Hi all, I am wondering if anyone has seen a large DDoS before, specifically on port 80 UDP with data that seems to be relating to Call of Duty 4. I did a quick packet capture, and the payload looks like this: 14:50:42.716247 IP Y1.YY.YY.YY.28960 > XX.XX.XX.XX.80: UDP, length 499 0x0000: 4500 020f 0000 4000 2a11 5203 58bf 8138 E.....@.*.R.X..8 0x0010: cbaa 5739 7120 0050 01fb 3e2e ffff ffff ..W9q..P..>..... 0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\ 0x0030: 5f41 646d 696e 5c6b 696c 6c6b 7574 6572 _Admin\killkuter 0x0040: 5c5f 456d 6169 6c5c 6b69 6c6c 6b75 7465 \_Email\killkute 0x0050: 7240 686f 746d 6169 6c2e 636f 6d5c 5f4c r@hotmail.com\_L 0x0060: 6f63 6174 696f 6e5c 4652 5c5f 6d61 6e75 ocation\FR\_manu 0x0070: 6164 6d69 6e6d 6f64 5c30 2e31 312e 3320 adminmod\0.11.3. 0x0080: 6265 7461 5c5f 5765 6273 6974 655c 6874 beta\_Website\ht 0x0090: 7470 3a2f 2f77 7777 2e73 7974 2e74 6561 tp://www.syt.tea 0x00a0: 6d2e 7374 5c67 5f63 6f6d 7061 7373 5368 m.st\g_compassSh 0x00b0: 6f77 456e 656d 6965 735c 305c 675f 6761 owEnemies\0\g_ga 0x00c0: 6d65 7479 7065 5c77 6172 5c67 616d 656e metype\war\gamen 0x00d0: 616d 655c 4361 6c6c 206f 6620 4475 7479 ame\Call.of.Duty 0x00e0: 2034 5c6d 6170 6e61 6d65 5c6d 705f 626c .4\mapname\mp_bl 0x00f0: 6f63 5c70 726f 746f 636f 6c5c 365c 7368 oc\protocol\6\sh 0x0100: 6f72 7476 6572 7369 6f6e 5c31 2e37 5c73 ortversion\1.7\s 0x0110: 765f 616c 6c6f 7741 6e6f 6e79 6d6f 7573 v_allowAnonymous 0x0120: 5c30 5c73 765f 6469 7361 626c 6543 6c69 \0\sv_disableCli 0x0130: 656e 7443 6f6e 736f 6c65 5c30 5c73 765f entConsole\0\sv_ 0x0140: 666c 6f6f 6470 726f 7465 6374 5c31 5c73 floodprotect\1\s 0x0150: 765f 686f 7374 6e61 6d65 5c5e 3120 5359 v_hostname\^1.SY 0x0160: 5420 2d20 5e33 5444 4d20 4843 202d 205e T.-.^3TDM.HC.-.^ 0x0170: 3120 6372 6163 6b20 5c73 765f 6d61 7863 1.crack.\sv_maxc 0x0180: 6c69 656e 7473 5c32 305c 7376 5f6d 6178 lients\20\sv_max 0x0190: 5069 6e67 5c31 3530 5c73 765f 6d61 7852 Ping\150\sv_maxR 0x01a0: 6174 655c 3235 3030 305c 7376 5f6d 696e ate\25000\sv_min 0x01b0: 5069 6e67 5c30 5c73 765f 7072 6976 6174 Ping\0\sv_privat 0x01c0: 6543 6c69 656e 7473 5c36 5c73 765f 7075 eClients\6\sv_pu 0x01d0: 6e6b 6275 7374 6572 5c30 5c73 765f 7075 nkbuster\0\sv_pu 0x01e0: 7265 5c31 5c73 765f 766f 6963 655c 305c re\1\sv_voice\0\ 0x01f0: 7569 5f6d 6178 636c 6965 6e74 735c 3332 ui_maxclients\32 0x0200: 5c70 7377 7264 5c30 5c6d 6f64 5c30 0a \pswrd\0\mod\0. 14:50:42.716292 IP Y1.YY.YY.YY.28965 > XX.XX.XX.XX.80: UDP, length 870 0x0000: 4500 0382 0000 4000 2f11 27e7 c1c0 3be0 E.....@./.'...;. 0x0010: cbaa 5739 7125 0050 036e 1547 ffff ffff ..W9q%.P.n.G.... 0x0020: 7374 6174 7573 5265 7370 6f6e 7365 0a5c statusResponse.