CVE-1999-1230

Source: cve@mitre.org

MEDIUM
5.0
Published: December 24, 1997 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Quake 2 servers are vulnerable to a denial-of-service (DoS) attack. By sending a crafted UDP packet with a spoofed source IP of 127.0.0.1, attackers can force the server to repeatedly attempt connections to itself, consuming resources and rendering the server unresponsive. This vulnerability can disrupt gameplay and potentially impact network availability.

02 // Vulnerability Mechanism

Step 1: Packet Crafting: The attacker crafts a UDP packet. The packet's payload is irrelevant, but the crucial element is the spoofed source IP address, which is set to 127.0.0.1 (localhost).

Step 2: Packet Delivery: The attacker sends the crafted UDP packet to the target Quake 2 server's listening port (typically UDP port 27910 or similar).

Step 3: Server Processing: The Quake 2 server receives the packet. Due to the spoofed source IP (127.0.0.1), the server's logic interprets this as a request to connect to itself.

Step 4: Recursive Connection Attempts: The server attempts to initiate a connection to itself, triggering further connection attempts. This process repeats, consuming server resources.

Step 5: Denial of Service: The repeated connection attempts exhaust the server's resources (CPU, network bandwidth), leading to a denial of service and making the server unresponsive to legitimate players.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and improper handling of UDP packets. The Quake 2 server, upon receiving a UDP packet with a source IP of 127.0.0.1 (localhost), attempts to initiate a connection back to itself. This creates a recursive loop of connection attempts. The server's logic fails to adequately filter or rate-limit these self-initiated connection requests. This lack of resource management allows an attacker to flood the server with these requests, leading to resource exhaustion (CPU, network bandwidth) and ultimately a denial-of-service. The root cause is a missing check to prevent the server from attempting to connect to itself based on the source IP address of incoming UDP packets. There is no buffer overflow or race condition in this specific vulnerability.

04 // Exploitation Status

While the vulnerability is old, the exploit is trivial to implement, so it is likely that **Public PoC** code exists and is easily accessible. The simplicity of the attack means it could be **Actively exploited** in environments where vulnerable Quake 2 servers are still running, although such environments are less common now due to the age of the game.

05 // Threat Intelligence

Due to the age of the vulnerability, it's unlikely to be directly targeted by sophisticated APTs. However, any threat actor could leverage this for opportunistic attacks. This vulnerability is not listed on the CISA KEV catalog due to its age and the relative obscurity of the affected software.

06 // Detection & Hunting

  • Network traffic analysis: Monitor for a high volume of UDP packets originating from external sources with a destination port matching the Quake 2 server port and a source IP of 127.0.0.1.

  • Server-side logging: Examine server logs for repeated connection attempts from the server's own IP address (127.0.0.1 or the server's public IP).

  • Performance monitoring: Observe CPU and network bandwidth usage on the server. A sudden spike in resource consumption could indicate an ongoing attack.

  • Intrusion Detection Systems (IDS): Implement IDS rules to detect packets with spoofed source IPs or unusual traffic patterns associated with this vulnerability.
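A defensive check for the first two indicators above, added here as an illustration and not part of this record or of the Quake 2 code: it parses constructed tcpdump-style UDP summary lines (the line format and all addresses are assumptions), flags datagrams to the server port whose claimed source is loopback or one of the server's own addresses, and reports the seconds in which the count meets an alert threshold.

```python
import ipaddress
import re
from collections import Counter

QUAKE2_PORT = 27910  # default listening port named in the analysis above

# Constructed sample lines in a tcpdump-style summary format, not a real capture.
SAMPLE_LINES = """\
12:00:01.000101 IP 203.0.113.7.53021 > 198.51.100.10.27910: UDP, length 40
12:00:01.000250 IP 127.0.0.1.27910 > 198.51.100.10.27910: UDP, length 40
12:00:01.000300 IP 127.0.0.1.27910 > 198.51.100.10.27910: UDP, length 40
12:00:01.000400 IP 198.51.100.10.27910 > 198.51.100.10.27910: UDP, length 40
12:00:02.000100 IP 203.0.113.9.40000 > 198.51.100.10.27910: UDP, length 32
12:00:02.000200 IP 127.0.0.1.53000 > 198.51.100.10.27910: UDP, length 32
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): UDP"
)

def parse_line(line):
    """Return (second, src_ip, dst_ip, dst_port) for a UDP summary line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])

def is_self_addressed(src_ip, server_ips):
    """A source that is loopback or one of the server's own addresses cannot
    legitimately arrive from the network; that is the spoof pattern of this CVE."""
    return ipaddress.ip_address(src_ip).is_loopback or src_ip in server_ips

def find_spoofed(lines, server_ips, port=QUAKE2_PORT):
    """Collect (second, src_ip) for spoofed-source datagrams aimed at the game port."""
    hits = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, src, dst, dport = parsed
        if dport == port and dst in server_ips and is_self_addressed(src, server_ips):
            hits.append((second, src))
    return hits

def burst_seconds(hits, threshold):
    """Seconds in which spoofed packets met or exceeded the alert threshold."""
    per_second = Counter(second for second, _ in hits)
    return {sec: n for sec, n in per_second.items() if n >= threshold}
```

Running `find_spoofed(SAMPLE_LINES, {"198.51.100.10"})` on the sample yields four hits, three of them in the same second, so `burst_seconds(..., 3)` singles out that second for alerting.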

07 // Remediation & Hardening

  • Upgrade: If possible, upgrade to a patched version of the Quake 2 server software. (This is unlikely to be possible given the age of the software).

  • Firewall rules: Implement firewall rules to block UDP packets with a source IP of 127.0.0.1 from reaching the Quake 2 server's listening port.

  • Rate limiting: Implement rate limiting on UDP packets to prevent excessive connection attempts.

  • Input validation: Ensure that the server validates the source IP address of incoming UDP packets and rejects packets with a source IP of 127.0.0.1.

  • Network segmentation: Isolate the Quake 2 server on a separate network segment to limit the impact of a successful attack.

08 // Affected Products

Quake 2 server (all versions prior to a patched version, if one exists). Potentially other game servers using similar network code.