[nsp-sec] UDP love against AS5539
sthaug at nethelp.no
Fri Dec 23 16:58:52 EST 2011
> Just another tidbit... I've been told that this might actually be
> legitimate sources, specifically COD4 game servers reflecting
> traffic spoofed to claim "coming from 194.97.147.57". David Freedman
> saw symmetric traffic in his network, with his hosts just responding
> to solicitations (though I'm sure our host isn't sending them). Bah.
>
> This link has been sent to me:
>
> http://icculus.org/pipermail/cod/2011-August/015397.html
>
> "So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address."
Yup, spoofed source amplification attacks are all the rage now. I'm
seeing DNS based ones, typically querying for ANY isc.org or ripe.net
and getting a large reply, several times per day.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
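A resolver-side check for the DNS pattern described in this message, added here as an example and not part of the original post: it flags source addresses that send a burst of ANY queries, since in a spoofed-source reflection the "client" in the log is the address the large replies are being aimed at. The log layout, function name, window, and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log layout (simplified, not any specific server's format):
#   <ISO timestamp> client <ip>#<port>: query: <qname> IN <qtype>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "2011-12-23T16:58:50.000 client 198.51.100.7#40000: query: example.net IN A",
    "2011-12-23T16:58:50.100 client 192.0.2.10#1025: query: isc.org IN ANY",
    "2011-12-23T16:58:50.200 client 192.0.2.10#1025: query: isc.org IN ANY",
    "2011-12-23T16:58:50.300 client 192.0.2.10#1025: query: ripe.net IN ANY",
    "2011-12-23T16:58:50.400 client 192.0.2.10#1025: query: isc.org IN ANY",
    "2011-12-23T16:58:50.500 client 192.0.2.10#1025: query: ripe.net IN ANY",
    "2011-12-23T16:58:51.000 client 198.51.100.7#40001: query: isc.org IN ANY",
    "2011-12-23T16:58:51.100 client 192.0.2.10#1025: query: isc.org IN ANY",
    "unparseable line, skipped by the parser",
]

def likely_reflection_targets(lines, window_s=10.0, threshold=5):
    """Return {source_ip: {"peak": n, "qnames": set}} for sources whose
    ANY-query count inside a sliding window reaches the threshold."""
    recent = defaultdict(deque)   # source ip -> (timestamp, qname) in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["qtype"].upper() != "ANY":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["qname"].lower().rstrip(".")))
        # Drop entries that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(m["ip"], {"peak": 0, "qnames": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["qnames"].update(name for _, name in q)
    return flagged

if __name__ == "__main__":
    for ip, hit in likely_reflection_targets(SAMPLE).items():
        print(ip, hit["peak"], sorted(hit["qnames"]))
```

A flagged address is a candidate for per-source response rate limiting on the resolver; the single ANY query from the second client stays below the threshold and is not reported.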