DDoS - CoD?

2011-09-06 Thread BH
Hi all, I am wondering if anyone has seen a large DDoS before, specifically on port 80 UDP with data that seems to be relating to Call of Duty 4. I did a quick packet capture, and the payload looks like this:

14:50:42.716247 IP Y1.YY.YY.YY.28960 > XX.XX.XX.XX.80: UDP, length 499
0x:

Re: DDoS - CoD?

2011-09-06 Thread Dobbins, Roland
On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before?

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using

RE: DDoS - CoD?

2011-09-06 Thread John van Oppen
I have seen many udp/80 floods as well... pretty common.

John van Oppen
Spectrum Networks / AS11404

From: Dobbins, Roland [rdobb...@arbor.net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS

Re: DDoS - CoD?

2011-09-06 Thread BH
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

> I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland, I should be a bit more clear, sorry. I too have frequently seen attacks on 80/udp, but mainly as a source (e.g. compromised hosting accounts) rather than the destination. I didn't in the pa

Re: DDoS - CoD?

2011-09-06 Thread Greg Chalmers
Could be legitimate CoD servers responding to a spoofed query? How much traffic are you talking about, out of curiosity?

Regards
Greg

On Tue, Sep 6, 2011 at 6:03 PM, BH wrote:

> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> > I've seen DDoS traffic on UDP/80 as far back as 2002
> Hi Roland,
>

Re: DDoS - CoD?

2011-09-06 Thread Alexander Harrowell
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:

> Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor sap's hotmail address is embedded in it.

> How much traffic are you talking about out of curiosity?
>

Re: DDoS - CoD?

2011-09-06 Thread Jeff Walter
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff) You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything

Re: DDoS - CoD?

2011-09-06 Thread Mark Grigsby
Recently (last month) Ryan Gordon (the person responsible for porting COD to Linux) released a patch for cod4 servers to address this specific issue. Here is the announcement and a link to the original email as well. The discussion also indicated that all of the Quake III based games suffered fro

Re: DDoS - CoD?

2011-09-06 Thread George Herbert
Arrgghhh This reminds me of the WebNFS attack. Which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program. Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source v

Re: DDoS - CoD?

2011-09-08 Thread Ryan Gelobter
Sadly I see these all the time, and Valve's SRCDS is vulnerable as well (AFAIK any Q3 engine game is too). There are unofficial patches for source but I wish Valve and others would fix it for good. Normally I see these types of attacks in the 1-2Gbps range but we recently have seen them in the 5-8G

Re: DDoS - CoD? - Activision contact

2011-09-06 Thread BH
Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US. For anyone interested, there seems to be some info here: http://forums.steampowered.com/forums/showthread.php?t=1670090 With the packet capture I have and th

Re: DDoS - CoD? - Activision contact

2011-09-07 Thread Jeff Walter
On 9/6/2011 6:02 AM, BH wrote:

> Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again, much self-hate) I pulled one of my old master query scri