Re: DDoS - CoD?

[Ryan Gelobter <ryan.g () atwgpc net>]

Sadly I see these all the time, and Valve's SRCDS is vulnerable as well
(AFAIK any Q3 engine game is too). There are unofficial patches for source
but I wish Valve and others would fix it for good. Normally I see these
types of attacks in the 1-2Gbps range but we recently have seen them in the
5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each
sending 1-2Mbps.

http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam

The issue was partially resolved with Team Fortress 2 servers.

I've also seen something similar to these but with DNS data.

U XXX.XXX.XXX.XXX:53 -> XXX.XXX.XXX.XXX:53
  .S.....!.....icann.org..............D..
........................D....+..........X.........XNq..Nh.m7/.icann.org.....Y.W+...zzJ

...d.8S...;...U..[~[..}z+].Ov(......;\Gx......g.....wv...&...S....\y.-..4.'.Z..u.?..f.!...<L..o
.wtE....E.M......,.e.......X..

...pechora4.e.e.......X.....pechora5.e.e.......X.....pechora6.e.e.......X.....pechora7.e.e.......X.....pechora8.e.e.......X...

..pechora1.e.e.......X.....pechora2.e.e.......X.....pechora3.e.e.......X.........XNq.(Nh.m7/.icann.org.j...N..#{Gr.+G........B
  ..Rl.4..[......}\.........u.
...'..g.....qd.y#1..[8rw1......i...g...f\.a.$2.k....v64.pKv...1./..|......C..........X.........XN

q."Nh.m7/.icann.org..1...^:.....}.....w.?..........*.........+D..(b.".....-av.X.b.K.|..R..+."i......=E.a....l.vmMqe)....i.}*Z.

.&......`..|..............................Nqb.Nh.m7/.icann.org.{.g.h"h..z..0UV.I.-.v...rZK..t.<?.l8...n...R.....x"8O...$vSR..3
  ._...a....
......o.7.wk...r....X..?n9.(...fk-...~..h.E..y".5...;..(.........(.dns1.(.hostmaster.(w.....*0......u......(.......

....3......Nq..Nh.m7/.icann.org.v5/5J....{..[.c..e.....z...;x9...DR.....^B..V..........q|.........w.D.{..eb......\...G'...=L..

..~^.......6......6...<D..k..........3.............P0.t.................0......Nq.RNh.m...icann.org.@W.
...i..Lj.....j..c%..Y..

......._K=.j..E...u.`.....L..=,.i....K._.9....8X.G...V1J...N.B.....k8..5.I..Pk..#..Vs.X.Ax...P>....d7~~..$.[..{.........l.8...
  e...&:=S2.l.}W.@#.e.LN.j..7g.s..4/52.@...[MUXu.f9U.y~rXFH/......O<.......'..<.....y.j.


On Tue, Sep 6, 2011 at 1:19 PM, George Herbert <george.herbert () gmail com>wrote:

> Arrgghhh....
>
> This reminds me of the WebNFS attack.  Which is why Sun aborted
> WebNFS's public launch, after I pointed it out during its Solaris 2.6
> early access program.
>
> Never run a volume-multiplying service on UDP if you can help it,
> exposed to the outside world, without serious in-band source
> verification.  Amplification attacks are a classic easy DDOS win.
>
>
> -george
>
> On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw () he net> wrote:
> > Call of Duty is apparently using the same flawed protocol as Quake III
> > servers, so you can think of it as an amplification attack.  (I wish I'd
> > forgotten all about this stuff)
> >
> > You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> > source, and the server responds with everything you see.  With decent
> > amplification (15B -> ~500B) and the number of CoD servers in world you
> > could very easily build up a sizable attack.
> >
> > --
> > Jeff Walter
> > Network Engineer
> > Hurricane Electric
>
>
>
> --
> -george william herbert
> george.herbert () gmail com