[cod] "reflection attacks" ... cod servers exploited ?

John lists.cod at nuclearfallout.net
Fri Jan 21 20:45:46 EST 2011


The 12 pps number that I quoted was in reference to the kind of inbound 
rate that I have been seeing from each external IP in an attack. 
Multiplied by thousands of game servers, this adds up to enough to 
overwhelm the processing abilities of a CS:S server, for instance.

From the standpoint of a reflector, there's not too much that you can 
do to prevent your servers from being used to attack the target, apart 
from potentially:

a) Rate-limiting queries for each source-destination IP tuple with 
firewall rules
b) Monitoring the network overall to look for large numbers of packets 
in from or out to any single external source, and potentially blocking 
(temporarily) inbound queries or your outbound responses from/to that IP
c) Given a sufficiently lengthy attack, trying to get your upstream to 
track down the true source of the traffic -- but this is a long shot, as 
most ISPs will not do it without major damage involved

From the standpoint of a target (which is mostly what I see on my end), 
detecting an attack based on the inbound packet rate and then blocking 
the IP set of attackers based on automated traffic analysis, or using a 
rule that nukes any inbound packets containing the string 
"statusResponse" at position 32, can be effective -- as long as the 
attack isn't completely overwhelming the uplink (in which case, a null 
route or upstream filtering is necessary).

-John

On 1/18/2011 2:15 PM, Marco Padovan wrote:
> Thanks for the detailed reply :)
>
> Within 8 hours we got 7 million inbound spoofed packets.
>
> Those were 7 million abusive requests ... all apparently coming from a 
> single IP source (I'm seeing that same source querying hundreds of 
> other gameservers in different datacenters).
> That's something like a constant flow of 200 packets/second from a 
> single source... looks like they are trying to exploit some of our 
> gameservers as reflectors...
> The source IP appears offline and unreachable ... dunno which services 
> it is serving... but seeing the rates I'm pretty sure that the source 
> is really that IP...
>
> At the moment these are the stats on a connection:
>    rx:    12.28 Mbit/s 15878 p/s          tx:    11.95 Mbit/s  9805 p/s
>
> Nearly 5k out of those 15k incoming packets are spoofed.
> 5000 packets/second filtered out...
>
> The 12 p/s figure you were referring to is very rare here.. or at least 
> it's covered by these big attacks...
>
> Unless you were talking about 12 packets to each single gameserver 
> instance... in such a case that would be possible... we have a lot of 
> gameservers running and the stats I was referring to above were overall 
> stats...
>
> Il 18/01/2011 21:59, John ha scritto:
>> On 1/18/2011 5:51 AM, Marco Padovan wrote:
>>> We are getting hit HARD (.eu)
>>>
>>> I dunno what's the tool you are referring to... could you please 
>>> mail me some references privately so I can analyze it?
>>
>> I was guessing that there is a new tool out there that is making this 
>> easy. I don't know for certain if this is actually the case, but it 
>> seems likely, considering the attack frequency and large-ranging 
>> target set.
>>
>>> Basically we are currently dealing on a daily basis with this kind 
>>> of attacks since December ...
>>>
>>> We find ourselves handling 10k incoming spoofed packets per second 
>>> during certain times of the day...
>>>
>>> What are you referring to as a small flow? 1k/sec? 100 packets/sec?
>>
>> On the reflector side, maybe a dozen packets per second, at most. So 
>> few that we don't even notice a problem with the server.
>>
>>> Which kind of rate limiting figures did you all apply?
>>> We are trying to defend ourselves with very very strict network 
>>> filters... but that's also damaging our services, which at certain times 
>>> appear unreachable (even if they are not)
>>
>> I haven't seen many of the reflections; I've mostly seen these 
>> attacks as a target. In those cases, filtering by strings that are 
>> specific to query responses seems to work best (when the attack is 
>> small enough to be filtered on our end), but other techniques have 
>> also been necessary at times.
>>
>>> In our case it looks like it's not just against other gameservers... 
>>> but also against random hosts...
>>> Source packets sometimes are from port 80 UDP and, if not blocked, 
>>> replies would do a UDP flood to the poor host if enough gameservers 
>>> were involved... (even if no UDP service was running on port 80) :(
>>
>> Against TCP-based services on a unique IP, an ACL on the upstream 
>> side to filter all UDP should take care of this for them, at least.
>>
>> The attacks are most effective against other game servers that 
>> respond on UDP. Source servers, for instance, seem to be particularly 
>> vulnerable.
>>
>>> The worst thing is that the damage to us as "reflectors" is very low 
>>> as we are used to handle a shitload of packets so it's difficult to 
>>> say if there's an attack going on or not :/
>>
>> Nod, I agree. From the reflector's perspective, the attacks are 
>> almost impossible to detect.
>>
>>> Additionally, as I'm providing services to different GSP brands in 
>>> different countries, I found out that attacks are basically spread 
>>> over ALL the servers... using all the servers available on the master 
>>> list as reflectors and targeting only a small number of victims... 
>>> they are not exploiting just a single GSP / gameserver :|
>>
>> That's what I have seen as well. I counted the IPs involved in one 
>> attack early this month and found that there were over 3500 used in a 
>> 30-second span of time.
>>
>> Black Ops servers were frequently used for this in December but I 
>> believe that GS coordinated with Treyarch to get a rate limiting 
>> feature put in place with that game.
>>
>> -John
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
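
As an added illustration (not code from the thread or from either poster), here is a Python sketch of the two defences John describes: the per-(source, destination) query rate limit on the reflector side, and the target-side match on "statusResponse" at byte 32 of the IP packet. The packet builder, the addresses, and the rate/burst values are constructed for the example; the offset reading (20-byte IPv4 header + 8-byte UDP header + the 4-byte 0xFF marker that precedes Quake3-style commands) is my assumption about why John's rule uses 32.

```python
import socket
import struct
from collections import defaultdict

OOB = b"\xff\xff\xff\xff"          # Quake3-style out-of-band marker before a command
MARKER = b"statusResponse"
STATUS_OFFSET = 20 + 8 + len(OOB)  # 32 = IPv4 header + UDP header + marker (assumed)


def ip_udp_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram (checksums left zero); sample data only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                         64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def is_reflected_status(pkt):
    """Target-side rule from the post: drop UDP carrying 'statusResponse' at
    byte 32. Assumes a 20-byte IPv4 header (no options), as a fixed offset does."""
    if len(pkt) < STATUS_OFFSET + len(MARKER) or pkt[9] != 17:  # 17 = UDP
        return False
    return pkt[STATUS_OFFSET:STATUS_OFFSET + len(MARKER)] == MARKER


class TupleRateLimiter:
    """Reflector-side rule (a): a token bucket per (src IP, dst IP) pair, so a
    spoofed source cannot get one server to answer hundreds of queries/s."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.state = rate_pps, burst, {}

    def allow(self, src, dst, now):
        tokens, last = self.state.get((src, dst), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[(src, dst)] = (tokens - 1 if ok else tokens, now)
        return ok


def reflector_filter(queries, rate_pps=5, burst=10):
    """Run (src, dst, time) query tuples through the limiter; return per-source
    counts of queries that would be answered and queries that would be dropped."""
    lim = TupleRateLimiter(rate_pps, burst)
    answered, dropped = defaultdict(int), defaultdict(int)
    for src, dst, t in queries:
        (answered if lim.allow(src, dst, t) else dropped)[src] += 1
    return dict(answered), dict(dropped)
```

A real player querying a few times per second never hits the bucket, while a spoofed source sending 200 queries/s to one server gets only the burst plus the refill rate answered.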
