[nsp-sec] UDP love against AS5539
Gert Doering
gert at greenie.muc.de
Fri Dec 23 16:45:37 EST 2011
Hi,
On Fri, Dec 23, 2011 at 09:43:19AM +0100, Gert Doering wrote:
> So, what I'd like you to do is to check your telemetry for flows
> to
> dst ip = 194.97.147.57
> proto = udp
> dst port = 27660
Just another tidbit... I've been told that this might actually be
legitimate sources, specifically COD4 game servers reflecting
traffic spoofed to claim "coming from 194.97.147.57". David Freedman
saw symmetric traffic in his network, with his hosts just responding
to solicitations (though I'm sure our host isn't sending them). Bah.
This link has been sent to me:
http://icculus.org/pipermail/cod/2011-August/015397.html
"So we're getting reports of DDoS attacks, where botnets will send
infostring queries to COD4 dedicated servers as fast as possible with
spoofed addresses. They send a small UDP packet, and the server replies
with a larger packet to the faked address."
This posting contains a patch for COD servers to rate-limit "info"
queries to 1/second, which renders this attack useless - but it seems
enough servers are yet unpatched - so there's *still* work to do for
your customer relations department...
Anyway. The attack has stopped at 18:30 GMT+1, so I'm formally no
longer annoyed :-) - thanks to all who have responded and investigated.
gert
--
Gert Doering
SpaceNet AG, AS 5539, gert at space.net. PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
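An added example, not code from the post, from SpaceNet or from the linked COD patch: it models the reflection the quoted report describes (small spoofed query in, larger infostring reply out to the faked address), compares an unpatched server with one applying the 1/second limit on info queries, and applies the three-field telemetry check from the top of the thread (dst ip 194.97.147.57, proto udp, dst port 27660) to constructed flow records. The packet sizes, the 0xffffffff-prefixed "getinfo" framing, source port 28960 and the limiter's single global interval are assumptions for illustration, not values taken from the page.

```python
"""Model of the COD4 'getinfo' reflection described in the post, with and
without the 1/second limit on info queries that the linked patch introduces,
plus the flow check the thread asked operators to run.
Added example, not code from the post, from SpaceNet or from the COD patch.
Assumptions: packet sizes, the Quake3-style query framing, port 28960 and
the limiter design are illustrative, not measured from COD4 servers."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

VICTIM_IP = "194.97.147.57"            # from the post
VICTIM_PORT = 27660                    # from the post
QUERY_LEN = 16                         # assumption: bytes per spoofed getinfo query
INFO_REPLY_LEN = 600                   # assumption: bytes per infostring reply
GETINFO = b"\xff\xff\xff\xffgetinfo"   # assumption: Quake3-style OOB framing


@dataclass
class InfoServer:
    """Game server answering getinfo; rate_limit_per_sec=None is unpatched."""
    rate_limit_per_sec: Optional[float] = None
    last_reply_at: Optional[float] = None
    sent_to: dict = field(default_factory=lambda: defaultdict(int))

    def handle(self, src_ip: str, payload: bytes, now: float) -> int:
        """Handle one inbound datagram; return bytes emitted back to src_ip.
        src_ip is whatever the packet claims, so a spoofed query makes the
        server reply to the victim, not to the sender."""
        if not payload.startswith(GETINFO):
            return 0
        if self.rate_limit_per_sec is not None:
            min_gap = 1.0 / self.rate_limit_per_sec
            if self.last_reply_at is not None and now - self.last_reply_at < min_gap:
                return 0           # dropped: a reply already went out this interval
            self.last_reply_at = now
        self.sent_to[src_ip] += INFO_REPLY_LEN
        return INFO_REPLY_LEN


def simulate_flood(server: InfoServer, queries_per_sec: int, seconds: int):
    """Constant-rate flood of getinfo queries spoofed from VICTIM_IP.
    Returns (bytes the attacker sent, bytes the victim received, amplification)."""
    payload = GETINFO + b" xxx"
    attacker_bytes = victim_bytes = 0
    for i in range(queries_per_sec * seconds):
        now = i / queries_per_sec
        attacker_bytes += QUERY_LEN
        victim_bytes += server.handle(VICTIM_IP, payload, now)
    return attacker_bytes, victim_bytes, victim_bytes / attacker_bytes


# Constructed flow records in the shape an operator pulls from NetFlow:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# Reflector addresses are RFC 5737 documentation ranges, not real servers;
# 28960 is assumed as the usual COD4 server port.
SAMPLE_FLOWS = [
    ("192.0.2.10", 28960, VICTIM_IP, VICTIM_PORT, "udp", 1200, 720000),
    ("198.51.100.7", 28960, VICTIM_IP, VICTIM_PORT, "udp", 900, 540000),
    ("203.0.113.44", 28960, VICTIM_IP, VICTIM_PORT, "udp", 50, 30000),
    ("192.0.2.10", 28960, "198.51.100.200", 27660, "udp", 3, 1800),   # other dst
    ("192.0.2.99", 443, VICTIM_IP, 443, "tcp", 40, 12000),            # unrelated
]


def summarize_reflectors(flows, dst_ip=VICTIM_IP, dst_port=VICTIM_PORT):
    """Apply the three-field check from the post and aggregate per source.
    Returns {src_ip: (packets, bytes, avg_packet_bytes)}, largest senders first."""
    per_src = defaultdict(lambda: [0, 0])
    for src, _sport, dst, dport, proto, pkts, nbytes in flows:
        if dst == dst_ip and proto == "udp" and dport == dst_port:
            per_src[src][0] += pkts
            per_src[src][1] += nbytes
    return {src: (p, b, b // p) for src, (p, b) in
            sorted(per_src.items(), key=lambda kv: -kv[1][1])}


if __name__ == "__main__":
    for label, limit in (("unpatched", None), ("patched, 1 query/s", 1.0)):
        a, v, amp = simulate_flood(InfoServer(limit), 1000, 10)
        print(f"{label}: attacker sent {a} B, victim received {v} B, x{amp:.2f}")
    for src, (p, b, avg) in summarize_reflectors(SAMPLE_FLOWS).items():
        print(f"{src}: {p} pkts, {b} B, avg {avg} B/pkt")
```

With the assumed sizes, ten seconds of 1000 spoofed queries per second cost the attacker 160 kB and deliver 6 MB to the victim from an unpatched server; the same flood against a server with the 1/second limit delivers 6 kB. The flow summary is what the thread's telemetry request looks like once aggregated: many distinct sources, all sending UDP to one host and port at a uniform large packet size, which is the reflection signature rather than a host "sending them" itself.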