[144262] in North American Network Operators' Group


Re: DDoS - CoD? - Activision contact

daemon@ATHENA.MIT.EDU (Jeff Walter)
Wed Sep 7 11:36:17 2011

Date: Wed, 07 Sep 2011 08:35:03 -0700
From: Jeff Walter <jeffw@he.net>
To: nanog@nanog.org
In-Reply-To: <4E6619ED.7000503@blackhat.bz>

On 9/6/2011 6:02 AM, BH wrote:
> Looking around, I believe the issue is that the IP has ended up on a 
> master game list, so we are now getting the queries directed at US.

Having written multiple versions of a Quake III master server (again, 
much self-hate) I pulled one of my old master query scripts out of 
mothballs and checked.  You are not listed on the CoD4 master server 
(assuming you did not alter the UDP frames you originally posted).  If 
you were you would be seeing "getInfo" and "getStatus" queries, but 
you're not.  You're seeing the "getInfoResponse" and "getStatusResponse" 
packets from a server which is listed on the master server.  This is an 
attack; nothing sinister is happening.

Your best bet is to filter all UDP traffic except for what you need (DNS 
comes to mind).  You might also want to get in contact with 
killkuter@hotmail.com and encourage them to install the previously 
mentioned patched server executable to prevent their server from being 
used as an attack amplifier.

--
Jeff Walter
Network Engineer
Hurricane Electric
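The distinction Jeff draws above (inbound getInfo/getStatus queries mean you are on the master list; inbound getInfoResponse/getStatusResponse packets you never asked for mean a listed server is being used as a reflector against you) can be checked mechanically over a packet capture. The script below is an added illustration, not code from the post or from any game or master server; it uses the command names exactly as the post spells them, assumes the Quake III-style four-byte 0xFF connectionless prefix, and runs on constructed sample packets with RFC 5737 addresses.

```python
"""
Classify Quake III-style UDP payloads seen at an address and decide whether
that address is (a) listed on a master server and receiving queries, or
(b) the target of a reflection attack receiving unsolicited responses.
Added example; sample packets are constructed, not captured.
"""
from collections import Counter

# Q3-derived protocols prefix connectionless packets with four 0xFF bytes
# followed by the command name (assumption about the wire format).
OOB_PREFIX = b"\xff\xff\xff\xff"
# Command names as given in the post.
QUERIES = {b"getInfo", b"getStatus"}
RESPONSES = {b"getInfoResponse", b"getStatusResponse"}


def classify(payload: bytes) -> str:
    """Return 'query', 'response' or 'other' for one UDP payload."""
    if not payload.startswith(OOB_PREFIX):
        return "other"
    body = payload[len(OOB_PREFIX):]
    # The command is the first token, delimited by newline or space.
    token = body.split(b"\n", 1)[0].split(b" ", 1)[0]
    if token in QUERIES:
        return "query"
    if token in RESPONSES:
        return "response"
    return "other"


def diagnose(packets, our_ip):
    """
    packets: iterable of (src_ip, dst_ip, payload) tuples in capture order.
    Returns counts plus a verdict:
      'listed'    inbound queries and no unsolicited responses
      'reflected' responses arriving from hosts we never queried
      'quiet'     nothing of interest
    """
    inbound = Counter()
    queried = set()        # hosts our_ip actually sent a query to
    reflectors = set()     # hosts whose responses we never asked for
    unsolicited = 0
    for src, dst, payload in packets:
        kind = classify(payload)
        if src == our_ip:
            if kind == "query":
                queried.add(dst)
            continue
        if dst != our_ip:
            continue
        inbound[kind] += 1
        if kind == "response" and src not in queried:
            unsolicited += 1
            reflectors.add(src)
    if unsolicited and unsolicited >= inbound["query"]:
        verdict = "reflected"
    elif inbound["query"]:
        verdict = "listed"
    else:
        verdict = "quiet"
    return {
        "verdict": verdict,
        "inbound_queries": inbound["query"],
        "inbound_responses": inbound["response"],
        "unsolicited_responses": unsolicited,
        "reflectors": sorted(reflectors),
    }


# Constructed samples. VICTIM is the address under observation.
VICTIM = "198.51.100.5"
REFLECTED_PACKETS = [
    ("203.0.113.10", VICTIM, OOB_PREFIX + b"getStatusResponse\n\\sv_hostname\\srvA\n"),
    ("203.0.113.11", VICTIM, OOB_PREFIX + b"getInfoResponse\n\\hostname\\srvB\\clients\\12\n"),
    ("203.0.113.10", VICTIM, OOB_PREFIX + b"getStatusResponse\n\\sv_hostname\\srvA\n"),
    ("192.0.2.53", VICTIM, b"\x12\x34\x81\x80\x00\x01"),   # DNS-looking reply, 'other'
]
LISTED_PACKETS = [
    ("192.0.2.77", VICTIM, OOB_PREFIX + b"getInfo xxx"),
    ("192.0.2.78", VICTIM, OOB_PREFIX + b"getStatus"),
    (VICTIM, "192.0.2.77", OOB_PREFIX + b"getInfoResponse\n\\hostname\\mine\n"),
]

if __name__ == "__main__":
    print(diagnose(REFLECTED_PACKETS, VICTIM))
    print(diagnose(LISTED_PACKETS, VICTIM))
```

Feeding a real capture through `diagnose` only needs the three-tuple per UDP datagram; the `reflectors` list is what you would hand to the reflecting server's operator, as the post suggests, while a `reflected` verdict is the cue to apply the UDP allow-list filter described above.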