\ 0x0030: 7368 6f72 7476 6572 7369 6f6e 5c30 2e34 shortversion\0.4 0x0040: 2d34 325c 7376 5f6d 6178 636c 6965 6e74 -42\sv_maxclient 0x0050: 735c 3138 5c5f 4164 6d69 6e5c 447a 696e s\18\_Admin\Dzin 0x0060: 5c5f 456d 6169 6c5c 6164 6d69 6e40 6261 \_Email\admin@ba 0x0070: 6c6b 616e 2d77 6172 732e 636f 6d5c 5f4c lkan-wars.com\_L 0x0080: 6f63 6174 696f 6e5c 5468 6520 556e 696f ocation\The.Unio 0x0090: 6e20 6f66 2053 6f76 6965 7420 536f 6369 n.of.Soviet.Soci 0x00a0: 616c 6973 7469 6320 5265 7075 626c 6963 alistic.Republic 0x00b0: 735c 5f57 6562 7369 7465 5c68 7474 703a s\_Website\http: 0x00c0: 2f2f 6261 6c6b 616e 2d77 6172 732e 636f //balkan-wars.co 0x00d0: 6d5c 6169 775f 7265 6d6f 7465 4b69 636b m\aiw_remoteKick 0x00e0: 5c31 5c61 6977 5f73 6563 7572 655c 305c \1\aiw_secure\0\ 0x00f0: 675f 6761 6d65 7479 7065 5c77 6172 5c67 g_gametype\war\g 0x0100: 5f68 6172 6463 6f72 655c 305c 6761 6d65 _hardcore\0\game 0x0110: 6e61 6d65 5c49 5734 5c6d 6170 6e61 6d65 name\IW4\mapname 0x0120: 5c6d 705f 6272 6563 6f75 7274 5c70 726f \mp_brecourt\pro 0x0130: 746f 636f 6c5c 3134 345c 7363 725f 6761 tocol\144\scr_ga 0x0140: 6d65 5f61 6c6c 6f77 6b69 6c6c 6361 6d5c me_allowkillcam\ 0x0150: 315c 7363 725f 7465 616d 5f66 6674 7970 1\scr_team_fftyp 0x0160: 655c 305c 7376 5f61 6c6c 6f77 416e 6f6e e\0\sv_allowAnon 0x0170: 796d 6f75 735c 305c 7376 5f61 6c6c 6f77 ymous\0\sv_allow 0x0180: 436c 6965 6e74 436f 6e73 6f6c 655c 315c ClientConsole\1\ 0x0190: 7376 5f66 6c6f 6f64 5072 6f74 6563 745c sv_floodProtect\ 0x01a0: 315c 7376 5f68 6f73 746e 616d 655c 7c46 1\sv_hostname\|F 0x01b0: 5233 3344 4f4d 7c20 4669 6768 7465 7273 R33DOM|.Fighters 0x01c0: 2055 4b20 4e6f 5475 6265 2d4e 6f41 6b69 .UK.NoTube-NoAki 0x01d0: 6d62 6f2d 5444 4d20 3234 2f37 5c73 765f mbo-TDM.24/7\sv_ 0x01e0: 6d61 7850 696e 675c 3330 305c 7376 5f6d maxPing\300\sv_m 0x01f0: 6178 5261 7465 5c31 3530 3030 305c 7376 axRate\150000\sv 0x0200: 5f6d 696e 5069 6e67 5c30 5c73 765f 7072 _minPing\0\sv_pr 0x0210: 6976 6174 6543 6c69 656e 7473 5c30 5c73 ivateClients\0\s 0x0220: 765f 7072 6976 6174 6543 6c69 656e 7473 v_privateClients 0x0230: 466f 7243 6c69 656e 7473 5c30 0a30 2039 ForClients\0.0.9 0x0240: 3939 2022 5768 6974 6573 7061 726b 6c65 99."Whitesparkle 0x0250: 7322 0a30 2038 3920 226d 6174 7269 6361 s".0.89."matrica 0x0260: 2033 220a 3020 3734 2022 5368 616b 7567 .3".0.74."Shakug 0x0270: 616e 220a 3020 3536 2022 3336 3048 6561 an".0.56."360Hea 0x0280: 6453 686f 7422 0a36 3030 2037 3620 2261 dShot".600.76."a 0x0290: 7665 6c6c 7573 220a 3630 3020 3132 3220 vellus".600.122. 0x02a0: 2253 696c 7665 7222 0a34 3030 2031 3133 "Silver".400.113 0x02b0: 2022 4576 616c 6f6e 220a 3131 3030 2037 ."Evalon".1100.7 0x02c0: 3720 225e 345b 4d5e 3969 575e 345d 4465 7."^4[M^9iW^4]De 0x02d0: 725e 220a 3130 3020 3937 2022 416e 6472 r^".100.97."Andr 0x02e0: 6579 2053 756b 6163 6822 0a31 3030 2036 ey.Sukach".100.6 0x02f0: 3620 2244 7a65 6968 6e6f 3933 220a 3230 6."Dzeihno93".20 0x0300: 3020 3839 2022 5265 6e22 0a30 2031 3338 0.89."Ren".0.138 0x0310: 2022 d1d1 d1d0 220a 3230 3020 3334 2022 ."