solarisstar / rpgxEF

A modification of ioEF with increased limits for RPG-X2, now including the gamecode
https://last-outpost.net/forum/index.php
GNU General Public License v2.0

As a user, my servers can't be used for gamestate-related DDoS attacks #74

Open solarisstar opened 8 years ago

MJLHThomassen commented 8 years ago

I'll wrap up the visual studio debugging branch tomorrow and then I'll get on this.

This seems fixed on line 546 of sv_main.c in the ioquake3 repo: https://github.com/ioquake/ioq3/blob/master/code/server/sv_main.c

// Prevent using getstatus as an amplifier
if ( SVC_RateLimitAddress( from, 10, 1000 ) ) {
    Com_DPrintf( "SVC_Status: rate limit from %s exceeded, dropping request\n",
        NET_AdrToString( from ) );
    return;
}

// Allow getstatus to be DoSed relatively easily, but prevent
// excess outbound bandwidth usage when being flooded inbound
if ( SVC_RateLimit( &outboundLeakyBucket, 10, 100 ) ) {
    Com_DPrintf( "SVC_Status: rate limit exceeded, dropping request\n" );
    return;
}

How could we test this? Any ideas?

solarisstar commented 8 years ago

Unfortunately that doesn't solve the problem. I've read some blog articles about this where people say the easiest way to circumvent this is to just request game states at a slightly slower rate than the limit.
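To make the two comments above concrete, here is an added example (editor's code, not from RPG-X or ioquake3) that reimplements the leaky-bucket accounting behind the quoted SVC_RateLimit()/SVC_RateLimitAddress() calls on a simulated millisecond clock, then runs three scenarios: a flood from one address, the same address pacing itself at one request per second as described in the reply, and many spoofed sources at that paced rate with and without the shared outbound bucket. Per-address state is a plain array indexed by source number rather than ioq3's hashed, expiring bucket table; that and the scenario parameters are the assumptions.

```c
/* Added example, not code from RPG-X or ioquake3: a self-contained
 * reimplementation of the leaky-bucket accounting used by the ioq3
 * SVC_RateLimit()/SVC_RateLimitAddress() calls quoted above, driven by a
 * simulated millisecond clock so the behaviour can be checked offline.
 * Per-address state is an array indexed by source number rather than the
 * hashed, expiring bucket table ioq3 keeps; that is a simplification. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int lastTime;   /* simulated ms; time the bucket was last refilled */
    int burst;      /* slots currently in use */
} leaky_bucket_t;

/* Same arithmetic as ioq3's SVC_RateLimit(): `burst` requests may pass
 * back to back, then one more slot frees every `period` ms.
 * Returns true when the request must be dropped. */
static bool rate_limit(leaky_bucket_t *b, int now, int burst, int period)
{
    int interval = now - b->lastTime;
    int expired = interval / period;
    int remainder = interval % period;

    if (expired > b->burst || interval < 0) {
        b->burst = 0;
        b->lastTime = now;
    } else {
        b->burst -= expired;
        b->lastTime = now - remainder;
    }
    if (b->burst < burst) {
        b->burst++;
        return false;
    }
    return true;
}

/* One source sends n getstatus requests `spacing` ms apart against a
 * (burst, period) per-address bucket. Returns how many get through. */
int accepted_from_one_source(int n, int spacing, int burst, int period)
{
    leaky_bucket_t b = {0, 0};
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (!rate_limit(&b, i * spacing, burst, period))
            ok++;
    return ok;
}

/* `sources` distinct (possibly spoofed) addresses each send one request
 * every `spacing` ms for `duration` ms. Every address gets its own
 * (10, 1000) bucket, as in the quoted code; when outbound_cap is set the
 * replies also share the single (10, 100) outbound bucket. Returns the
 * number of replies the server would actually send, -1 on bad input. */
int replies_sent(int sources, int spacing, int duration, bool outbound_cap)
{
    leaky_bucket_t outbound = {0, 0};
    leaky_bucket_t *per_addr;
    int sent = 0;

    if (sources < 1 || spacing < 1 || duration < 1)
        return -1;
    per_addr = calloc((size_t)sources, sizeof *per_addr);
    if (per_addr == NULL)
        return -1;
    for (int t = 0; t < duration; t += spacing) {
        for (int s = 0; s < sources; s++) {
            if (rate_limit(&per_addr[s], t, 10, 1000))
                continue;                       /* per-address limit hit */
            if (outbound_cap && rate_limit(&outbound, t, 10, 100))
                continue;                       /* global outbound cap hit */
            sent++;
        }
    }
    free(per_addr);
    return sent;
}

int main(void)
{
    /* Flood from one address: 1000 requests, 10 ms apart, over 10 s. */
    printf("flood  (10 ms spacing): %d of 1000 answered\n",
           accepted_from_one_source(1000, 10, 10, 1000));
    /* Same address, one request per second: stays under the limit. */
    printf("slow (1000 ms spacing): %d of 1000 answered\n",
           accepted_from_one_source(1000, 1000, 10, 1000));
    /* 1000 spoofed sources at 1 req/s each for 10 s: the per-address
     * buckets pass everything; only the outbound bucket bounds it. */
    printf("1000 sources, outbound cap off: %d replies\n",
           replies_sent(1000, 1000, 10000, false));
    printf("1000 sources, outbound cap on:  %d replies\n",
           replies_sent(1000, 1000, 10000, true));
    return 0;
}
```

Run this way, the per-address (10, 1000) bucket answers 19 of 1000 flooded requests but all 1000 paced at one per second, which is the bypass the reply describes. What the quoted code's second check adds is a bound on the server's side: the shared (10, 100) outbound bucket caps getstatus replies at about ten per second in total, whatever the inbound rate or the number of spoofed sources, so the amplification bandwidth a reflector can emit is fixed even though any one address can still be answered.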

MJLHThomassen commented 8 years ago

There are a few things we can do here. We can either decrease the rate further or, what I was thinking, do this.

We can create a queue of all getstatus requests and serve them all at once every minute or so. Duplicate requests aren't queued. That way, the load on the server is fixed. I don't know to what extent this is possible though. I'd have to take a look at how UDP packets work again since I haven't worked with them for a while.
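As an added sketch of the queue proposed above (editor's example, not RPG-X or ioquake3 code): inbound getstatus requests are recorded by requesting address, repeats from an address already waiting are merged, and replies are counted out in one batch when the flush interval elapses. Addresses are IPv4 as host-order integers, the queue capacity and flush interval are assumed values, and the clock is simulated milliseconds.

```c
/* Added example, not RPG-X or ioquake3 code: a sketch of the queue the
 * comment above proposes. getstatus requests are collected, duplicates
 * (same requesting address) are collapsed, and replies go out in one
 * batch when the flush interval elapses, so the reply count per interval
 * is bounded by the queue capacity. Addresses are IPv4 as host-order
 * integers; QUEUE_CAP and FLUSH_INTERVAL_MS are assumed values and the
 * clock is simulated milliseconds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_CAP 256            /* assumed: distinct addresses held per flush */
#define FLUSH_INTERVAL_MS 60000  /* "every minute or so" */

typedef struct {
    uint32_t addr[QUEUE_CAP];    /* addresses waiting for a reply */
    int count;
    int dropped;                 /* refused because the queue was full */
    int last_flush;              /* simulated ms */
} status_queue_t;

void queue_init(status_queue_t *q, int now)
{
    memset(q, 0, sizeof *q);
    q->last_flush = now;
}

/* Called for each inbound getstatus. Returns false only if the request
 * could not be recorded; a repeat from an address already waiting is
 * silently merged, which is what makes the per-flush work bounded. */
bool queue_request(status_queue_t *q, uint32_t addr)
{
    for (int i = 0; i < q->count; i++)
        if (q->addr[i] == addr)
            return true;
    if (q->count == QUEUE_CAP) {
        q->dropped++;
        return false;
    }
    q->addr[q->count++] = addr;
    return true;
}

/* Called once per server frame. Nothing happens until the interval has
 * elapsed; then one reply per waiting address is "sent" (here: counted)
 * and the queue is emptied. Returns the number of replies sent. */
int queue_flush_if_due(status_queue_t *q, int now)
{
    int sent;
    if (now - q->last_flush < FLUSH_INTERVAL_MS)
        return 0;
    sent = q->count;
    /* real code would build and send the statusResponse packets here */
    q->count = 0;
    q->last_flush = now;
    return sent;
}

/* Scenario: n requests arrive within one minute from `distinct` addresses
 * used round-robin (constructed 10.x.y.z addresses). Returns the replies
 * produced at the flush, i.e. the outbound cost of the whole minute. */
int replies_after_one_minute(int n, int distinct)
{
    status_queue_t q;
    if (distinct < 1)
        return -1;
    queue_init(&q, 0);
    for (int i = 0; i < n; i++)
        queue_request(&q, 0x0A000000u + (uint32_t)(i % distinct));
    return queue_flush_if_due(&q, FLUSH_INTERVAL_MS);
}

int main(void)
{
    printf("100000 requests from 1 address:      %d replies\n",
           replies_after_one_minute(100000, 1));
    printf("100000 requests from 50 addresses:   %d replies\n",
           replies_after_one_minute(100000, 50));
    printf("100000 requests from 1000 addresses: %d replies (cap %d)\n",
           replies_after_one_minute(100000, 1000), QUEUE_CAP);
    return 0;
}
```

Whatever the inbound rate, the server emits at most QUEUE_CAP replies per interval, and a reflection attack spoofing one victim's address yields exactly one reply per interval for that victim. The price is latency: a legitimate querier waits up to FLUSH_INTERVAL_MS for its answer.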

solarisstar commented 8 years ago

I think actual game clients are going to need gamestate requests served faster than that.

solarisstar commented 8 years ago

I think the best approach would be to carefully copy over the most recent ioq3 networking code, being sure to not obliterate changes made in RPG-X since the fork.