[144233] in North American Network Operators' Group
Re: DDoS - CoD?
daemon@ATHENA.MIT.EDU (Jeff Walter)
Tue Sep 6 09:48:37 2011
Date: Tue, 06 Sep 2011 06:47:31 -0700
From: Jeff Walter <jeffw@he.net>
To: nanog@nanog.org
In-Reply-To: <4E65D182.8010008@blackhat.bz>
Call of Duty is apparently using the same flawed protocol as Quake III
servers, so you can think of it as an amplification attack. (I wish I'd
forgotten all about this stuff)
You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
source, and the server responds with everything you see. With decent
amplification (15B -> ~500B) and the number of CoD servers in the world you
could very easily build up a sizable attack.
--
Jeff Walter
Network Engineer
Hurricane Electric
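
One server-side mitigation for the reflection described in the message above, added here as an example; it is not part of the original message or of any game server's code. It models a per-source token bucket that caps status replies. The class and function names, the limiter parameters and the traffic sample are assumptions constructed for illustration; the ~500 B reply size is the message's figure.

```python
import collections

OOB = b"\xff\xff\xff\xff"           # connectionless marker quoted in the message
GETSTATUS = OOB + b"getstatus"
RESP_BYTES = 500                     # approximate reply size given in the message

def is_getstatus(payload: bytes) -> bool:
    """Match the status query quoted in the message."""
    return payload.startswith(GETSTATUS)

class StatusLimiter:
    """Per-source token bucket in integer milliseconds (hypothetical helper)."""
    def __init__(self, interval_ms=2000, burst=3):
        self.cost = interval_ms              # credit spent per reply
        self.cap = interval_ms * burst       # credit ceiling, allows a short burst
        self.state = {}                      # src -> (credit, last_seen_ms)

    def allow(self, src: str, now_ms: int) -> bool:
        credit, last = self.state.get(src, (self.cap, now_ms))
        credit = min(self.cap, credit + (now_ms - last))
        ok = credit >= self.cost
        self.state[src] = (credit - self.cost if ok else credit, now_ms)
        return ok

def reflected_bytes(events, limiter=None):
    """Bytes the server would send to each claimed source address."""
    sent = collections.Counter()
    for now_ms, src, payload in events:
        if is_getstatus(payload) and (limiter is None or limiter.allow(src, now_ms)):
            sent[src] += RESP_BYTES
    return sent

# Constructed sample: documentation addresses, not real hosts.
VICTIM, PLAYER = "198.51.100.7", "203.0.113.5"

def sample_events():
    query = GETSTATUS + b"\n"
    # Queries whose source field carries the victim's address: 100 pps for 10 s.
    flood = [(t, VICTIM, query) for t in range(0, 10_000, 10)]
    # An ordinary server browser refreshing every 5 s.
    browse = [(t, PLAYER, query) for t in (0, 5_000, 10_000)]
    return sorted(flood + browse)

if __name__ == "__main__":
    ev = sample_events()
    print("no limit :", dict(reflected_bytes(ev)))
    print("limited  :", dict(reflected_bytes(ev, StatusLimiter())))
```

Because spoofed source addresses are unbounded, a deployed limiter also needs a cap on the size of its per-source table and a global reply budget.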