Sadly I see these all the time, and Valve's SRCDS is vulnerable as well (AFAIK any Q3 engine game is too). There are unofficial patches for Source, but I wish Valve and others would fix it for good. Normally I see these types of attacks in the 1-2Gbps range, but we have recently seen them in the 5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each sending 1-2Mbps.

http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam

The issue was partially resolved with Team Fortress 2 servers.

I've also seen something similar to these but with DNS data.

U XXX.XXX.XXX.XXX:53 -> XXX.XXX.XXX.XXX:53
.S.....!.....icann.org..............D.. ........................D....+..........X.........XNq..Nh.m7/.icann.org.....Y.W+...zzJ ...d.8S...;...U..[~[..}z+].Ov(......;\Gx......g.....wv...&...S....\y.-..4.'.Z..u.?..f.!...<L..o .wtE....E.M......,.e.......X.. ...pechora4.e.e.......X.....pechora5.e.e.......X.....pechora6.e.e.......X.....pechora7.e.e.......X.....pechora8.e.e.......X... ..pechora1.e.e.......X.....pechora2.e.e.......X.....pechora3.e.e.......X.........XNq.(Nh.m7/.icann.org.j...N..#{Gr.+G........B ..Rl.4..[......}\.........u. ...'..g.....qd.y#1..[8rw1......i...g...f\.a.$2.k....v64.pKv...1./..|......C..........X.........XN q."Nh.m7/.icann.org..1...^:.....}.....w.?..........*.........+D..(b.".....-av.X.b.K.|..R..+."i......=E.a....l.vmMqe)....i.}*Z. .&......`..|..............................Nqb.Nh.m7/.icann.org.{.g.h"h..z..0UV.I.-.v...rZK..t.<?.l8...n...R.....x"8O...$vSR..3 ._...a.... ......o.7.wk...r....X..?n9.(...fk-...~..h.E..y".5...;..(.........(.dns1.(.hostmaster.(w.....*0......u......(....... ....3......Nq..Nh.m7/.icann.org.v5/5J....{..[.c..e.....z...;x9...DR.....^B..V..........q|.........w.D.{..eb......\...G'...=L.. ..~^.......6......6...<D..k..........3.............P0.t.................0......Nq.RNh.m...icann.org.@W. ...i..Lj.....j..c%..Y..
......._K=.j..E...u.`.....L..=,.i....K._.9....8X.G...V1J...N.B.....k8..5.I..Pk..#..Vs.X.Ax...P>....d7~~..$.[..{.........l.8... e...&:=S2.l.}W.@#.e.LN.j..7g.s..4/52.@...[MUXu.f9U.y~rXFH/......O<.......'..<.....y.j.

On Tue, Sep 6, 2011 at 1:19 PM, George Herbert <george.herbert@gmail.com> wrote:
Arrgghhh....
This reminds me of the WebNFS attack, which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program.
Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source verification. Amplification attacks are a classic easy DDoS win.
-george
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in the world you could very easily build up a sizable attack.
--
Jeff Walter
Network Engineer
Hurricane Electric
--
-george william herbert
george.herbert@gmail.com
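Added example (not code from this thread, from id Software, Valve or the AlliedModders wiki): the getstatus exchange Jeff describes, modelled both as the reflector behaves today and with the "in-band source verification" George asks for. The request bytes are the ones quoted above; the statusResponse layout (infostring of \key\value pairs followed by one line per player) is the Q3 connectionless format, but the sample response, its sizes, the challenge scheme, the 60-second window and the secret are all assumptions made for this example. The hardened handler answers a bare getstatus with only a short challenge and sends the full status to a source that echoes a challenge computed for its own address, the same idea Q3 already applies to connecting clients.

```python
import hmac
import hashlib

Q3_HEADER = b"\xff\xff\xff\xff"                  # Q3 "connectionless" packet marker
GETSTATUS_REQUEST = Q3_HEADER + b"getstatus\n"   # the probe quoted in the thread

# Constructed sample of a statusResponse: an infostring of \key\value pairs,
# then one 'score ping "name"' line per player. All values are made up.
SAMPLE_STATUS_RESPONSE = (
    Q3_HEADER + b"statusResponse\n"
    + b"\\sv_hostname\\Constructed Test Server\\mapname\\q3dm17"
    + b"\\g_gametype\\0\\sv_maxclients\\16\\version\\ioq3 1.36 linux-x86_64"
    + b"\\sv_privateClients\\0\\g_needpass\\0\\protocol\\68\n"
    + b'12 48 "Player_One"\n'
    + b'7 112 "Player_Two"\n'
    + b'0 999 "Player_Three"\n'
)


def parse_status_response(data):
    """Split a statusResponse into (cvars dict, [(score, ping, name), ...])."""
    if not data.startswith(Q3_HEADER):
        raise ValueError("missing Q3 connectionless header")
    lines = data[len(Q3_HEADER):].split(b"\n")
    if lines[0] != b"statusResponse":
        raise ValueError("not a statusResponse packet")
    fields = lines[1].split(b"\\")[1:]      # infostring starts with '\', drop the empty field
    if len(fields) % 2:
        raise ValueError("malformed infostring")
    cvars = {fields[i].decode(): fields[i + 1].decode() for i in range(0, len(fields), 2)}
    players = []
    for line in lines[2:]:
        if line:
            score, ping, name = line.split(b" ", 2)
            players.append((int(score), int(ping), name.strip(b'"').decode()))
    return cvars, players


def amplification_factor(request, response):
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(request)


def handle_unverified(src, data, now):
    """The vulnerable behaviour from the thread: any getstatus gets the full status."""
    return SAMPLE_STATUS_RESPONSE if data == GETSTATUS_REQUEST else None


SECRET = b"constructed-secret-rotate-in-production"   # assumption: a per-server secret


def make_challenge(src, now, secret=SECRET):
    """Stateless challenge bound to the claimed source address and a 60 s window
    (SYN-cookie style), so a spoofed flood cannot fill a table of pending challenges."""
    ip, port = src
    window = int(now) // 60
    mac = hmac.new(secret, f"{ip}:{port}:{window}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16].encode()


def handle_verified(src, data, now):
    """Hardened: a bare getstatus only earns a short challenge; the full status is
    sent only to a source that echoes a challenge computed for its own address."""
    if not data.startswith(Q3_HEADER + b"getstatus"):
        return None
    args = data[len(Q3_HEADER) + len(b"getstatus"):].split()
    if not args:
        return Q3_HEADER + b"challenge " + make_challenge(src, now) + b"\n"
    # accept the current and the previous window so a reply straddling a boundary works
    for t in (now, now - 60):
        if hmac.compare_digest(args[0], make_challenge(src, t)):
            return SAMPLE_STATUS_RESPONSE
    return None   # wrong or expired challenge: reflect nothing


if __name__ == "__main__":
    cvars, players = parse_status_response(SAMPLE_STATUS_RESPONSE)
    print("unverified factor:", amplification_factor(GETSTATUS_REQUEST, SAMPLE_STATUS_RESPONSE))
    chal = handle_verified(("203.0.113.7", 27960), GETSTATUS_REQUEST, 1000.0)
    print("challenge-only factor:", amplification_factor(GETSTATUS_REQUEST, chal))
```

The challenge reply is still a few bytes larger than the request, so the reflector is not amplification-free, but the ratio is bounded at roughly 2x instead of the ~30x of a full status, and a spoofed attacker never sees the challenge (it goes to the victim) so it cannot unlock the large reply. A per-source rate limit, the approach the AlliedModders hardening page takes, lowers the volume a single reflector contributes but cannot distinguish a spoofed source from a real one; only the echoed challenge does that.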