Recently (last month) Ryan Gordon (the person responsible for porting COD to Linux) released a patch for cod4 servers to address this specific issue. Here is the announcement and a link to the original email as well. The discussion also indicated that all of the Quake III based games suffered from the same issue. http://icculus.org/pipermail/cod/2011-August/015397.html

So we're getting reports of DDoS attacks, where botnets will send infostring queries to COD4 dedicated servers as fast as possible with spoofed addresses. They send a small UDP packet, and the server replies with a larger packet to the faked address. Multiply this by however fast you can stuff UDP packets into the server's incoming packet buffer per frame, times 7500+ public COD4 servers, and you can really bring a victim to its knees with a serious flood of unwanted packets.
I've got a patch for COD4 for this, and I need admins to test it before I make an official release.
http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in world you could very easily build up a sizable attack.
--
Jeff Walter
Network Engineer
Hurricane Electric
--
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR 97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax: 541-684-0283
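The mitigation the thread describes (limiting how often a server answers connectionless queries per source address, so a spoofed victim receives at most a bounded number of the ~500-byte replies) can be illustrated with a small simulation. The code below is an added example written for this page; it is not Ryan Gordon's query-limit patch nor any code from the icculus.org tree. It assumes the `\xff\xff\xff\xff` out-of-band prefix and the `getstatus` command quoted in the thread, treats `getinfo` as a second query command (an assumption about the protocol, not something the thread states), and uses the 15 B / 500 B sizes Jeff Walter quotes. All addresses and packets are constructed sample data.

```python
import time
from collections import defaultdict

# Connectionless ("out-of-band") packet marker used by Quake III-derived servers (from the thread).
OOB_PREFIX = b"\xff\xff\xff\xff"
# Query commands whose replies we rate-limit. "getstatus" is quoted in the thread;
# "getinfo" is an assumed second query command of the same family.
QUERY_COMMANDS = (b"getstatus", b"getinfo")


class QueryRateLimiter:
    """Per-source fixed-window limiter for replies to connectionless queries.

    Constructed example, not the project's patch. Each source address may receive at
    most `max_per_window` query replies per `window_seconds`; further queries from that
    address are dropped (no reply sent), which bounds what a spoofed victim can receive.
    """

    def __init__(self, max_per_window, window_seconds, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock
        self.buckets = {}                 # addr -> (replies_in_window, window_start)
        self.dropped = defaultdict(int)   # addr -> queries suppressed

    @staticmethod
    def is_oob_query(payload):
        """True if the datagram is a connectionless query we answer with an info string."""
        if not payload.startswith(OOB_PREFIX):
            return False
        parts = payload[len(OOB_PREFIX):].split()
        return bool(parts) and parts[0].lower() in QUERY_COMMANDS

    def allow(self, addr, payload):
        """Return True if the server should reply to this datagram."""
        if not self.is_oob_query(payload):
            return True   # only query replies are amplified; other traffic is untouched here
        now = self.clock()
        count, start = self.buckets.get(addr, (0, now))
        if now - start >= self.window:
            count, start = 0, now         # new window for this source
        if count >= self.max_per_window:
            self.dropped[addr] += 1
            self.buckets[addr] = (count, start)
            return False
        self.buckets[addr] = (count + 1, start)
        return True


def build_sample_packets():
    """Constructed traffic: 200 spoofed getstatus queries claiming to come from a victim
    address within 0.2 s, plus one legitimate query and one non-query packet."""
    query = OOB_PREFIX + b"getstatus\n"
    packets = [(i * 0.001, "203.0.113.10", query) for i in range(200)]   # spoofed victim
    packets.append((0.050, "198.51.100.7", query))                        # legitimate client
    packets.append((0.060, "198.51.100.7", OOB_PREFIX + b"connect"))      # not a query
    return sorted(packets, key=lambda p: p[0])


def simulate_flood(packets, max_per_window=1, window_seconds=1.0, reply_size=500):
    """Run packets through the limiter; return reply counts and bytes sent per address."""
    now = [0.0]
    limiter = QueryRateLimiter(max_per_window, window_seconds, clock=lambda: now[0])
    answered_queries = 0
    bytes_to_addr = defaultdict(int)
    unlimited_bytes = defaultdict(int)   # what an unpatched server would have sent
    for ts, addr, payload in packets:
        now[0] = ts
        if limiter.is_oob_query(payload):
            unlimited_bytes[addr] += reply_size
        if limiter.allow(addr, payload) and limiter.is_oob_query(payload):
            answered_queries += 1
            bytes_to_addr[addr] += reply_size
    return {
        "answered_queries": answered_queries,
        "dropped": dict(limiter.dropped),
        "bytes_to_addr": dict(bytes_to_addr),
        "unlimited_bytes": dict(unlimited_bytes),
    }


if __name__ == "__main__":
    result = simulate_flood(build_sample_packets())
    for addr, sent in result["unlimited_bytes"].items():
        print(f"{addr}: unpatched server would send {sent} B, "
              f"limited server sends {result['bytes_to_addr'].get(addr, 0)} B")
```

With one reply per address per second, the spoofed victim receives a single 500-byte reply instead of 100 KB from this one server, while the legitimate client's query is still answered. The limit only bounds replies per destination; a per-server global cap on query replies per frame is the complementary control, since the spoofed addresses need not all be the same.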