....".200.34." 0x0320: 7061 7631 220a 3430 3020 3138 3720 224b pav1".400.187."K 0x0330: 6172 6c6f 735f 3538 220a 3230 3020 3237 arlos_58".200.27 0x0340: 3020 226d 4f6e 7374 6572 220a 3730 3020 0."mOnster".700. 0x0350: 3137 3220 224d 6572 6365 6e61 7279 220a 172."Mercenary". 0x0360: 3130 3230 2039 3620 226e 696b 6f6c 6122 1020.96."nikola" 0x0370: 0a33 3030 2031 3234 2022 5349 444f 4922 .300.124."SIDOI" 0x0380: 0a00 As far as I know CoD 4 doesn't use port 80 UDP, and I can't see anything else that would. The box doesn't have anything listening for port 80/udp (it does run a web server) and never has. Has anyone seen similar traffic before? I am struggling to figure out what is causing this traffic, or if its existing traffic being replayed to try and avoid filters. Thanks
On Sep 6, 2011, at 2:53 PM, BH wrote:
Has anyone seen similar traffic before? I
I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over. In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
i have seen many udp/80 floods as well... pretty common. John van Oppen Spectrum Networks / AS11404 ________________________________________ From: Dobbins, Roland [rdobbins@arbor.net] Sent: Tuesday, September 06, 2011 1:00 AM To: North American Network Operators' Group Subject: Re: DDoS - CoD? On Sep 6, 2011, at 2:53 PM, BH wrote:
Has anyone seen similar traffic before? I
I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over. In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
I've seen DDoS traffic on UDP/80 as far back as 2002 Hi Roland,
I should be a bit more clear sorry, I too have frequently seen attacks on 80/udp but mainly as a source (eg. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I lookes at a couple of scripts and the data was usually randm or just AAAAAA etc. The thing that perplexed me is why it appears to be Call of Duty data more than anything... Thanks
Could be legitimate CoD servers responding to a spoofed query? How much traffic are you talking about out of curiosity? Regards Greg On Tue, Sep 6, 2011 at 6:03 PM, BH <lists@blackhat.bz> wrote:
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
I've seen DDoS traffic on UDP/80 as far back as 2002 Hi Roland,
I should be a bit more clear sorry, I too have frequently seen attacks on 80/udp but mainly as a source (eg. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I lookes at a couple of scripts and the data was usually randm or just AAAAAA etc. The thing that perplexed me is why it appears to be Call of Duty data more than anything...
Thanks
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
Could be legitimate CoD servers responding to a spoofed query?
