[bf1942] DoS against port 29900

ScratchMonkey ScratchMonkey at MatureAsskickers.net
Wed Oct 12 00:31:02 EDT 2005


--On Tuesday, October 11, 2005 9:11 PM -0700 James Gurney 
<james at globalmegacorp.org> wrote:

> Has anyone seen a DoS attack targeting the BF2 gamespy port? I came home
> to find my server taking a (fairly pathetic) 0.1Mbps flood against port
> 29900. Unfortunately, the reply was pumping out 2Mbps of traffic,
> presumably saturating the DSL of whatever poor sap was hosting the
> trojan. No problem, easily shut down.. I'm just curious if anyone has
> seen this before.. Seems pretty random.
>
> tcpdump revealed the source port as 22222. Port 22222 shows up in Google
> as being the source port for a bunch of trojans, but none of which appear
> to target the gamespy port (as far as I can tell).
>
> Anyone seen this before?

Sounds like a reflection attack. Valve's servers switched to a 
challenge-response system to shut down this kind of thing. I believe Unreal 
Tournament has also addressed it.

A couple of examples:

<http://aluigi.altervista.org/adv/msddos-adv.txt>
<http://aluigi.altervista.org/poc/utflood.c>

The issue is that a tiny packet sent as a query results in a huge flood of 
information coming back, and the requester's address isn't verified. If you 
spoof your source UDP address to be your victim, and send tiny requests to 
lots of game servers, they all reply and swamp the victim.
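
The challenge-response fix mentioned in the reply, as an added example that is not part of the original post or of any game's code: the server sends the large status reply only to a source that has echoed back a token bound to its address. The `STATUS`/`CHALLENGE` packet names, the token layout and the sample addresses are assumptions made for illustration, not the GameSpy or Valve wire format.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # per-server key, regenerated on restart
WINDOW = 30               # seconds in one challenge time bucket
# Constructed stand-in for a large server-status reply (about 1.8 kB).
FULL_STATUS = b"\\hostname\\example" + b"\\player\\x" * 200

def make_challenge(addr, now):
    """Token bound to source IP, port and time bucket; the server stores nothing."""
    msg = f"{addr[0]}|{addr[1]}|{int(now) // WINDOW}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]

def valid_challenge(token, addr, now):
    # Accept the current and the previous bucket so a token issued just
    # before a bucket boundary still works.
    return any(hmac.compare_digest(token, make_challenge(addr, now - age))
               for age in (0, WINDOW))

def handle_query(packet, addr, now):
    """Return the bytes to send to addr, the claimed (unverified) UDP source."""
    if packet.startswith(b"STATUS ") and valid_challenge(packet[7:15], addr, now):
        return FULL_STATUS          # source proved it receives traffic at addr
    reply = b"CHALLENGE " + make_challenge(addr, now)
    # Never answer an unverified source with more bytes than it sent:
    # short probes are dropped, so the amplification factor stays <= 1.
    return reply if len(packet) >= len(reply) else b""

if __name__ == "__main__":
    client, now = ("198.51.100.9", 40000), 1_000_000.0
    probe = b"STATUS " + b"\x00" * 11          # padded first query, no token yet
    challenge = handle_query(probe, client, now)
    token = challenge[len(b"CHALLENGE "):]
    full = handle_query(b"STATUS " + token, client, now + 1)
    print(f"unverified: {len(probe)} bytes in, {len(challenge)} bytes out")
    print(f"verified:   {len(full)} bytes out")
```

A spoofed query now makes the server send only the short challenge to the forged address, and the sender never sees the token needed to unlock the large reply.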




