Recently (last month) Ryan Gordon (the person responsible for porting COD to Linux) released a patch for cod4 servers to address this specific issue. Here is the announcement and a link to the original email as well. The discussion also indicated that all of the Quake III based games suffered from the same issue.
http://icculus.org/pipermail/cod/2011-August/015397.html

> So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address. Multiply this by however fast
> you can stuff UDP packets into the server's incoming packet buffer per
> frame, times 7500+ public COD4 servers, and you can really bring a
> victim to its knees with a serious flood of unwanted packets.
>
> I've got a patch for COD4 for this, and I need admins to test it before
> I make an official release.
>
> http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <[email protected]> wrote:
> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack. (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see. With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric

--
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR 97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax: 541-684-0283
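An added example, not part of the thread and not Ryan Gordon's patch: one way a server could cap replies to the status query discussed above, using a leaky bucket keyed on the claimed source address so a spoofed victim receives only a bounded trickle. The function names, table size, burst and refill values are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUCKETS   1024   /* table slots; must match the >> 22 below (assumed) */
#define BURST     10     /* replies a source may draw back-to-back (assumed) */
#define REFILL_MS 1000   /* one reply credit returns per second (assumed) */

/* Zero-initialised state means "nothing spent", so no setup pass is needed. */
typedef struct { int64_t last_ms; int spent; } bucket_t;
static bucket_t table[BUCKETS];

/* True if the datagram is a Quake III style out-of-band status query. */
int is_status_query(const uint8_t *pkt, size_t len)
{
    static const char q[] = "\xff\xff\xff\xffgetstatus";
    return len >= sizeof q - 1 && memcmp(pkt, q, sizeof q - 1) == 0;
}

/* Leaky bucket per hashed source address (IPv4, host byte order).
 * Colliding sources share one bucket, so a collision can only make the
 * limit stricter, never hand an address a fresh allowance. */
int allow_query(uint32_t src_addr, int64_t now_ms)
{
    bucket_t *b = &table[(uint32_t)(src_addr * 2654435761u) >> 22];
    int64_t leaked = (now_ms - b->last_ms) / REFILL_MS;

    if (leaked > 0) {
        b->spent = leaked >= b->spent ? 0 : b->spent - (int)leaked;
        b->last_ms += leaked * REFILL_MS;
    }
    if (b->spent >= BURST)
        return 0;            /* over budget: drop silently, send nothing */
    b->spent++;
    return 1;
}

/* Returns 1 if a status reply should be sent for this datagram. */
int should_reply(const uint8_t *pkt, size_t len, uint32_t src, int64_t now_ms)
{
    return is_status_query(pkt, len) && allow_query(src, now_ms);
}
```

Dropping without any reply matters here: an error response to the claimed source would itself be reflected traffic.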

