Re: DDoS - CoD? - Activision contact

2011-09-07 Thread Jeff Walter

On 9/6/2011 6:02 AM, BH wrote:
Looking around, I believe the issue is that the IP has ended up on a 
master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again, 
much self-hate) I pulled one of my old master query scripts out of 
mothballs and checked.  You are not listed on the CoD4 master server 
(assuming you did not alter the UDP frames you originally posted).  If 
you were you would be seeing getInfo and getStatus queries, but 
you're not.  You're seeing the getInfoResponse and getStatusResponse 
packets from a server which is listed on the master server.  This is an 
attack, nothing sinister is happening.

Your best bet is to filter all UDP traffic except for what you need (DNS 
comes to mind).  You might also want to get in contact with 
killku...@hotmail.com and encourage them to install the previously 
mentioned patched server executable to prevent their server from being 
used as an attack amplifier.

--
Jeff Walter
Network Engineer
Hurricane Electric
attachment: jeffw.vcf
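
The distinction Jeff draws above (queries arrive if you are on the master list; responses arrive if your address is being spoofed at listed servers) can be checked mechanically against a capture. The following is an added example, not code from Jeff or anyone else in this thread. It assumes the Quake III out-of-band convention that CoD4 inherits: four 0xFF bytes followed by a command word, where getinfo/getstatus are queries and infoResponse/statusResponse (written getInfoResponse/getStatusResponse in the mail) are the answers. Addresses and payloads are constructed; the filler check at the end covers the "random or just AA" payloads mentioned later in the thread.

```python
"""Tell "we are listed on a master server" from "we are a reflection target".

Added example, not code from anyone in this thread. Quake III-derived games
(CoD4 among them) prefix server-browser traffic with four 0xFF bytes and a
command word: getinfo/getstatus are queries, infoResponse/statusResponse
are the answers. A host listed on a master sees inbound queries; a spoofed
victim sees inbound responses from servers it never queried. Addresses and
payloads below are constructed for the example.
"""
from collections import Counter

OOB = b"\xff\xff\xff\xff"  # Quake III out-of-band marker on every query/response


def classify_payload(payload: bytes) -> str:
    """Return 'query', 'response', 'filler' or 'other' for one UDP payload."""
    if not payload.startswith(OOB):
        # Not game traffic. One or two distinct byte values is the "AAAA..." style
        # filler typical of generic UDP floods.
        return "filler" if len(set(payload)) <= 2 else "other"
    tokens = payload[len(OOB):].split(None, 1)
    cmd = tokens[0].decode("latin-1", "replace").lower() if tokens else ""
    if cmd.endswith("response"):  # infoResponse, statusResponse, getserversResponse
        return "response"
    if cmd.startswith("get"):     # getinfo, getstatus, getchallenge, getservers
        return "query"
    return "other"


def analyse(capture, our_ip):
    """Summarise (src, sport, dst, dport, payload) records from our_ip's point of view.

    A response is solicited only if our_ip sent a query to that peer earlier in
    the capture; every other inbound response is attributed to a reflector.
    """
    queried_peers = set()
    inbound = Counter()
    reflectors = Counter()
    for src, _sport, dst, _dport, payload in capture:
        kind = classify_payload(payload)
        if src == our_ip:
            if kind == "query":
                queried_peers.add(dst)
            continue
        if dst != our_ip:
            continue
        inbound[kind] += 1
        if kind == "response" and src not in queried_peers:
            reflectors[src] += 1
    unsolicited = sum(reflectors.values())
    if inbound["query"] > inbound["response"]:
        verdict = "listed_on_master"      # clients/masters are asking us for data
    elif unsolicited:
        verdict = "reflection_target"     # servers are answering queries we never sent
    else:
        verdict = "normal"
    return {
        "inbound": dict(inbound),
        "reflectors": dict(reflectors),
        "unsolicited_responses": unsolicited,
        "verdict": verdict,
    }


OUR_IP = "203.0.113.10"  # constructed victim address (TEST-NET-3)


def status_response(hostname: str) -> bytes:
    """Build a constructed statusResponse: info string, then one line per player."""
    info = f"\\sv_hostname\\{hostname}\\g_gametype\\war\\sv_maxclients\\32\\mapname\\mp_crash"
    players = "".join(f'{10 * i} {50 + i} "player{i}"\n' for i in range(1, 6))
    return OOB + b"statusResponse\n" + info.encode() + b"\n" + players.encode()


# Constructed capture: one query we sent and its answer, three answers we never
# asked for arriving on UDP/80, and one generic filler packet.
SAMPLE_CAPTURE = [
    (OUR_IP, 40000, "198.51.100.7", 28960, OOB + b"getstatus xxx"),
    ("198.51.100.7", 28960, OUR_IP, 40000, status_response("Friendly server")),
    ("198.51.100.21", 28960, OUR_IP, 80, status_response("Reflector A")),
    ("198.51.100.21", 28960, OUR_IP, 80, status_response("Reflector A")),
    ("198.51.100.22", 28960, OUR_IP, 80, OOB + b"infoResponse\n\\hostname\\Reflector B\\clients\\12"),
    ("198.51.100.99", 5555, OUR_IP, 80, b"A" * 64),
]

if __name__ == "__main__":
    summary = analyse(SAMPLE_CAPTURE, OUR_IP)
    print(summary["verdict"], summary["reflectors"])
```

Run against a real capture, the per-source counts in `reflectors` are the servers whose operators would need the patched executable Jeff mentions, and the verdict is what separates "remove us from the master list" from "filter the unsolicited UDP".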

Re: DDoS - CoD? - Activision contact

2011-09-06 Thread BH
Looking around, I believe the issue is that the IP has ended up on a 
master game list, so we are now getting the queries directed at US.

For anyone interested, there seems to be some info here:

http://forums.steampowered.com/forums/showthread.php?t=1670090

With the packet capture I have and the symptoms looking very much like the 
example in my original email.

I found an earlier example as well with similar symptoms:
http://forums.srcds.com/viewtopic/15737

Is there anyone from Activision on the list or does anyone have an 
Activision contact? Replies off list welcome, I can provide more details 
there.

On 6/09/2011 6:10 PM, Alexander Harrowell wrote:

On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:

Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor
sap's hotmail address is embedded in it.

How much traffic are you talking about out of curiosity?

Regards
Greg

On Tue, Sep 6, 2011 at 6:03 PM, BHli...@blackhat.bz  wrote:

On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear, sorry. I too have frequently seen attacks
on 80/udp but mainly as a source (e.g. compromised hosting accounts)
rather than the destination. I didn't in the past do a packet capture,
but I looked at a couple of scripts and the data was usually random or
just AA etc. The thing that perplexed me is why it appears to be
Call of Duty data more than anything...

Thanks