Mailing List Archive: NANOG: users

DDoS - CoD?



lists at blackhat

Sep 6, 2011, 12:53 AM

Post #1 of 12 (1361 views)
DDoS - CoD?

Hi all,

I am wondering if anyone has seen a large DDoS before, specifically on
port 80 UDP with data that seems to be relating to Call of Duty 4. I did
a quick packet capture, and the payload looks like this:

14:50:42.716247 IP Y1.YY.YY.YY.28960 > XX.XX.XX.XX.80: UDP, length 499
0x0000: 4500 020f 0000 4000 2a11 5203 58bf 8138 E.....@.*.R.X..8
0x0010: cbaa 5739 7120 0050 01fb 3e2e ffff ffff ..W9q..P..>.....
0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\
0x0030: 5f41 646d 696e 5c6b 696c 6c6b 7574 6572 _Admin\killkuter
0x0040: 5c5f 456d 6169 6c5c 6b69 6c6c 6b75 7465 \_Email\killkute
0x0050: 7240 686f 746d 6169 6c2e 636f 6d5c 5f4c r [at] hotmail\_L
0x0060: 6f63 6174 696f 6e5c 4652 5c5f 6d61 6e75 ocation\FR\_manu
0x0070: 6164 6d69 6e6d 6f64 5c30 2e31 312e 3320 adminmod\0.11.3.
0x0080: 6265 7461 5c5f 5765 6273 6974 655c 6874 beta\_Website\ht
0x0090: 7470 3a2f 2f77 7777 2e73 7974 2e74 6561 tp://www.syt.tea
0x00a0: 6d2e 7374 5c67 5f63 6f6d 7061 7373 5368 m.st\g_compassSh
0x00b0: 6f77 456e 656d 6965 735c 305c 675f 6761 owEnemies\0\g_ga
0x00c0: 6d65 7479 7065 5c77 6172 5c67 616d 656e metype\war\gamen
0x00d0: 616d 655c 4361 6c6c 206f 6620 4475 7479 ame\Call.of.Duty
0x00e0: 2034 5c6d 6170 6e61 6d65 5c6d 705f 626c .4\mapname\mp_bl
0x00f0: 6f63 5c70 726f 746f 636f 6c5c 365c 7368 oc\protocol\6\sh
0x0100: 6f72 7476 6572 7369 6f6e 5c31 2e37 5c73 ortversion\1.7\s
0x0110: 765f 616c 6c6f 7741 6e6f 6e79 6d6f 7573 v_allowAnonymous
0x0120: 5c30 5c73 765f 6469 7361 626c 6543 6c69 \0\sv_disableCli
0x0130: 656e 7443 6f6e 736f 6c65 5c30 5c73 765f entConsole\0\sv_
0x0140: 666c 6f6f 6470 726f 7465 6374 5c31 5c73 floodprotect\1\s
0x0150: 765f 686f 7374 6e61 6d65 5c5e 3120 5359 v_hostname\^1.SY
0x0160: 5420 2d20 5e33 5444 4d20 4843 202d 205e T.-.^3TDM.HC.-.^
0x0170: 3120 6372 6163 6b20 5c73 765f 6d61 7863 1.crack.\sv_maxc
0x0180: 6c69 656e 7473 5c32 305c 7376 5f6d 6178 lients\20\sv_max
0x0190: 5069 6e67 5c31 3530 5c73 765f 6d61 7852 Ping\150\sv_maxR
0x01a0: 6174 655c 3235 3030 305c 7376 5f6d 696e ate\25000\sv_min
0x01b0: 5069 6e67 5c30 5c73 765f 7072 6976 6174 Ping\0\sv_privat
0x01c0: 6543 6c69 656e 7473 5c36 5c73 765f 7075 eClients\6\sv_pu
0x01d0: 6e6b 6275 7374 6572 5c30 5c73 765f 7075 nkbuster\0\sv_pu
0x01e0: 7265 5c31 5c73 765f 766f 6963 655c 305c re\1\sv_voice\0\
0x01f0: 7569 5f6d 6178 636c 6965 6e74 735c 3332 ui_maxclients\32
0x0200: 5c70 7377 7264 5c30 5c6d 6f64 5c30 0a \pswrd\0\mod\0.
14:50:42.716292 IP Y1.YY.YY.YY.28965 > XX.XX.XX.XX.80: UDP, length 870
0x0000: 4500 0382 0000 4000 2f11 27e7 c1c0 3be0 E.....@./.'...;.
0x0010: cbaa 5739 7125 0050 036e 1547 ffff ffff ..W9q%.P.n.G....
0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\
0x0030: 7368 6f72 7476 6572 7369 6f6e 5c30 2e34 shortversion\0.4
0x0040: 2d34 325c 7376 5f6d 6178 636c 6965 6e74 -42\sv_maxclient
0x0050: 735c 3138 5c5f 4164 6d69 6e5c 447a 696e s\18\_Admin\Dzin
0x0060: 5c5f 456d 6169 6c5c 6164 6d69 6e40 6261 \_Email\admin [at] b
0x0070: 6c6b 616e 2d77 6172 732e 636f 6d5c 5f4c lkan-wars.com\_L
0x0080: 6f63 6174 696f 6e5c 5468 6520 556e 696f ocation\The.Unio
0x0090: 6e20 6f66 2053 6f76 6965 7420 536f 6369 n.of.Soviet.Soci
0x00a0: 616c 6973 7469 6320 5265 7075 626c 6963 alistic.Republic
0x00b0: 735c 5f57 6562 7369 7465 5c68 7474 703a s\_Website\http:
0x00c0: 2f2f 6261 6c6b 616e 2d77 6172 732e 636f //balkan-wars.co
0x00d0: 6d5c 6169 775f 7265 6d6f 7465 4b69 636b m\aiw_remoteKick
0x00e0: 5c31 5c61 6977 5f73 6563 7572 655c 305c \1\aiw_secure\0\
0x00f0: 675f 6761 6d65 7479 7065 5c77 6172 5c67 g_gametype\war\g
0x0100: 5f68 6172 6463 6f72 655c 305c 6761 6d65 _hardcore\0\game
0x0110: 6e61 6d65 5c49 5734 5c6d 6170 6e61 6d65 name\IW4\mapname
0x0120: 5c6d 705f 6272 6563 6f75 7274 5c70 726f \mp_brecourt\pro
0x0130: 746f 636f 6c5c 3134 345c 7363 725f 6761 tocol\144\scr_ga
0x0140: 6d65 5f61 6c6c 6f77 6b69 6c6c 6361 6d5c me_allowkillcam\
0x0150: 315c 7363 725f 7465 616d 5f66 6674 7970 1\scr_team_fftyp
0x0160: 655c 305c 7376 5f61 6c6c 6f77 416e 6f6e e\0\sv_allowAnon
0x0170: 796d 6f75 735c 305c 7376 5f61 6c6c 6f77 ymous\0\sv_allow
0x0180: 436c 6965 6e74 436f 6e73 6f6c 655c 315c ClientConsole\1\
0x0190: 7376 5f66 6c6f 6f64 5072 6f74 6563 745c sv_floodProtect\
0x01a0: 315c 7376 5f68 6f73 746e 616d 655c 7c46 1\sv_hostname\|F
0x01b0: 5233 3344 4f4d 7c20 4669 6768 7465 7273 R33DOM|.Fighters
0x01c0: 2055 4b20 4e6f 5475 6265 2d4e 6f41 6b69 .UK.NoTube-NoAki
0x01d0: 6d62 6f2d 5444 4d20 3234 2f37 5c73 765f mbo-TDM.24/7\sv_
0x01e0: 6d61 7850 696e 675c 3330 305c 7376 5f6d maxPing\300\sv_m
0x01f0: 6178 5261 7465 5c31 3530 3030 305c 7376 axRate\150000\sv
0x0200: 5f6d 696e 5069 6e67 5c30 5c73 765f 7072 _minPing\0\sv_pr
0x0210: 6976 6174 6543 6c69 656e 7473 5c30 5c73 ivateClients\0\s
0x0220: 765f 7072 6976 6174 6543 6c69 656e 7473 v_privateClients
0x0230: 466f 7243 6c69 656e 7473 5c30 0a30 2039 ForClients\0.0.9
0x0240: 3939 2022 5768 6974 6573 7061 726b 6c65 99."Whitesparkle
0x0250: 7322 0a30 2038 3920 226d 6174 7269 6361 s".0.89."matrica
0x0260: 2033 220a 3020 3734 2022 5368 616b 7567 .3".0.74."Shakug
0x0270: 616e 220a 3020 3536 2022 3336 3048 6561 an".0.56."360Hea
0x0280: 6453 686f 7422 0a36 3030 2037 3620 2261 dShot".600.76."a
0x0290: 7665 6c6c 7573 220a 3630 3020 3132 3220 vellus".600.122.
0x02a0: 2253 696c 7665 7222 0a34 3030 2031 3133 "Silver".400.113
0x02b0: 2022 4576 616c 6f6e 220a 3131 3030 2037 ."Evalon".1100.7
0x02c0: 3720 225e 345b 4d5e 3969 575e 345d 4465 7."^4[M^9iW^4]De
0x02d0: 725e 220a 3130 3020 3937 2022 416e 6472 r^".100.97."Andr
0x02e0: 6579 2053 756b 6163 6822 0a31 3030 2036 ey.Sukach".100.6
0x02f0: 3620 2244 7a65 6968 6e6f 3933 220a 3230 6."Dzeihno93".20
0x0300: 3020 3839 2022 5265 6e22 0a30 2031 3338 0.89."Ren".0.138
0x0310: 2022 d1d1 d1d0 220a 3230 3020 3334 2022 ."....".200.34."
0x0320: 7061 7631 220a 3430 3020 3138 3720 224b pav1".400.187."K
0x0330: 6172 6c6f 735f 3538 220a 3230 3020 3237 arlos_58".200.27
0x0340: 3020 226d 4f6e 7374 6572 220a 3730 3020 0."mOnster".700.
0x0350: 3137 3220 224d 6572 6365 6e61 7279 220a 172."Mercenary".
0x0360: 3130 3230 2039 3620 226e 696b 6f6c 6122 1020.96."nikola"
0x0370: 0a33 3030 2031 3234 2022 5349 444f 4922 .300.124."SIDOI"
0x0380: 0a00

As far as I know CoD 4 doesn't use port 80 UDP, and I can't see anything
else that would. The box doesn't have anything listening for port 80/udp
(it does run a web server) and never has.

Has anyone seen similar traffic before? I am struggling to figure out
what is causing this traffic, or if it's existing traffic being replayed
to try and avoid filters.

Thanks

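The payload in the capture above is a Quake III engine out-of-band packet: four 0xff bytes, a command word (`statusResponse`), a backslash-separated infostring, then one line per player. The decoder below is an added example written for this thread (not code from the original post or from any game server); its sample payload is constructed from the fields visible in the dump, abbreviated rather than copied byte for byte, and `GETSTATUS_QUERY` is assumed to be the 14-byte request such a response answers.

```python
"""Decode a Quake III style ``statusResponse`` datagram (added example).

The sample payload is constructed from the fields visible in the capture
above (abbreviated); it is not a byte-for-byte copy of the dump.
"""
import re

Q3_HEADER = b"\xff\xff\xff\xff"               # out-of-band marker on every Q3-engine control packet
GETSTATUS_QUERY = Q3_HEADER + b"getstatus\n"  # assumed 14-byte request that a statusResponse answers

# Constructed sample mirroring the captured layout: header, command line,
# backslash-separated infostring, then one player per line (score ping "name").
SAMPLE_STATUS_RESPONSE = (
    Q3_HEADER + b"statusResponse\n"
    b"\\_Admin\\killkuter\\gamename\\Call of Duty 4\\mapname\\mp_bloc"
    b"\\protocol\\6\\sv_hostname\\^1 SYT - ^3TDM HC - ^1 crack "
    b"\\sv_maxclients\\20\\sv_privateClients\\6\\sv_punkbuster\\0\n"
    b'0 999 "Whitesparkles"\n'
    b'600 76 "avellus"\n'
    b'1100 77 "^4[M^9iW^4]Der^"\n'
)

PLAYER_RE = re.compile(r'^(-?\d+) (\d+) "(.*)"$')  # score, ping, quoted name


def strip_color_codes(text: str) -> str:
    """Remove ^N colour codes and collapse whitespace in hostnames/names."""
    return " ".join(re.sub(r"\^\d", "", text).split())


def parse_infostring(raw: bytes) -> dict:
    """Turn ``\\key\\value\\key\\value`` into a dict; a trailing odd key is ignored."""
    fields = raw.split(b"\\")
    if fields and fields[0] == b"":
        fields = fields[1:]            # the leading backslash yields an empty element
    info = {}
    for i in range(0, len(fields) - 1, 2):
        info[fields[i].decode("latin-1")] = fields[i + 1].decode("latin-1")
    return info


def parse_status_response(datagram: bytes) -> dict:
    """Split a statusResponse into the server infostring and the player list."""
    if not datagram.startswith(Q3_HEADER):
        raise ValueError("not a Quake III out-of-band packet")
    command, _, rest = datagram[len(Q3_HEADER):].partition(b"\n")
    if command != b"statusResponse":
        raise ValueError(f"unexpected command {command!r}")
    info_line, _, players_blob = rest.partition(b"\n")
    players = []
    for line in players_blob.split(b"\n"):
        m = PLAYER_RE.match(line.decode("latin-1"))
        if m:
            players.append({"score": int(m.group(1)), "ping": int(m.group(2)), "name": m.group(3)})
    return {"info": parse_infostring(info_line), "players": players, "size": len(datagram)}


def summarize(datagram: bytes) -> dict:
    """What an operator wants from one reflected packet: whose server it is,
    and how much larger it is than the query that elicited it."""
    parsed = parse_status_response(datagram)
    info = parsed["info"]
    return {
        "game": info.get("gamename", "?"),
        "hostname": strip_color_codes(info.get("sv_hostname", "")),
        "map": info.get("mapname", "?"),
        "admin": info.get("_Admin", "?"),
        "players": len(parsed["players"]),
        "amplification": round(parsed["size"] / len(GETSTATUS_QUERY), 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATUS_RESPONSE).items():
        print(f"{key:>14}: {value}")
```

The `_Admin`, `sv_hostname` and `_Website` fields are the useful part for an operator on the receiving end: they identify the server that is reflecting traffic at you, which is who needs to be contacted (or whose address you filter), rather than the spoofed "source" that triggered it.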

rdobbins at arbor

Sep 6, 2011, 1:00 AM

Post #2 of 12 (1255 views)
Re: DDoS - CoD? [In reply to]

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] arbor> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde


jvanoppen at spectrumnet

Sep 6, 2011, 1:01 AM

Post #3 of 12 (1243 views)
RE: DDoS - CoD? [In reply to]

I have seen many udp/80 floods as well... pretty common.


John van Oppen
Spectrum Networks / AS11404

________________________________________
From: Dobbins, Roland [rdobbins [at] arbor]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] arbor> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde


lists at blackhat

Sep 6, 2011, 1:03 AM

Post #4 of 12 (1240 views)
Re: DDoS - CoD? [In reply to]

On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> I've seen DDoS traffic on UDP/80 as far back as 2002
Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks
on 80/udp but mainly as a source (e.g. compromised hosting accounts)
rather than the destination. I didn't in the past do a packet capture,
but I looked at a couple of scripts and the data was usually random or
just AAAAAA etc. The thing that perplexed me is why it appears to be
Call of Duty data more than anything...

Thanks


gchalmers at gmail

Sep 6, 2011, 1:14 AM

Post #5 of 12 (1226 views)
Re: DDoS - CoD? [In reply to]

Could be legitimate CoD servers responding to a spoofed query? How much
traffic are you talking about out of curiosity?

Regards
Greg


On Tue, Sep 6, 2011 at 6:03 PM, BH <lists [at] blackhat> wrote:

> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> > I've seen DDoS traffic on UDP/80 as far back as 2002
> Hi Roland,
>
> I should be a bit more clear, sorry. I too have frequently seen attacks
> on 80/udp but mainly as a source (e.g. compromised hosting accounts)
> rather than the destination. I didn't in the past do a packet capture,
> but I looked at a couple of scripts and the data was usually random or
> just AAAAAA etc. The thing that perplexed me is why it appears to be
> Call of Duty data more than anything...
>
> Thanks
>
>


a.harrowell at gmail

Sep 6, 2011, 3:10 AM

Post #6 of 12 (1228 views)
Re: DDoS - CoD? [In reply to]

On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
> Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor
sap's hotmail address is embedded in it.

> How much
> traffic are you talking about out of curiosity?
>
> Regards
> Greg
>
>
> On Tue, Sep 6, 2011 at 6:03 PM, BH <lists [at] blackhat> wrote:
>
> > On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> > > I've seen DDoS traffic on UDP/80 as far back as 2002
> > Hi Roland,
> >
> > I should be a bit more clear, sorry. I too have frequently seen attacks
> > on 80/udp but mainly as a source (e.g. compromised hosting accounts)
> > rather than the destination. I didn't in the past do a packet capture,
> > but I looked at a couple of scripts and the data was usually random or
> > just AAAAAA etc. The thing that perplexed me is why it appears to be
> > Call of Duty data more than anything...
> >
> > Thanks
> >
> >
>

--
The only thing worse than e-mail disclaimers...is people who send e-mail
to lists complaining about them
Attachments: signature.asc (0.19 KB)


lists at blackhat

Sep 6, 2011, 6:02 AM

Post #7 of 12 (1236 views)
Re: DDoS - CoD? - Activision contact [In reply to]

Looking around, I believe the issue is that the IP has ended up on a
master game list, so we are now getting the queries directed at US.

For anyone interested, there seems to be some info here:

http://forums.steampowered.com/forums/showthread.php?t=1670090

With the packet capture I have and the symptoms looking very alike the
example in my original email.

I found an earlier example as well with similar symptoms:
http://forums.srcds.com/viewtopic/15737

Is there anyone from Activision on the list or does anyone have an
Activision contact? Replies off list welcome, I can provide more details
there.


On 6/09/2011 6:10 PM, Alexander Harrowell wrote:
> On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
>> Could be legitimate CoD servers responding to a spoofed query?
>
> My first thought looking at the packet dump. Interesting that some poor
> sap's hotmail address is embedded in it.
>
>> How much
>> traffic are you talking about out of curiosity?
>>
>> Regards
>> Greg
>>
>>
>> On Tue, Sep 6, 2011 at 6:03 PM, BH<lists [at] blackhat> wrote:
>>
>>> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
>>>> I've seen DDoS traffic on UDP/80 as far back as 2002
>>> Hi Roland,
>>>
>>> I should be a bit more clear, sorry. I too have frequently seen attacks
>>> on 80/udp but mainly as a source (e.g. compromised hosting accounts)
>>> rather than the destination. I didn't in the past do a packet capture,
>>> but I looked at a couple of scripts and the data was usually random or
>>> just AAAAAA etc. The thing that perplexed me is why it appears to be
>>> Call of Duty data more than anything...
>>>
>>> Thanks
>>>
>>>
>>
>


jeffw at he

Sep 6, 2011, 6:47 AM

Post #8 of 12 (1215 views)
Re: DDoS - CoD? [In reply to]

Call of Duty is apparently using the same flawed protocol as Quake III
servers, so you can think of it as an amplification attack. (I wish I'd
forgotten all about this stuff)

You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
source, and the server responds with everything you see. With decent
amplification (15B -> ~500B) and the number of CoD servers in the world you
could very easily build up a sizable attack.

--
Jeff Walter
Network Engineer
Hurricane Electric
Attachments: jeffw.vcf (0.30 KB)


mark at pcinw

Sep 6, 2011, 8:26 AM

Post #9 of 12 (1276 views)
Re: DDoS - CoD? [In reply to]

Recently (last month) Ryan Gordon (the person responsible for porting COD to
Linux) released a patch for cod4 servers to address this specific issue.
Here is the announcement and a link to the original email as well. The
discussion also indicated that all of the Quake III based games suffered
from the same issue.

http://icculus.org/pipermail/cod/2011-August/015397.html

> So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address. Multiply this by however fast
> you can stuff UDP packets into the server's incoming packet buffer per
> frame, times 7500+ public COD4 servers, and you can really bring a
> victim to its knees with a serious flood of unwanted packets.
>
> I've got a patch for COD4 for this, and I need admins to test it before
> I make an official release.
>
> http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
>
>
>
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw [at] he> wrote:

> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack. (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see. With decent
> amplification (15B -> ~500B) and the number of CoD servers in the world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



--
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR 97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax: 541-684-0283

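Ryan Gordon's fix is described only as a "query limit", and Jeff's post gives the reason a limit works: the spoofed source on every query is the victim's own address, so from the server's point of view the whole flood comes from one source. The limiter below is an added example written for this thread, not Gordon's patch, and makes no claim about how that patch is implemented; the addresses and rates are constructed, and `FakeClock` is a test stand-in for `time.monotonic` so the flood can be simulated without sleeping.

```python
"""Per-source query limiter for a game server's out-of-band queries (added example).

Written from scratch for this thread; it is not Ryan Gordon's patch. The idea is
the one the thread describes: answer only a bounded number of getstatus/getinfo
queries per source address (and per second overall), so a spoofed victim address
receives a trickle instead of a flood.
"""
import time
from collections import OrderedDict


class QueryLimiter:
    def __init__(self, rate=1.0, burst=3, global_rate=200, max_sources=10_000, clock=time.monotonic):
        self.rate = float(rate)            # tokens refilled per second, per source
        self.burst = float(burst)          # bucket capacity, per source
        self.global_rate = global_rate     # hard cap on answered queries per second, all sources
        self.max_sources = max_sources     # bound memory against floods of distinct spoofed sources
        self.clock = clock
        self._buckets = OrderedDict()      # src_ip -> (tokens, last_seen); least recently seen first
        self._win_start = None
        self._win_count = 0
        self.answered = 0
        self.dropped = 0

    def _global_ok(self, now):
        """Fixed one-second window across all sources; charged only when answering."""
        if self._win_start is None or now - self._win_start >= 1.0:
            self._win_start, self._win_count = now, 0
        if self._win_count >= self.global_rate:
            return False
        self._win_count += 1
        return True

    def allow(self, src_ip):
        """Return True if a query from src_ip should be answered now."""
        now = self.clock()
        tokens, last = self._buckets.pop(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0 and self._global_ok(now)
        if allowed:
            tokens -= 1.0
            self.answered += 1
        else:
            self.dropped += 1              # drop silently: an error reply is itself a reflected packet
        self._buckets[src_ip] = (tokens, now)   # re-insert as most recently seen
        while len(self._buckets) > self.max_sources:
            self._buckets.popitem(last=False)   # evict the least recently seen source
        return allowed


class FakeClock:
    """Deterministic clock so a flood can be simulated without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_spoofed_flood(queries=1000, rate=1.0, burst=3):
    """An attacker sends `queries` getstatus packets within one second, all
    carrying the victim's address. Returns how many replies the victim receives."""
    clock = FakeClock()
    limiter = QueryLimiter(rate=rate, burst=burst, clock=clock)
    victim = "198.51.100.7"   # constructed address
    return sum(limiter.allow(victim) for _ in range(queries))


if __name__ == "__main__":
    print("replies reaching the victim from 1000 spoofed queries:", simulate_spoofed_flood())
```

Two design points matter for the reflection case specifically. Excess queries are dropped rather than answered with an error, because any reply at all is amplified traffic to the spoofed address. And the per-source table is bounded with LRU eviction, since an attacker who rotates spoofed sources can otherwise grow it without limit; the global per-second cap is what holds in that case, at the cost of a source that is evicted and returns getting a fresh burst.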

george.herbert at gmail

Sep 6, 2011, 11:19 AM

Post #10 of 12 (1217 views)
Re: DDoS - CoD? [In reply to]

Arrgghhh....

This reminds me of the WebNFS attack, which is why Sun aborted
WebNFS's public launch, after I pointed it out during its Solaris 2.6
early access program.

Never run a volume-multiplying service on UDP if you can help it,
exposed to the outside world, without serious in-band source
verification. Amplification attacks are a classic easy DDOS win.


-george

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw [at] he> wrote:
> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in the world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



--
-george william herbert
george.herbert [at] gmail


jeffw at he

Sep 7, 2011, 8:35 AM

Post #11 of 12 (1234 views)
Re: DDoS - CoD? - Activision contact [In reply to]

On 9/6/2011 6:02 AM, BH wrote:
> Looking around, I believe the issue is that the IP has ended up on a
> master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again,
much self-hate) I pulled one of my old master query scripts out of
mothballs and checked. You are not listed on the CoD4 master server
(assuming you did not alter the UDP frames you originally posted). If
you were you would be seeing "getInfo" and "getStatus" queries, but
you're not. You're seeing the "getInfoResponse" and "getStatusResponse"
packets from a server which is listed on the master server. This is an
attack; nothing sinister is happening.

Your best bet is to filter all UDP traffic except for what you need (DNS
comes to mind). You might also want to get in contact with
killkuter [at] hotmail and encourage them to install the previously
mentioned patched server executable to prevent their server from being
used as an attack amplifier.

--
Jeff Walter
Network Engineer
Hurricane Electric
Attachments: jeffw.vcf (0.31 KB)


ryan.g at atwgpc

Sep 8, 2011, 7:06 AM

Post #12 of 12 (1191 views)
Re: DDoS - CoD? [In reply to]

Sadly I see these all the time, and Valve's SRCDS is vulnerable as well
(AFAIK any Q3 engine game is too). There are unofficial patches for source
but I wish Valve and others would fix it for good. Normally I see these
types of attacks in the 1-2Gbps range but we recently have seen them in the
5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each
sending 1-2Mbps.

http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam

The issue was partially resolved with Team Fortress 2 servers.

I've also seen something similar to these but with DNS data.

U XXX.XXX.XXX.XXX:53 -> XXX.XXX.XXX.XXX:53
.S.....!.....icann.org..............D..
........................D....+..........X.........XNq..Nh.m7/.icann.org.....Y.W+...zzJ

...d.8S...;...U..[~[..}z+].Ov(......;\Gx......g.....wv...&...S....\y.-..4.'.Z..u.?..f.!...<L..o
.wtE....E.M......,.e.......X..

...pechora4.e.e.......X.....pechora5.e.e.......X.....pechora6.e.e.......X.....pechora7.e.e.......X.....pechora8.e.e.......X...

..pechora1.e.e.......X.....pechora2.e.e.......X.....pechora3.e.e.......X.........XNq.(Nh.m7/.icann.org.j...N..#{Gr.+G........B
..Rl.4..[......}\.........u.
...'..g.....qd.y#1..[8rw1......i...g...f\.a.$2.k....v64.pKv...1./..|......C..........X.........XN

q."Nh.m7/.icann.org..1...^:.....}.....w.?..........*.........+D..(b.".....-av.X.b.K.|..R..+."i......=E.a....l.vmMqe)....i.}*Z.

.&......`..|..............................Nqb.Nh.m7/.icann.org.{.g.h"h..z..0UV.I.-.v...rZK..t.<?.l8...n...R.....x"8O...$vSR..3
._...a....
......o.7.wk...r....X..?n9.(...fk-...~..h.E..y".5...;..(.........(.dns1.(.hostmaster.(w.....*0......u......(.......

....3......Nq..Nh.m7/.icann.org.v5/5J....{..[.c..e.....z...;x9...DR.....^B..V..........q|.........w.D.{..eb......\...G'...=L..

..~^.......6......6...<D..k..........3.............P0.t.................0......Nq.RNh.m...icann.org.@W.
...i..Lj.....j..c%..Y..

......._K=.j..E...u.`.....L..=,.i....K._.9....8X.G...V1J...N.B.....k8..5.I..Pk..#..Vs.X.Ax...P>....d7~~..$.[..{.........l.8...
e...&:=S2.l.}W.@#.e.LN.j..7g.s..4/52.@...[MUXu.f9U.y~rXFH/......O<.......'..<.....y.j.


On Tue, Sep 6, 2011 at 1:19 PM, George Herbert <george.herbert [at] gmail>wrote:

> Arrgghhh....
>
> This reminds me of the WebNFS attack, which is why Sun aborted
> WebNFS's public launch, after I pointed it out during its Solaris 2.6
> early access program.
>
> Never run a volume-multiplying service on UDP if you can help it,
> exposed to the outside world, without serious in-band source
> verification. Amplification attacks are a classic easy DDOS win.
>
>
> -george
>
> On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw [at] he> wrote:
> > Call of Duty is apparently using the same flawed protocol as Quake III
> > servers, so you can think of it as an amplification attack. (I wish I'd
> > forgotten all about this stuff)
> >
> > You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> > source, and the server responds with everything you see. With decent
> > amplification (15B -> ~500B) and the number of CoD servers in the world you
> > could very easily build up a sizable attack.
> >
> > --
> > Jeff Walter
> > Network Engineer
> > Hurricane Electric
> >
>
>
>
> --
> -george william herbert
> george.herbert [at] gmail
>
>

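Jeff's diagnosis turns on direction: a host that is listed on a master server sees `getstatus`/`getinfo` queries arriving, while a reflection victim sees `statusResponse`/`infoResponse` answers it never asked for. The classifier below, an added example written for this thread and not code from any of the posters, applies that check to a stream of inbound datagrams and also covers the DNS case Ryan pasted, where the tell is a DNS packet with the QR bit set arriving at a port that sent no query. All traffic in it is constructed, the addresses are documentation ranges, and `solicited_ports` (ports on which a DNS answer would be legitimate, such as a local resolver's client port) is an assumed parameter.

```python
"""Tell 'someone is querying my game server' from 'someone is reflecting
game-server or DNS answers at me' (added example, constructed traffic)."""
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass

Q3_HEADER = b"\xff\xff\xff\xff"
Q3_QUERIES = (b"getstatus", b"getinfo")              # seen when you are listed on a master server
Q3_RESPONSES = (b"statusResponse", b"infoResponse")  # seen when you are a reflection victim


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def classify(d: Datagram, solicited_ports=frozenset()) -> str:
    """Return one of q3-query, q3-reflection, dns-reflection, q3-other, other."""
    p = d.payload
    if p.startswith(Q3_HEADER):
        command = p[4:].split(b"\n", 1)[0].split(b" ", 1)[0]   # tolerate "getstatus <challenge>"
        if command in Q3_QUERIES:
            return "q3-query"
        if command in Q3_RESPONSES:
            return "q3-reflection"
        return "q3-other"
    if d.src_port == 53 and len(p) >= 12 and d.dst_port not in solicited_ports:
        (flags,) = struct.unpack("!H", p[2:4])
        if flags & 0x8000:                   # QR bit set: an answer arriving where no question was sent
            return "dns-reflection"
    return "other"


def summarize(datagrams, solicited_ports=frozenset()) -> dict:
    """Packet and byte counts per class, plus the reflectors to notify, largest first."""
    packets, nbytes = Counter(), Counter()
    reflectors = defaultdict(lambda: [0, 0])
    for d in datagrams:
        kind = classify(d, solicited_ports)
        packets[kind] += 1
        nbytes[kind] += len(d.payload)
        if kind.endswith("reflection"):
            reflectors[d.src_ip][0] += 1
            reflectors[d.src_ip][1] += len(d.payload)
    ranked = sorted(((ip, c, b) for ip, (c, b) in reflectors.items()), key=lambda t: t[2], reverse=True)
    reflected = packets["q3-reflection"] + packets["dns-reflection"]
    verdict = "reflection victim" if reflected > packets["q3-query"] else "queried directly"
    return {"packets": dict(packets), "bytes": dict(nbytes), "reflectors": ranked, "verdict": verdict}


# Constructed traffic: three reflected status answers from one game server, one info
# answer from another, one unsolicited DNS answer, one genuine query, one HTTP-looking packet.
_STATUS = Q3_HEADER + b"statusResponse\n\\sv_hostname\\constructed server\\mapname\\mp_test\n0 50 \"player\"\n"
_INFO = Q3_HEADER + b"infoResponse\n\\hostname\\another constructed server\\clients\\4\n"
_DNS_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x05icann\x03org\x00\x00\xff\x00\x01"
DNS_REFLECTION_SAMPLE = Datagram("198.51.100.5", 53, 53, _DNS_ANSWER)
SAMPLE_TRAFFIC = [
    Datagram("192.0.2.10", 28960, 80, _STATUS),
    Datagram("192.0.2.10", 28960, 80, _STATUS),
    Datagram("192.0.2.10", 28960, 80, _STATUS),
    Datagram("192.0.2.11", 28961, 80, _INFO),
    DNS_REFLECTION_SAMPLE,
    Datagram("203.0.113.9", 54000, 28960, Q3_HEADER + b"getstatus\n"),
    Datagram("203.0.113.9", 54001, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_TRAFFIC)
    print(report["verdict"], report["packets"])
    for ip, count, size in report["reflectors"]:
        print(f"  reflector {ip}: {count} packets, {size} bytes")
```

The reflector list is the actionable output: those are the game servers (or open resolvers) whose operators should be pointed at the patched executable or a rate limit, and whose addresses can be dropped at the edge in the meantime. The spoofed addresses behind the original queries never appear in this traffic, so there is nothing on the victim's side to trace there.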