Sadly I see these all the time, and Valve's SRCDS is vulnerable as well (AFAIK any Q3 engine game is too). There are unofficial patches for source but I wish Valve and others would fix it for good. Normally I see these types of attacks in the 1-2Gbps range but we recently have seen them in the 5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each sending 1-2Mbps.
http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam

The issue was partially resolved with Team Fortress 2 servers. I've also seen something similar to these but with DNS data.

U XXX.XXX.XXX.XXX:53 -> XXX.XXX.XXX.XXX:53

On Tue, Sep 6, 2011 at 1:19 PM, George Herbert <george.herb...@gmail.com> wrote:
> Arrgghhh....
>
> This reminds me of the WebNFS attack. Which is why Sun aborted
> WebNFS's public launch, after I pointed it out during its Solaris 2.6
> early access program.
>
> Never run a volume-multiplying service on UDP if you can help it,
> exposed to the outside world, without serious in-band source
> verification. Amplification attacks are a classic easy DDOS win.
>
>
> -george
>
> On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <je...@he.net> wrote:
> > Call of Duty is apparently using the same flawed protocol as Quake III
> > servers, so you can think of it as an amplification attack. (I wish I'd
> > forgotten all about this stuff)
> >
> > You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> > source, and the server responds with everything you see. With decent
> > amplification (15B -> ~500B) and the number of CoD servers in world you
> > could very easily build up a sizable attack.
> >
> > --
> > Jeff Walter
> > Network Engineer
> > Hurricane Electric
>
>
> --
> -george william herbert
> george.herb...@gmail.com
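As an added illustration (not code from this thread, from SRCDS, or from any Q3 engine), here is a Q3-style getstatus responder in the two forms the thread contrasts: the unverified one that turns a 14-byte request into a ~500-byte reply, and a hardened one that answers an unverified source with a cookie no larger than the request, the in-band source verification George asks for. The reply contents, the cookie format, the 60-second window and the key handling are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

OOB = b"\xff\xff\xff\xff"            # Q3-style out-of-band prefix
GETSTATUS = OOB + b"getstatus"
# Constructed ~500-byte status reply standing in for a real server's answer.
STATUS_REPLY = OOB + b"statusResponse\n\\sv_hostname\\example\\mapname\\q3dm6\\" + b"x" * 460 + b"\n"
KEY = os.urandom(32)                  # per-process cookie key (assumption)


def make_cookie(src_ip, src_port, now):
    """32-bit stateless cookie bound to the claimed source and a 60 s window."""
    window = int(now // 60)
    msg = f"{src_ip}:{src_port}:{window}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:8]


def cookie_ok(src_ip, src_port, cookie, now):
    # Accept the current and previous window so a round trip may cross a boundary.
    return any(hmac.compare_digest(make_cookie(src_ip, src_port, now - d), cookie) for d in (0, 60))


def respond_unverified(src_ip, src_port, payload, now=None):
    """The amplifying design from the thread: any getstatus gets the full reply."""
    return STATUS_REPLY if payload.startswith(GETSTATUS) else b""


def respond_verified(src_ip, src_port, payload, now=None):
    """Hardened: a bare getstatus gets a 14-byte challenge (no larger than the
    request); only a getstatus carrying a cookie valid for src_ip:src_port,
    which a sender spoofing that address never receives, gets the full reply."""
    now = time.time() if now is None else now
    if not payload.startswith(GETSTATUS):
        return b""
    fields = payload[len(OOB):].rstrip(b"\n").split(b" ")
    if len(fields) == 2 and cookie_ok(src_ip, src_port, fields[1].decode("ascii", "replace"), now):
        return STATUS_REPLY
    return OOB + b"c" + make_cookie(src_ip, src_port, now).encode() + b"\n"


def amplification(handler, src_ip, src_port, payload, now=None):
    """Bytes sent to the claimed source per byte received: the figure a
    defender wants at or below 1.0 for sources that have not yet proven
    they can receive at the address they claim."""
    return len(handler(src_ip, src_port, payload, now)) / max(len(payload), 1)
```

The same check is what a network operator can run against a service's replies: if an unverified request produces more bytes than it carried, the service is a volume multiplier.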