I see these types of reflection/amplification attacks pretty frequently. Some games (mostly older games) are exploitable in this manner. The attacker sends a short spoofed request, and the game server sends back a huge chunk of data aimed at you. The chances of you finding the actual source are pretty slim. Usually this type of attack is going to be coming from / going to a specific port that you (or your upstream provider) can ACL.

Clayton
Hi everybody,

For the last two days I was under an interesting attack which comes from multiple sources and is destined to three of my ADSL users. The attack makes the router run out of CPU and we had to reload it to solve it. I asked those three users and they said they are only game players, and all of them were kids. I think they told the truth; they told me they are playing: http://intl.garena.com/

The attacks take only 20 or 30 minutes and happened only 4 times in two days. I couldn't capture any packets, but this is the output of my "show ip accounting" at that time:
Source           Destination      Packets  Bytes
212.180.138.90   128.141.119.209  117      5148
135.62.255.246   128.141.119.209  117      5148
46.136.27.13     128.141.119.209  117      5148
25.181.84.74     128.141.119.209  117      5148
108.0.207.17     128.141.119.209  117      5148
181.95.89.1      128.141.119.209  117      5148
36.161.28.42     128.141.119.209  117      5148
39.130.139.157   128.141.119.209  117      5148
139.81.4.106     128.141.119.209  117      5148
3.229.28.78      128.141.119.209  117      5148
115.28.11.208    128.141.119.209  117      5148
206.42.151.199   128.141.119.209  117      5148
213.221.149.41   128.141.119.209  117      5148
81.203.234.196   128.140.109.209  117      5148
43.134.71.94     128.141.119.209  117      5148
157.69.74.39     128.141.119.209  117      5148
16.206.47.71     128.141.119.209  117      5148
If you have any information in this field and you can help me find who is behind this, please share.

Thanks
--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
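
Added example, not part of either post: a Python sketch that summarizes "show ip accounting" rows per destination, reporting the number of distinct sources, whether every source shows identical packet/byte counters, and the mean packet size. The sample rows are a subset copied from the output above; the function names and the min_sources threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Subset of the rows from the "show ip accounting" output in the post.
SAMPLE = """\
Source           Destination      Packets  Bytes
212.180.138.90   128.141.119.209  117      5148
135.62.255.246   128.141.119.209  117      5148
46.136.27.13     128.141.119.209  117      5148
25.181.84.74     128.141.119.209  117      5148
81.203.234.196   128.140.109.209  117      5148
43.134.71.94     128.141.119.209  117      5148
"""

def parse_accounting(text):
    """Yield (source, destination, packets, bytes) from accounting rows."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a 4-column data row.
        if len(fields) != 4 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        yield fields[0], fields[1], int(fields[2]), int(fields[3])

def summarize(text):
    """Per destination: distinct sources, uniform counters, mean packet size."""
    by_dst = defaultdict(list)
    for src, dst, pkts, nbytes in parse_accounting(text):
        by_dst[dst].append((src, pkts, nbytes))
    report = {}
    for dst, rows in by_dst.items():
        total_pkts = sum(p for _, p, _ in rows)
        total_bytes = sum(b for _, _, b in rows)
        report[dst] = {
            "sources": len({s for s, _, _ in rows}),
            "uniform": len({(p, b) for _, p, b in rows}) == 1,
            "mean_pkt_bytes": total_bytes / total_pkts if total_pkts else 0.0,
        }
    return report

def suspicious(report, min_sources=5):
    """Destinations hit by many sources with identical counters (assumed threshold)."""
    return sorted(d for d, r in report.items()
                  if r["sources"] >= min_sources and r["uniform"])

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for dst in suspicious(rep):
        print(dst, rep[dst])
```

Many unrelated sources that each show exactly the same packet and byte counters toward one destination are a pattern worth checking against the traffic's port and protocol before writing an ACL.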