s back-end send query requests to thousands of CoD4 servers but falsify the source IP address of those requests, so all these thousands of CoD4 servers respond to the falsified IP address, which is the victim of the attack. There’s currently no limit in the id Tech 3 engine on the number of query responses that can be sent to a single address, and there’s also no verification of whether the requests are coming from a valid source. This allows the DevNull back-end to send hundreds of thousands of query requests and generate a huge amount of bandwidth on the victim’s side. The average query request is 58 bytes in size, and the average response to that request is between 500 and 1500 bytes. The bandwidth DevNull has to use for an attack is around 10% of the bandwidth that the victim will receive, which makes these attacks very easy to maintain and cheap in bandwidth costs for the owner of DevNull.
Packets per Second attack
The PPS attack option is an attack that attempts to overload a system not by sending a lot of data, but by sending a lot of relatively small packets, each containing a small amount of data (usually zeros). During an average PPS attack, where 50,000-100,000 of these packets reach an application hosted on a server every second, the application spends all its CPU time answering and processing these packets.
The specialty of this attack is that each packet has a falsified, randomized source IP address, so the average built-in protection against IP floods won’t detect the attack, because the IP address the packets appear to originate from is different every time. This causes the victim to waste a lot of resources responding to IP addresses that never requested anything from it in the first place; all these random hosts that receive data out of nowhere then respond to the victim that they aren’t accepting it.
These attacks bring servers to their knees, although they are cheaper for the victim’s side because there are no massive bandwidth costs involved. The attacks can still reach 50 Mbit/s and cause a lot of scattered responses coming from the victim.
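The point above, that a per-IP flood counter is blind to randomized spoofed sources, can be shown with a small detector. This is an added example, not code from the original article: it runs over constructed log lines of the form "epoch-second source-ip dest-port payload-bytes", and the thresholds are assumptions chosen for the sample.

```python
"""Spoofed-source PPS flood detector (added example, not from the article).
Compares a classic per-IP counter with a per-second check on how many
distinct sources appear; only the latter sees a randomized-source flood."""
from collections import defaultdict

# Assumed thresholds, sized for the tiny constructed sample below.
PPS_THRESHOLD = 5      # packets per second that count as a flood
UNIQUE_RATIO = 0.8     # fraction of packets in a second with a distinct source


def parse_line(line):
    ts, src, port, size = line.split()
    return int(ts), src, int(port), int(size)


def busiest_source_count(lines):
    """Classic per-IP flood counter: packets sent by the single busiest source."""
    counts = defaultdict(int)
    for _, src, _, _ in map(parse_line, lines):
        counts[src] += 1
    return max(counts.values(), default=0)


def detect_spoofed_flood(lines):
    """Return the seconds in which many packets arrive, nearly all from
    sources seen only once, which is the signature of a spoofed PPS flood."""
    per_second = defaultdict(list)
    for ts, src, _, _ in map(parse_line, lines):
        per_second[ts].append(src)
    flagged = []
    for ts in sorted(per_second):
        sources = per_second[ts]
        distinct_ratio = len(set(sources)) / len(sources)
        if len(sources) >= PPS_THRESHOLD and distinct_ratio >= UNIQUE_RATIO:
            flagged.append(ts)
    return flagged


# Constructed sample: second 100 is normal traffic from two players,
# second 101 is a flood in which every packet has a different spoofed source.
# 27015 is the default Source engine game port.
SAMPLE_LOG = [
    "100 10.0.0.5 27015 60",
    "100 10.0.0.5 27015 60",
    "100 10.0.0.7 27015 60",
] + [f"101 198.51.100.{i} 27015 28" for i in range(1, 21)]

if __name__ == "__main__":
    print("busiest single source:", busiest_source_count(SAMPLE_LOG))
    print("flagged seconds:", detect_spoofed_flood(SAMPLE_LOG))
```

The per-IP counter reports a busiest source of only 2 packets, while the per-second distinct-source check flags second 101.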
What can be done about this?
One issue that needs to be addressed is the vulnerability in the id Tech 3 engine that allows DevNull to amplify its attacks to up to 10x their original size. While patching this vulnerability won’t stop DevNull from existing (DevNull might switch over to DNS-based amplification attacks instead), it will save a lot of bandwidth for the game servers that are being used to perform these attacks.
The most reasonable fixes for this vulnerability would be either to implement a handshake or to rate-limit the number of query responses that can be sent to an IP address. In fact there are already unofficial patches that fix this vulnerability. However, there are over 10,000 CoD4 servers and thousands of other game servers running on the id Tech 3 engine, and only a small fraction of these servers have actually implemented this fix or are even aware of the issue. We strongly urge Infinity Ward, the developers of CoD4, to release an official update so everyone is aware of the problem and can apply the patch. Other game developers should also be notified.
Another possible measure is to implement ingress filtering in the networks of all internet service providers in the world. Ingress filtering is a technique that ensures that packets leaving a network never carry a source IP address other than one assigned to that network. Implementing this measure would mean that DevNull could no longer spoof the IP addresses of its packets, which would make it unable to abuse any of these reflection attacks in which it makes applications respond to a falsified IP address. Unfortunately there are thousands of ISPs all around the world, and many of them won’t be bothered to invest in their network and implement proper ingress filtering, so providers that allow IP spoofing will always exist.
Ideally the creator and operator of DevNull should be handed over to the authorities, because like any hacker they always try to stay one step ahead of you, and security issues are usually harder to patch than to find. DevNull’s operator also has the ability to perform DDoS attacks using DNS servers, which is essentially the same concept as the amplification attacks using CoD4 servers, except that he uses a flaw in the domain name system (the system responsible for translating domain names into IP addresses). This flaw in the DNS system will never be fully patched because there are simply too many domain name servers (millions) around the internet, and a batch of them will always carry this vulnerability. DevNull’s operator has been able to perform attacks of over 15 gigabits per second using DNS servers alone, so fixing the id Tech 3 exploit will only be a temporary solution.
The effects on the gaming community
The long-term effects of these attacks are a decrease in player count, innovation and freedom of speech. In Garry’s Mod many good developers have left the scene because of massive attacks against their servers by jealous server owners and players, resulting in massive bandwidth bills and downtime that don’t make up for the effort of developing and running a gaming community.
Other server and website owners all around the web are being threatened by people demanding administrator access or money, or else face attacks. There have been cases where an owner was attacked for not giving out administrator access and had to pay up to $15,000 in damages to the hosting company he was with. These attacks have reached the point where they are ruining people financially for running a game server or a website and are causing infrastructural damage. It’s time to see if we can find a solution for this whole situation.