My first thought looking at the packet dump. Interesting that some poor sap's hotmail address is embedded in it.
How much traffic are you talking about out of curiosity?
Regards Greg
On Tue, Sep 6, 2011 at 6:03 PM, BH <lists@blackhat.bz> wrote:
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
I've seen DDoS traffic on UDP/80 as far back as 2002 Hi Roland,
I should be a bit more clear sorry, I too have frequently seen attacks on 80/udp but mainly as a source (eg. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I lookes at a couple of scripts and the data was usually randm or just AAAAAA etc. The thing that perplexed me is why it appears to be Call of Duty data more than anything...
Thanks
-- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US. For anyone interested, there seems to be some info here: http://forums.steampowered.com/forums/showthread.php?t=1670090 With the packet capture I have and the symptoms looking very alike the example in my original email. I found an earlier example as well with similar symptoms: http://forums.srcds.com/viewtopic/15737 Is there anyone from Activision on the list or does anyone have an Activision contact? Replies off list welcome, I can provide more details there. On 6/09/2011 6:10 PM, Alexander Harrowell wrote:
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
Could be legitimate CoD servers responding to a spoofed query?
My first thought looking at the packet dump. Interesting that some poor sap's hotmail address is embedded in it.
How much traffic are you talking about out of curiosity?
Regards Greg
On Tue, Sep 6, 2011 at 6:03 PM, BH<lists@blackhat.bz> wrote:
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
I've seen DDoS traffic on UDP/80 as far back as 2002 Hi Roland,
I should be a bit more clear sorry, I too have frequently seen attacks on 80/udp but mainly as a source (eg. compromised hosting accounts) rather than the destination. I didn't in the past do a packet capture, but I lookes at a couple of scripts and the data was usually randm or just AAAAAA etc. The thing that perplexed me is why it appears to be Call of Duty data more than anything...
Thanks
On 9/6/2011 6:02 AM, BH wrote:
Looking around, I believe the issue is that the IP has ended up on a master game list, so we are now getting the queries directed at US.
Having written multiple versions of a Quake III master server (again, much self-hate) I pulled one of my old master query scripts out of mothballs and checked. You are not listed on the CoD4 master server (assuming you did not alter the UDP frames you originally posted). If you were you would be seeing "getInfo" and "getStatus" queries, but you're not. You're seeing the "getInfoResponse" and "getStatusResponse" packets from a server which is listed on the master server. This is an attack, nothing sinister is happening. Your best bet is to filter all UDP traffic except for what you need (DNS comes to mind). You might also want to get in contact with killkuter@hotmail.com and encourage them to install the previously mentioned patched server executable to prevent their server from being used as an attack amplifier. -- Jeff Walter Network Engineer Hurricane Electric
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff) You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in world you could very easily build up a sizable attack. -- Jeff Walter Network Engineer Hurricane Electric
Recently (last month) Ryan Gordon (the person responsible for porting COD to Linux) released a patch for cod4 servers to address this specific issue. Here is the announcement and a link to the original email as well. The discussion also indicated that all of the Quake III based games suffered from the same issue. http://icculus.org/pipermail/cod/2011-August/015397.html So we're getting reports of DDoS attacks, where botnets will send
infostring queries to COD4 dedicated servers as fast as possible with spoofed addresses. They send a small UDP packet, and the server replies with a larger packet to the faked address. Multiply this by however fast you can stuff UDP packets into the server's incoming packet buffer per frame, times 7500+ public COD4 servers, and you can really bring a victim to its knees with a serious flood of unwanted packets.
I've got a patch for COD4 for this, and I need admins to test it before I make an official release.
http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in world you could very easily build up a sizable attack.
-- Jeff Walter Network Engineer Hurricane Electric
-- Mark Grigsby Network Operations Manager PCINW (Preferred Connections Inc., NW) 3555 Gateway St. Ste. 205 Springfield, OR 97477 Voice: 800-787-3806 ext 408 DID: 541-762-1171 Fax: 541-684-0283
Arrgghhh.... This reminds me of the WebNFS attack. Which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program. Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source verification. Amplification attacks are a classic easy DDOS win. -george On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in world you could very easily build up a sizable attack.
