From ba818d148b17cf9c054f06570c00cee8e92fee6d Mon Sep 17 00:00:00 2001 From: Thilo Schulz Date: Sun, 1 Jul 2012 14:18:31 +0000 Subject: prevent using getinfo as an amplifier for DDOS attacks (#5678). Patch by DevHC --- src/server/sv_main.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/server/sv_main.c b/src/server/sv_main.c index 0d15f2c2..bee0ec19 100644 --- a/src/server/sv_main.c +++ b/src/server/sv_main.c @@ -394,6 +394,7 @@ struct leakyBucket_s { static leakyBucket_t buckets[ MAX_BUCKETS ]; static leakyBucket_t *bucketHashes[ MAX_HASHES ]; +static leakyBucket_t outboundLeakyBucket; /* ================ @@ -566,7 +567,6 @@ static void SVC_Status( netadr_t from ) { int statusLength; int playerLength; char infostring[MAX_INFO_STRING]; - static leakyBucket_t bucket; // Prevent using getstatus as an amplifier if ( SVC_RateLimitAddress( from, 10, 1000 ) ) { @@ -577,7 +577,7 @@ static void SVC_Status( netadr_t from ) { // Allow getstatus to be DoSed relatively easily, but prevent // excess outbound bandwidth usage when being flooded inbound - if ( SVC_RateLimit( &bucket, 10, 100 ) ) { + if ( SVC_RateLimit( &outboundLeakyBucket, 10, 100 ) ) { Com_DPrintf( "SVC_Status: rate limit exceeded, dropping request\n" ); return; } @@ -622,6 +622,20 @@ void SVC_Info( netadr_t from ) { char *gamedir; char infostring[MAX_INFO_STRING]; + // Prevent using getinfo as an amplifier + if ( SVC_RateLimitAddress( from, 10, 1000 ) ) { + Com_DPrintf( "SVC_Info: rate limit from %s exceeded, dropping request\n", + NET_AdrToString( from ) ); + return; + } + + // Allow getinfo to be DoSed relatively easily, but prevent + // excess outbound bandwidth usage when being flooded inbound + if ( SVC_RateLimit( &outboundLeakyBucket, 10, 100 ) ) { + Com_DPrintf( "SVC_Info: rate limit exceeded, dropping request\n" ); + return; + } + /* * Check whether Cmd_Argv(1) has a sane length. This was not done in the original Quake3 version which led * to the Infostring bug discovered by Luigi Auriemma. See http://aluigi.altervista.org/ for the advisory. -- cgit