[cod] "reflection attacks" ... cod servers exploited ?

John lists.cod at nuclearfallout.net
Tue Jan 18 15:59:29 EST 2011


On 1/18/2011 5:51 AM, Marco Padovan wrote:
> We are getting hit HARD (.eu)
>
> I dunno what's the tool you are referring to... could you please mail 
> me some references privately so I can analyze it?

I was guessing that there is a new tool out there that is making this 
easy. I don't know for certain if this is actually the case, but it 
seems likely, considering the attack frequency and large-ranging target set.

> Basically we are currently dealing on a daily basis with this kind of 
> attacks since december ...
>
> We find ourselves handling 10k incoming spoofed packets per second 
> during certain times of the day...
>
> What are you referring to small flow? 1k/sec? 100packets/sec?

On the reflector side, maybe a dozen packets per second, at most. So few 
that we don't even notice a problem with the server.

> Which kind of rate limiting figures did you all apply?
> We are trying to defend ourselves with very very strict network 
> filters... but that's damaging also our services that at certain times 
> appear unreachable (even if they are not)

I haven't seen many of the reflections; I've mostly seen these attacks 
as a target. In those cases, filtering by strings that are specific to 
query responses seems to work best (when the attack is small enough to 
be filtered on our end), but other techniques have also been necessary 
at times.

> In our case it looks like it's not just against other gameservers... 
> but also against random hosts...
> Source packets sometimes are from port 80 UDP and, if not blocked, 
> replies would do a UDP flood to the poor host if enough gameservers 
> were involved... (even if no UDP service was running on port 80) :(

Against TCP-based services on a unique IP, an ACL on the upstream side 
to filter all UDP should take care of this for them, at least.

The attacks are most effective against other game servers that respond 
on UDP. Source servers, for instance, seem to be particularly vulnerable.

> The worst thing is that the damage to us as "reflectors" is very low 
> as we are used to handle a shitload of packets so it's difficult to 
> say if there's an attack going on or not :/

Nod, I agree. From the reflector's perspective, the attacks are almost 
impossible to detect.

> Additionally, as I'm providing services to different GSP brands in 
> different countries, I found out that attacks are basically spread on 
> ALL the servers... using all the servers available on the master list 
> as reflectors and targeting only a little number of victims... they 
> are not exploiting just a single GSP / gameserver :|

That's what I have seen as well. I counted the IPs involved in one 
attack early this month and found that there were over 3500 used in a 
30-second span of time.

Black Ops servers were frequently used for this in December but I 
believe that GS coordinated with Treyarch to get a rate limiting feature 
put in place with that game.

-John
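A per-source cap on query responses, the kind of rate limiting John says was added to Black Ops, is something a reflector can apply even though it cannot tell a spoofed source from a real one. The following is an added Python example, not code from the thread or from any game; the addresses, ports, window and limit are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample query stream: (timestamp_seconds, source_ip, source_port).
# 198.51.100.7 is a placeholder "victim" address being spoofed in a burst
# (source port 80, as described in the thread); 203.0.113.5 is a normal
# client polling the server at a human pace.
SAMPLE_QUERIES = (
    [(i * 0.01, "198.51.100.7", 80) for i in range(40)]
    + [(0.0, "203.0.113.5", 27005), (0.6, "203.0.113.5", 27005),
       (1.8, "203.0.113.5", 27005)]
)


class QueryRateLimiter:
    """Sliding-window limiter keyed by source address.

    The reflector answers at most `limit` queries per `window` seconds for any
    one source, which bounds the amplification it contributes no matter how
    many spoofed queries arrive with that victim's address.
    """

    def __init__(self, limit=5, window=1.0):
        self.limit = limit
        self.window = window
        self.sent = defaultdict(deque)  # src_ip -> timestamps of answered queries

    def allow(self, now, src_ip):
        q = self.sent[src_ip]
        # Forget answered queries that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process(events, limit=5, window=1.0):
    """Return {src_ip: {"answered": n, "dropped": n}} for an event list."""
    limiter = QueryRateLimiter(limit, window)
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for ts, src_ip, _src_port in sorted(events):
        key = "answered" if limiter.allow(ts, src_ip) else "dropped"
        stats[src_ip][key] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in process(SAMPLE_QUERIES).items():
        print(ip, counts)
```

A source whose dropped count dwarfs its answered count over many windows is also a usable signal that the address is being spoofed as a target, which is otherwise hard to see from the reflector side.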