DDoS Attacks Cause of Game Servers
Hi everybody,

Last two days I was under an interesting attack which comes from multiple sources to three of my ADSL users' destinations. The attack made the router run out of CPU and we had to reload it to solve it. I asked those three users and they said "we are only game players", and all of them were kids. I think they told the truth; they told me they were playing: http://intl.garena.com/

Attacks take only 20 or 30 minutes and it happened only 4 times in two days. I couldn't capture any packets but this is the output of my "show ip accounting" at that time:

Source           Destination       Packets  Bytes
212.180.138.90   128.141.119.209   117      5148
135.62.255.246   128.141.119.209   117      5148
46.136.27.13     128.141.119.209   117      5148
25.181.84.74     128.141.119.209   117      5148
108.0.207.17     128.141.119.209   117      5148
181.95.89.1      128.141.119.209   117      5148
36.161.28.42     128.141.119.209   117      5148
39.130.139.157   128.141.119.209   117      5148
139.81.4.106     128.141.119.209   117      5148
3.229.28.78      128.141.119.209   117      5148
115.28.11.208    128.141.119.209   117      5148
206.42.151.199   128.141.119.209   117      5148
213.221.149.41   128.141.119.209   117      5148
81.203.234.196   128.140.109.209   117      5148
43.134.71.94     128.141.119.209   117      5148
157.69.74.39     128.141.119.209   117      5148
16.206.47.71     128.141.119.209   117      5148
77.25.17.243     128.141.119.209   117      5148

If you have any information in this field and you can help me to find who is behind this, please share.

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
On 2013-01-31 08:04, Shahab Vahabzadeh wrote:
Hi everybody, Last two days I was under an interesting attack which comes from multiple sources to three of my ADSL users' destinations.
You say that it comes from multiple sources to 3 of your DSL users. The source/dest below, though, shows that the destination is at CERN in Switzerland, you know, the people who build black holes ;) The IP does not ping at the moment, but the whois indicates 'dyn' in the netname, thus that is not too surprising.
The attack made the router run out of CPU and we had to reload it to solve it. I asked those three users and they said we are only game players, and all of them were kids. I think they told the truth; they told me they were playing: http://intl.garena.com/
That does not look like a game, just another messenger / IM client.
Attacks take only 20 or 30 minutes and it happened only 4 times in two days. I couldn't capture any packets but this is the output of my "show ip accounting" at that time:
You'll be needing a bit more info than that... and 117 packets with a total of 5148 bytes is not a lot of traffic to put anything down (unless it is a targeted attack). You might though contact the CERN NOC, if you really think something is funny there. Timestamps might be very useful to provide though, especially if the IP is really dynamic.

Greets,
 Jeroen
Those IP addresses I sent were only a sample, it's 5 pages :D and not only those addresses. And you are looking at the target 128.141.X.Y; it's mine and I changed it because of the mailing list, maybe attackers are here. You must check the sources, not the destination.

Thanks

On Thu, Jan 31, 2013 at 11:06 AM, Jeroen Massar <jeroen@massar.ch> wrote:
-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
On Thu, Jan 31, 2013 at 11:23:11AM +0330, Shahab Vahabzadeh <sh.vahabzadeh@gmail.com> wrote a message of 55 lines which said:
Those IP addresses I sent were only a sample, it's 5 pages :D and not only those addresses.
Because the attacker attacks when they have a new opponent. They DoS it long enough to win a race, then start a new fight in the game.
And you are looking at the target 128.141.X.Y; it's mine and I changed it because of the mailing list, maybe attackers are here. You must check the sources, not the destination.
What Jeroen said is that source IP addresses are spoofed (which is common with UDP-based protocols such as the DNS). They are the victim's addresses, not the attacker's.
Hi.

The IPs you see are the exploited game servers, so "just" contact them, and send them the link below. There is a workaround for it: http://rankgamehosting.ru/index.php?showtopic=1320

We have had problems with this in the past. Usually we get "abuse complaints" from the admin of the game server(s) claiming one of our customers is DDoSing them, when in fact their servers are used to DDoS our customer(s). After explaining how the DDoS works and sending them the link above, they fix the problem on their side.

We have also tried to send abuse messages to the ISPs of the exploited servers, and can't say that we are pleased with the response: the small ISPs responded and took care of the issue (talked with their customers), most big ones didn't even send an ACK back.

When this attack type was used (1+ year ago) we had approx. 3.5 Gbit coming from the game servers.

On 2013-01-31 07:02, Stephane Bortzmeyer wrote:
-- 
Fredrik Holmqvist
I2B (Internet 2 Business)
070-740 5033
On 2013-01-31 08:53, Shahab Vahabzadeh wrote:
Those IP addresses I sent were only a sample, it's 5 pages :D and not only those addresses. And you are looking at the target 128.141.X.Y; it's mine
128.141.0.0/16 is CERN in Switzerland. Thus not yours, but "owned"(*) by noc@cern.ch (unless you work there, but I don't think that is the case...). If you have the need to hide your IP addresses, then do so properly by marking them as x.x.x.x; don't use other people's IP addresses as examples, that only causes alarm bells to ring and people to do unnecessary work. And then the next time you complain, people will nicely just ignore you.
and I changed it because of the mailing list, maybe attackers are here.
Obviously you have something to hide from and something that those attackers want to attack. That is the first problem that you need to solve IMHO; not having anything that needs to be attacked is a very good strategy.

Greets,
 Jeroen

(* = pre-RIR alloc, then it is more 'owned', right? :)
I see these types of reflection/amplification attacks pretty frequently. Some games (mostly older games) are exploitable in this manner. The attacker sends a short spoofed request, and the game server sends back a huge chunk of data aimed at you. The chances of you finding the actual source are pretty slim. Usually this type of attack is going to be coming from / going to a specific port that you (or your upstream provider) can ACL.

Clayton
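A defender-side check for the pattern this thread turns on (many sources, one destination, identical counters), written here as an added example and not code from any poster: it parses "show ip accounting" style rows and flags destinations whose fan-in looks like reflected traffic rather than independent clients. The sample rows are constructed with RFC 5737 documentation addresses; only the column layout and the 117/5148 counters mirror the original post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Cisco "show ip accounting" output.
# RFC 5737 addresses, not the thread's data; counters mirror the post.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.10       203.0.113.5                   117                5148
 192.0.2.11       203.0.113.5                   117                5148
 192.0.2.12       203.0.113.5                   117                5148
 192.0.2.13       203.0.113.5                   117                5148
 198.51.100.7     203.0.113.9                    40                6000
 198.51.100.8     203.0.113.77                    3                 180
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Yield (src, dst, packets, bytes) per data row; the header does not match."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def find_reflection_candidates(records, min_sources=3):
    """Flag destinations fed by many distinct sources whose (packets, bytes)
    counters are all identical. Independent clients do not behave like that;
    the same forged request answered by many reflectors does."""
    by_dst = defaultdict(list)
    for src, dst, pkts, byts in records:
        by_dst[dst].append((src, pkts, byts))
    findings = {}
    for dst, flows in by_dst.items():
        if len(flows) < min_sources:
            continue
        counters = {(p, b) for _, p, b in flows}
        if len(counters) == 1:
            pkts, byts = next(iter(counters))
            findings[dst] = {
                "sources": len(flows),
                "packets_per_source": pkts,
                "avg_packet_bytes": byts / pkts,   # 44.0 for the 117/5148 rows
                "total_bytes": byts * len(flows),
            }
    return findings

if __name__ == "__main__":
    for dst, info in find_reflection_candidates(parse_accounting(SAMPLE)).items():
        print(dst, info)
```

The average packet size is the figure to compare against what the suspected game protocol normally emits; a small average, as here, says the accounting sample alone cannot explain a router CPU exhaustion, which is Jeroen's point above.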
On Thu, 31 Jan 2013 10:34:29 +0330 Shahab Vahabzadeh <sh.vahabzadeh@gmail.com> wrote:
Attacks take only 20 or 30 minutes and it happened only 4 times in two days. I couldn't capture any packets but this is the output of my "show ip accounting" at that time:
Attacks on gaming systems or at the gamers themselves are unfortunately quite common. Many of the DNS 'IN ANY' amplification and reflection attacks for instance appear to involve online games. We've also seen some similar reflection attacks involving CoD systems as someone else alluded in a link post. Dissimilar in attack profile, but similar in target were the frequent, but brief Xbox packet floods that attempted to disrupt a gamer's session.

It can be extremely difficult to assign attribution for any particular attack without a great deal of effort on your part, often in being prepared with lots of data collection in advance, plus the selfless cooperation of other network operators. The latter is often the biggest challenge given that you're often relying on the good will and limited available time of 3rd parties to work on it.

While many of the most recent attacks are performing address spoofing, collecting raw packet detail and knowing where it enters your network can offer at least the start of where to look for it. You can at least start with your peer or upstream. Examine IP TTLs to gauge at least how far back those packets are coming from. If your network is diverse enough from a global routing perspective, you may be able to triangulate it better.

I'd be particularly interested in working with folks in tracking down the DNS 'IN ANY' style attacks to the attack code or source attacks. Please shoot me an email off list or see me at NANOG 57 to discuss.

John
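The TTL examination John suggests, as an added example that is not part of any message in the thread: given (source, observed TTL) pairs from a packet capture, estimate each source's hop distance from the common initial TTLs and see whether the "many sources" collapse onto one distance (one origin forging addresses) or spread out (real hosts or reflectors scattered across the Internet). The packet samples are constructed with RFC 5737 addresses; the initial-TTL table and the hop-count heuristic are standard, not taken from the thread.

```python
from collections import Counter, defaultdict

# Initial TTL values commonly set by operating systems and network gear.
INITIAL_TTLS = (32, 64, 128, 255)

def estimate_hops(observed_ttl):
    """Estimate hop distance by assuming the smallest common initial TTL
    that is >= the observed value. Caveat: a host that started at 128 but
    arrives below 64 is mis-assigned to the 64 bucket."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)

def cluster_by_distance(packets):
    """Group source addresses by their most frequent estimated hop distance.
    packets: iterable of (source_ip, observed_ttl) pairs."""
    hops_per_source = defaultdict(list)
    for src, ttl in packets:
        hops_per_source[src].append(estimate_hops(ttl))
    clusters = defaultdict(list)
    for src, hops in hops_per_source.items():
        clusters[Counter(hops).most_common(1)[0][0]].append(src)
    return dict(clusters)

def single_path_score(packets):
    """Fraction of distinct sources in the largest hop-distance cluster.
    Near 1.0: the 'many sources' all arrive over one path, consistent with
    one origin forging addresses. Low: sources really are spread out."""
    clusters = cluster_by_distance(packets)
    total = sum(len(s) for s in clusters.values())
    return max(len(s) for s in clusters.values()) / total

# Constructed samples (RFC 5737 addresses, not the thread's data).
SPOOFED = [("192.0.2.%d" % i, 56) for i in range(1, 11)]     # all 8 hops away
REFLECTED = [("198.51.100.1", 52), ("198.51.100.2", 118),
             ("198.51.100.3", 240), ("198.51.100.4", 60),
             ("198.51.100.5", 110)]                               # 12, 10, 15, 4, 18 hops

if __name__ == "__main__":
    for name, pkts in (("spoofed flood", SPOOFED), ("reflected traffic", REFLECTED)):
        print(name, "single-path score:", single_path_score(pkts), cluster_by_distance(pkts))
```

Run it against TTLs recorded at the point where the traffic enters your network, as John says; the distance estimate only means something relative to that observation point.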
Participants (6): clayton@haydel.org, Fredrik Holmqvist / I2B, Jeroen Massar, John Kristoff, Shahab Vahabzadeh, Stephane Bortzmeyer