Re: DDoS - CoD?
Sadly I see these all the time, and Valve's SRCDS is vulnerable as well (AFAIK any Q3 engine game is too). There are unofficial patches for Source but I wish Valve and others would fix it for good.

Normally I see these types of attacks in the 1-2Gbps range but we recently have seen them in the 5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each sending 1-2Mbps.

http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam

The issue was partially resolved with Team Fortress 2 servers.

I've also seen something similar to these but with DNS data.

On Tue, Sep 6, 2011 at 1:19 PM, George Herbert george.herb...@gmail.com wrote:

Arrgghhh. This reminds me of the WebNFS attack. Which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program.

Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source verification.

Amplification attacks are a classic easy DDOS win.

-george

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter je...@he.net wrote:

Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)

You send \xff\xff\xff\xffgetstatus\n in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B - ~500B) and the number of CoD servers in the world you could very easily build up a sizable attack.

--
Jeff Walter
Network Engineer
Hurricane Electric

--
-george william herbert
george.herb...@gmail.com
Re: DDoS - CoD? - Activision contact
On 9/6/2011 6:02 AM, BH wrote:

Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again, much self-hate) I pulled one of my old master query scripts out of mothballs and checked. You are not listed on the CoD4 master server (assuming you did not alter the UDP frames you originally posted). If you were you would be seeing getInfo and getStatus queries, but you're not. You're seeing the getInfoResponse and getStatusResponse packets from a server which is listed on the master server.

This is an attack, nothing sinister is happening. Your best bet is to filter all UDP traffic except for what you need (DNS comes to mind). You might also want to get in contact with killku...@hotmail.com and encourage them to install the previously mentioned patched server executable to prevent their server from being used as an attack amplifier.

--
Jeff Walter
Network Engineer
Hurricane Electric
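A small triage helper for the distinction Jeff draws above: a host listed on a master server receives getinfo/getstatus queries, while a host being used as the reflection victim receives infoResponse/statusResponse packets it never asked for. This is an added example, not code from the thread or from any game server; the four-0xff header, the command spellings and the sample packets are assumptions and constructed data.

```python
from collections import Counter

# Assumed wire format: Quake III-engine out-of-band packets start with four
# 0xff bytes followed by a command word; queries and replies differ only in
# that word. The command spellings are assumptions, matched case-insensitively.
OOB_HEADER = b"\xff\xff\xff\xff"
QUERY_CMDS = {b"getinfo", b"getstatus"}
RESPONSE_CMDS = {b"inforesponse", b"statusresponse",
                 b"getinforesponse", b"getstatusresponse"}

def classify(payload: bytes) -> str:
    """Return 'query', 'response' or 'other' for one UDP payload."""
    if not payload.startswith(OOB_HEADER):
        return "other"
    body = payload[len(OOB_HEADER):]
    # The command word ends at the first newline or space (arguments follow).
    cmd = body.split(b"\n", 1)[0].split(b" ", 1)[0].strip().lower()
    if cmd in QUERY_CMDS:
        return "query"
    if cmd in RESPONSE_CMDS:
        return "response"
    return "other"

def triage(packets):
    """Summarise (src_ip, payload) pairs seen at our address. Queries mean we
    are listed as a game server; unsolicited responses mean we are the victim."""
    kinds, reflectors, sizes = Counter(), set(), []
    for src, payload in packets:
        kind = classify(payload)
        kinds[kind] += 1
        if kind == "response":
            reflectors.add(src)  # each distinct source is one reflector
            sizes.append(len(payload))
    if kinds["response"] > kinds["query"]:
        verdict = "reflection_victim"
    elif kinds["query"]:
        verdict = "listed_on_master"
    else:
        verdict = "unknown"
    return {"query": kinds["query"], "response": kinds["response"],
            "other": kinds["other"], "reflectors": len(reflectors),
            "mean_response_bytes": sum(sizes) / len(sizes) if sizes else 0,
            "verdict": verdict}

# Constructed sample: replies from three servers to a getstatus we never sent
# (dots stand in for the infostring and player list), plus one stray packet.
STATUS_REPLY = OOB_HEADER + b"statusResponse\n" + b"." * 300
SAMPLE = [("203.0.113.10", STATUS_REPLY), ("203.0.113.11", STATUS_REPLY),
          ("198.51.100.7", OOB_HEADER + b"infoResponse\n" + b"." * 100),
          ("203.0.113.10", STATUS_REPLY), ("192.0.2.5", b"GET / HTTP/1.0\r\n")]
```

Feeding real captured UDP payloads (e.g. from a pcap) in place of SAMPLE gives the reflector count and mean reply size, which is the amplification figure to quote when asking those server operators to patch.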
Re: DDoS - CoD?
On Sep 6, 2011, at 2:53 PM, BH wrote:

Has anyone seen similar traffic before?

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror. -- Oscar Wilde
RE: DDoS - CoD?
I have seen many udp/80 floods as well... pretty common.

John van Oppen
Spectrum Networks / AS11404

From: Dobbins, Roland [rdobb...@arbor.net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

Has anyone seen similar traffic before?

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror. -- Oscar Wilde
Re: DDoS - CoD?
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks on 80/udp but mainly as a source (e.g. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I looked at a couple of scripts and the data was usually random or just AA etc.

The thing that perplexed me is why it appears to be Call of Duty data more than anything...

Thanks
Re: DDoS - CoD?
Could be legitimate CoD servers responding to a spoofed query? How much traffic are you talking about out of curiosity?

Regards
Greg

On Tue, Sep 6, 2011 at 6:03 PM, BH li...@blackhat.bz wrote:

On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks on 80/udp but mainly as a source (e.g. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I looked at a couple of scripts and the data was usually random or just AA etc.

The thing that perplexed me is why it appears to be Call of Duty data more than anything...

Thanks
Re: DDoS - CoD?
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:

Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor sap's hotmail address is embedded in it.

How much traffic are you talking about out of curiosity?

Regards
Greg

On Tue, Sep 6, 2011 at 6:03 PM, BH li...@blackhat.bz wrote:

On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks on 80/udp but mainly as a source (e.g. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I looked at a couple of scripts and the data was usually random or just AA etc.

The thing that perplexed me is why it appears to be Call of Duty data more than anything...

Thanks

--
The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
Re: DDoS - CoD? - Activision contact
Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US.

For anyone interested, there seems to be some info here: http://forums.steampowered.com/forums/showthread.php?t=1670090, with the packet capture I have and the symptoms looking very alike the example in my original email.

I found an earlier example as well with similar symptoms: http://forums.srcds.com/viewtopic/15737

Is there anyone from Activision on the list or does anyone have an Activision contact? Replies off list welcome, I can provide more details there.

On 6/09/2011 6:10 PM, Alexander Harrowell wrote:

On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:

Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor sap's hotmail address is embedded in it.

How much traffic are you talking about out of curiosity?

Regards
Greg

On Tue, Sep 6, 2011 at 6:03 PM, BH li...@blackhat.bz wrote:

On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks on 80/udp but mainly as a source (e.g. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I looked at a couple of scripts and the data was usually random or just AA etc.

The thing that perplexed me is why it appears to be Call of Duty data more than anything...

Thanks
Re: DDoS - CoD?
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)

You send \xff\xff\xff\xffgetstatus\n in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B - ~500B) and the number of CoD servers in the world you could very easily build up a sizable attack.

--
Jeff Walter
Network Engineer
Hurricane Electric
Re: DDoS - CoD?
Recently (last month) Ryan Gordon (the person responsible for porting COD to Linux) released a patch for cod4 servers to address this specific issue. Here is the announcement and a link to the original email as well. The discussion also indicated that all of the Quake III based games suffered from the same issue.

http://icculus.org/pipermail/cod/2011-August/015397.html

So we're getting reports of DDoS attacks, where botnets will send infostring queries to COD4 dedicated servers as fast as possible with spoofed addresses. They send a small UDP packet, and the server replies with a larger packet to the faked address. Multiply this by however fast you can stuff UDP packets into the server's incoming packet buffer per frame, times 7500+ public COD4 servers, and you can really bring a victim to its knees with a serious flood of unwanted packets.

I've got a patch for COD4 for this, and I need admins to test it before I make an official release.

http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter je...@he.net wrote:

Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)

You send \xff\xff\xff\xffgetstatus\n in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B - ~500B) and the number of CoD servers in the world you could very easily build up a sizable attack.

--
Jeff Walter
Network Engineer
Hurricane Electric

--
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR 97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax: 541-684-0283
Re: DDoS - CoD?
Arrgghhh. This reminds me of the WebNFS attack. Which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program.

Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source verification.

Amplification attacks are a classic easy DDOS win.

-george

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter je...@he.net wrote:

Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)

You send \xff\xff\xff\xffgetstatus\n in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B - ~500B) and the number of CoD servers in the world you could very easily build up a sizable attack.

--
Jeff Walter
Network Engineer
Hurricane Electric

--
-george william herbert
george.herb...@gmail.com