[bf1942] DoS against port 29900

Steve Dalberg steve at sendithere.com
Thu Oct 13 11:45:56 EDT 2005

I wouldn't suggest to your ISP that they start doing any sort of packet 
inspection if they aren't currently doing it...  It can potentially 
increase latency and stop desired incoming traffic, especially if they 
have saturated links...  Of course, the ISP may have decent hardware in 
place that can handle the processor hits that packet inspection takes 
(by either ACLs/FW or by Policy/Source Routing).

James Gurney wrote:

> From the very little research I did on this last night, it sounds like 
> it's theoretically possible for the ISP to block spoofed packets, 
> which would seem to be the best solution all round. Or.. it may be 
> possible to use iptables to rate limit the queries to the port, thus 
> hugely reducing the impact of the flood.. I'll do some more research 
> on this today..
> James
> On 10/12/2005 3:43 AM, Steven Hartland wrote:
>> Yep we made EA aware of this issue two weeks ago. ATM they don't
>> seem to be taking it seriously. Looks like that's a light one we had
>> 150Mb DDoS's for a number of days. Had to null route an entire /16 to
>> ensure the DoS didn't reach its intended target.
>>    Steve / K
>> ----- Original Message ----- From: "James Gurney" 
>> <james at globalmegacorp.org>
>>> Has anyone seen a DoS attack targeting the BF2 gamespy port? I came 
>>> home to find my server taking a (fairly pathetic) 0.1Mbps flood 
>>> against port 29900. Unfortunately, the reply was pumping out 2Mbps 
>>> of traffic, presumably saturating the DSL of whatever poor sap was 
>>> hosting the trojan. No problem, easily shut down.. I'm just curious 
>>> if anyone has seen this before.. Seems pretty random.
>>> tcpdump revealed the source port as 22222. Port 22222 shows up in 
>>> Google as being the source port for a bunch of trojans, but none of 
>>> which appear to target the gamespy port (as far as I can tell).

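The iptables rate limiting suggested in the quoted message could look like the following. This is an added example, not something posted to the list: the chain name BF2_QUERY, the table name bf2query and the rate and burst values are assumptions, as is the query port being UDP. The limit is keyed on source address, so it caps how many queries, and therefore replies, any single address can draw from the server, whether that address is real or spoofed.

```sh
#!/bin/sh
# Added example (not from the thread). Prints iptables rules for review instead
# of applying them; pipe the output to `sh` as root to install.
# Assumptions: the query port is UDP; rate/burst are starting values to tune.

# Usage: bf2_ratelimit_rules PORT RATE BURST   e.g. 29900 10/second 20
bf2_ratelimit_rules() {
    rl_port=$1; rl_rate=$2; rl_burst=$3

    # Reject anything that is not a plain number of at most five digits.
    case "$rl_port" in
        ''|*[!0-9]*|??????*) echo "invalid port: $rl_port" >&2; return 1 ;;
    esac
    if [ "$rl_port" -lt 1 ] || [ "$rl_port" -gt 65535 ]; then
        echo "port out of range: $rl_port" >&2; return 1
    fi

    # hashlimit rates are written N/second or N/minute.
    case "$rl_rate" in
        [1-9]*/second|[1-9]*/minute) ;;
        *) echo "invalid rate: $rl_rate" >&2; return 1 ;;
    esac
    case "${rl_rate%%/*}" in
        *[!0-9]*) echo "invalid rate: $rl_rate" >&2; return 1 ;;
    esac
    case "$rl_burst" in
        ''|*[!0-9]*) echo "invalid burst: $rl_burst" >&2; return 1 ;;
    esac

    # Queries within the per-source limit are accepted; the excess is dropped
    # before the game server can answer it.
    cat <<EOF
iptables -N BF2_QUERY
iptables -A INPUT -p udp --dport $rl_port -j BF2_QUERY
iptables -A BF2_QUERY -m hashlimit --hashlimit-name bf2query --hashlimit-mode srcip --hashlimit-upto $rl_rate --hashlimit-burst $rl_burst --hashlimit-htable-expire 60000 -j ACCEPT
iptables -A BF2_QUERY -j DROP
EOF
}
```

Review the printed rules first, for example with `bf2_ratelimit_rules 29900 10/second 20`, and raise the rate if legitimate server-browser queries start being dropped.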