-- Jeff Walter Network Engineer Hurricane Electric
-- -george william herbert george.herbert@gmail.com
Sadly I see these all the time, and Valve's SRCDS is vulnerable as well (AFAIK any Q3 engine game is too). There are unofficial patches for source but I wish Valve and others would fix it for good. Normally I see these types of attacks in the 1-2Gbps range but we recently have seen them in the 5-8Gbps and even 10-20Gbps range. That is about 5000-15000 servers each sending 1-2Mbps. http://wiki.alliedmods.net/SRCDS_Hardening#A2S_INFO_Spam The issue was partially resolved with Team Fortress 2 servers. I've also seen something similar to these but with DNS data. U XXX.XXX.XXX.XXX:53 -> XXX.XXX.XXX.XXX:53 .S.....!.....icann.org..............D.. ........................D....+..........X.........XNq..Nh.m7/.icann.org.....Y.W+...zzJ ...d.8S...;...U..[~[..}z+].Ov(......;\Gx......g.....wv...&...S....\y.-..4.'.Z..u.?..f.!...<L..o .wtE....E.M......,.e.......X.. ...pechora4.e.e.......X.....pechora5.e.e.......X.....pechora6.e.e.......X.....pechora7.e.e.......X.....pechora8.e.e.......X... ..pechora1.e.e.......X.....pechora2.e.e.......X.....pechora3.e.e.......X.........XNq.(Nh.m7/.icann.org.j...N..#{Gr.+G........B ..Rl.4..[......}\.........u. ...'..g.....qd.y#1..[8rw1......i...g...f\.a.$2.k....v64.pKv...1./..|......C..........X.........XN q."Nh.m7/.icann.org..1...^:.....}.....w.?..........*.........+D..(b.".....-av.X.b.K.|..R..+."i......=E.a....l.vmMqe)....i.}*Z. .&......`..|..............................Nqb.Nh.m7/.icann.org.{.g.h"h..z..0UV.I.-.v...rZK..t.<?.l8...n...R.....x"8O...$vSR..3 ._...a.... ......o.7.wk...r....X..?n9.(...fk-...~..h.E..y".5...;..(.........(.dns1.(.hostmaster.(w.....*0......u......(....... ....3......Nq..Nh.m7/.icann.org.v5/5J....{..[.c..e.....z...;x9...DR.....^B..V..........q|.........w.D.{..eb......\...G'...=L.. ..~^.......6......6...<D..k..........3.............P0.t.................0......Nq.RNh.m...icann.org.@W. ...i..Lj.....j..c%..Y.. ......._K=.j..E...u.`.....L..=,.i....K._.9....8X.G...V1J...N.B.....k8..5.I..Pk..#..Vs.X.Ax...P>....d7~~..$.[..{.........l.8... e...&:=S2.l.}W.@#.e.LN.j..7g.s..4/52.@...[MUXu.f9U.y~rXFH/......O<.......'..<.....y.j. On Tue, Sep 6, 2011 at 1:19 PM, George Herbert <george.herbert@gmail.com>wrote:
Arrgghhh....
This reminds me of the WebNFS attack. Which is why Sun aborted WebNFS's public launch, after I pointed it out during its Solaris 2.6 early access program.
Never run a volume-multiplying service on UDP if you can help it, exposed to the outside world, without serious in-band source verification. Amplification attacks are a classic easy DDOS win.
-george
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
Call of Duty is apparently using the same flawed protocol as Quake III servers, so you can think of it as an amplification attack. (I wish I'd forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed source, and the server responds with everything you see. With decent amplification (15B -> ~500B) and the number of CoD servers in world you could very easily build up a sizable attack.
-- Jeff Walter Network Engineer Hurricane Electric
-- -george william herbert george.herbert@gmail.com
participants (9)
-
Alexander Harrowell
-
BH
-
Dobbins, Roland
-
George Herbert
-
Greg Chalmers
-
Jeff Walter
-
John van Oppen
-
Mark Grigsby
-
Ryan Gelobter