It has been discovered that spoofed "getstatus" UDP requests are being used by attackers [0][1][2][3] to direct status responses from multiple Quake 3-based servers to a victim, as a traffic amplification mechanism for a denial of service attack on that victim. The request is a single unauthenticated UDP datagram, so a server cannot tell a forged source address from a genuine one, and the status response (the server's info string plus one line per connected player) is many times larger than the request, which is what makes the reflection worthwhile to the attacker.

Open-source games derived from the Quake 3 engine are typically based on ioquake3 [4], a popular fork of that engine. This vulnerability was fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a rate-limit to the getstatus request. Like several other known and fixed vulnerabilities, it is not fixed in the latest official ioquake3 release (1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena, mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake 3 engine (Quake III Arena when played using its official engine, Star Wars: Jedi Outcast and Jedi Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be vulnerable. Proprietary games being run under the ioquake3 engine (Quake III Arena when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may or may not be vulnerable, depending on the version of ioquake3 used.
[0] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html