[144247] in North American Network Operators' Group
Re: DDoS - CoD?
daemon@ATHENA.MIT.EDU (George Herbert)
Tue Sep 6 14:19:59 2011
In-Reply-To: <4E662473.4090303@he.net>
Date: Tue, 6 Sep 2011 11:19:23 -0700
From: George Herbert <george.herbert@gmail.com>
To: Jeff Walter <jeffw@he.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Arrgghhh....
This reminds me of the WebNFS attack, which is why Sun aborted
WebNFS's public launch, after I pointed it out during its Solaris 2.6
early access program.
Never run a volume-multiplying service on UDP if you can help it,
exposed to the outside world, without serious in-band source
verification. Amplification attacks are a classic easy DDOS win.
-george
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter <jeffw@he.net> wrote:
> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>
-- 
-george william herbert
george.herbert@gmail.com
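A defender-side illustration of the reflection described in the quoted message, added here and not code from the thread or from any game server: it recognises Quake III-style out-of-band UDP payloads, measures request/response amplification on a constructed statusResponse, and throttles getstatus answers per source address, which is what a server operator can do until a real source-verification handshake is in place. The response layout, player lines and addresses are constructed assumptions; only the getstatus probe itself comes from the thread.

```python
"""Defender-side check for the Quake III-style getstatus reflection in the thread.
Constructed example: classify OOB payloads, measure amplification, throttle per source."""
import time
from collections import defaultdict

OOB_MARKER = b"\xff\xff\xff\xff"           # Quake3 "out-of-band" prefix
GETSTATUS = OOB_MARKER + b"getstatus\n"    # the probe quoted in the thread

# Constructed statusResponse (assumed layout): a key\value info string, then one
# 'score ping "name"' line per connected player. Real responses vary in size.
RESPONSE = (OOB_MARKER + b"statusResponse\n"
            + b"\\sv_hostname\\example server\\mapname\\mp_example"
            + b"\\sv_maxclients\\32\\protocol\\68\n"
            + b"".join(b'%d %d "player%02d"\n' % (i * 10, 40 + i, i) for i in range(16)))

def parse_oob(payload: bytes):
    """Return the OOB command word, or None if the payload is not an OOB packet."""
    if not payload.startswith(OOB_MARKER):
        return None
    first_line = payload[len(OOB_MARKER):].split(b"\n", 1)[0]
    return first_line.split(b" ", 1)[0].decode("ascii", "replace")

def amplification_factor(request: bytes, response: bytes) -> float:
    """Response bytes per request byte; anything well above 1 makes a reflector."""
    return len(response) / len(request)

class GetstatusLimiter:
    """Per-source token bucket: at most `rate` getstatus answers/second, burst `burst`."""
    def __init__(self, rate=1.0, burst=3, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.buckets = defaultdict(lambda: [float(burst), self.now()])

    def allow(self, src_ip: str) -> bool:
        tokens, last = self.buckets[src_ip]
        t = self.now()
        tokens = min(self.burst, tokens + (t - last) * self.rate)  # refill since last
        allowed = tokens >= 1
        self.buckets[src_ip] = [tokens - 1 if allowed else tokens, t]
        return allowed

def should_answer(payload: bytes, src_ip: str, limiter: GetstatusLimiter) -> bool:
    """True if the server should reply; getstatus is throttled per (possibly spoofed) source."""
    cmd = parse_oob(payload)
    if cmd is None:
        return False            # not a recognised query: drop silently, never reflect
    if cmd == "getstatus":
        return limiter.allow(src_ip)
    return True
```

The limiter caps how much traffic a reflector will send toward any one spoofed address; it is a stopgap, not a substitute for the in-band source verification George calls for.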