[144232] in North American Network Operators' Group


Re: DDoS - CoD? - Activision contact

daemon@ATHENA.MIT.EDU (BH)
Tue Sep 6 09:03:29 2011

Date: Tue, 06 Sep 2011 21:02:37 +0800
From: BH <lists@blackhat.bz>
To: nanog@nanog.org
In-Reply-To: <201109061110.34711.a.harrowell@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Looking around, I believe the issue is that the IP has ended up on a 
master game list, so we are now getting the queries directed at US.

For anyone interested, there seems to be some info here:

http://forums.steampowered.com/forums/showthread.php?t=1670090

With the packet capture I have and the symptoms looking very much like the 
example in my original email.

I found an earlier example as well with similar symptoms:
http://forums.srcds.com/viewtopic/15737

Is there anyone from Activision on the list or does anyone have an 
Activision contact? Replies off list welcome, I can provide more details 
there.


On 6/09/2011 6:10 PM, Alexander Harrowell wrote:
> On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
>> Could be legitimate CoD servers responding to a spoofed query?
>
> My first thought looking at the packet dump. Interesting that some poor
> sap's hotmail address is embedded in it.
>
>> How much
>> traffic are you talking about out of curiosity?
>>
>> Regards
>> Greg
>>
>>
>> On Tue, Sep 6, 2011 at 6:03 PM, BH<lists@blackhat.bz>  wrote:
>>
>>> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
>>>> I've seen DDoS traffic on UDP/80 as far back as 2002
>>> Hi Roland,
>>>
>>> I should be a bit more clear sorry, I too have frequently seen attacks
>>> on 80/udp but mainly as a source (eg. compromised hosting accounts)
>>> rather than the destination. I didn't in the past do a packet capture,
>>> but I looked at a couple of scripts and the data was usually random or
>>> just AAAAAA etc. The thing that perplexed me is why it appears to be
>>> Call of Duty data more than anything...
>>>
>>> Thanks
>>>
>>>
>>
>


